AWS Cloud Storage Service Vulnerable to Ransomware, Says New Research

New research from Ermetic shows Amazon Web Services (AWS) cloud storage is at high risk for ransomware due to high-risk identities and configuration errors.

In virtually all of the participating organizations, Ermetic found identities that, if compromised, would place at risk at least 90% of the Simple Storage Service (S3) buckets in an AWS account.

Ermetic identified the following findings in the organizations that would allow ransomware to reach and execute on AWS cloud storage:

• Over 70% of the environments had machines publicly exposed to the internet and identities whose permissions allowed the exposed machines to perform ransomware.
• Over 45% had third-party identities with the ability to perform ransomware by elevating their privileges to admin level. Ermetic said that’s an “astounding” finding with potentially harmful implications far beyond ransomware.
• Almost 80% had identity and access management (IAM) users with enabled access keys that had the ability to perform ransomware.

Major Ransomware Attack on AWS Inevitable

Shai Morag is Ermetic‘s CEO.

Ermetic Research’s Shai Morag

“Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” he said. “We found that in every single account we tested, nearly all of an organization’s S3 buckets were vulnerable to ransomware.”

It’s now a matter of when – not if – a major ransomware attack will hit AWS, Morag said.

Ermetic’s findings focus on single, compromised identities. In many ransomware campaigns, bad actors often move laterally to compromise multiple identities and use their combined permissions. That greatly increases their ability to access resources.

Erkang Zheng is founder and CEO of JupiterOne. He said AWS cloud storage has long become a standard for storing file object data.

JuipterOne’s Erkang Zheng

“We have seen a significant uptick recently in open S3 buckets being compromised simply because of misconfiguration,” he said. “If we can’t even set up a basic, secure cloud bucket with proper encryption and authorization and authentication, we will be even worse at securing actual vulnerabilities in the data storage systems themselves.”

Continuous Asset Monitoring Needed

AWS secures the infrastructure behind the scenes, Zheng said. However, it also makes it very flexible for users to configure the resources and their access.

“Understanding this flexibility and applying controls properly is your responsibility,” he said. “However, this amount of flexibility can sometimes get in the way and complicate things. Knowing what cyber assets exist at a given moment in time is difficult due to the ephemeral nature of cloud infrastructure. Organizations need continuous monitoring of their cyber assets to deliver the vigilance required to stop these accidental disclosures from happening in the future.”

Saumitra Das is CTO and co-founder of Blue Hexagon, a cloud-native artificial intelligence (AI) security provider.

Blue Hexagon’s Saumitra Das

“This report highlights the urgent need to detect threats in the cloud and not just focus on misconfigurations,” he said. “It also highlights that ransomware is not just an on-premises problem, but as the pandemic has accelerated cloud migration of workloads it has also accelerated cloud migration for attackers and ransomware criminal operators.”

Cloud Monitoring Important

It’s critical to monitor three things in the cloud, Das said. Those are:

• The runtime activity of identities in terms of what they are doing and from where.
• Cloud storage (S3) in terms of the read/write pattern and what is actually being stored.
• Network activity, which can highlight when instances either inadvertently or deliberately opened to the internet are brute-forced and then identities stored on those instances are used for lateral movement.

Keeping an eye on cloud infrastructure attacks can thwart attackers from gaining enough privilege and access to ransom the data.