Locking the Locks: How “RansomWhen” Unmasks the Identities Hijacking Your AWS S3 Buckets
RansomWhen is a tool that enumerates the identities able to lock S3 buckets using KMS, the precondition for a ransomware attack, and that detects occurrences of KMS-based S3 ransomware in CloudTrail.
Enumerating Identities
To enumerate the identities, the tool uses the JSON blob at scenarios/scenarios.json, which lists the privileges needed for each attack. That JSON is configurable and follows the format below: each scenario has a name and a list of events (IAM actions) to check.

```json
{
    "Create Locked Key and Encrypt Bucket using CopyObject": [
        "kms:CreateKey",
        "s3:PutBucketEncryptionConfiguration",
        "s3:CopyObject"
    ]
}
```
Each scenario is reported for an identity as one of:
- allowed, when every event in the scenario is allowed
- partially, when at least one (but not every) event in the scenario is allowed
- denied, when no event in the scenario is allowed
The scenarios shipped with the tool are:
- Attach Custom KMS Key Store
- Create Locked Key and Encrypt Bucket using CopyObject
- Create Locked Key and Encrypt Bucket using Get/Put Object
- Create Role, Add Inline Policy and Delete
- Create Role, Attach Inline Policy and Delete
- Create User, Add Inline Policy and Delete
- Create User, Attach Inline Policy and Delete
- Delete CloudTrail Trail
- Stop Logging
- Stop Logging using KMS
- Update Current Custom KMS Key Store
- Update Key Policy to Lock Key and Encrypt Bucket using CopyObject
- Update Key Policy to Lock Key and Encrypt Bucket using Get/Put Object
Finding malicious events
To find identities that have performed malicious events, the tool reads the JSON blob at scenarios/events.json. That file can also be configured, using the format below: each field of an event is set either to null (not checked) or to a value, written exactly as it is recorded in the CloudTrail logs.

```json
{
  "CreateKey": {
    "UserAgent": null,
    "Identity": null,
    "RequestParameters": null,
    "ResponseElements": null,
    "ErrorCode": null,
    "ErrorMessage": null,
    "EventSource": "kms.amazonaws.com"
  }
}
```
The events below are the ones checked in CloudTrail. As shown above, each event can be configured to match on specific indicators.

```
kms:CreateKey
kms:PutKeyPolicy
kms:ReEncrypt
kms:CreateCustomKeyStore
kms:UpdateCustomKeyStore
kms:ConnectCustomKeyStore
kms:DisconnectCustomKeyStore
kms:DeleteCustomKeyStore
s3:PutBucketEncryptionConfiguration
s3:CopyObject
s3:PutObject
s3:GetObject
iam:CreateUser
iam:DeleteUser
iam:CreateRole
iam:DeleteRole
iam:AttachUserPolicy
iam:PutUserPolicy
iam:AttachRolePolicy
iam:PutRolePolicy
cloudtrail:StopLogging
cloudtrail:DeleteTrail
cloudtrail:UpdateTrail
```
Running the tool then lists all identities (IAM users and roles) together with the events they have run over the last 90 days.
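The two checks described above (grading a scenario as allowed/partially/denied from an identity's permitted actions, and matching CloudTrail records against the null-is-wildcard event filters) as an added, self-contained example; this is not RansomWhen's own code, and it assumes the CloudTrail records have already been flattened into the field names used by events.json (a constructed representation, not the raw CloudTrail schema):

```python
import json

# Constructed sample in the scenarios.json format shown on this page.
SCENARIOS = json.loads("""{
    "Create Locked Key and Encrypt Bucket using CopyObject": [
        "kms:CreateKey",
        "s3:PutBucketEncryptionConfiguration",
        "s3:CopyObject"
    ]
}""")

# Constructed sample in the events.json format: null fields are wildcards,
# non-null fields must equal the corresponding field of the CloudTrail record.
EVENT_FILTERS = json.loads("""{
    "CreateKey": {
        "UserAgent": null, "Identity": null, "RequestParameters": null,
        "ResponseElements": null, "ErrorCode": null, "ErrorMessage": null,
        "EventSource": "kms.amazonaws.com"
    }
}""")

# Constructed records, already flattened to the events.json field names (assumption).
SAMPLE_RECORDS = [
    {"EventName": "CreateKey", "EventSource": "kms.amazonaws.com",
     "Identity": "arn:aws:iam::123456789012:user/example-user"},
    {"EventName": "PutKeyPolicy", "EventSource": "kms.amazonaws.com",
     "Identity": "arn:aws:iam::123456789012:role/example-role"},
]


def classify_scenario(allowed_actions, scenario_actions):
    """Grade one scenario exactly as the page defines it."""
    hits = sum(1 for action in scenario_actions if action in allowed_actions)
    if hits == len(scenario_actions):
        return "allowed"
    return "partially" if hits > 0 else "denied"


def classify_identity(allowed_actions, scenarios=SCENARIOS):
    """Map every scenario name to its grade for one identity's allowed actions."""
    allowed = set(allowed_actions)
    return {name: classify_scenario(allowed, acts) for name, acts in scenarios.items()}


def matches_filter(record, event_filter):
    """True when every non-null filter field equals the record's field."""
    return all(record.get(k) == v for k, v in event_filter.items() if v is not None)


def flag_records(records, filters=EVENT_FILTERS):
    """Return (identity, event name) pairs for records matching a configured event."""
    return [(r.get("Identity"), r["EventName"]) for r in records
            if r["EventName"] in filters and matches_filter(r, filters[r["EventName"]])]
```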
Install & Use