Ermetic Finds Majority of AWS Accounts Surveyed are Vulnerable to Ransomware Due to Misconfigurations
High Risk Identities and Configuration Errors Expose At Least 90% of Amazon S3 Buckets to Compromise
PALO ALTO and TEL AVIV, Oct. 7, 2021 -- Ermetic, the cloud infrastructure security company, today announced the results of a study conducted by its research organization into the security posture of AWS environments and their exposure to ransomware attacks due to misconfigurations. In every organization studied, Ermetic found misconfigured identities that, if compromised, would place at least 90% of the S3 buckets in an AWS account at risk.
As more and more data moves to the cloud, platforms like AWS are becoming an attractive target for ransomware operators. While Amazon S3 is designed for high durability, misconfigured buckets accessed by a compromised identity with the right combination of entitlements can be exposed to ransomware. Ermetic researchers found that such combinations are extremely common due to misconfigurations. In fact, over 70% of the environments in the study had machines that were publicly exposed to the internet and were linked to identities whose permissions could be exploited to allow the machines to perform ransomware.
A full copy of the report is available here.
To help organizations identify and mitigate their exposure to ransomware attacks, Ermetic is offering a free ransomware risk assessment service for AWS environments. More information is available here.
“Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” said Shai Morag, CEO of Ermetic. “We found that in every single account we tested, nearly all of an organization’s S3 buckets were exposed to ransomware due to misconfigurations. Therefore, we can conclude that it's not a matter of if, but when, a major ransomware attack on AWS will occur.”
Ermetic researchers identified the following findings in the organizations they evaluated which would allow ransomware to reach and execute on Amazon S3 buckets:
- Overall, every enterprise environment studied had identities with misconfigurations causing them to be at risk of being compromised and with sufficient permissions to be able to perform ransomware on at least 90% of the buckets in an AWS account. Even though the buckets themselves are not vulnerable by design; the potential attack is done through a compromised identity accessing a misconfigured bucket.
- Over 70% of the environments had machines that were publicly exposed to the internet and identities whose permissions allowed the exposed machines to perform ransomware
- Over 45% of the environments had third party identities with the ability to perform ransomware by elevating their privileges to admin level
- Almost 80% of the environments contained IAM Users with enabled access keys that had not been used for 180 days or more, and had the ability to perform ransomware
It’s important to note that these findings focus on single, compromised identities. In many ransomware campaigns, bad actors often move laterally to compromise multiple identities and use their combined permissions, greatly increasing their ability to access resources.
For this study we mapped out scenarios in which the right combination of permissions would allow an identity, if compromised, to perform a ransomware attack on a bucket. We then analyzed various S3 mitigation features and identified the instances in which they would (or would not) be effective. Next, we determined the most common risk factors due to configurations that make identities vulnerable to compromise. Finally, we performed an analysis of the environments to identify how frequently the following three conditions were present:
- An identity has access to a combination of permissions that would allow ransomware to execute
- Standard AWS mitigation features were not enabled on accessible buckets
- The misconfigured identity was exposed to one or more additional risk factors that could lead to compromise, such as public exposure to the internet
Here are several methods organizations can use to reduce the exposure of their AWS S3 buckets to ransomware:
- Implement Least Privilege - enforce a permission strategy that only allows the bare minimum of entitlements necessary for identities to perform their business function, which will dramatically reduce the exposure of buckets to ransomware
- Eliminate Risk Factors - apply best practices to avoid/remove common misconfigurations that can be exploited by ransomware to compromise identities and use their entitlements to execute malware
- Use Logging and Monitoring - use tools such as CloudTrail and CloudWatch to identify sensitive actions which can provide early detection and response if a ransomware attack is in progress
- Delete Prevention - use existing out-of-the-box features and configurations available for S3 buckets such as MFA-Delete or Object Locks to prevent malicious deletions
- Bucket Replication - configure sensitive buckets to automatically back up their contents to a separate, secure and dedicated bucket for restore