Hackers Use New Exploit Technique to Hijack S3 Buckets

Researchers have found that threat actors can take over abandoned Amazon S3 buckets and use them to push malicious binaries to a package's users without changing a single line of the package's own code.

The malicious binaries harvest user names, passwords, the local machine's environment variables and its hostname, then exfiltrate that data to the same hijacked bucket.

The attack was first noticed on the npm package bignum. Up to version 0.13.0, bignum used the node-pre-gyp tool during installation to download a pre-built binary of its native addon from an Amazon S3 bucket instead of compiling it locally.

According to research shared by Checkmarx, the attackers placed malicious binaries in the S3 bucket that served the pre-built binaries for the npm package bignum, without changing a single line of the package's code.

“These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malware that exfiltrates data from the user’s computer”, according to a GitHub advisory posted on May 24, 2023.

What are “S3 Buckets”?

Amazon S3 (Simple Storage Service) is an object storage service offered by Amazon Web Services (AWS). A bucket is the container in which objects are stored and from which they are retrieved over the internet, and it scales to very large volumes of data.

S3 can hold any kind of digital content, including files, documents, photos and videos, and access to a bucket and its objects is controlled by AWS IAM and bucket policies.

Because every object in a bucket can be addressed by a URL, S3 buckets are frequently used for hosting static websites, data backup and archiving, content distribution, and application data storage, including the pre-built binaries that package installers download.

Taking Control of an Abandoned S3 Bucket

At some point the S3 bucket that had served bignum's pre-built binaries was deleted by its owner. An unknown attacker noticed that the bucket name had become available and registered it under their own AWS account.

From then on, every fresh install or reinstall of an affected bignum version fetched the malicious binary the attacker had uploaded in place of the legitimate one.

Every S3 bucket name is globally unique across all AWS accounts, and once a bucket is deleted its name becomes free for anyone to register. Nothing about a package that points at that bucket changes when the bucket is deleted: the install script still downloads from the same URL, so whoever re-registers the name controls what gets installed.

This is what allowed the attacker to redirect the package's download pointer to the hijacked bucket.

“If a package pointed to a bucket as its source, the pointer would continue to exist even after the bucket’s deletion,” researchers said. 

“This abnormality allowed the attacker to reroute the pointer toward the taken-over bucket.”
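The following Python script is an added example, not code from Checkmarx, the bignum maintainers or this article. It shows the two checks a practitioner would want after reading the above: find every installed package whose manifest pulls a pre-built binary from a node-pre-gyp `binary.host` URL, and tell whether the S3 bucket behind that URL still exists or is free to be re-registered. The package name, bucket name and manifest in `SAMPLE_PACKAGE_JSON` are constructed for the example; the S3 response codes it classifies (404 `NoSuchBucket` when no bucket of that name exists anywhere, 403 `AccessDenied` or 200 when it does) are S3's documented behaviour.

```python
import json
import os
import re
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed sample manifest (hypothetical package and bucket, not bignum's
# real package.json). The "binary" object is the node-pre-gyp convention:
# "host" is where the pre-built addon tarball is fetched from when the
# install script runs. That download is not recorded in package-lock.json,
# so pinning the package version does not pin where the binary comes from.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-native-addon",
    "version": "0.12.0",
    "dependencies": {"@mapbox/node-pre-gyp": "^1.0.0"},
    "scripts": {"install": "node-pre-gyp install --fallback-to-build"},
    "binary": {
        "module_name": "example_native_addon",
        "module_path": "./binding/",
        "host": "https://example-native-addon.s3.amazonaws.com",
        "remote_path": "./{module_name}/v{version}/{configuration}/",
        "package_name": "{module_name}-v{version}-{node_abi}-{platform}-{arch}.tar.gz",
    },
})

# S3 endpoint hostnames: virtual-hosted style (<bucket>.s3.amazonaws.com,
# <bucket>.s3.<region>.amazonaws.com, <bucket>.s3-<region>.amazonaws.com)
# and path-style (s3.amazonaws.com/<bucket>/..., s3.<region>.amazonaws.com/<bucket>/...).
S3_HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?"
    r"s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$"
)


def s3_bucket_from_url(url):
    """Return the bucket name a host URL resolves to, or None if it is not S3."""
    parsed = urlparse(url)
    m = S3_HOST_RE.match(parsed.hostname or "")
    if not m:
        return None
    if m.group("bucket"):
        return m.group("bucket")
    # Path-style URL: the bucket is the first path segment.
    segments = [s for s in parsed.path.split("/") if s]
    return segments[0] if segments else None


def prebuilt_binary_sources(package_json_text):
    """Return [(package, host, bucket)] if this manifest fetches a pre-built binary."""
    pkg = json.loads(package_json_text)
    host = (pkg.get("binary") or {}).get("host")
    if not host:
        return []
    return [(pkg.get("name", "?"), host, s3_bucket_from_url(host))]


def scan_node_modules(root):
    """Walk an installed tree and list every package that downloads a binary at install."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                found.extend(prebuilt_binary_sources(fh.read()))
            except ValueError:  # malformed manifest, skip it
                continue
    return found


def classify_bucket_response(status, body):
    """Classify an unauthenticated GET on https://<bucket>.s3.amazonaws.com/.

    404 with <Code>NoSuchBucket</Code>: no bucket of that name exists, so the
    name can be registered by anyone (takeover possible). 403, 200, or a
    redirect to another region: the bucket exists.
    """
    if status == 404 and "<Code>NoSuchBucket</Code>" in body:
        return "claimable"
    if status in (200, 301, 307, 403):
        return "exists"
    return "unknown"


def probe_bucket(bucket, timeout=10):
    """Network check: (HTTP status, body) from a GET on the bucket root."""
    req = Request(f"https://{bucket}.s3.amazonaws.com/",
                  headers={"User-Agent": "s3-takeover-audit"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Swap SAMPLE_PACKAGE_JSON for scan_node_modules("node_modules") on a real tree.
    for name, host, bucket in prebuilt_binary_sources(SAMPLE_PACKAGE_JSON):
        if bucket is None:
            print(f"{name}: binary host {host} is not S3, review it separately")
            continue
        verdict = classify_bucket_response(*probe_bucket(bucket))
        print(f"{name}: host={host} bucket={bucket} -> {verdict}")
```

A "claimable" verdict on a bucket that an installed package still points at is exactly the bignum situation before the attacker moved in; an "exists" verdict says nothing about who owns the bucket now, so a package whose bucket changed hands after the package was published still needs its binaries verified against a checksum or built from source with `--build-from-source`.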

What the hijacked bucket served

Reverse engineering of the malware sample showed that it collects user credentials and environment information from the infected machine and uploads them to the same hijacked bucket.

According to Checkmarx, several other packages were still pointing at abandoned S3 buckets, leaving them open to the same attack vector. If anything, the finding shows that threat actors are continually looking for new ways to compromise the software supply chain.

Cyber Security News learned that the impact of this attack vector varies from case to case, but it can be severe when an attacker claims the bucket as soon as it is released, before anyone notices the change.

Organizations and developers who pin package versions or mirror them in an artifact repository are not protected and face an additional risk: the pinned package still downloads its binary from the original, now-hijacked bucket at install time.


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
