Amazon AWS Servers Might Soon Be Held for Ransom, Similar to MongoDB

Haythem Elmir

Amazon AWS S3 cloud storage servers might soon fall victim to ransom attacks, similar to how hacker groups held tens of thousands of MongoDB databases for ransom throughout 2017.

The statement, made today on social media by infosec expert Kevin Beaumont, is nothing short of a prophecy of things to come, an opinion shared by many security professionals to whom Bleeping Computer spoke today.

Amazon AWS S3 known to leak data

Amazon AWS S3 storage servers leaked data throughout 2017 and were behind some of the most notable data leaks of that year, including exposures at the NSA, the US Army, analytics providers, and more.

Those incidents happened because companies left data in publicly-readable S3 buckets ("bucket" being the term for an S3 storage unit). In most cases, that data was found by security researchers who then helped the companies secure their systems, but attackers could just as easily have reached these files first.

However, there is also a category of S3 buckets that is even more dangerous than publicly-readable ones: publicly-writeable buckets, which allow any user, with or without an AWS account, to write or delete data in the bucket. A Skyhigh Networks report from September 2017 found that 7% of all Amazon AWS S3 buckets were publicly-writeable.
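Public write access comes from one of two places: an ACL grant to the AllUsers or AuthenticatedUsers group with WRITE or FULL_CONTROL, or a bucket policy statement that allows s3:PutObject / s3:DeleteObject (or a wildcard covering them) to Principal "*". The following audit is an added example, not code from the article or from the researchers it quotes; it works on the dict shapes that boto3's get_bucket_acl() and get_bucket_policy() return, and runs offline here on constructed samples (the owner ID, bucket name and policy Sids are made up).

```python
"""Audit an S3 bucket's ACL and bucket policy for anonymous write access.

Added example; it is not code from the article or from the researchers it
quotes. The functions take the dict shapes that boto3's get_bucket_acl() and
get_bucket_policy() return, so they run offline on the constructed samples at
the bottom, and on live responses when you want to audit a real bucket.
"""
import fnmatch
import json

# Predefined S3 groups whose grants make a bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "anyone, no AWS account needed",
    AUTHENTICATED_USERS: "any AWS account holder",
}

# ACL permissions that let the grantee add, overwrite or delete objects.
ACL_WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}

# Object-level actions a wiper or ransom script needs (compared lower-case).
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject")


def public_write_grants(acl):
    """Return (who, permission) for each ACL grant giving a public group write access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group"
                and uri in PUBLIC_GROUPS
                and grant.get("Permission") in ACL_WRITE_PERMISSIONS):
            findings.append((PUBLIC_GROUPS[uri], grant["Permission"]))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, the everyone/anonymous principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def action_allows_write(action):
    """True if a (possibly wildcarded, case-insensitive) Action covers PutObject or DeleteObject."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(a, pattern) for a in WRITE_ACTIONS)


def public_write_statements(policy):
    """Return the Sid of every Allow statement that lets Principal "*" write or delete objects.

    Conditions, NotAction and NotPrincipal are not evaluated, so a hit means
    "review this statement", not necessarily "open to the world".
    """
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if any(action_allows_write(a) for a in _as_list(stmt.get("Action", []))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def audit_bucket(acl, policy_document):
    """Run both checks; policy_document is the JSON string from get_bucket_policy()['Policy'] or None."""
    policy = json.loads(policy_document) if policy_document else {}
    return {
        "acl_public_write": public_write_grants(acl),
        "policy_public_write": public_write_statements(policy),
    }


# Constructed sample ACL: the owner has FULL_CONTROL, the world can READ and WRITE.
SAMPLE_ACL = {
    "Owner": {"ID": "c1d2e3f4example"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "c1d2e3f4example"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

# Constructed sample policy: public read (bad, but not a wipe risk) plus s3:* for everyone.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AllowAnyoneToWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for check, result in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY).items():
        print(f"{check}: {result or 'clean'}")
```

Against a live bucket the same call is `audit_bucket(s3.get_bucket_acl(Bucket=name), s3.get_bucket_policy(Bucket=name)["Policy"])` with `s3 = boto3.client("s3")`; get_bucket_policy raises NoSuchBucketPolicy when no policy is attached, in which case pass None. Remediation is to delete the public grant or statement and, on current AWS accounts, turn on S3 Block Public Access (a feature Amazon introduced after this article was written), which refuses public ACLs and policies at the bucket or account level.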

AWS S3 buckets to go the way of MongoDB and friends

Experts believe that hacker groups who have been busy holding MongoDB, ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL servers for ransom all of 2017 might soon turn their sights on S3 publicly-writeable buckets.

The 2017 ransom attacks usually followed the same pattern. Hackers found an exposed server, wiped its data, and left a ransom note behind. Some victims paid, hoping to recover their data, but most were left at the altar: the hackers did not have the storage space to back up all the ransomed servers, and never returned any of the promised data.

Now, experts say, something similar is bound to happen to Amazon S3 bucket owners.

"The MongoDB incidents showed that the 'spray and pray' strategy works, even without saving the data," security researcher Dylan Katz told Bleeping Computer.

Katz believes that S3 data will be wiped rather than held for ransom per se, mainly because S3 buckets store humongous amounts of data, which an attacker would not be able to host.

AWS S3 ransom attacks are technically possible

The problem, as stated before, lies with AWS S3 account owners who misconfigure bucket permissions, allowing anyone to read from and write to their buckets.

"S3 is like the C programming language. Plenty of ways to shoot yourself in the foot," security researcher Mike Gualtieri told Bleeping Computer.

Gualtieri even went as far as to create a proof-of-concept script that takes advantage of such buckets to fool victims into believing their data has been encrypted.

"I [...] was able to write a little script that listed the contents of the bucket and also attempted to download one of the files," Gualtieri told us, "then it stored the file contents as an MD5 hash, deleted the file, and re-uploaded it with the extension .enc."

"Deletion of files en masse also looks to be possible," the expert said.
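Every step of the script Gualtieri describes (list, download, delete, re-upload as .enc) is recorded in the bucket's server access logs if logging is enabled, and an unauthenticated caller shows up with "-" in the requester field. The detection below is an added example, not code from the article or from any of the researchers quoted; the log lines are constructed to follow the S3 server access log layout, and the bucket name, IPs and request IDs are made up.

```python
"""Spot the ransom pattern in S3 server access logs: unauthenticated
writes/deletes, and a key deleted then re-uploaded under a new suffix.

Added example, not from the article. The log lines are constructed to follow
the S3 server access log layout (bucket owner, bucket, [time], remote IP,
requester, request ID, operation, key, "request-URI", status, error code,
bytes sent, object size, total time, turn-around time, "referer",
"user-agent", ...). An unauthenticated request is logged with "-" as requester.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) '
    r'(?P<object_size>\S+) (?P<total_time>\S+) (?P<turnaround>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

# Operations that change bucket contents.
WRITE_OPS = {"REST.PUT.OBJECT", "REST.COPY.OBJECT", "REST.DELETE.OBJECT",
             "REST.POST.MULTI_OBJECT_DELETE"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def anonymous_writes(records):
    """Writes or deletes made without any AWS credentials (requester is '-')."""
    return [r for r in records if r["requester"] == "-" and r["operation"] in WRITE_OPS]


def delete_then_reupload(records):
    """Keys deleted and later re-uploaded from the same IP under the old name plus a suffix.

    This is the fake-encryption rename (file -> file.enc) described in the
    article; one hit per (ip, old key, new key).
    """
    deleted = defaultdict(set)  # ip -> keys that IP has deleted so far
    hits = []
    for r in records:
        if r["operation"] == "REST.DELETE.OBJECT":
            deleted[r["ip"]].add(r["key"])
        elif r["operation"] == "REST.PUT.OBJECT":
            for old in sorted(deleted[r["ip"]]):
                if r["key"] != old and r["key"].startswith(old):
                    hits.append((r["ip"], old, r["key"]))
    return hits


def analyze(lines):
    """Parse the lines and return both findings plus a per-IP delete count."""
    records = [rec for rec in map(parse_line, lines) if rec]
    deletes_by_ip = defaultdict(int)
    for r in records:
        if r["operation"] in ("REST.DELETE.OBJECT", "REST.POST.MULTI_OBJECT_DELETE"):
            deletes_by_ip[r["ip"]] += 1
    return {
        "parsed": len(records),
        "anonymous_writes": anonymous_writes(records),
        "renamed_after_delete": delete_then_reupload(records),
        "deletes_by_ip": dict(deletes_by_ip),
    }


# Constructed sample: an anonymous client lists the bucket, downloads a file,
# deletes it, uploads it back as .enc and drops a ransom note; then the owner
# (authenticated, requester = canonical ID) uploads a file normally.
SAMPLE_LOG = """\
OWNERID examplebucket [12/Feb/2018:09:14:02 +0000] 198.51.100.7 - 7F3E2C1A01EXAMPLE REST.GET.BUCKET - "GET /examplebucket?list-type=2 HTTP/1.1" 200 - 1843 - 12 11 "-" "python-requests/2.18.4" -
OWNERID examplebucket [12/Feb/2018:09:14:03 +0000] 198.51.100.7 - 7F3E2C1A02EXAMPLE REST.GET.OBJECT backups/db-2018-02-11.sql "GET /examplebucket/backups/db-2018-02-11.sql HTTP/1.1" 200 - 5242880 5242880 340 38 "-" "python-requests/2.18.4" -
OWNERID examplebucket [12/Feb/2018:09:14:04 +0000] 198.51.100.7 - 7F3E2C1A03EXAMPLE REST.DELETE.OBJECT backups/db-2018-02-11.sql "DELETE /examplebucket/backups/db-2018-02-11.sql HTTP/1.1" 204 - - - 9 - "-" "python-requests/2.18.4" -
OWNERID examplebucket [12/Feb/2018:09:14:05 +0000] 198.51.100.7 - 7F3E2C1A04EXAMPLE REST.PUT.OBJECT backups/db-2018-02-11.sql.enc "PUT /examplebucket/backups/db-2018-02-11.sql.enc HTTP/1.1" 200 - - 32 15 7 "-" "python-requests/2.18.4" -
OWNERID examplebucket [12/Feb/2018:09:14:06 +0000] 198.51.100.7 - 7F3E2C1A05EXAMPLE REST.PUT.OBJECT README_FOR_DECRYPT.txt "PUT /examplebucket/README_FOR_DECRYPT.txt HTTP/1.1" 200 - - 210 14 6 "-" "python-requests/2.18.4" -
OWNERID examplebucket [12/Feb/2018:09:20:11 +0000] 203.0.113.9 OWNERID 7F3E2C1A06EXAMPLE REST.PUT.OBJECT backups/db-2018-02-12.sql "PUT /examplebucket/backups/db-2018-02-12.sql HTTP/1.1" 200 - - 5242880 402 41 "-" "aws-cli/1.14.30" -
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print(f"parsed {report['parsed']} records")
    for r in report["anonymous_writes"]:
        print(f"anonymous {r['operation']} on {r['key']} from {r['ip']}")
    for ip, old, new in report["renamed_after_delete"]:
        print(f"{ip} deleted {old} then uploaded {new}")
```

Server access logging is off by default and is delivered on a delay, so this catches a wipe after the fact; the useful part is that a single anonymous REST.DELETE.OBJECT is already a high-confidence alert, because a correctly configured bucket never produces one.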

Researchers have been warning AWS S3 customers for months

It’s scenarios like these that scare some security researchers. One of them is Robbie Wiggins.

For the past few months [1, 2], Wiggins has been scanning the web for publicly-writeable S3 buckets and leaving behind a text file with a warning to bucket owners.

"This is a friendly warning that your Amazon AWS S3 bucket settings are wrong," Wiggins writes in these files. "Anyone can write to this bucket. Please fix this before a bad guy finds it."
