About 90% of Amazon S3 buckets are vulnerable to ransomware attacks due to a combination of high-risk identities and configuration errors, a survey by Ermetic has revealed.
With organizations moving the bulk of their data to the cloud, platforms like AWS are at risk of ransomware attacks. A recent survey conducted by Ermetic found that organizations used cloud identities that, if compromised, would place at least 90% of the S3 buckets in an AWS account at risk.
The Ermetic survey set out to study the security posture of AWS environments and their exposure to ransomware, and to help organizations identify the gaps they need to close to mitigate the risk.
Even though Amazon S3 itself is highly reliable, very little protects the data it holds from identities that have permissions to control it. Once compromised, these identities become the soft underbelly that exposes organizations to substantial ransomware risk, with potentially enormous and costly business impact.
“Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” said Shai Morag, CEO of Ermetic.
“We found that in every single account we tested, nearly all of an organization’s S3 buckets were vulnerable to ransomware. Therefore, we can conclude that it’s not a matter of if, but when, a major ransomware attack on AWS will occur.”
The research findings were alarming, Morag said. “The company’s exposure to ransomware is much greater than we expected. The results reveal that a malicious actor can perform a simple ‘smash and grab’ operation: using one compromised identity to execute ransomware immediately. But in reality, many ransomware campaigns are much more sophisticated.”
“It is likely that an attacker will seek to move laterally, compromising more than one identity and exploiting additional, less straightforward risk factors to carry out an attack of much greater scope,” he added.
The survey by Ermetic revealed the following factors which would enable ransomware actors to infiltrate and operate on Amazon S3 buckets:
- Overall, every corporate environment investigated had identities at risk of compromise that could carry out ransomware operations on almost 90% of the buckets in the AWS account.
- About 70% of the environments had machines openly accessible from the internet, together with identities whose permissions would allow those exposed machines to run ransomware.
- Third-party identities able to carry out ransomware by escalating their privileges to admin level were found in over 45% of the environments (a striking result with ramifications well beyond the ransomware focus of this research).
- IAM users with active access keys that had not been used for 180 days or more were found in over 80% of the environments; such keys give an attacker a ready-made way to execute ransomware.
It’s worth noting that these results are limited to single compromised identities. In practice, ransomware actors frequently move laterally to compromise several identities and combine their permissions, substantially increasing the access they can gain.
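The two findings above that an auditor can check directly are identities whose permissions are enough to ransom a bucket, and active access keys unused for 180 days or more. The script below is an added example, not Ermetic's tooling: it evaluates an IAM policy document for S3 actions that destroy data or defeat recovery (our own working list, not an official AWS one), contrasts an over-broad "backup job" policy with a least-privilege version, and flags stale active keys. The policy documents and key records are constructed inline so it runs offline; in a real account they would come from iam:GetPolicyVersion, iam:ListAccessKeys and iam:GetAccessKeyLastUsed.

```python
"""Audit an IAM identity for two of the survey's risk factors: permissions
that can destroy or lock up S3 data, and access keys still Active but
unused for 180+ days. Added example; sample data is constructed."""
import fnmatch
from datetime import datetime, timedelta, timezone

# S3 actions that can be used to destroy data or defeat recovery controls.
# Assumption: our own working list. s3:PutObject is left out because an
# overwrite is recoverable while versioning is on; suspending versioning is
# what makes it destructive, and that action is listed.
RANSOMWARE_ACTIONS = {
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutBucketVersioning",         # can suspend versioning
    "s3:PutLifecycleConfiguration",   # can expire objects almost immediately
    "s3:PutObjectRetention",          # can weaken Object Lock retention
    "s3:BypassGovernanceRetention",
    "s3:PutEncryptionConfiguration",  # can point the bucket at a foreign KMS key
}
STALE_AFTER = timedelta(days=180)


def _as_list(value):
    """IAM lets Statement/Action/NotAction be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def risky_actions(policy_doc):
    """Return the ransomware-relevant actions an IAM policy document allows.

    Only Allow statements are considered; Deny statements and Resource /
    Condition scoping are ignored, so the result over-approximates, which
    is the safe direction for an audit."""
    allowed = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction allows everything except the listed patterns.
            excluded = _as_list(stmt["NotAction"])
            allowed.update(a for a in RANSOMWARE_ACTIONS
                           if not any(_matches(a, p) for p in excluded))
        for pattern in _as_list(stmt.get("Action", [])):
            allowed.update(a for a in RANSOMWARE_ACTIONS if _matches(a, pattern))
    return allowed


def stale_active_keys(keys, now):
    """Return (user, key id) for keys that are Active but unused for 180+ days.

    A key with no LastUsedDate has never been used and also counts as stale."""
    stale = []
    for key in keys:
        if key["Status"] != "Active":
            continue
        last = key.get("LastUsedDate")
        if last is None or now - last >= STALE_AFTER:
            stale.append((key["UserName"], key["AccessKeyId"]))
    return stale


# --- constructed sample data -------------------------------------------------
NOW = datetime(2022, 1, 1, tzinfo=timezone.utc)

# A typical "backup job" policy: reads plus a broad Delete* glob and the right
# to change versioning, which together are enough to ransom the bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:Delete*",
         "Resource": "arn:aws:s3:::backups/*"},
        {"Effect": "Allow", "Action": "s3:PutBucketVersioning",
         "Resource": "arn:aws:s3:::backups"},
    ],
}

# The least-privilege version: the job only needs to write new objects.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"]},
    ],
}

# Shape follows iam:ListAccessKeys plus LastUsedDate from
# iam:GetAccessKeyLastUsed; user names and key ids are made up.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLEKEY000001",
     "Status": "Active", "LastUsedDate": NOW - timedelta(days=12)},
    {"UserName": "backup-svc", "AccessKeyId": "AKIAEXAMPLEKEY000002",
     "Status": "Active", "LastUsedDate": NOW - timedelta(days=245)},
    {"UserName": "legacy-ci", "AccessKeyId": "AKIAEXAMPLEKEY000003",
     "Status": "Active", "LastUsedDate": None},
    {"UserName": "old-admin", "AccessKeyId": "AKIAEXAMPLEKEY000004",
     "Status": "Inactive", "LastUsedDate": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    print("over-broad policy allows:", sorted(risky_actions(OVERBROAD_POLICY)))
    print("least-privilege policy allows:", sorted(risky_actions(LEAST_PRIVILEGE_POLICY)))
    print("stale active keys:", stale_active_keys(SAMPLE_KEYS, NOW))
```

The over-broad policy resolves to four destructive actions because the `s3:Delete*` glob silently covers object, version and bucket deletion; the least-privilege policy resolves to none, which is the target state for the "deploy minimum privilege" recommendation later in the article. Resource and Condition scoping are deliberately ignored here; a policy scoped to one bucket is still a finding if that bucket is the one holding the backups.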
Ways to Mitigate
The research sample indicates that millions of organizations currently using S3 for data storage are vulnerable to ransomware attacks. The high likelihood of exposure to even simple ransomware operations is a clear call for cloud security stakeholders to take mitigating steps.
Steps that organizations can take to mitigate the exposure of their AWS S3 buckets to ransomware:
- Deploy minimum privilege – implement an authorization model that grants identities only the minimum entitlements required for their business function, so that a compromised identity cannot reach buckets with ransomware.
- Reduce potential risks – apply best practices to avoid or remove the common misconfigurations that ransomware actors use to compromise identities and run malware.
- Implement logging and monitoring with CloudTrail and CloudWatch to flag sensitive actions, enabling early detection and response in the event of a ransomware attack.
- Prevent deletion – use the out-of-the-box S3 features and settings, such as MFA Delete and Object Lock, to block malicious deletions.
- Configure critical buckets to replicate their data automatically to a separate, protected, dedicated bucket that can be used for restore.
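The logging and monitoring step is only useful if something actually evaluates the CloudTrail records. The script below is an added example, not part of the article and not an AWS-provided rule set: it runs three ransomware-oriented detections over S3 CloudTrail events: versioning being suspended on a bucket, a lifecycle configuration change (an attacker's way to expire objects), and a burst of deletes from one identity inside a short window. The records are constructed inline in the shape of CloudTrail JSON events (eventName, eventTime, userIdentity.arn, requestParameters); the lifecycle event names are an assumption, and the object-level delete events only appear in CloudTrail if S3 data-event logging is turned on for the bucket.

```python
"""Ransomware-oriented detections over S3 CloudTrail records.
Added example; the sample log below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DELETE_EVENTS = {"DeleteObject", "DeleteObjects"}
# Assumption: CloudTrail event names for lifecycle changes.
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "DeleteBucketLifecycle"}


def _when(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records, burst_threshold=50, window=timedelta(minutes=5)):
    """Return (rule, actor arn, bucket) alerts in event order.

    versioning_suspended  PutBucketVersioning with Status=Suspended
    lifecycle_changed     any lifecycle change on a bucket
    delete_burst          burst_threshold deletes by one actor inside window
                          (fires once per actor when the threshold is reached)
    """
    alerts = []
    recent = defaultdict(deque)  # actor arn -> timestamps of recent deletes
    for rec in sorted(records, key=_when):
        name = rec["eventName"]
        actor = rec["userIdentity"]["arn"]
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if name == "PutBucketVersioning":
            status = params.get("VersioningConfiguration", {}).get("Status")
            if status == "Suspended":
                alerts.append(("versioning_suspended", actor, bucket))
        elif name in LIFECYCLE_EVENTS:
            alerts.append(("lifecycle_changed", actor, bucket))
        elif name in DELETE_EVENTS:
            q = recent[actor]
            t = _when(rec)
            q.append(t)
            while t - q[0] > window:   # drop deletes older than the window
                q.popleft()
            if len(q) == burst_threshold:
                alerts.append(("delete_burst", actor, bucket))
    return alerts


def _event(name, actor, when, bucket="backups", **params):
    """Build a minimal CloudTrail-style record (constructed test data)."""
    params["bucketName"] = bucket
    return {"eventName": name,
            "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "userIdentity": {"arn": actor},
            "requestParameters": params}


# --- constructed sample log --------------------------------------------------
ATTACKER = "arn:aws:iam::111122223333:user/backup-svc"   # compromised key
ANALYST = "arn:aws:iam::111122223333:role/DataAnalyst"   # normal user
T0 = datetime(2021, 12, 1, 10, 0, 0)

SAMPLE_RECORDS = (
    # Normal activity: a handful of deletes spread over half an hour.
    [_event("DeleteObject", ANALYST, T0 + timedelta(minutes=10 * i), key=f"tmp/{i}")
     for i in range(4)]
    # Attack: suspend versioning, set a lifecycle rule, then mass-delete.
    + [_event("PutBucketVersioning", ATTACKER, T0 + timedelta(seconds=5),
              VersioningConfiguration={"Status": "Suspended"}),
       _event("PutBucketLifecycle", ATTACKER, T0 + timedelta(seconds=30))]
    + [_event("DeleteObject", ATTACKER, T0 + timedelta(minutes=1, seconds=i),
              key=f"db/dump-{i}.sql")
       for i in range(60)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(*alert)
```

On the sample log the analyst's four deletes never trip the burst rule because they are ten minutes apart, while the attacker produces all three alerts in sequence. The versioning and lifecycle rules are the ones worth paging on: they fire before the destructive step, and with MFA Delete or Object Lock in place they are also the calls that should be failing.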
The findings are a wake-up call for every cloud security stakeholder to improve the ransomware protection of their environment. S3 buckets are frequently used as a backup location for sensitive data. If not properly protected, these ‘safety’ buckets can, unfortunately, weaken an organization's defenses by adding to the number of buckets available as targets.
The good news is that cloud-native mechanisms are readily available that, if applied correctly, can help protect cloud environments from ransomware by reducing the exposure of AWS S3 buckets and mitigating potential risks, Morag suggested.