New research from Ermetic The Urgent Threat of Ransomware to S3 Buckets. Researchers detail how compromised identities could easily deliver ransomware into the system.
Here’s the overview of the research.
AWS S3 buckets are regarded as highly reliable, so have come to be used with great confidence. What most cloud security stakeholders don’t realize is that S3 buckets face a great security risk, from an unexpected source: identities. A compromised identity with a toxic combination of entitlements can easily perform ransomware on an organization’s data.
In recent research, we used the Ermetic analysis engine on a sampling of real environments to uncover toxic scenarios in which all the following factors were true:
- An identity had a permissions combination that enabled it to perform ransomware
- Effective mitigation features were not enabled on the S3 buckets to which the identity had access
- The identity was exposed to one or more risk factors, such as public exposure to the internet, that could lead to its being compromised
The study revealed very high potential for ransomware in organizations’ environments. Key findings included:
- Overall, every environment surveyed had identities with a risk factor as well as the ability to perform ransomware on at least 90% of the buckets in an AWS account
- Over 70% of the environments had machines publicly exposed to the internet and identities whose permissions allowed the exposed machines to perform ransomware
- Over 45% of the environments had third-party identities with the ability to perform ransomware by elevating their privileges to admin level (an astounding finding with potentially harmful implications far beyond ransomware that we will explore another time)
- Almost 80% of the environments had IAM users with enabled access keys that had not been used for 180 days or more, and that had the ability to perform ransomware
These findings, which focus on “smash and grab” operations involving a single, compromised identity, reveal a grave situation. In targeted campaigns, bad actors may move laterally to compromise multiple identities and use their combined permissions, greatly improving their ability to execute ransomware.