
‘Toxic permissions’ leave AWS S3 buckets vulnerable to ransomware


Researchers on Thursday brought to light what they called the “toxic combination of overprivileged identities and poorly configured environments” that can potentially expose data.

In a blog post, Ermetic researchers said that the “dozens of environments” they surveyed had identities with a risk factor as well as the ability to perform ransomware on at least 90% of the buckets in an AWS account. They also reported that more than 70% of the environments had machines publicly exposed to the internet and identities whose permissions let the exposed machines perform ransomware.

According to the researchers, more than 45% of the environments had third-party identities with the ability to perform ransomware by elevating their privileges to the admin level. And almost 80% of the environments had identity and access management (IAM) users with enabled access keys that had not been used for 180 days or more and also had the ability to perform ransomware.

The Ermetic team sampled real-world cloud environments to discover all the identities and what they called "toxic permissions" combinations. They also reviewed the configurations of the potentially exposed S3 buckets and analyzed the security posture of the identities. To generate the data, the researchers used the Ermetic cloud analytics platform to automate the research process so they could gather and compile the relevant configurations.

Cloud services today are built almost 100% on third-party tools, said Mohit Tiwari, co-founder and CEO at Symmetry Systems. “Think CI/CD roles, monitoring tools, platform-services for data stores, lambdas, and machine learning — all with a thin shim of a company’s specific identities,” Tiwari said. These identities can write to data and can evidently “ransomware” the data as well, which Tiwari said likely explains the number of risky sounding identities in the Ermetic report.

“However, third parties alone are not risky because first-party identities can also be phished or exploited and be risky," Tiwari said. “Numbers will likely show that OWASP attacks and phished identities have been extremely durable threats. Reports that create fear, uncertainty, and doubt about cloud IAM belie the fact that by providing an open, programmable interface for permissions, the cloud enables the best security tools to scale organizationwide. Organizations that embrace security automation — and start with what matters, their data — will find the cloud to be far more secure than crusty on-premise environments.”

Saryu Nayyar, CEO of Gurucul, pointed out that identities are the easiest doorway into a network, serving as the quickest pathway to the enterprise’s kingdom of valuable assets. An identity consists of the user or entity, their accounts, and entitlements and access privileges. Gaining access to these is the root cause of most data breaches and theft, Nayyar said.

“Part of the challenge facing organizations today lies in the functional gap that often exists between IAM and security teams,” Nayyar said. “While security is focused on malware detection, finding threats, and delivering responses, IAM teams focus on providing access, often in excess. They are too often working at cross-purposes regarding critical elements of the same access risk and threat plane. Herein lies the dilemma. For success to occur, IT and SOCs must agree that the compromise and misuse of identity are at the core of modern threats and they need to collaborate effectively. Identity is an access risk and threat plane that must have its surface area reduced and then monitored for compromise and abuse.”

Chad Anderson, senior security researcher at DomainTools, said from compromised identities to misconfigured cloud resources, object stores provide a dangerous attack vector for ransomware affiliates.

“Almost every cloud object store, S3 included, provides an encryption method with a self-provided key,” Anderson said. “Given a misconfigured bucket or stolen credentials and less than a few minutes, any knowledgeable attacker can encrypt a bucket’s resources and demand a ransom. This is where cloud tools and their ease of use and adoptability can truly bite teams using them to move fast in today's environments.”
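The encryption-with-a-customer-key mechanism Anderson describes leaves a footprint in CloudTrail S3 data events, which a defender can watch for. The following is an added detection example, not code from the Ermetic report or from any of the vendors quoted; it assumes CloudTrail data events are enabled on the bucket and that SSE-C writes carry the `x-amz-server-side-encryption-customer-algorithm` header in `requestParameters`. The sample records are constructed, not real log data.

```python
"""Flag bursts of S3 writes that use a customer-provided key (SSE-C)."""
from collections import defaultdict
from datetime import datetime, timezone

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
# Object-writing API calls that can re-encrypt data under a key AWS never stores.
WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}


def is_ssec_write(event):
    """True when the record is an object write that supplied its own key."""
    params = event.get("requestParameters") or {}
    return event.get("eventName") in WRITE_EVENTS and params.get(SSEC_HEADER) == "AES256"


def ssec_bursts(events, threshold=3, window_seconds=300):
    """Return {(principal_arn, bucket): peak_count} for principals that performed
    at least `threshold` SSE-C writes into one bucket inside a sliding window."""
    by_key = defaultdict(list)
    for ev in events:
        if not is_ssec_write(ev):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_key[(ev["userIdentity"].get("arn"), ev["requestParameters"].get("bucketName"))].append(ts)
    alerts = {}
    for key, times in by_key.items():
        times.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_seconds:
                j += 1
            if i - j + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), i - j + 1)
    return alerts


def _ev(name, arn, bucket, when, ssec=True):
    """Build a constructed CloudTrail-style record for the demo (not real log data)."""
    params = {"bucketName": bucket, "key": "data/file.bin"}
    if ssec:
        params[SSEC_HEADER] = "AES256"
    return {"eventName": name, "eventTime": when, "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed sample: a CI role writing normally, one analyst SSE-C upload (benign, below
# threshold) and a long-unused IAM user re-encrypting objects in place via CopyObject.
SAMPLE_EVENTS = [
    _ev("PutObject", "arn:aws:iam::111122223333:role/ci-deploy", "prod-data", "2021-09-09T10:00:00Z", ssec=False),
    _ev("PutObject", "arn:aws:iam::111122223333:user/analyst", "prod-data", "2021-09-09T10:05:00Z"),
    _ev("CopyObject", "arn:aws:iam::111122223333:user/stale-key-user", "prod-data", "2021-09-09T11:00:00Z"),
    _ev("CopyObject", "arn:aws:iam::111122223333:user/stale-key-user", "prod-data", "2021-09-09T11:00:30Z"),
    _ev("CopyObject", "arn:aws:iam::111122223333:user/stale-key-user", "prod-data", "2021-09-09T11:01:00Z"),
]

if __name__ == "__main__":
    print(ssec_bursts(SAMPLE_EVENTS))
```

Detection is the fallback; where no workload legitimately needs SSE-C, a bucket policy that denies `s3:PutObject` when the `s3:x-amz-server-side-encryption-customer-algorithm` condition key is present removes the technique outright.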
