Threat of Ransomware Lurks in Amazon S3 Buckets

New research from cloud security firm Ermetic shows that nearly all businesses have identities that, if compromised, would place at least 90 percent of the S3 buckets in their AWS account at risk.

Ermetic conducted the study to determine the circumstances that would allow ransomware to make its way to Amazon S3 buckets. The research revealed a very high potential for ransomware in organizations’ environments.

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers scalability, data availability, security, and performance. Customers of all sizes and industries can use it to store and protect any amount of data for a range of use cases, according to Amazon. These use cases include data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics.

Amazon S3 provides easy-to-use management features so subscribers can organize data and configure finely-tuned access controls to meet specific business, organizational, and compliance requirements. Amazon S3 is designed for 99.9 percent (11 9’s) of durability, and stores data for millions of applications for companies all around the world, Amazon claims.

AWS S3 buckets are considered highly reliable and are used with great confidence. But cloud security stakeholders do not realize that S3 buckets face a great security risk from an unexpected source: identities, wrote Lior Zatlavi, senior cloud architect at Ermetic in discussing the company’s white paper report “New Research: The Threat of Ransomware to S3 Buckets” in his October report.

“A compromised identity with a toxic combination of entitlements can easily perform ransomware on an organization’s data,” he wrote.

Results Highlights

Researchers looked for identities with permissions that had the ability and lacked effective mitigation and exposure to a risk factor. Those conditions allowed attackers to perform ransomware on at least 90 percent of the S3 buckets in an AWS account.

The results revealed high potential for ransomware penetration when not using AWS mitigation controls. The findings include:

  • Every environment sampled had at least one AWS account in which an identity — and often many more than one — met the above criteria.
  • In more than 70 percent of environments, EC2 instances met the above criteria, with the risk factor being public exposure to the internet.

Moreover, the permissions that granted access to the buckets were excessive. They could have been significantly reduced without hurting business operations by simply removing the unnecessary permissions.

  • In over 45 percent of environments, IAM (identity and access Management) roles were available for third-party use that were allowed to elevate their privileges to admin.
  • This finding is incredible and horrific for cloud security reasons beyond ransomware. It means that the S3 buckets in the environment were exposed to ransomware.
  • In more than 95 percent of environments, IAM users met the above criteria with the risk factor being access keys that were enabled but unrotated for 90 days.
  • In almost 80 percent of environments, IAM users met the above criteria with the risk factor being access keys enabled but inactive for more than 180 days.
  • In nearly 60 percent of environments, IAM users that met the above criteria with the risk factor being console access that was enabled but without a requirement to use MFA at login.

Over 96 percent of environments had inactive IAM roles, and almost 80 percent of environments had inactive IAM users that met the above criteria.

Alarming Results

These findings focus on “smash and grab” operations involving a single, compromised identity. They reveal a grave situation, according to Zatlavi.

“In targeted campaigns, bad actors may move laterally to compromise multiple identities and use their combined permissions, greatly improving their ability to execute ransomware,” he explained.

In short, based on the samples researched, millions of enterprises currently using S3 as reliable data storage are in danger of ransomware attacks. The high possibility of exposure to even simple ransomware operations is a clear call to action for cloud security stakeholders to take mitigating steps, he cautioned.

AWS S3 has long become a standard for storing file object data. Despite the many efforts in making S3 secure, security monitoring continues to see data in private buckets exposed or exploited in novel ways, offered Erkang Zheng, founder and CEO at JupiterOne.

“Just how many ways can I trip over my own buckets and spill the data? The short answer is far too many,” he told TechNewsWorld.

Cloud services today are built almost completely on third-party tools. Think of CI/CD roles, monitoring tools, platform services for data stores, lambdas, and ML. All have a thin shim of a business’s specific identities, added Mohit Tiwari, co-founder and CEO at Symmetry Systems.

“These identities can write to data and hence can obviously ransomware the data as well. This fact alone likely explains the number of risky sounding identities in the report,” he told TechNewsWorld.

Mixed Bag of Bucket Threats

Security experts have seen a significant uptick recently in open S3 buckets being compromised simply because of misconfiguration. If users cannot even set up a basic, secure cloud bucket with proper encryption and authorization and authentication, we will be even worse at securing actual vulnerabilities in the data storage systems themselves, observed Zheng.

“While AWS secures the infrastructure behind the scenes, they also make it very flexible for you to configure the resources and their access. Understanding this flexibility and applying controls properly is your responsibility. However, this amount of flexibility can sometimes get in the way and complicate things. That’s why I have long been an advocate of using a graph data model and automated data analysis to assist,” he said.

Knowing what cyber assets exist at a given moment in time is difficult due to the ephemeral nature of cloud infrastructure, he added. Organizations need continuous monitoring of their cyber assets to deliver the vigilance required to stop these accidental disclosures from happening in the future.

The S3 buckets to which the identities had access were not protected by effective, out-of-the-box AWS features for mitigating the exposure, according to Ermetic’s Zatlavi.

Third parties alone are not risky. First-party identities can be phished or exploited and be risky. Numbers will likely show that OWASP (Open Web Application Security Project) attacks and phished identities have been extremely durable threats, Tiwari said.

“Finally, reports that create fear, uncertainty, and doubt about cloud IAM belie the fact that by providing an open, programmable interface for permissions, the cloud enables the best security tools to scale organization-wide. Organizations that embrace security automation — and start with what matters, their data — will find the cloud to be far more secure than crusty on-premises environments,” he suggested.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Cybersecurity

Technewsworld Channels