Sunday, May 5, 2024

Hackers Use New Exploit Technique to Hijack S3 Buckets

Researchers have found that threat actors can take over expired Amazon S3 buckets and use them to serve rogue binaries without modifying the packages that download from those buckets.

After harvesting user names, passwords, local environment variables, and the local hostname, the malicious binaries exfiltrate the stolen data back to the hijacked bucket.

The attack was first noticed in the npm package bignum. Up to version 0.13.0, bignum relied on an Amazon S3 bucket, via the node-pre-gyp addon, to download pre-built binary builds during installation.

According to a report from Checkmarx, attackers planted malicious binaries in the S3 bucket that served the pre-built binaries for the npm package “bignum” without changing a single line of the package's code.

“These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malware that exfiltrates data from the user’s computer”, according to a GitHub advisory posted on May 24, 2023.

What are “S3 Buckets”?

An S3 bucket is a container in Amazon Simple Storage Service, a storage offering from Amazon Web Services (AWS), used to store and retrieve large volumes of data over the internet.

S3 is a scalable, secure object storage service that can hold any kind of digital content, including files, documents, photos, and videos.

S3 buckets are frequently used for various purposes, including hosting websites, data backup and archiving, content distribution, and application data storage since they can be accessed using specific URLs.

Taking Control of an Abandoned S3 Bucket

An unknown attacker noticed that a previously active AWS bucket had been abruptly abandoned. Spotting an opening, the attacker claimed the abandoned bucket.

As a result, each time bignum was installed or reinstalled, users unknowingly downloaded the malicious binary that the attacker had placed in the bucket.

Every AWS S3 bucket needs a globally unique name. Once a bucket is deleted, its name becomes available for anyone to register. If a package used that bucket as its download source, the bucket's deletion does not change the pointer in the package: it keeps referring to the same bucket name.

Because of this anomaly, the attacker could redirect that pointer to the hijacked bucket simply by re-creating the bucket under the old name.

“If a package pointed to a bucket as its source, the pointer would continue to exist even after the bucket’s deletion,” researchers said. 

“This abnormality allowed the attacker to reroute the pointer toward the taken-over bucket.”
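The pointer the researchers describe is the prebuilt-binary host in a package's node-pre-gyp configuration. The following added example (not code from the bignum project, Checkmarx, or this article) is a defender-side audit that extracts the S3 bucket name from such a host URL, flags buckets outside an allowlist, and interprets an S3 "NoSuchBucket" response as a sign that the name is unclaimed and could be registered by anyone. The package.json content and bucket names are constructed placeholders.

```python
"""Audit node-pre-gyp 'binary.host' settings for S3 buckets that are not allowlisted.
Added example for this article; not code from bignum, node-pre-gyp, or Checkmarx."""
import json
import re
from urllib.parse import urlparse

# Matches virtual-hosted S3 URLs (bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com)
# and the host part of path-style URLs (s3.amazonaws.com/bucket, s3.<region>.amazonaws.com/bucket).
_VHOST = re.compile(r"^(?P<bucket>[a-z0-9.-]{3,63})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
_PATH_HOST = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_bucket_from_url(url: str):
    """Return the bucket name an S3 URL refers to, or None if it is not an S3 URL."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    m = _VHOST.match(host)
    if m:
        return m.group("bucket")
    if _PATH_HOST.match(host):
        return u.path.strip("/").split("/", 1)[0] or None
    return None


def audit_package_json(text: str, allowed_buckets):
    """Parse a package.json and check where its prebuilt binaries come from.
    Returns (bucket_or_None, verdict)."""
    binary = json.loads(text).get("binary") or {}
    host = binary.get("host")
    if not host:
        return None, "no prebuilt-binary host configured"
    bucket = s3_bucket_from_url(host)
    if bucket is None:
        return None, f"non-S3 host {host!r}: review manually"
    if bucket in allowed_buckets:
        return bucket, "allowed"
    return bucket, "S3 bucket not on allowlist: verify ownership before installing"


def looks_unclaimed(status: int, body: str) -> bool:
    """Interpret a GET on the bucket URL: S3 answers 404 with the NoSuchBucket
    error code when no account owns that name, i.e. anyone could register it."""
    return status == 404 and "NoSuchBucket" in body


# Constructed sample: follows the shape of a node-pre-gyp 'binary' stanza; bucket name is a placeholder.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "some-native-addon", "version": "0.13.0",
    "binary": {"module_name": "addon", "module_path": "./binding/",
               "host": "https://example-addon-binaries.s3.amazonaws.com"}})
```

Run against a real package.json, a flagged bucket should be checked with an HTTP GET on the bucket URL and, if `looks_unclaimed` is true, the package should be built from source instead of downloading a binary.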

The bucket is hijacked by the attack

Reverse engineering of the malware sample showed that it steals user credentials and environment information and uploads them to the same hijacked bucket.

According to Checkmarx, several other packages were also relying on abandoned S3 buckets, leaving them exposed to the same attack vector. The finding shows that threat actors are continually looking for new ways to compromise the software supply chain.

Cyber Security News learned that this new attack vector could have far-reaching effects. If an attacker claims a bucket as soon as it is abandoned, the threat it poses could be considerable.

Organizations and developers that use pinned versions or artifact repositories face an additional risk, since their builds will keep fetching from the original, now-hijacked bucket.

Guru baran (https://gbhackers.com)

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
