Hackers can exploit exposed Amazon S3 buckets to carry out silent Man-in-the-Middle attacks or other hacks on a company's customers or internal staff.
Codenamed GhostWriter, the technique relies on an attacker scanning the Internet and identifying misconfigured S3 buckets that not only have been left exposed online for anyone to view, but the server owner has also forgotten to restrict write access.
Attackers can leverage these S3 configuration mishaps to replace original files with modified versions that they use for nefarious purposes.
Sarukkai details one of these attacks. For example, if an attacker finds an exposed S3 bucket with write access belonging to a news agency, the attacker could replace ad code and redirect revenue to his account or intercept and redirect subscription payments.
The GhostWriter technique Sarukkai describes is most dangerous when used as a means to carry out a Man-in-the-Middle attack and intercept incoming traffic.
The attack is stealthy and hard to pick up, as it relies on the trust most organizations put in cloud providers.
GhostWriter can be used against both a company's end users and employees alike, allowing attackers a way to go after the company's customers, or hack its internal network and search for more sensitive data. One misconfigured S3 bucket is all it takes.
Sadly, these types of attacks are not theoretical. Earlier this year, a Chinese cyber-espionage group took aim at cloud providers. The group compromised cloud providers in order to have an avenue to reach deep inside their targets' internal networks, leveraging the fact that most companies use cloud-based services for operations like document sharing, Intranet applications, human resource management, and more.
While it's not confirmed that the Chinese hackers used a GhostWriter attack — and most likely didn't — the effects of a GhostWriter incident are the same, and attackers that find an exposed S3 bucket can carry out similar attacks and reach deep inside other companies by replacing files and executing silent MitM attacks on incoming traffic.
Speaking to Bleeping Computer, security researcher Dylan Katz also pointed out that the attack is eerily similar to how Russian cyber-espionage group APT28 (DNC hackers) often replace legitimate files on shared directories with malware-laced documents.
In a scan of over 1,600 Amazon S3 buckets accessed from inside enterprise networks, Skyhigh said that 4% were vulnerable to GhostWriter attacks, allowing remote unauthenticated users to write content to the bucket.
Previous research by the same company released in September also discovered that 7% of all Amazon S3 buckets are exposed to remote users, allowing anyone to view their content.
"I think S3 buckets have the same issue MongoDB has," Katz told Bleeping in a private conversation. "Admins expect them to be secure by default, and there's not enough clarity in warnings or documentation to prevent user error. If there's an easy way to set something up, people will use it, even if it's less secure."
And Katz is right, as misconfigured S3 buckets have been behind quite a few leaks in recent months.
Now imagine if hackers had also had write access to these servers, not just the possibility to view and download files. One misconfigured S3 bucket is all it takes.
Companies that want to avoid GhostWriter attacks or other leaks due to misconfigured S3 buckets should review the following Amazon documentation pages and make sure they fully understand their S3 buckets' permission levels:
In addition, Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, also has a simple guide on how to secure Amazon S3 buckets.
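The advice above is to review bucket permissions. As an added example (not code from the article, Skyhigh, Trend Micro or AWS), the Python helper below flags the ACL grants and bucket-policy statements that give anonymous or any-account principals write access, i.e. the precondition GhostWriter needs; it runs on constructed sample inputs shaped like the dicts boto3 returns from get_bucket_acl and a json-parsed get_bucket_policy.

```python
# Flags the public-write grants that GhostWriter relies on. Input shapes match
# boto3 get_bucket_acl() and a json-parsed bucket policy; samples are constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def acl_public_write(acl):
    """(group URI, permission) for every grant letting anyone write objects or the ACL."""
    hits = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in (ALL_USERS, AUTH_USERS):
            if grant.get("Permission") in WRITE_PERMS:
                hits.append((g["URI"], grant["Permission"]))
    return hits

def _public_principal(principal):
    # "*" or {"AWS": "*"} (also "*" inside an AWS list) means any principal at all.
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def policy_public_write(policy):
    """(Sid, risky actions) for Allow statements giving any principal write/delete."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        risky = [a for a in actions if a.lower() in ("*", "s3:*")
                 or a.lower().startswith(("s3:put", "s3:delete"))]
        if risky:  # statements carrying a Condition are reported too; review them by hand
            hits.append((stmt.get("Sid", ""), risky))
    return hits

# Constructed sample: the READ grant is a plain leak; the WRITE grant and the upload statement are the GhostWriter case.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]}
```

Feed the functions the live output of get_bucket_acl and the parsed Policy string from get_bucket_policy for each bucket in an account to get the same check over real configuration; an empty result from both means no anonymous write path through the ACL or the bucket policy.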