Abandoned S3 buckets used to spread malware
Cybersecurity researchers at Checkmarx have warned that abandoned Amazon Simple Storage Service (S3) buckets can be used to spread malware.
It started with an NPM package named “bignum”, which at install time downloaded a prebuilt binary from an Amazon AWS S3 bucket. Users who installed bignum while the bucket was under an attacker's control unwittingly received a malicious binary that harvested their data. When the bucket was unreachable, the package instead fell back to building the binary locally from source.
In a blog post, Checkmarx researcher Guy Nachshon described how threat actors can take control of abandoned S3 buckets and use them to distribute malicious binaries. Nachshon explained that many open-source software packages rely on S3 buckets to distribute binary files, and that an abandoned bucket can still serve as a distribution point for malicious binaries.
This is because a package that downloads a binary from an S3 bucket keeps pointing at that bucket's URL even after the bucket has been deleted. S3 bucket names are globally unique and become available again once the original bucket is gone, so an attacker can recreate a bucket under the same name and place a malicious binary where the legitimate one used to be. Anyone who then installs the package downloads the malicious binary.
According to Checkmarx, the problem arose because the package's binary was hosted in an S3 bucket that was later abandoned. Even after the bucket had been deleted, existing versions of the package continued to reference it when fetching their binaries. Once a malicious actor noticed this, they created a new S3 bucket with the identical name and placed a malicious binary in it in place of the legitimate one; that binary harvested user data and transferred it to a remote server.
The malicious binary can then be used to steal user data such as login credentials and credit card numbers. Nachshon said his team had found dozens of open-source software packages exposed to this attack.
He urged software developers to check their dependencies and make sure that they are not using any open-source software packages that are vulnerable to this attack. He also urged cloud service providers to take steps to secure abandoned S3 buckets.
The sources for this piece include an article in HackRead.