GhostWriter

Hackers can exploit exposed Amazon S3 buckets to carry out silent Man-in-the-Middle attacks or other hacks on a company's customers or internal staff.

Codenamed GhostWriter, the technique relies on an attacker scanning the Internet and identifying misconfigured S3 buckets that not only have been left exposed online for anyone to view, but the server owner has also forgotten to restrict write access.

GhostWriter - replacing legitimate files with malicious ones

Attackers can leverage these S3 configuration mishaps to replace original files with modified versions that they use for nefarious purposes.

"Bucket owners who store JavaScript or other code should pay particular attention to this issue to ensure that 3rd parties don’t silently overwrite their code for drive-by attacks, Bitcoin mining, or other exploits," said Sekhar Sarukkai, Chief Scientist at Skyhigh Networks.

Sarukkai details one of these attacks. For example, if an attacker finds an exposed S3 bucket with write access belonging to a news agency, the attacker could replace ad code and redirect revenue to his account or intercept and redirect subscription payments.

GhostWriter MitM attack

GhostWriter is a stealthy method of hacking companies

The GhostWriter technique Sarukkai describes is most deadly when used as a means to carry out Man-in-the-Middle attack and intercept incoming traffic.

The attack is stealthy and hard to pick up, as it relies on the trust most organizations put in cloud providers.

GhostWriter can be used against both a company's end users and employees alike, allowing attackers a way to go after the company's customers, or hack its internal network and search for more sensitive data. One misconfigured S3 bucket is all it takes.

Cloud servers are high-value targets

Sadly, these types of attacks are not theoretical. Earlier this year, a Chinese cyber-espionage group has taken aim at cloud providers. The group compromised cloud providers in order to have an avenue to reach deep inside their targets' internal networks, leveraging on the fact that most companies use cloud-based services for tasks on operations like document sharing, Intranet applications, human resource management, and more.

While it's not confirmed that the Chinese hackers used a GhostWriter attack — and most likely didn't — the effects of a GhostWriter incident are the same, and attackers that find an exposed S3 bucket can carry out similar attacks and reach deep inside other companies by replacing files and executing silent MitM attacks on incoming traffic.

Speaking to Bleeping Computer, security researcher Dylan Katz also pointed out that the attack is eerily similar to how Russian cyber-espionage group APT28 (DNC hackers) often replace legitimate files on shared directories with malware-laced documents.

In a scan of over 1,600 Amazon S3 buckets accessed from inside enterprise networks, Skyhigh said that 4% were vulnerable to GhostWriter attacks, allowing remote unauthenticated users to write content to the bucket.

Previous research by the same company released in September also discovered that 7% of all Amazon S3 buckets are exposed to remote users, allowing anyone to view their content.

Humans are to blame, as usual

"I think S3 buckets have the same issue MongoDB has," Katz told Bleeping in a private conversation. "Admins expect them to be secure by default, and there's not enough clarity in warnings or documentation to prevent user error. If there's an easy way to set something up, people will use it, even if it's less secure."

And Katz is right, as misconfigured S3 buckets have been behind quite a few leaks in recent months.

⬨ Top defense contractor Booz Allen Hamilton leaks 60,000 files, including employee security credentials and passwords to a US government system.
⬨ Verizon partner leaks personal records of over 14 million Verizon customers, including names, addresses, account details, and for some victims — account PINs.
⬨ An AWS S3 server leaked the personal details of WWE fans who registered on the company's sites. 3,065,805 users were exposed.
⬨ Another AWS S3 bucket leaked the personal details of over 198 million American voters. The database contained information from three data mining companies known to be associated with the Republican Party.
Another S3 database left exposed only leaked the personal details of job applications that had Top Secret government clearance.
Dow Jones, the parent company of the Wall Street Journal, leaked the personal details of 2.2 million customers.
⬨ Omaha-based voting machine firm Election Systems & Software (ES&S) left a database exposed online that contained the personal records of 1.8 million Chicago voters.
⬨ Security researchers discovered a Verizon AWS S3 bucket containing over 100 MB of data about the company's internal system named Distributed Vision Services (DVS), used for billing operations.
⬨ An auto-tracking company leaked over a half of a million records with logins/passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships.
⬨ An S3 bucket leaked data of thousands of Australian government and bank employees.

Now imagine if hackers would have also had write access to these servers, not just the possibility to view and download files. One misconfigured S3 bucket is all it takes.

Companies that want to avoid GhostWriter attacks or other leaks due to misconfigured S3 buckets, should review the following Amazon documentation pages and make sure they fully understand their S3 server's permissions level:

In addition, Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, also has a simple guide on how to secure an Amazon S3 buckets.

Image credits: Cristiano Zoucas, Sahua D, Bleeping Computer, Skyhigh Networks