Misconfigured Amazon S3 Buckets Vulnerable to Man-in-the-Middle Attacks

Threat actors can leverage misconfigured Amazon S3 buckets that allow public write access to perform Man-in-the-Middle (MitM) attacks. This attack vector, dubbed GhostWriter by Skyhigh researchers, gives a threat actor the opportunity to replace original files stored in the misconfigured bucket with modified or malicious versions, replace code so that revenue is redirected to the threat actor's account, or intercept and redirect subscription payments. Bucket administrators who host JavaScript code in publicly writable cloud storage run the risk of having that code overwritten with scripts designed to conduct malicious activity such as drive-by attacks and cryptocurrency mining. Because GhostWriter can be used to gain access to an organization's internal network, these bucket misconfigurations potentially expose sensitive employee and customer data to unauthorized access and leave the organization liable for the costs and reputational damage resulting from a data breach.

This weakness stems from human error rather than a software or hardware vulnerability: researchers found that more than 1,600 S3 buckets are accessed from within enterprise networks, and about 4 percent of those were exposed to GhostWriter due to misconfiguration. Financially motivated actors and state-sponsored advanced persistent threat (APT) groups have begun targeting Amazon S3 buckets and other cloud storage containers to gain access to private networks and valuable data. It is vital that S3 buckets are configured using the most secure settings available to avoid this and similar attacks. The NJCCIC recommends that Amazon cloud storage customers review both Skyhigh's report on GhostWriter and Amazon's resource guide, apply the recommended configurations, and regularly audit their security settings to maintain the confidentiality and integrity of their data.
To help administrators quickly locate and secure misconfigured, publicly accessible Amazon S3 buckets, Kromtech Security has released a free tool, dubbed the Kromtech S3 Inspector. More information about this tool, including a link to download it, is available here. The NJCCIC makes no claim as to the effectiveness of this tool, and users are advised to exercise caution when downloading and installing any software from the internet. Additionally, Amazon has just released new S3 security features, including default encryption, permission checks, and an update to the AWS dashboard that warns administrators of exposed buckets.
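As an added illustration of the audit the alert recommends (this is example code, not from the NJCCIC, Skyhigh, Kromtech or Amazon), the following Python checks a bucket's ACL and bucket policy for the public write grants that GhostWriter depends on. It assumes the dict shapes that boto3's get_bucket_acl and get_bucket_policy return (the policy document JSON-decoded) and uses constructed sample data in place of live API calls.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # both are "anyone" from a defender's view
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # permissions that allow overwriting objects

def public_write_grants(acl: dict) -> list:
    """ACL grants that give AllUsers/AuthenticatedUsers a write-capable permission."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits

def _as_list(value):
    return value if isinstance(value, list) else [value]  # policy fields may be scalar or list

def _is_write_action(action: str) -> bool:
    a = action.lower()  # catches "s3:*", "s3:Put*" and explicit Put/Delete actions
    return a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete"))

def public_write_statements(policy: dict) -> list:
    """Sids of Allow statements with a wildcard principal and a write-capable action."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        is_public = principal == "*" or (isinstance(principal, dict)
                                         and "*" in _as_list(principal.get("AWS", [])))
        if (st.get("Effect") == "Allow" and is_public
                and any(_is_write_action(a) for a in _as_list(st.get("Action", [])))):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

# Constructed sample data; live values come from get_bucket_acl() and json.loads(get_bucket_policy()["Policy"]).
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},   # public read: not flagged here
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},  # public write: anyone can overwrite
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-bucket/*"},
]}

if __name__ == "__main__":
    print("ACL public write grants:", public_write_grants(SAMPLE_ACL))
    print("Policy public write statements:", public_write_statements(SAMPLE_POLICY))
```

Public read alone is a deliberate static-hosting setting and is not reported; any grant or statement flagged by these functions lets an unauthenticated party replace the bucket's contents.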