A recent discovery has revealed that threat actors are taking advantage of expired Amazon S3 buckets to distribute rogue binaries while leaving the original package code intact. These malicious binaries exfiltrate user credentials, local machine environment variables, passwords, and local hostnames from the victim's machine.
The attack came to light through the npm package bignum, which, prior to version 0.13.0, relied on an Amazon S3 bucket to download pre-built binary editions of its native addon through node-pre-gyp during installation. It was during this installation step that the attack occurred. Checkmarx, a cybersecurity company, reported that attackers injected malicious binaries into the S3 bucket that served the binaries needed for the npm package “bignum” without making any changes to the package's code.
According to a GitHub advisory posted on May 24, 2023, these malicious binaries were published on a now-expired S3 bucket that has since been claimed by a malicious third party. This party is now serving binaries containing malware that exfiltrates data from users’ computers.
What exactly are S3 buckets? They are a storage capability offered by Amazon Web Services (AWS) that allows for the storage and retrieval of large volumes of data online. S3 buckets provide a scalable and secure object storage service that can store various types of digital content, including files, documents, photos, and videos. These buckets are commonly used for purposes such as hosting websites, data backup and archiving, content distribution, and application data storage. They can be accessed through specific URLs.
The hijacking of an abandoned S3 bucket occurs when an attacker notices that a previously operational AWS bucket has been abandoned, seizes the opportunity, and registers the bucket name for themselves. In this case, every time the bignum package is downloaded or reinstalled, users unknowingly download the malicious binary file placed in the bucket by the attacker.
When an AWS S3 bucket is deleted, its name is released and can be registered again by anyone. If a package used the bucket as its binary source, deleting the bucket does not update that reference: as the researchers put it, “if a package pointed to a bucket as its source, the pointer would continue to exist even after the bucket’s deletion.” The stale pointer therefore resolves to whoever has since claimed the bucket name, which lets the attacker serve their own files from the taken-over bucket.
Through reverse engineering, researchers discovered that the malware sample associated with the hijacked bucket has the ability to steal user credentials and environment information, which is then transferred to the same hijacked bucket.
Checkmarx reports that several programs were utilizing abandoned S3 buckets, making them vulnerable to this innovative attack vector. This finding highlights the fact that threat actors are constantly seeking new ways to infect the software supply chain.
The implications of this new attack vector can be significant. Organizations or developers using frozen versions or repositories are at higher risk since they may continue to access the original, now-hijacked bucket.
As the cybersecurity landscape continues to evolve, it is crucial for organizations and developers to stay vigilant and implement robust security measures to protect their systems and data from such attacks. Regular monitoring of unused or abandoned resources, such as S3 buckets, can help prevent their exploitation by malicious actors.
