AWS S3 Buckets at Risk of “GhostWriter” MiTM Attack

GhostWriter: Writable AWS S3 Buckets Could Be Exploited to Overwrite Existing Data and Files, or Upload Malware

The exposure of sensitive data via misconfigured AWS S3 buckets has been regular over the last few years. In two months this summer, researchers discovered thousands of potentially sensitive files belonging to the U.S. National Geospatial-Intelligence Agency (NGA); information on millions of Verizon customers; and a database containing details of 198 million American voters.

In each case a misconfiguration of the S3 buckets left the data freely accessible to anyone via the internet. Amazon’s ‘shared responsibility’ model clearly states that Amazon is responsible for security of the cloud (that is, the cloud infrastructure) while the customer is responsible for security in the cloud (that is, protecting data through AWS configuration and/or other means). In leaving the data open to public reads, S3 data exposure is clearly the fault of the customers and not Amazon.

Now, however, Skyhigh Networks research has discovered that some AWS customers are also leaving their data open to public writes. Skyhigh calls this vulnerability, ‘GhostWriter‘. In a blog post Friday, chief scientist & VP Eng., Sekhar Sarukkai, warned, “In such cases a 3rd party, unbeknownst to either the data owner or the data consumer, can launch a surreptitious man-in-the-middle (MITM) attack.”

Vulnerable buckets found by Skyhigh — which has reported its findings to AWS — are owned by leading national news/media sites, large retail stores, popular cloud services, and leading advertisement networks. An adversary merely has to locate writable buckets to be able to overwrite existing data and files, or upload malware into the bucket.

“Bucket owners who store JavaScript or other code should pay particular attention to this issue,” warns Sarukkai, “to ensure that 3rd parties don’t silently overwrite their code for drive-by attacks, bitcoin mining or other exploits. Even benign image or document content left open for overwriting can be exploited for steganography attacks or malware distribution.”

Ironically, this vulnerability could affect researchers who find a readable bucket and download the data for analysis, not knowing that a third-party has already altered the data. However, the biggest danger will be to the data owners and authorized users who access the stored data. They could download and use incorrect data, or even download malware from their own or a partner’s data.

It is not known whether this vulnerability has ever been exploited — but it certainly exists. “We’ve informed our customers about misconfigured S3 Buckets and the possible opportunity for GhostWriter attacks and there has been some alarm,” Skyhigh’s chief European spokesperson Nigel Hawthorn told SecurityWeek. “Some have been experiencing issues of differing severity recently which GhostWriter may have been the cause of. Considering how widely used S3 is, it’s hard to see how it hasn’t been exploited. We have worked with those customers and AWS to rectify configurations.” 

Sarukkai believes that there are two aspects to staying safe from GhostWriter: ‘trust but verify’ (by ensuring that staff can only download from own or third-party buckets that are not susceptible to GhostWriter); and ‘trust but audit’ (by making sure that an organization’s own S3 buckets are not publicly writable).

Skyhigh Networks has the facility to audit S3 buckets used by its own CASB customers, while “AWS provides many native best-practices and tools to manage and validate policies for configuring S3,” notes Sarukkai. In August, Amazon announced a new service called Macie. Macie uses machine learning to help its customers discover, classify and protect sensitive data. 

Related: Stealthy Attack Could Hit 50 Percent of Large Office 365 Customers: Report 

Related: Accenture Exposed Data via Unprotected Cloud Storage Bucket