Checkmarx Details Potential Threats to AWS S3 Buckets

Checkmarx has disclosed how cybercriminals can hijack binaries that software packages fetch from Amazon Web Services (AWS) S3 storage buckets: once the original bucket has been deleted, an attacker can re-create a bucket under the same name and serve malicious binaries from it.

Without altering a single line of the package's code, cybercriminals can swap out the S3-hosted binary for one that exfiltrates user IDs, passwords, local machine environment variables and the local host name, sending that data to the hijacked bucket.

Guy Nachshon, software engineer at Checkmarx, said there is no way to prevent this activity other than through ongoing monitoring of S3 binaries.

The first instance of this vulnerability was discovered in an open source npm package, dubbed “bignum,” following an advisory published by GitHub. The latest version of that package, 0.13.1, was published more than three years ago and has never been compromised, but versions 0.12.2 through 0.13.0 relied upon prebuilt binaries hosted on an S3 bucket. About six months ago that bucket was deleted, but an unidentified attacker noticed the sudden abandonment of a once-active bucket name and registered it under their own account. As a result, whenever one of the affected versions of bignum was downloaded or re-installed, users unknowingly fetched the malicious binary file the attacker had placed there.

This is possible because each AWS S3 bucket has a globally unique name. When a bucket is deleted, its name becomes available for anyone to register again. If a package pointed to that bucket as the source of its binaries, the pointer in the package continued to exist after the bucket's deletion, so all the attacker needed to do was create a new bucket with the same name; the package's unchanged download URL then resolved to the attacker's bucket.
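One way to check an installed dependency tree for this condition, written as an added example rather than Checkmarx's tooling: read each package.json, pull the download host out of a node-pre-gyp style "binary" block, extract the S3 bucket name from the URL, and ask S3 whether that bucket still exists. S3 answers a HEAD request on an unowned bucket name with 404, so a "missing" result means the name is free for anyone to register. The package names, bucket names and URLs in the sample data are constructed for the example and do not correspond to bignum or any real package; the S3 URL shapes handled (virtual-hosted and path style, with or without a region) are an assumption about what such "host" fields commonly contain.

```python
"""Audit npm packages whose native binaries are fetched from S3 and flag
buckets that no longer exist (and could be re-registered by anyone)."""
import json
import re
import urllib.error
import urllib.request
from pathlib import Path
from urllib.parse import urlparse

# Virtual-hosted style: <bucket>.s3[.-<region>].amazonaws.com
_VHOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path style: s3[.-<region>].amazonaws.com/<bucket>/...
_PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def bucket_from_url(url):
    """Return the S3 bucket name a URL points at, or None for non-S3 hosts."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    m = _VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if _PATH_RE.match(host):
        segs = [s for s in parts.path.split("/") if s]
        return segs[0] if segs else None
    return None


def probe_bucket(bucket, timeout=5):
    """HEAD https://<bucket>.s3.amazonaws.com/ over the network.
    404 means no account owns the name; 200 or 403 mean it exists (ours or not)."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return "exists"
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "missing"
        return "exists" if err.code in (301, 307, 403) else "unknown"
    except (urllib.error.URLError, OSError):
        return "unknown"


def binary_url(pkg):
    """Build the download base URL from a node-pre-gyp 'binary' block, if any."""
    binary = pkg.get("binary") or {}
    host = binary.get("host")
    if not host:
        return None
    return host.rstrip("/") + "/" + binary.get("remote_path", "").lstrip("/")


def audit_packages(package_jsons, probe=probe_bucket):
    """package_jsons: iterable of package.json contents (str or dict).
    Returns findings; status 'missing' means the bucket name is up for grabs."""
    findings = []
    for doc in package_jsons:
        pkg = json.loads(doc) if isinstance(doc, str) else doc
        url = binary_url(pkg)
        if not url:
            continue
        bucket = bucket_from_url(url)
        if bucket is None:
            continue  # binaries hosted elsewhere (GitHub releases, own CDN, ...)
        findings.append({
            "package": f"{pkg.get('name', '?')}@{pkg.get('version', '?')}",
            "bucket": bucket,
            "url": url,
            "status": probe(bucket),
        })
    return findings


def audit_node_modules(root="node_modules", probe=probe_bucket):
    """Walk an installed tree and audit every package.json found under it."""
    docs = (p.read_text(encoding="utf-8") for p in Path(root).rglob("package.json"))
    return audit_packages(docs, probe)


# Constructed sample package.json documents (hypothetical packages and buckets).
SAMPLE_PACKAGES = [
    json.dumps({"name": "example-native-a", "version": "1.2.0",
                "binary": {"module_name": "native", "module_path": "./build",
                           "host": "https://example-native-a-binaries.s3.amazonaws.com",
                           "remote_path": "{module_name}/v{version}/"}}),
    json.dumps({"name": "example-native-b", "version": "0.9.1",
                "binary": {"module_name": "native", "module_path": "./build",
                           "host": "https://s3-us-west-2.amazonaws.com/example-native-b-dist",
                           "remote_path": "releases"}}),
    json.dumps({"name": "pure-js", "version": "3.0.0"}),
]

if __name__ == "__main__":
    for f in audit_packages(SAMPLE_PACKAGES):
        print(f"{f['status']:8} {f['package']:24} {f['bucket']}")
```

Running the script against the sample data performs live HEAD requests; in CI, call `audit_node_modules()` on the project's installed tree and fail the build on any "missing" finding. A bucket that does exist is not proof of safety, since it may already belong to an attacker, so a "exists" result for a bucket the maintainers no longer control still deserves a look, and the real fix for consumers is to pin and verify the hash of the downloaded binary rather than trust the host.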

Identifying this type of attack requires IT teams to monitor the strings contained within the file for abnormal behavior, noted Nachshon.

To prevent the same attack from recurring elsewhere, Checkmarx has now registered every abandoned bucket it has found referenced by open source packages. When someone now tries to reach the files hosted in those S3 buckets, they receive a disclaimer that the files were planted there by Checkmarx.

It’s not clear how many S3 buckets may have been compromised in this fashion, but as cybercriminals increasingly attack software supply chains, they are looking to exploit any weakness, noted Nachshon. Cybersecurity teams need to carefully review who can gain access to any element of those software supply chains, he added.

Of course, it’s still early days as far as the adoption of DevSecOps workflows is concerned, but progress is being made. The issue is that as additional vulnerabilities in software supply chains are discovered, organizations need to be able to respond accordingly. The challenge is that most application developers are creatures of habit, so getting them to change a process can take time.

One way or another, however, DevSecOps best practices will become more deeply embedded across the software development life cycle as pending legislation increasingly makes it a requirement. The challenge and the opportunity are to get ahead of those requirements today versus reacting to them tomorrow.


Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
