
Researcher Uncovers AWS S3 Ransomware Vulnerabilities

Security researchers at Rhino Security Labs have uncovered a concerning vulnerability in Amazon Web Services (AWS) S3 storage systems that could allow attackers to execute ransomware attacks against cloud-stored data. 

The research demonstrates how attackers can encrypt S3 bucket contents using AWS Key Management Service (KMS), potentially affecting massive amounts of corporate data in minutes.

Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud, offering over 200 fully featured services from data centres globally. 

According to the researchers' findings, an attacker with access to an AWS environment could encrypt approximately 900 MB of data per second using cross-account KMS keys. In their proof-of-concept test, the team successfully encrypted 2,000 files totalling 100 GB in just 1 minute and 47 seconds, highlighting the speed and severity of potential attacks.

The attack methodology involves creating a KMS key in a separate AWS account with encryption-only permissions and then using this key to re-encrypt objects in compromised S3 buckets. Since the victim doesn't have access to the attacker's KMS key, they cannot decrypt their files without meeting the attacker's demands.

What makes this attack vector particularly dangerous is the time gap between execution and detection. Because AWS CloudTrail logs typically take 5-15 minutes to deliver, an attacker could potentially encrypt up to 270 GB of data before security teams receive the first alert. This volume could represent hundreds of thousands of business-critical files, including photos, videos, and documents.

However, the researchers also outlined several defensive measures organizations can implement to protect against such attacks. 

Key recommendations include enabling S3 Object Versioning with Multi-Factor Authentication (MFA) Delete, implementing strict bucket policies that enforce specific encryption requirements, and following the principle of least privilege for AWS IAM permissions.

"S3 ransomware can be fairly straightforward for an attacker to perform, but with the right defenses in place, you can protect yourself," the researchers noted in their report.

They emphasize the importance of maintaining proper access controls, regular security audits, and comprehensive backup strategies.

Rhino Security Labs has released a testing script on GitHub to assist organizations in assessing their vulnerability to this attack vector. The script, designed for defensive purposes, helps security teams evaluate their S3 bucket configurations and build appropriate detection mechanisms.
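
One detection check a team could build for the cross-account key pattern described above, shown as an added example that is not Rhino Security Labs' script: it flags S3 write events whose KMS key ARN names an account outside a trusted list. The record layout and the `x-amz-server-side-encryption-aws-kms-key-id` request parameter are modelled on CloudTrail S3 data events and are assumptions of this example; the sample records and all IDs are constructed.

```python
import re

# KMS key ARN layout: arn:<partition>:kms:<region>:<account-id>:key/<key-id>
KMS_ARN = re.compile(r"^arn:aws[\w-]*:kms:[\w-]+:(\d{12}):(?:key|alias)/.+$")
WRITE_EVENTS = {"PutObject", "CopyObject"}
# Assumed name of the request parameter carrying the SSE-KMS key.
KEY_PARAM = "x-amz-server-side-encryption-aws-kms-key-id"


def kms_key_account(key_ref):
    """Return the account ID embedded in a KMS ARN, or None if not a full ARN."""
    match = KMS_ARN.match(key_ref or "")
    return match.group(1) if match else None


def foreign_key_writes(records, trusted_accounts):
    """List S3 writes encrypted with a KMS key owned by an untrusted account."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in WRITE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        account = kms_key_account(params.get(KEY_PARAM))
        # Values that are not full ARNs name no account and are skipped here.
        if account is not None and account not in trusted_accounts:
            findings.append({"bucket": params.get("bucketName"),
                             "key": params.get("key"),
                             "kms_account": account})
    return findings


# Constructed sample records (not real log data); all IDs are placeholders.
OWN, OTHER = "111111111111", "999999999999"
SAMPLE = [
    {"eventName": "CopyObject", "requestParameters": {
        "bucketName": "example-bucket", "key": "reports/q1.pdf",
        KEY_PARAM: f"arn:aws:kms:us-east-1:{OTHER}:key/constructed-key-id"}},
    {"eventName": "PutObject", "requestParameters": {
        "bucketName": "example-bucket", "key": "reports/q2.pdf",
        KEY_PARAM: f"arn:aws:kms:us-east-1:{OWN}:key/constructed-key-id"}},
    {"eventName": "GetObject", "requestParameters": {
        "bucketName": "example-bucket", "key": "reports/q1.pdf"}},
]

if __name__ == "__main__":
    for hit in foreign_key_writes(SAMPLE, trusted_accounts={OWN}):
        print(hit)
```

Given the log delivery delay the article describes, a check like this confirms an attack after the fact; the preventive controls listed earlier still carry the weight of stopping it.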

The team recommends implementing multiple layers of security controls and maintaining robust incident response plans to mitigate potential attacks.
