The Clop ransomware gang executed a data theft and extortion campaign by targeting organizations’ cloud storage environments. The attackers exploited a zero-day vulnerability in the GoAnywhere MFT (Managed File Transfer) secure file transfer tool to gain initial access to victims’ networks.
Security researchers at Sophos reported that after compromising the GoAnywhere MFT servers, which were often hosted on Amazon Web Services (AWS) EC2 instances, the attackers obtained AWS access keys. These keys were associated with EC2 instance profiles, granting them programmatic access to other AWS services belonging to the victim organization.
Anatomy of the S3 Bucket Attack
Once the Clop operators acquired the AWS access keys, they used them to access and control the victims’ Amazon S3 storage buckets. The attackers deployed scripts that systematically iterated through the S3 buckets, copying the stored data to their own attacker-controlled systems. This process constituted a massive data exfiltration event.
After successfully exfiltrating the data, the attackers’ scripts proceeded to delete the original files and folders from the victims’ S3 buckets. This steal-and-delete tactic effectively holds the data hostage, as the victims lose access to their original copies stored in the cloud. The attackers then left ransom notes demanding payment to prevent the public release of the stolen information.
A Shift in Ransomware Tactics
This campaign marks a departure from traditional ransomware attacks that focus on encrypting files on local networks and servers. Instead of deploying encryptors, the Clop group focused entirely on data exfiltration and deletion within the cloud environment. The campaign targeted over 130 organizations that used the vulnerable GoAnywhere MFT software.
The entire operation, from exfiltration to deletion, was automated using scripts. Analysis of these tools revealed their specific purpose was to list all S3 buckets, copy the contents, and then permanently remove the original data. This direct attack on cloud data storage represents a documented evolution in ransomware gang operations.
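As an added detection example for the list, copy and delete sequence described in the two sections above (not code from the original article, from Sophos, or from the attackers), the Python below flags a credential whose CloudTrail activity enumerates buckets, reads objects from several of them, and then deletes objects from the same buckets. The sample records, access key IDs, bucket names and thresholds are constructed assumptions, and the `ec2RoleDelivery` field is used as a marker that the credential was issued to an EC2 instance profile.

```python
from collections import defaultdict


def _ev(t, name, bucket=None, key="ASIA_EXAMPLE_INSTANCE", ec2=True):
    """Build a constructed CloudTrail-shaped record (only the fields used below)."""
    ident = {"accessKeyId": key, "sessionContext": {}}
    if ec2:  # CloudTrail sets this when creds came from the instance metadata service
        ident["sessionContext"]["ec2RoleDelivery"] = "2.0"
    rec = {"eventTime": t, "eventName": name, "userIdentity": ident}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return rec


# Constructed sample: one instance-profile credential lists, reads, then deletes
# across two buckets; a second credential shows ordinary single-bucket reads.
SAMPLE_EVENTS = [
    _ev("2023-03-01T02:00:01Z", "ListBuckets"),
    _ev("2023-03-01T02:00:05Z", "GetObject", "finance-archive"),
    _ev("2023-03-01T02:00:06Z", "GetObject", "finance-archive"),
    _ev("2023-03-01T02:00:09Z", "GetObject", "hr-records"),
    _ev("2023-03-01T02:00:12Z", "DeleteObject", "finance-archive"),
    _ev("2023-03-01T02:00:13Z", "DeleteObject", "finance-archive"),
    _ev("2023-03-01T02:00:15Z", "DeleteObject", "hr-records"),
    _ev("2023-03-01T02:01:00Z", "GetObject", "app-assets", key="ASIA_EXAMPLE_APP"),
]


def find_steal_and_delete(events, min_buckets=2, min_deletes=3):
    """Return {accessKeyId: summary} for credentials that listed buckets, read from
    at least min_buckets buckets and deleted at least min_deletes objects from
    buckets they had just read. Thresholds are assumptions to tune per account."""
    by_key = defaultdict(lambda: {"listed": False, "read": set(),
                                  "deleted": set(), "deletes": 0, "ec2": False})
    for e in events:
        ident = e["userIdentity"]
        s = by_key[ident["accessKeyId"]]
        s["ec2"] = s["ec2"] or "ec2RoleDelivery" in ident.get("sessionContext", {})
        bucket = e.get("requestParameters", {}).get("bucketName")
        name = e["eventName"]
        if name == "ListBuckets":
            s["listed"] = True
        elif name == "GetObject" and bucket:
            s["read"].add(bucket)
        elif name in ("DeleteObject", "DeleteObjects") and bucket:
            s["deleted"].add(bucket)
            s["deletes"] += 1
    return {k: s for k, s in by_key.items()
            if s["listed"] and len(s["read"]) >= min_buckets
            and s["deletes"] >= min_deletes and s["read"] & s["deleted"]}
```

Against a real trail, feed it the `Records` array from the delivered JSON files; a hit whose `ec2` flag is set is a strong signal that an instance profile's credentials are being driven from outside the application that owns them.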