Ransomware in the cloud

Recently we were engaged by a company after they were targeted by a ransomware attack in their AWS environment. In this blog we want to show you what happened and how we were able to piece together the picture based on available logging.

Recently, a company was targeted by a ransomware attack in their AWS environment. Invictus Incident Response was engaged to investigate the attack and piece together the picture based on available logging. The attack was mapped to the MITRE ATT&CK steps, with the initial access being due to accidentally exposed long-term credentials. The threat actor then performed reconnaissance activities, such as attempting to create additional users and listing other users, buckets and access keys. The attempt to create a root user was unsuccessful as each AWS account by default has a root user.

The threat actor was able to exfiltrate data from the S3 bucket due to the access key they had. This was confirmed by using the AWS billing information which contained an entry for a GetObject Operation which is recorded when a file is downloaded from a S3 bucket. After the exfiltration of the data, the threat actor disabled bucket versioning, deleted data from several buckets and left behind a ransom note.

Invictus Incident Response provided a list of recommendations tailored to the prevention, detection, response and recovery of a ransomware incident in AWS. These included enabling a trail in CloudTrail to store data in a S3 bucket which allows for longer data retention, enabling CloudTrail for data events, limiting the usage of long-term access key, protecting access keys, enabling bucket versioning with MFA delete and using AWS Backup for immutable backups.

Ransomware is a threat for all organizations, not just limited to on-premise environments. It is important to follow the recommendations provided by Invictus Incident Response to prevent, detect, respond and recover from a ransomware incident in AWS. Invictus Incident Response is an incident response company that specialises in supporting organisations facing a cyber attack. They can be contacted at [email protected] or through their website at https://www.invictus-ir.com/247.

📓 Ransomware in the cloud

👉🏽 Recently we were engaged by a company after they were targeted by a ransomware attack in their AWS environment. In this blog we want to show you what happened and how we were able to piece together the picture based on available logging. 👉🏽 Description of a ransomware attack on a company's AWS environment. 👉🏽 Invictus Incident Response was engaged to investigate the attack. 👉🏽 The attack was mapped to the MITRE ATT&CK steps. 👉🏽 Accidentally exposed long-term credentials were the initial access point. 👉🏽 The threat actor performed reconnaissance activities. 👉🏽 Exfiltration of data from the S3 bucket was confirmed. 👉🏽 Threat actor disabled bucket versioning, deleted data and left a ransom note. 👉🏽 Invictus Incident Response provided recommendations for prevention, detection, response and recovery. 👉🏽 Ransomware is a threat for all organizations, not limited to on-premise environments. 👉🏽 Invictus Incident Response is an incident response company that specializes in supporting organizations facing a cyber attack.

🔗 source link: https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82

🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/ransomware-in-the-cloud

#Ransomware #AWS #IncidentResponse #Prevention #Detection