Amazon Web Services (AWS) Breach Incident Score: Analysis & Impact (AMA5032150112125)

In this Rankiteo incident briefing, we review the Amazon Web Services (AWS) breach identified under incident ID AMA5032150112125.

The analysis begins with a detailed overview of Amazon Web Services (AWS)'s information like the linkedin page: https://www.linkedin.com/company/amazon-web-services, the number of followers: 10479176, the industry type: IT Services and IT Consulting and the number of employees: 143678 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 804 and after the incident was 759 with a difference of -45 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Amazon Web Services (AWS) and their customers.

A newly reported cybersecurity incident, "Ransomware Operators Targeting AWS S3 Buckets with Cloud-Native Encryption Abuse", has drawn attention.

Cybersecurity researchers have warned about ransomware operators shifting focus from traditional on-premises targets to cloud storage services, particularly AWS S3 buckets.

The disruption is felt across the environment, affecting AWS S3 buckets.

In response, and began remediation that includes hardening S3 bucket configurations, enhancing encryption key management and monitoring for abnormal key rotation activities.

The case underscores how teams are taking away lessons such as Attackers are evolving tactics to abuse legitimate cloud services (e.g., encryption/key management) as perimeter defenses improve and Organizations must monitor cloud-native security controls beyond traditional perimeter protections, and recommending next steps like Implement strict access controls and encryption key management policies for S3 buckets, Monitor for unusual key rotation or encryption activities in cloud environments and Adopt zero-trust principles for cloud storage services.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (85%), supported by evidence indicating entry point such as misconfigured S3 buckets, compromised cloud credentials. Under the Persistence tactic, the analysis identified Account Manipulation: SSH Authorized Keys (T1098.004) with moderate to high confidence (70%), supported by evidence indicating abuse of cloud-native encryption and key management services (e.g., encryption management, key rotation). Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable Cloud Logs (T1562.001) with moderate to high confidence (75%), supported by evidence indicating harder to distinguish malicious activity from legitimate administrative actions and Impair Defenses: Disable or Modify Cloud Firewall (T1562.008) with moderate to high confidence (70%), supported by evidence indicating abuse of cloud-native encryption and key management services. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (95%), with evidence including abuse of cloud-native encryption to render data unrecoverable, and manipulating built-in AWS capabilities like key rotation and encryption controls and Data Destruction (T1485) with moderate to high confidence (85%), supported by evidence indicating render data permanently unrecoverable. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Private Keys (T1552.004) with moderate to high confidence (80%), with evidence including weak encryption key management practices, and compromised cloud credentials. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (80%), supported by evidence indicating abuse of cloud-native encryption and key management services. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.