Threat Actors Leveraging Misconfigurations As Attack Vectors

Introduction

Amazon Simple Storage Service, also known as Amazon S3, is a widely used cloud service provided by Amazon Web Services that offers object storage via a web service interface. The storage containers are referred to as “buckets,” and the files contained within these are referred to as “objects.” S3 offers limitless storage for each bucket, which owners may employ to store the files. 

Several enterprises with varying degrees of business requirements rely on cloud services such as Amazon Web Services (AWS). While, AWS has been advising best practices for securing the data storage and data accessibility, the security community has frequently pointed out serious misconfigurations during the implementation of the AWS environment by the enterprises.

Exploitation using Open-Source

We observed several methods and open-source tools for scanning and determining S3 buckets during our research. Once the attacker has a dataset of S3 Buckets resources for the target, they can use various misconfigurations resulting in unauthorized access and modification of data, resulting in two different outcomes:

• Obtain access to files in the list of targeted S3 buckets exposed in public.
• Write/upload files to the unprotected S3 bucket; the attacker can also modify access privileges to all objects and manipulate the file content.

The attackers generally leverage Google Dorking Technique to create custom-crafted search queries targeting an organization that might fetch them confidential data and sensitive information, including Personally Identifiable Information (PII) and Protected Health Information (PHI).

While investigating the scope of the breach via S3 misconfiguration, Cyble Researchers also came across multiple exposures which contained sensitive company information. Figures 1 and 2 display a few of such files exfiltrated from S3 buckets. These exposed buckets belonged to the two different impacted organizations and exposed their internal budget and monetary expenses information into the public. Sensitive information such as financial data was most likely intended to remain confidential.

Related Threat Activities in Cybercrime Forums

Cyble Research Labs has recently observed several threat actors that leveraged the AWS S3 misconfigurations to conduct data breaches to sell on the cybercrime forums. We’ve listed some examples of notable threat activity that we observed are:

In June 2022, a threat actor active on an English-language forum offered to sell data exfiltrated from an Indian insurance company. Our analysis led us to believe that the breached data was apparently hosted on an Amazon Simple Storage Service (S3) connected to the standard endpoint for the Asia Pacific (Mumbai) region at the s3.ap-south-1.amazonaws.com and were apparently susceptible to exposure on the internet probably due to the misconfigurations.

Subsequently, the same threat actor also offered to sell a database belonging to an investment solutions firm based in India. The data alleged consisted of Personally Identifiable Information (PII) database such as name, address, permanent account number, bank name, phone number, email address, and other portfolio details.

A few days after the TA’s claims, the impacted organization confirmed that the breached data was likely due to exposure of one of the S3 bucket instances in their AWS environment.

Countermeasures

Our basic recommendations for the industry-wise enterprises to avoid breaches caused by the S3 misconfigurations are as follows:

• Implementing least privilege policies using Identity and Access Management (IAM) might help the enterprise AWS environment stay safe and secure from potential breaches.
• Enabling recommended encryption standards for the S3 buckets to protect the data.
• Creating policies to track misconfigured S3 buckets. [An article published by VMware explains the process of creating policies to be on the lookout for misconfigured S3 buckets].
• Regular audits over the technology workflow process in an effort to identify any possible loopholes in the process.
• Enterprises are also advised to implement Digital Risk Protection Services (DRPS) program to monitor their infrastructure at potential risk.

Conclusion

Our research suggests that the cybercriminals, including less-sophisticated or novice threat actors, continue to proactively explore S3 buckets exposed to the public using various open-source tools and techniques to further leverage them. Our findings also revealed an ongoing trend on cybercrime forums targeting various industries including banking and finance leveraging AWS S3 Bucket misconfigurations.

Enterprises should keep this in mind while configuring their AWS infrastructure for their business requirements. We will continue to identify threat activities in the cybercrime forums to keep an eye on this ongoing trend.