In light of recent news about the new Codefinger ransomware, Kaspersky Digital Footprint Intelligence has revealed a significant number of AWS-related credentials exposed on the dark web. The findings highlight that many users are potentially at risk from a new campaign, as compromised or publicly disclosed AWS keys (in other words, credentials) can serve as entry points for cyberattacks.
In the first two weeks of January 2025 alone, over 100 unique accounts for the AWS platform were compromised and published on the dark web. Over a longer period, Kaspersky observed more than 18,000 compromised credentials linked to “console.aws.amazon.com”, where system access keys are managed; over 126,000 accounts associated with “portal.aws.amazon.com”; and more than 245,000 accounts tied to “signin.aws.amazon.com”. These resources provide access to AWS in different ways.
Such compromises often result from the activity of data stealers – malicious software designed to harvest sensitive information. In the statistics described above, the most frequently used stealers were Lumma and RedLine.
Although the scale of compromised AWS credentials is alarming, these risks are manageable through proactive security practices. Users should exercise caution when downloading files from untrusted or unknown sources, ensure all devices are protected with robust and up-to-date security solutions, and avoid sharing sensitive information publicly. Maintaining separate credentials for different services and enabling multi-factor authentication (MFA) are critical steps for enhancing security.
Organisations can also take proactive measures by scanning the dark web for exposed credentials and immediately changing any that are found to be compromised. Regularly updating passwords and access keys, combined with the use of password management tools, is a good practice for bolstering defenses. Additionally, adopting role-based access management and adhering to the principle of least privilege can minimise the impact of potential breaches.
By following these recommendations, users and organisations can significantly reduce the likelihood of falling victim to threats like Codefinger and similar attacks.