Validating Your Security Controls Against Threat Actors Using AWS S3 Buckets to Deliver Malicious Payloads

Threat actors are constantly developing new techniques to bypass security controls and deliver malicious payloads. Amazon Web Services (AWS), a leading provider of cloud services, has recognized this challenge and recently announced the general availability of Amazon GuardDuty Malware Protection for Amazon Simple Storage Service (Amazon S3). This new feature is designed to enhance the security of S3 buckets, a widely used storage service, by detecting and mitigating malware threats. 


Amazon GuardDuty Malware Protection for Amazon S3: What It Means

Amazon GuardDuty Malware Protection is a new capability within Amazon GuardDuty that automatically scans objects stored in S3 buckets for malware. It leverages machine learning, anomaly detection, and integrated threat intelligence to identify malicious files and alert administrators. This feature aims to provide an additional layer of security, helping organizations detect and respond to threats before they can cause significant damage. 


How Attackers Use S3 Buckets to Deliver Malware

S3 buckets are often targeted by threat actors due to their widespread use and potential for misconfiguration. Attackers exploit these vulnerabilities in several ways: 

  1. Malware hosting: Attackers can upload malicious files to their own S3 buckets and share links to these files. Unsuspecting users who download the files from what appears to be a trusted AWS domain can inadvertently execute malware.
  2. Exploiting public buckets: Misconfigured S3 buckets set to public access can be exploited by attackers to upload malicious payloads. These public buckets are then used to distribute malware to a wide audience.
  3. Direct attacks on S3 buckets: In some instances, attackers gain unauthorized access to a victim’s S3 bucket and upload malware directly. This can occur through compromised credentials, exploiting application vulnerabilities or social engineering tactics. 


Real-world examples of recent attacks on S3 buckets: 

  1. Tesla’s Cryptojacking incident (2018): In one notable case, attackers exploited a Kubernetes console that was not password protected to gain access to Tesla’s AWS environment. They found an S3 bucket with sensitive information, which they used to deploy a cryptocurrency mining script.
  2. Capital One data breach (2019): A former AWS employee exploited a misconfigured web application firewall to access Capital One’s AWS environment, including S3 buckets, which contained sensitive customer data. This breach exposed the need for better security configurations and monitoring.
  3. Matanbuchus malware (2021): This malware used AWS S3 buckets to host payloads. The attackers uploaded the malicious files to S3 and then distributed links to these files through phishing emails. When recipients clicked the links, they unknowingly downloaded and executed the malware. 


3 Best Practices to Validating Security Measures Against AWS S3 with Cymulate 

To ensure your security controls are effective against such threats, it is crucial to validate them regularly. Cymulate, a Breach and Attack Simulation (BAS) platform, offers several ways to test and enhance your defenses against malware in S3 buckets: 

  1. Upload known malicious malware sample to your S3: By simulating the upload of malware to your S3 buckets, you can assess whether your security controls, including Amazon GuardDuty Malware Protection, can detect and delete the malicious files. This helps in understanding the effectiveness of your current security posture and identifying areas for improvement.

  2. Download malware from S3 buckets: Many organizations allow S3 downloads widely, posing a significant challenge. Using Cymulate, you can simulate the download of malicious files from trusted S3 sources to see if your firewall or web gateway can prevent the download. This test is critical, as it mimics real-world scenarios where employees might download files from S3, assuming they are safe.

  3. Validate detection of privileged activities: It is essential to detect unauthorized access and configuration changes in your S3 buckets. Cymulate can simulate privileged activities such as unauthenticated exposure of a bucket to assess if your security controls can detect and alert on these critical changes. This validation helps ensure that any unauthorized configuration changes are promptly identified and mitigated. By leveraging Cymulate’s comprehensive testing capabilities, you can proactively identify vulnerabilities in your security controls and take corrective actions to strengthen your defenses against malware threats. 


Key Takeaways

The introduction of Amazon GuardDuty Malware Protection for Amazon S3 is a significant step forward in securing cloud storage services. However, to stay ahead of sophisticated attackers, continuous validation of your cloud security controls is essential.  

Using tools like Cymulate, organizations can simulate real-world attacks, test their defenses, and ensure they are well-prepared to counteract any threats targeting their S3 buckets. Stay vigilant, stay secure.