On July 19, 2020, a large PaaS provider announced that attackers had accessed one of its misconfigured S3 buckets and altered a copy of a client-side library that it distributes to customers. The bucket's permissions allowed anyone to read and write its contents, and the affected library had been sitting in that unprotected bucket since 2015. The modified code made customers' browsers load an additional URL that had previously been linked to Magecart attacks. This was a clear case of an opportunistic attack on a misconfigured AWS resource for financial gain, and it appears to be connected to a long-running malvertising campaign dating back to 2013.
Once aware of the attack, the company locked down the S3 bucket and restored a clean version of the library to the same path. A full-scale audit was then launched to make sure no other misconfigured AWS resources had been overlooked. No evidence was found that the attackers accessed customer data. Many attackers look specifically for misconfigured AWS, Azure, or Google Cloud resources at service providers in the software supply chain, because compromising one provider lets them infect every company that relies on it.
Enterprise data management policies must extend to S3 buckets. Too often buckets are left publicly accessible and unencrypted, and are therefore open to attack. In environments with multiple cloud providers, it is business critical to review the access control model of each provider separately, since their defaults and permission semantics differ.
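The checks that such a policy boils down to can be automated. The following script, added here as an illustration and not code from the original page or from the affected provider, audits a bucket configuration snapshot for the three things that went wrong in the incident: public ACL grants, wildcard-principal policy statements, and a missing Block Public Access setting, plus default encryption. The snapshot layout (the results of GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock and GetBucketEncryption, in the shape boto3 returns them) is this example's own assumption, and both snapshots at the bottom are constructed for the demo, one modelled on the leaky bucket and one on its hardened form.

```python
"""Offline audit of S3 bucket configuration snapshots for public exposure and
missing default encryption.

Added example, not code from the original page. A snapshot is assumed to hold
the results of GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock and
GetBucketEncryption as boto3 returns them; both snapshots below are constructed.
"""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Permissions granted via ACL to the AllUsers / AuthenticatedUsers groups."""
    return [
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard Principal and no Condition.

    Conditioned wildcards (e.g. limited to a VPC endpoint) are not flagged here;
    they need a manual review rather than an automatic verdict.
    """
    if not policy_json:
        return []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not s.get("Condition")
    ]


def block_public_access_complete(pab):
    """True only when all four Block Public Access settings are on."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in PAB_KEYS)


def default_encryption_enabled(enc):
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


def audit_bucket(snapshot):
    """Return human-readable findings; an empty list means the bucket passes."""
    findings = []
    if not block_public_access_complete(snapshot.get("public_access_block")):
        findings.append("public access block incomplete")
    grants = public_acl_grants(snapshot.get("acl", {}))
    if grants:
        findings.append("public ACL grants: " + ", ".join(grants))
    sids = public_policy_statements(snapshot.get("policy"))
    if sids:
        findings.append("public policy statements: " + ", ".join(sids))
    if not default_encryption_enabled(snapshot.get("encryption")):
        findings.append("no default encryption")
    return findings


# Constructed snapshot modelled on the incident: world-readable and world-writable,
# no Block Public Access configuration, no default encryption.
LEAKY_BUCKET = {
    "public_access_block": None,  # GetPublicAccessBlock returned no configuration
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicReadWrite", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-sdk-assets/*"}]}),
    "encryption": None,
}

# Constructed snapshot of the hardened form: public access blocked, owner-only ACL,
# a policy that only denies plaintext HTTP, and SSE-KMS applied by default.
HARDENED_BUCKET = {
    "public_access_block": {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-sdk-assets", "arn:aws:s3:::example-sdk-assets/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
}
```

Running `audit_bucket(LEAKY_BUCKET)` yields four findings, while the hardened snapshot yields none. Note that the hardened policy keeps a wildcard principal but on a Deny statement, which is exactly the shape you want for a transport-security guard; the audit only treats unconditioned Allow wildcards as public. In a real environment the snapshots would be filled from the corresponding boto3 calls for every bucket in every account, and a non-empty finding list would fail the pipeline.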
Cloud access control systems are very powerful, which also makes them complex. They are a common source of data breaches, especially in fast-paced development environments with frequent deployments and upgrades. Introducing a separation of duties between development and security teams helps reduce that risk, particularly when development teams push updates at a rapid pace. New releases and updates are a signal to attackers looking for vulnerabilities, so a tool that blocks code promotion while a known vulnerability exists is an important control.
Human error is always a factor, which is why it is so important to continually train employees and to use an appropriate cloud security platform. Visibility into access and configuration changes is crucial during cloud deployments. A SIEM, used together with identity and data security tools, can alert on high-risk activities such as a bucket's public access block being removed or its ACL being opened to everyone, so that a misconfiguration is caught in minutes rather than discovered years later by an attacker.
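What such an alert rule looks like in practice is shown below. This is an added example, not code from the original page or from any vendor's SIEM: a small detector that runs over newline-delimited CloudTrail events and raises an alert for S3 configuration changes that weaken access control or encryption. The rule table and the severities are this example's own choices, and the five events at the bottom are constructed in the shape CloudTrail uses (eventName, userIdentity, requestParameters), including the assumption that a canned ACL appears in `requestParameters` under `x-amz-acl`.

```python
"""Detect high-risk S3 configuration changes in CloudTrail events.

Added example, not from the original page. The events below are constructed in
the CloudTrail record shape; the rule table and severities are this example's
own choices and would be tuned per environment.
"""
import json

# eventName -> base severity. Each of these changes who can read or write a bucket,
# or whether its objects are encrypted, and is worth an alert on a customer-facing bucket.
RISKY_EVENTS = {
    "DeleteBucketPublicAccessBlock": "high",
    "PutBucketPublicAccessBlock": "medium",  # may loosen or tighten; inspect parameters
    "PutBucketAcl": "medium",
    "PutBucketPolicy": "medium",
    "DeleteBucketPolicy": "medium",
    "DeleteBucketEncryption": "high",
    "PutBucketEncryption": "low",
}
PUBLIC_GROUPS = ("global/AllUsers", "global/AuthenticatedUsers")
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_public(params):
    """True if a PutBucketAcl request grants access to a public group."""
    if set(_as_list(params.get("x-amz-acl", []))) & PUBLIC_CANNED_ACLS:
        return True
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    for grant in _as_list(grants):
        uri = grant.get("Grantee", {}).get("URI") or ""
        if any(group in uri for group in PUBLIC_GROUPS):
            return True
    return False


def _pab_disables_protection(params):
    """True if a PutBucketPublicAccessBlock request turns any of the four settings off."""
    cfg = params.get("PublicAccessBlockConfiguration", {})
    return any(cfg.get(k) is False for k in PAB_KEYS)


def classify(event):
    """Return (severity, reason) for one CloudTrail event, or None if not alertable."""
    name = event.get("eventName")
    if name not in RISKY_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    severity, reason = RISKY_EVENTS[name], name
    if name == "PutBucketAcl" and _grants_public(params):
        severity, reason = "high", "PutBucketAcl grants public read/write"
    elif name == "PutBucketPublicAccessBlock" and _pab_disables_protection(params):
        severity, reason = "high", "PutBucketPublicAccessBlock disables a protection"
    return severity, reason


def scan(ndjson_lines):
    """Run classify over newline-delimited JSON events and return alert dicts."""
    alerts = []
    for line in ndjson_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({
            "time": event.get("eventTime"),
            "bucket": (event.get("requestParameters") or {}).get("bucketName"),
            "actor": event.get("userIdentity", {}).get("arn"),
            "severity": severity,
            "reason": reason,
        })
    return alerts


# Constructed sample events: a deploy identity removes the public access block, opens the
# bucket ACL to everyone and uploads a library; an admin later rewrites the bucket policy.
SAMPLE_EVENTS = """\
{"eventTime": "2020-01-05T10:02:11Z", "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": null}
{"eventTime": "2020-01-05T10:05:40Z", "eventName": "DeleteBucketPublicAccessBlock", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "requestParameters": {"bucketName": "example-sdk-assets"}}
{"eventTime": "2020-01-05T10:06:02Z", "eventName": "PutBucketAcl", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "requestParameters": {"bucketName": "example-sdk-assets", "AccessControlPolicy": {"AccessControlList": {"Grant": [{"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}}}
{"eventTime": "2020-01-05T10:07:15Z", "eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "requestParameters": {"bucketName": "example-sdk-assets", "key": "sdk/v1/client.min.js"}}
{"eventTime": "2020-01-05T10:09:30Z", "eventName": "PutBucketPolicy", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"bucketName": "example-sdk-assets", "bucketPolicy": {"Version": "2012-10-17", "Statement": []}}}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the script produces three alerts (two high, one medium) and ignores the routine ListBuckets and PutObject records. The interesting design point is that the two high-severity events come from a CI deploy identity, which is exactly the kind of actor that should never be changing bucket access control under a separation of duties; feeding the actor field into the SIEM's identity correlation turns a configuration alert into an "unexpected principal made an access change" alert.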