Security

Unsecured Amazon S3 buckets are prime cloud target for ransomware attacks

Thousands of S3 buckets are incorrectly configured as being publicly writable, making them easy to exploit.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Security researchers are dropping notes in publicly writable S3 buckets to inform owners that their configuration leaves them vulnerable to attack.
  • Amazon has provided free access to the S3 bucket permissions checker in AWS Trusted Advisor for all users in response to this issue.

Misconfigured S3 buckets are a too-common problem among Amazon Web Services (AWS) users, and security researchers are taking notice. Noted security researcher Kevin Beaumont has warned that publicly writable S3 buckets could be used by criminals in ransom attacks, similar to how tens of thousands of MongoDB instances were targeted last year.

Given the nature of ransomware attacks, and the massive amount of data that can be stored in S3 buckets, it is unlikely to be cost-efficient for hackers to copy data to restore to affected users who actually pay a ransom. As such, the likelihood of being able to retrieve data in the event that a ransom is paid is rather low—making this type of attack a "false ransom."

Security researcher Robbie Wiggins has been running a script which inserts a file named "POC.txt" in buckets erroneously configured to be publicly writable. Wiggins claimed in a tweet that the note has been left in 5260 buckets thus far. The BBC reported that almost 50 such warnings have been found in systems controlled by the organization. In a statement to the BBC, Wiggins noted that, of the buckets identified so far, "Lots of buckets appear to [have] been abandoned and forgotten about."

SEE: Comparison chart: Virtualization platforms (Tech Pro Research)

Just in the past six months, documents have been exfiltrated from unprotected S3 buckets belonging to Verizon, the NSA, the US Military, French marketing company Octoly, and analytics firm Alteryx, which included data from credit reporting bureau Experian and the US Census Bureau.

Josh Mayfield, director at enterprise security firm FireMon, stated that "AWS will likely see a sizable ransomware attack in the coming months, not due to any flaws in AWS security, but because of misconfigurations. There is a persistent belief that since the infrastructure is a 'service' (IaaS), then the responsibility falls to the IaaS provider to secure their systems."

Mayfield also noted that "AWS has gone through painstaking security development to bring the most robust controls you can have with a public cloud. Still, AWS users consistently fail to configure those controls."

In an effort to mitigate potential issues, Amazon announced this week that the bucket permissions check in AWS Trusted Advisor is now free for all users. The utility was previously available only to Business and Enterprise support customers. Given that the aforementioned groups who had documents stolen from publicly accessible S3 buckets would have logically been in those support tiers to begin with, Mayfield's claim that users fail to proactively configure these settings rings true.

Also see

cloudbox.jpg
Image: iStockphoto/BrianAJackson

About James Sanders

James Sanders is a Writer for TechRepublic. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.

Editor's Picks

Free Newsletters, In your Inbox