Cloud Security, DevSecOps

Attacker seizes abandoned S3 bucket to launch malicious payloads

An abandoned AWS S3 bucket was seized by an unknown attacker and used to launch malicious payloads designed to steal user IDs, passwords, local machine environment variables, and local host names, before exfiltrating the data, according to Checkmarx. (Image credit: matejmo via Getty Images)

An unidentified attacker recently noticed the sudden abandonment of a once-active AWS S3 bucket and, recognizing an opportunity, seized it to launch malicious payloads.

Here’s how it happened: An NPM package named “bignum” has a component used during installation to download binary files, which were hosted on an Amazon AWS S3 bucket. If it could not reach the bucket, the software would then search locally for the binary.

But users who downloaded bignum also downloaded these malicious binaries, which were used to steal user IDs, passwords, local machine environment variables, and local host names, before exfiltrating the data, according to a June 15 blog post from Checkmarx.

“The basic idea here is that without altering a single line of code, attackers can poison open-source packages or repositories, and be easily unnoticed,” wrote Guy Nachshon, a software engineer at Checkmarx. “If a package references a file from a domain on the cloud (there are multiple package managers that work only by doing that), if the maintainer has deserted the domain or did not complete his payments, an attacker can just take over his domain and no one will know - resulting in an infected package.”

The main issue was that the distribution source for a binary package was an S3 bucket that appears to have been abandoned and then eventually deleted, said Patrick Tiquet, vice president, security and architecture at Keeper Security. Tiquet said it appears existing software was still using the S3 bucket as a distribution point; the malicious actor noticed this and simply created a new S3 bucket with the same name.

“This allowed the malicious actor to replace the binary package with a malicious binary that exfiltrated user and password information to an external location,” said Tiquet. “This could be a problem with not only distribution of software binaries, but IP addresses, domain names, externally referenced JavaScript libraries, and even disused subdomains. This scenario could repeat anywhere there’s a previously trusted distribution location that falls out of use and is abandoned. Once it's abandoned, a malicious actor could gain control of the address or location and use it to discreetly distribute malicious payloads.”

Nick Rago, Field CTO at Salt Security, added that developers rely on third-party, community-driven, open-source software packages and components as they build applications and services. Many of those third-party packages themselves rely on other third-party components, and those rely on others, and so on, said Rago.

“The hijacked S3 threat serves as a reminder that organizations must understand and check that all software dependencies, their sub-dependencies, and any repositories or hosting resources they rely on are properly vetted and then documented in a software bill of material so that the assets can be monitored,” said Rago. “Once an open source threat gets identified, it’s crucial that an organization has the ability to know if that threat applies to any of their systems.”
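As an added example (not code from the article or from Checkmarx), the following Node.js script inventories which installed dependencies fetch install-time binaries from an S3 bucket, so those hosting resources can be vetted and documented as Rago describes. It assumes packages declare the download location in the `binary.host` field of package.json (the node-pre-gyp convention, which the article does not name); the package names, bucket names and the `NODE_MODULES_DIR` variable are constructed for illustration.

```javascript
// Return the bucket name if `url` points at Amazon S3, else null.
function s3Bucket(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  const host = u.hostname.toLowerCase();
  const region = '(?:[.-][a-z0-9.-]+)?'; // optional region / dualstack part
  // Path style: s3[.-region].amazonaws.com/<bucket>/...
  if (new RegExp(`^s3${region}\\.amazonaws\\.com$`).test(host)) {
    return u.pathname.split('/')[1] || null;
  }
  // Virtual-hosted style: <bucket>.s3[.-region].amazonaws.com
  const m = host.match(new RegExp(`^(.+?)\\.s3${region}\\.amazonaws\\.com$`));
  return m ? m[1] : null;
}

// List every manifest whose install-time binary host (assumed: binary.host) is on S3.
function findS3Binaries(manifests) {
  return manifests.flatMap((pkg) => {
    const host = pkg && pkg.binary && pkg.binary.host;
    const bucket = typeof host === 'string' ? s3Bucket(host) : null;
    return bucket ? [{ pkg: `${pkg.name}@${pkg.version}`, bucket, host }] : [];
  });
}

// Collect package.json manifests under a node_modules tree (scoped and nested).
function loadManifests(dir, out = []) {
  const fs = require('fs'), path = require('path');
  for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
    if (!e.isDirectory()) continue;
    const p = path.join(dir, e.name);
    if (e.name.startsWith('@')) { loadManifests(p, out); continue; }
    try { out.push(JSON.parse(fs.readFileSync(path.join(p, 'package.json'), 'utf8'))); } catch (err) {}
    const nested = path.join(p, 'node_modules');
    if (fs.existsSync(nested)) loadManifests(nested, out);
  }
  return out;
}

// Constructed sample manifests (hypothetical packages and buckets).
const SAMPLE = [
  { name: 'native-a', version: '1.0.0', binary: { host: 'https://example-bucket-a.s3-us-west-2.amazonaws.com' } },
  { name: 'native-b', version: '2.1.0', binary: { host: 'https://s3.amazonaws.com/example-bucket-b/releases' } },
  { name: 'native-c', version: '0.3.0', binary: { host: 'https://github.com/example/native-c/releases/download/' } },
  { name: 'pure-js', version: '4.0.0' },
];

// Set NODE_MODULES_DIR (hypothetical variable) to scan a real tree; otherwise use the sample.
const dir = process.env.NODE_MODULES_DIR;
console.log(findS3Binaries(dir ? loadManifests(dir) : SAMPLE));
```

Each bucket in the output is a hosting resource to record alongside the dependency and to confirm is still owned by the package's maintainer.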
