Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets

By Bleon Proko

Elevator Pitch

Ransomware is tough. It’s hard on the target, but harder for the attacker: the logistics of downloading, storing, locally encrypting and re-uploading the data, all while not getting caught. So, like everybody else these days, let’s pay a cloud service to do the job. Let’s turn a feature into a weapon.

Description

A successful ransomware attack is the culmination of numerous steps taken by an attacker: gaining initial access to the victim’s environment, identifying sensitive data, exfiltrating it, encrypting the original data, re-uploading it, deleting the original plaintext, asking for ransom, playing poker on shady websites to launder the money, etc. Long story short, ransomware is tough. It’s tough for the target to deal with, but much harder for the attacker. The logistics of attacking, storing the data, encrypting it locally, uploading it, and not getting detected while doing so: it’s a mess. So, as everybody does these days, let’s pay for a cloud service to get the job done.

This talk will outline how an attacker can abuse the principle of least privilege on KMS keys to encrypt the data in the target’s buckets, making it inaccessible. We will see how effective least privilege can be when done right, and how very few can access a resource once access is denied. The talk follows a hypothetical attacker with limited funds who locks the data inside a bucket, inside the target’s infrastructure, using the target’s own identities, leaving the target with nothing it can do against it. We will show several techniques one can use, their benefits, how they can be prevented or nullified, and how to follow each with a better one that works.

The talk will also provide blue teamers with techniques they can use to prevent, detect and nullify these attacks and better secure their cloud environments. All of it will be followed by small demos for both attackers and defenders.
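One defender-side check the description points to, added here as an example and not part of the talk or its demos: flag objects in a bucket whose SSE-KMS key lives in another AWS account, since the bucket owner cannot decrypt those. The account id, object names and metadata below are constructed; in practice the pairs would come from boto3 list_objects_v2 and head_object, and a key inside the victim's own account with a lockout key policy needs a separate key-policy review that this check does not do.

```python
"""Flag S3 objects whose SSE-KMS key belongs to another AWS account.

Added example for the KMS-based ransomware scenario described above.
Inputs are constructed dicts shaped like boto3's head_object response;
in practice feed the loop from s3.list_objects_v2 + s3.head_object.
"""
import re

OWN_ACCOUNT = "111111111111"  # placeholder: the victim's own account id

# S3 reports SSE-KMS keys as full key ARNs: arn:aws:kms:<region>:<account>:key/<uuid>
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)


def kms_key_account(key_arn):
    """Return the 12-digit account id in a KMS key ARN, or None if it does not parse."""
    m = KMS_KEY_ARN.match(key_arn or "")
    return m.group("account") if m else None


def find_foreign_kms_objects(own_account, objects):
    """objects: iterable of (key_name, head_object_response) pairs.

    Returns names of objects encrypted with SSE-KMS whose key ARN is in a
    different account (or cannot be parsed), which is the state a KMS-based
    ransomware leaves behind. SSE-S3 ('AES256') and unencrypted objects are
    treated as safe here because the bucket owner can still read them.
    Same-account keys with a lockout key policy are NOT caught by this check.
    """
    suspicious = []
    for name, head in objects:
        if head.get("ServerSideEncryption") != "aws:kms":
            continue
        if kms_key_account(head.get("SSEKMSKeyId")) != own_account:
            suspicious.append(name)
    return suspicious


# Constructed sample metadata, not real head_object output.
SAMPLE_OBJECTS = [
    ("reports/q1.csv", {"ServerSideEncryption": "aws:kms",
                        "SSEKMSKeyId": "arn:aws:kms:us-east-1:111111111111:key/12345678-1234-1234-1234-123456789abc"}),
    ("reports/q2.csv", {"ServerSideEncryption": "aws:kms",
                        "SSEKMSKeyId": "arn:aws:kms:us-east-1:999999999999:key/abcdefab-abcd-abcd-abcd-abcdefabcdef"}),
    ("logo.png", {"ServerSideEncryption": "AES256"}),
]

if __name__ == "__main__":
    for name in find_foreign_kms_objects(OWN_ACCOUNT, SAMPLE_OBJECTS):
        print("object encrypted under a key outside the account:", name)
```

Pair this with a bucket policy that denies PutObject when the supplied KMS key is not one of the account's own keys, so the state this script detects cannot be created in the first place.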