GhostWriter: Writable AWS S3 Buckets Could Be Exploited to Overwrite Existing Data and Files, or Upload Malware
The exposure of sensitive data via misconfigured AWS S3 buckets has been regular over the last few years. In two months this summer, researchers discovered thousands of potentially sensitive files belonging to the U.S. National Geospatial-Intelligence Agency (NGA); information on millions of Verizon customers; and a database containing details of 198 million American voters.
In each case a misconfiguration of the S3 buckets left the data freely accessible to anyone via the internet. Amazon’s ‘shared responsibility’ model clearly states that Amazon is responsible for security of the cloud (that is, the cloud infrastructure) while the customer is responsible for security in the cloud (that is, protecting data through AWS configuration and/or other means). In leaving the data open to public reads, S3 data exposure is clearly the fault of the customers and not Amazon.
Now, however, Skyhigh Networks research has discovered that some AWS customers are also leaving their data open to public writes. Skyhigh calls this vulnerability, ‘GhostWriter‘. In a blog post Friday, chief scientist & VP Eng., Sekhar Sarukkai, warned, “In such cases a 3rd party, unbeknownst to either the data owner or the data consumer, can launch a surreptitious man-in-the-middle (MITM) attack.”
Vulnerable buckets found by Skyhigh — which has reported its findings to AWS — are owned by leading national news/media sites, large retail stores, popular cloud services, and leading advertisement networks. An adversary merely has to locate writable buckets to be able to overwrite existing data and files, or upload malware into the bucket.
“Bucket owners who store JavaScript or other code should pay particular attention to this issue,” warns Sarukkai, “to ensure that 3rd parties don’t silently overwrite their code for drive-by attacks, bitcoin mining or other exploits. Even benign image or document content left open for overwriting can be exploited for steganography attacks or malware distribution.”
Ironically, this vulnerability could affect researchers who find a readable bucket and download the data for analysis, not knowing that a third-party has already altered the data. However, the biggest danger will be to the data owners and authorized users who access the stored data. They could download and use incorrect data, or even download malware from their own or a partner’s data.
It is not known whether this vulnerability has ever been exploited — but it certainly exists. “We’ve informed our customers about misconfigured S3 Buckets and the possible opportunity for GhostWriter attacks and there has been some alarm,” Skyhigh’s chief European spokesperson Nigel Hawthorn told SecurityWeek. “Some have been experiencing issues of differing severity recently which GhostWriter may have been the cause of. Considering how widely used S3 is, it’s hard to see how it hasn’t been exploited. We have worked with those customers and AWS to rectify configurations.”
Sarukkai believes that there are two aspects to staying safe from GhostWriter: ‘trust but verify’ (by ensuring that staff can only download from own or third-party buckets that are not susceptible to GhostWriter); and ‘trust but audit’ (by making sure that an organization’s own S3 buckets are not publicly writable).
Skyhigh Networks has the facility to audit S3 buckets used by its own CASB customers, while “AWS provides many native best-practices and tools to manage and validate policies for configuring S3,” notes Sarukkai. In August, Amazon announced a new service called Macie. Macie uses machine learning to help its customers discover, classify and protect sensitive data.
Related: Stealthy Attack Could Hit 50 Percent of Large Office 365 Customers: Report
Related: Accenture Exposed Data via Unprotected Cloud Storage Bucket
More from Kevin Bowers
- Alexa May Be Recording More Than You Realize
- UK’s NCSC Adopts HackerOne for Vulnerability Coordination Disclosure
- Artificial Intelligence in Cybersecurity is Not Delivering on its Promise
- Untangle Partners With Malwarebytes to Bring Layered Security to SMBs
- Testing Security Products: Third-Party Standards vs. In-House Testing
- New Cyber Readiness Program Launched for SMBs
- Personal Details of 120 Million Brazilians Exposed
- Researchers Find Thousands of Twitter Amplification Bots in Just One Day
Latest News
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
