Tuesday, November 12, 2024
Hackers Use New Exploit Technique to Hijack S3 Buckets

Threat actors can take over expired Amazon S3 buckets and use them to serve rogue binaries to users of a package without changing a single line of that package's code.

The malicious binaries steal user names, passwords, the local machine's environment variables, and the local hostname, then exfiltrate that data to the hijacked bucket.

The attack was first noticed on an npm package called bignum, which, until version 0.13.0, used the node-pre-gyp tool during installation to download pre-built binaries of its native addon from an Amazon S3 bucket.

According to reports shared by Checkmarx, attackers injected malicious binaries into the S3 bucket that served the binaries needed for the NPM package “bignum” without changing a single line of code.

“These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malware that exfiltrates data from the user’s computer”, according to a GitHub advisory posted on May 24, 2023.

What are “S3 Buckets”?

An S3 bucket is a storage container in Amazon Simple Storage Service (S3), offered by Amazon Web Services (AWS), used to store and retrieve large volumes of data over the internet.

It is a scalable, secure object storage service that can store any kind of digital content, including files, documents, photos, and videos.

S3 buckets are frequently used for various purposes, including hosting websites, data backup and archiving, content distribution, and application data storage since they can be accessed using specific URLs.

Taking Control of an Abandoned S3 Bucket

An unknown attacker noticed that a previously operational AWS bucket had abruptly been abandoned. Spotting an opening, the attacker registered the abandoned bucket name.

As a result, each time bignum was installed or reinstalled, users unknowingly downloaded the malicious binary the attacker had placed in the bucket.

Every AWS S3 bucket needs a globally unique name. Once a bucket is deleted, its name becomes available for anyone to register. If a package used that bucket as its download source, deleting the bucket does not change the package's pointer to it.

Because of this anomaly, the attacker could reroute the pointer to the hijacked bucket.

“If a package pointed to a bucket as its source, the pointer would continue to exist even after the bucket’s deletion,” researchers said. 

“This abnormality allowed the attacker to reroute the pointer toward the taken-over bucket.”

What the hijacked bucket is used for

Reverse engineering of the malware sample showed that it steals user credentials and environment information and uploads them to the same hijacked bucket.

According to Checkmarx, several programs were using abandoned S3 buckets, rendering them vulnerable to the inventive attack vector. The finding shows, if anything, that threat actors are continually looking for new methods to infect the software supply chain.

Cyber Security News learned that this new attack vector could have many consequences. If an attacker is able to act as soon as a bucket is abandoned, the threat it poses can be quite high.

Organizations and developers that rely on pinned versions or internal artifact repositories face a further risk, since those pinned builds will keep fetching from the original, now-hijacked bucket.
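A dependency audit for the dangling-pointer condition described above, as an added example that is not the article's or the bignum project's own code: it extracts the S3 bucket behind a node-pre-gyp `binary.host` URL and flags packages whose bucket no longer exists. The package name, bucket name and the `REGISTERED` stub are constructed so the check runs offline; `probe_bucket` is the live variant.

```python
"""Audit node-pre-gyp binary hosts for S3 buckets that no longer exist.
Added example; not code from the article or from the bignum project.
Bucket names and URLs below are constructed; bucket_exists is injected
so the audit runs offline."""
import json
import re
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

# Virtual-hosted (bucket.s3[.region].amazonaws.com) and path-style
# (s3[-region|.region].amazonaws.com/bucket/) S3 endpoints.
_VHOST = re.compile(r"^([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
_PATH = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

def s3_bucket_from_url(url):
    """Return the bucket name an S3 URL resolves to, or None if not S3."""
    u = urlparse(url)
    host = u.hostname or ""
    m = _VHOST.match(host)
    if m:
        return m.group(1)
    if _PATH.match(host):
        return u.path.lstrip("/").split("/", 1)[0] or None
    return None

def probe_bucket(bucket, timeout=5):
    """Live check: S3 answers 404 (NoSuchBucket) for an unregistered name
    and 403 for one that exists but is private. Not used by the offline demo."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=timeout)
        return True
    except HTTPError as e:
        return e.code != 404

def audit_package(package_json, bucket_exists):
    """Flag a package whose node-pre-gyp 'binary.host' points at an S3 bucket
    that is gone: the pointer survives, so the name could be re-registered."""
    pkg = json.loads(package_json)
    name = pkg.get("name")
    host = pkg.get("binary", {}).get("host")
    if not host:
        return {"name": name, "s3_bucket": None, "risk": "no-prebuilt-host"}
    bucket = s3_bucket_from_url(host)
    if bucket is None:
        return {"name": name, "s3_bucket": None, "risk": "non-s3-host"}
    risk = "ok" if bucket_exists(bucket) else "dangling-s3-bucket"
    return {"name": name, "s3_bucket": bucket, "risk": risk}

# Constructed package.json in node-pre-gyp's layout; the bucket name is made up.
SAMPLE_PKG = json.dumps({"name": "example-native-addon", "version": "0.12.0",
    "binary": {"module_name": "addon", "module_path": "./build",
               "host": "https://example-prebuilt-binaries.s3.amazonaws.com/",
               "remote_path": "./{name}/v{version}/"}})
REGISTERED = set()  # constructed stub for probe_bucket: the sample bucket is gone

if __name__ == "__main__":
    print(audit_package(SAMPLE_PKG, lambda b: b in REGISTERED))
```

Running it over every package.json under node_modules, with `probe_bucket` as the `bucket_exists` argument, lists the prebuilt-binary hosts in a dependency tree that are currently unregistered.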

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.