Misconfigured permissions on cloud object storage services like S3 buckets are a frequent cause of data breaches. But Rhino Security Labs, a penetration testing and security assessment firm, is drawing attention to another concern. By treating S3 buckets as an attack surface in their own right and using targeted attack vectors, an attacker who gains write access can not only steal your data, but also hold it for ransom.
So how does a cloud object storage ransomware attack happen?
Let’s say the attacker is working in AWS. The first step is to create a KMS key in their own AWS account with a key policy that lets any AWS principal use the key for encryption (the kms:Encrypt and kms:GenerateDataKey permissions S3 needs for SSE-KMS), while keeping the decrypt permission for themselves. The attacker then identifies a target S3 bucket holding important or sensitive data and gains write-level access to it, either because the bucket is exposed or through a compromised user in the target AWS account. Whichever identity performs the uploads must also be allowed by its own IAM policy to use a KMS key from another account; the attacker’s own identity against a world-writable bucket, or an over-privileged compromised user, both satisfy that.
With the target S3 bucket in sight, the attacker moves forward by checking to see if certain configuration settings are enabled:
- The two settings that matter are S3 Object Versioning and Multi-factor Authentication Delete (MFA Delete).
- If Object Versioning is not enabled (or has been suspended), the attacker is good to go: overwriting an object destroys the only copy.
- If Object Versioning is enabled but MFA Delete is not, the attacker can suspend versioning (once enabled, versioning cannot be turned off, only suspended) and then permanently delete the noncurrent versions, provided the identity they control is also allowed to delete object versions.
- If both Object Versioning and MFA Delete are enabled, suspending versioning or permanently deleting a version requires the bucket owner’s root credentials plus a valid MFA code, so the attacker would likely abort the mission and find an alternative target.
With the configuration groundwork laid, the attacker uses the S3 API to replace each object in the bucket with a new copy of itself (a CopyObject of the object onto its own key, requesting SSE-KMS with the attacker’s key ARN), so that every object is now encrypted under the attacker’s KMS key.
Next, the attacker schedules the KMS key for deletion. The shortest pending window AWS allows is 7 days, and once the key is deleted, every object encrypted under it is unrecoverable. Finally, the attacker uploads one last unencrypted file, usually with an ominous name like “ransom-note.txt,” containing instructions on how the victim can get their files back. Until then the objects still appear in bucket listings, but any attempt to read them fails, because only the attacker’s account can call kms:Decrypt on the key. If the victim pays, the attacker can cancel the scheduled deletion; if the victim doesn’t pay within the 7 days, the key is deleted and the data is lost forever.
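The two checks the attacker makes in the steps above are exactly the checks a defender should be running first. As an added example (not code from the original post or from Rhino Security Labs), the following Python turns the versioning/MFA Delete decision tree and the "encrypted with someone else's KMS key" indicator into offline audit functions. The inputs are the dict shapes boto3 returns from `s3.get_bucket_versioning()` and `s3.head_object()`; the account ID, bucket names, object keys and key ARNs in the sample data are constructed for the example, not real.

```python
# Added example: defender-side versions of the attacker's two checks.
# All sample data below is constructed; account 111122223333 is the
# assumed "victim" account and 999999999999 an assumed attacker account.

VICTIM_ACCOUNT = "111122223333"

# Shape of s3.get_bucket_versioning(Bucket=...) responses (Status is absent
# when versioning was never enabled; MFADelete is absent unless it was set).
SAMPLE_VERSIONING = {
    "backups": {"Status": "Enabled", "MFADelete": "Enabled"},
    "customer-exports": {"Status": "Enabled"},
    "raw-uploads": {},
}

# Shape of s3.head_object(Bucket=..., Key=...) responses for a few objects.
SAMPLE_HEADS = {
    "customer-exports/2019-12.csv": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "arn:aws:kms:us-east-1:999999999999:key/00000000-0000-4000-8000-000000000001",
    },
    "customer-exports/ransom-note.txt": {"ServerSideEncryption": "AES256"},
    "backups/db.dump": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-4000-8000-0000000000aa",
    },
}


def classify_versioning(versioning):
    """Map a GetBucketVersioning response to the attacker's decision tree.

    NO_VERSIONING  - versioning absent or suspended: overwrites destroy the only copy
    NO_MFA_DELETE  - versioning on, but anyone with write access can suspend it
                     and purge noncurrent versions
    PROTECTED      - suspending versioning or purging versions needs root + MFA
    """
    if versioning.get("Status") != "Enabled":
        return "NO_VERSIONING"
    if versioning.get("MFADelete") != "Enabled":
        return "NO_MFA_DELETE"
    return "PROTECTED"


def kms_key_account(key_arn):
    """Account ID from arn:aws:kms:<region>:<account>:key/<id>, else None."""
    parts = key_arn.split(":")
    if len(parts) != 6 or parts[2] != "kms":
        return None
    return parts[4]


def foreign_kms_objects(heads, own_account):
    """Object keys whose current version is SSE-KMS under another account's key.

    A bucket full of these, with one unencrypted object alongside them, is the
    end state of the attack described in the text.
    """
    hits = []
    for key, head in heads.items():
        if head.get("ServerSideEncryption") != "aws:kms":
            continue
        account = kms_key_account(head.get("SSEKMSKeyId", ""))
        if account is not None and account != own_account:
            hits.append(key)
    return sorted(hits)


def audit(versioning_by_bucket, heads, own_account):
    """Combine both checks into one report; at-risk buckets are those an
    attacker with write access could overwrite without leaving a recoverable
    version behind."""
    return {
        "at_risk_buckets": sorted(
            b for b, v in versioning_by_bucket.items()
            if classify_versioning(v) != "PROTECTED"
        ),
        "foreign_kms_objects": foreign_kms_objects(heads, own_account),
    }


if __name__ == "__main__":
    # Against a live account, feed the same functions the results of
    # s3.get_bucket_versioning(Bucket=b) and s3.head_object(Bucket=b, Key=k).
    print(audit(SAMPLE_VERSIONING, SAMPLE_HEADS, VICTIM_ACCOUNT))
```

The account-ID comparison is the cheap signal: a legitimate workload almost never writes objects under a KMS key that lives in an account you don't own, so a CloudTrail alert on the same condition (the key ARN in the request's SSE-KMS parameter not belonging to your organization) catches the re-encryption while it is happening rather than after the ransom note appears.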
Just as ransomware on a workstation encrypts the files on its hard drive, cloud object storage services like S3 buckets can be compromised and their objects held for ransom.
You can prevent this from happening by adhering to security best practices like:
- following the principle of least privilege when provisioning IAM permissions, and in particular limiting who can write to, delete versions from, and change the configuration of buckets holding sensitive data
- enabling CloudTrail logging, including S3 data events for sensitive buckets, and monitoring for bulk CopyObject or PutObject activity and for objects written with a KMS key from outside your account
- enabling S3 Object Versioning and MFA Delete on your buckets (MFA Delete can only be turned on by the account’s root user with an MFA device, and a lifecycle rule that expires noncurrent versions quickly would undo much of the benefit)
- using bucket policies and access control lists to restrict public access; a bucket policy can also deny uploads that name any KMS key other than your own
- using the S3 Block Public Access feature to add an extra layer of security and ensure that there’s no accidental public exposure
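One concrete version of the bucket-policy mitigation, as an added example that is not part of the original post: a Deny statement on s3:PutObject (the permission CopyObject also needs on the destination) whose condition fires whenever an upload names a KMS key other than the bucket owner's. The script builds the policy and includes a small evaluator for the one condition operator it uses, so the behaviour can be checked offline before the policy is applied with `aws s3api put-bucket-policy`. The bucket name, account ID and key ARN are assumed placeholders; the evaluator implements only StringNotEqualsIfExists, not general IAM policy evaluation.

```python
# Added example: a bucket policy that refuses objects encrypted under a
# foreign KMS key, plus an offline check of its condition logic.
# The bucket, account and key ARN below are placeholders, not real resources.
import json

OWN_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-4000-8000-0000000000aa"
CONDITION_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"
HEADER = "x-amz-server-side-encryption-aws-kms-key-id"


def deny_foreign_kms_policy(bucket, own_key_arn):
    """Bucket policy with one Deny: any PutObject whose request names a KMS
    key other than own_key_arn is refused.

    StringNotEqualsIfExists (rather than StringNotEquals) means a request
    that omits the key-id header is still allowed, so uploads that rely on
    the bucket's default encryption keep working; only an explicit foreign
    key triggers the Deny. Deny always wins over any Allow, so this holds
    even for principals with broad S3 permissions.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyObjectsEncryptedWithForeignKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEqualsIfExists": {CONDITION_KEY: own_key_arn}
                },
            }
        ],
    }


def policy_json(bucket, own_key_arn):
    """Serialised form to hand to: aws s3api put-bucket-policy --policy file://policy.json"""
    return json.dumps(deny_foreign_kms_policy(bucket, own_key_arn), indent=2)


def is_denied(policy, request_headers):
    """Would the policy's Deny statements refuse a PutObject carrying these
    x-amz-server-side-encryption* headers?  Only the StringNotEqualsIfExists
    operator on the KMS key-id condition key is modelled."""
    key_id = request_headers.get(HEADER)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for ckey, allowed in stmt.get("Condition", {}).get("StringNotEqualsIfExists", {}).items():
            if ckey != CONDITION_KEY:
                continue
            if key_id is not None and key_id != allowed:
                return True
    return False


if __name__ == "__main__":
    policy = deny_foreign_kms_policy("customer-exports", OWN_KEY_ARN)
    attacker = {"x-amz-server-side-encryption": "aws:kms",
                HEADER: "arn:aws:kms:us-east-1:999999999999:key/00000000-0000-4000-8000-000000000001"}
    print("attacker copy denied:", is_denied(policy, attacker))
    print(policy_json("customer-exports", OWN_KEY_ARN))
```

This is a defence-in-depth layer, not a substitute for the rest of the list: a compromised identity that also holds s3:PutBucketPolicy can simply remove the statement, and the policy does nothing to stop deletion of existing versions. Pair it with least-privilege IAM on bucket-configuration actions, versioning with MFA Delete (set from the root user, for example `aws s3api put-bucket-versioning --bucket customer-exports --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::111122223333:mfa/root-account-mfa-device 123456"`), and a CloudTrail alert on PutBucketPolicy and PutBucketVersioning for sensitive buckets.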
Remember, attacks like this only succeed where proper security and access control are missing. But with cloud at scale, it’s easy for organizations to lose track of every object storage container in every region of every account, so we expect to see this pattern play out more in the year ahead. To see how DivvyCloud can help you achieve continuous security and compliance, contact one of our cloud security experts today!