Ransomware in the cloud
--
Insights from practical experience
Our cloud incident response trainings are now available!
Background
Recently we were engaged by a company after they were targeted by a ransomware attack in their AWS environment. In this blog we want to show you what happened and how we were able to piece together the picture based on available logging.
Due to confidentiality we will be using censored screenshots to protect our client’s information. They approved the publication of this blog, to prevent other companies from becoming a victim to a similar attack.
Attack overview
The overall attack activity is mapped to the MITRE ATT&CK steps as shown in the figure below:
Initial Access
The threat actor was able to get into the environment due to accidentally exposed long-term credentials. The first malicious activity happened outside of the 90-day retention period of CloudTrail. However, based on analysis of subsequent events and open-source analysis we were able to determine that a specific access key was used which was publicly exposed. Luckily the access key was for an account that only had rights to a specific S3 bucket.
Reconnaissance
Following the initial access the threat actor performed the following activities for reconnaissance.
Most of the activities are self-explanatory and they are attempts to list other users, buckets and any available access keys.
The more interesting calls are around Quotas the ListServiceQuotas and GetSendQuota events are related to the AWS Simple Email Solution (SES) service. We’ve seen that SES is an interesting attack vector for threat actors, because they can leverage SES for spamming and (spear)phishing campaigns. Because the access keys that were used for making these calls had limited permissions these calls all resulted in AccessDenied events as shown in an example below.
