New research from Ermetic finds the majority of AWS accounts surveyed are vulnerable to ransomware, citing high risk identities and configuration errors that expose Amazon S3 buckets to compromise:
Ermetic researchers identified the following findings in the organizations they evaluated which would allow ransomware to reach and execute on Amazon S3 buckets:
- Overall, every enterprise environment studied had identities at risk of being compromised and that could perform ransomware on at least 90% of the buckets in an AWS account
- Over 70% of the environments had machines that were publicly exposed to the internet and identities whose permissions allowed the exposed machines to perform ransomware
- Over 45% of the environments had third party identities with the ability to perform ransomware by elevating their privileges to admin level (an astounding finding with far-reaching implications beyond the ransomware focus of this research)
- Almost 80% of the environments contained IAM Users with enabled access keys that had not been used for 180 days or more, and had the ability to perform ransomware
It’s important to note that these findings focus on single, compromised identities. In many ransomware campaigns, bad actors often move laterally to compromise multiple identities and use their combined permissions, greatly increasing their ability to access resources.
That’s not trivial given how popular using Amazon S3 buckets happen to be. Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say:
“This report highlights the urgent need to “detect threats” in the cloud and not just focus on misconfigurations. Research from Cloud Security Alliance shows that even if misconfigurations are detected in S3 buckets or IAM access keys not being used for a long time, it takes a while for these to get detected and remediated – sometimes days, weeks and even months. It also highlights that ransomware is not just an on-premises problem but as the pandemic has accelerated cloud migration of workloads it has also accelerated cloud migration for attackers and ransomware criminal operators.”
“It is critical to monitor 3 things in the cloud:
- Runtime activity of identities in terms of what they are doing and from where
- Cloud storage (S3) in terms of not just the permissions and configurations but actually the read/write pattern and what is actually being stored in there.
- Network activity which can highlight when instances either inadvertently or deliberately opened to the Internet are brute-forced and then identities stored on those instances are used for lateral movement.”
“You cannot guarantee that mistakes like identities being enabled for too long, too permissive, leaked in code will not happen. They can only be reduced. On the other hand, keeping an eye on active attacks on the cloud infrastructure can thwart attackers from gaining enough privilege and access to ransom the data.”
It’s clear that companies need to up their threat detection efforts to extend to the cloud to ensure that they are fully secure.