
The latest Palo Alto Networks Unit 42 Cloud Threat Report found sensitive data in 66% of cloud storage buckets. That data is exposed to ransomware attacks, and the SANS Institute recently reported that such attacks can be carried out by abusing cloud provider storage security controls and default settings.
“In the past few months, we have witnessed two different ways to carry out ransomware attacks that are nothing but legal cloud security features,” warns Brandon Evans, a security consultant and certified SANS instructor. Halcyon has disclosed an attack campaign that leverages SSE-C, one of Amazon S3’s native encryption mechanisms, to encrypt each target bucket. A few months ago, security consultant Chris Farris demonstrated how attackers can use a simple script generated by ChatGPT to perform similar attacks using a different AWS security feature: KMS keys with foreign key material. “Obviously, this topic is the best for both threat actors and researchers,” Brandon said.
To combat cloud ransomware, SANS recommends that organizations:
Understand the power and limitations of cloud security controls: Using the cloud does not automatically make your data secure. “The first cloud services most people use are file backup solutions such as OneDrive, Dropbox, and iCloud,” explains Brandon. “These services typically have file recovery capabilities enabled by default, but this is not the case with Amazon S3, Azure Storage, or Google Cloud Storage. It’s important that security experts understand how these services work and don’t assume that the cloud will save them.”
Block unsupported cloud encryption methods: AWS S3 SSE-C, AWS KMS keys with foreign key material, and similar encryption techniques can be abused because the attacker has full control over the key. Organizations can use identity and access management (IAM) policies to mandate the encryption methods used in S3, such as SSE-KMS with AWS-hosted key material.
Enable backups, object versioning, and object locking: These are some of the integrity and availability controls for cloud storage. None of them is enabled by default at any of the Big 3 cloud providers. When used properly, they increase the chances that your organization can recover its data after a ransomware attack.
Balance security, cost and data lifecycle policy: These security features cost money. “Cloud providers don’t host data versions or backups for free. At the same time, organizations don’t offer blank checks for data security,” Brandon says. Each Big 3 cloud provider allows customers to define lifecycle policies, which automatically delete objects, versions, or backups the organization no longer needs. However, attackers can also take advantage of lifecycle policies: they were used in the aforementioned attack campaign to pressure targets into paying the ransom quickly.
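The IAM enforcement described above, as an added example that is not from the article, SANS, or AWS documentation: a bucket policy that denies SSE-C uploads and any SSE-KMS upload that does not use the organization's own KMS key, plus a simplified evaluator for checking the Deny statements against a set of PutObject request headers before deployment. It assumes only the three S3 condition keys shown and ignores the rest of IAM evaluation (bucket default encryption, Allow statements, other principals).

```python
# Added example (not the article's or AWS's own code); simplified IAM semantics.
import json

def storage_hardening_policy(bucket: str, kms_key_arn: str) -> dict:
    """Deny s3:PutObject unless it uses SSE-KMS with the org's own KMS key."""
    arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 1. SSE-C: the caller supplies the key, so the org never has it.
                "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": arn,
                "Condition": {"Null": {
                    "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
            },
            {   # 2. Anything that is not SSE-KMS (SSE-S3, or no header at all).
                "Sid": "RequireSSEKMS", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": arn,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # 3. SSE-KMS with any key other than ours, e.g. an attacker's
                #    key created with imported (foreign) key material.
                "Sid": "RequireOrgKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": arn,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }

def put_allowed(policy: dict, headers: dict) -> bool:
    """Any matching Deny wins. `headers` maps the condition-key names above to
    the values sent with the PutObject request (missing key -> not sent).
    Negated operators (StringNotEquals) match when the key is absent, as in IAM."""
    for stmt in policy["Statement"]:
        for op, clause in stmt["Condition"].items():
            for key, want in clause.items():
                have = headers.get(key)
                if op == "Null" and (have is None) == (want == "true"):
                    return False
                if op == "StringNotEquals" and have != want:
                    return False
    return True

if __name__ == "__main__":
    # Constructed placeholder key ARN, not a real key.
    policy = storage_hardening_policy("example-bucket",
        "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID")
    print(json.dumps(policy, indent=2))
```

Pair the policy with bucket versioning and Object Lock so that even an upload that passes it cannot silently overwrite the only copy of an object.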
Check out Brandon’s webcast for more information: “The Cloud Won’t Save You from Ransomware: Here’s What Will”, https://www.sans.org/webcasts/cloud-wont-save-you-from–from-heres-what-will/
Interested in additional tactics to mitigate attacks on the Big 3 cloud providers? Take Brandon’s course, SEC510: Cloud Security Controls and Mitigations, at SANS 2025 in Orlando or live online this April. Brandon will also teach the course in Baltimore, Maryland in June and in Washington, DC in July later this year.