As the cloud increasingly becomes the de-facto source of computing and storage resources for websites and applications, we are seeing new types of exposures and attack vectors we would not have imagined before. In recent months we have heard of a number of stories of data breach from cloud services due to misconfigurations that allowed public read of data.
And now we see a related issue, dubbed ‘GhostWriter’, whereby data owners misconfigure S3 Buckets allowing public writes. In such cases a 3rd party, unbeknownst to either the data owner or the data consumer, can launch a surreptitious man-in-the-middle (MITM) attack. GhostWriter underscores the fact that security is just not the responsibility of the cloud service providers, but also the customer, and often it is a customer misconfiguration that exposes their data to threat.
McAfee MVISION Cloud has identified that, on average, more than 1,600 S3 Buckets (many referenced from web sites that leverage S3 for delivering content) are accessed from within enterprise networks, of which about 4% are exposed to GhostWriter due to mis-configuration by Bucket owners rather than due to any exposure in the storage service provider. McAfee MVISION Cloud has identified thousands of such Buckets being accessed from enterprise networks and has shared these affected Buckets with AWS for remediation.
These exposed 3rd party Buckets are wide ranging and have a long tail distribution that includes Buckets owned by leading national news/media sites, large retail stores, popular cloud services, and leading advertisement networks. The breadth of this exposure necessitates both enterprises accessing this content from their networks and owners of this data resident in S3 to take actions to protect themselves from malicious actors.
What Can Bucket Owners Do About GhostWriter?
With the shared security responsibility model associated with using AWS, comes the critical need for customers to understand and own the ramifications of their configuration choices. In the context of GhostWriter, we have noticed that Bucket owners have either carelessly allowed public writes or have not fully understood the ramifications of read and write ACL controls, or the semantics of AWS “Authenticated Users” – all of which contribute towards a wide open environment for 3rd parties to exploit the trusted interactions.
Enterprises leveraging S3 to store their own data (for internal or external consumption) own the responsibility to set and monitor ACLs and permissions, and to validate that all use is compliant with the enterprise’s S3 access policies on a continuous basis.
Skyhigh for AWS specifically features a comprehensive set of policy checks for GhostWriter that will immediately call out issues related to this major security misconfigurations. In addition, Skyhigh for AWS integrates via S3’s rich API set to perform scans of S3 buckets for malware or DLP violations on a continuous basis – both of which can help catch unexpected file changes in the S3 Bucket.
What Can Enterprises Do About GhostWriter?
Unlike publicly readable Buckets that may harm only the Bucket and data owner, publicly writable Buckets can be conduits of malware or other malicious data/code due to a potential MITM attack. Hence GhostWriter becomes an issue that has ramifications on the security posture of the consumer of the data as well. This issue needs to be addressed in a manner similar to how enterprises control web traffic – leverage knowledge of each S3 Bucket’s security posture that could impact the enterprise and only allow access to S3 Buckets that are not exposed to GhostWriter.
Skyhigh for Shadow IT, which monitors and controls enterprise cloud usage, has been extended to be GhostWriter aware – so Skyhigh now enables enterprises to enforce policy-based controls at an individual Bucket basis based on whether or not it is susceptible to GhostWriter.
What Is Next?
There are two aspects to protecting an enterprise from GhostWriter for S3:
1) Trust but Verify: Ensure that data is only downloaded into an enterprise network from 3rd party Buckets that are not susceptible to GhostWriter. Skyhigh helps customers achieve this by:
- Identifying all 3rd party Buckets accessed from an enterprise network
- Rating each 3rd party Bucket based on its exposure to GhostWriter
- Taking policy-based action to block access to higher risk Buckets in the enterprise perimeter
2) Trust but Audit: Ensure that an enterprise’s own business use of AWS S3 is not susceptible to GhostWriter. AWS provides many native best-practices and tools to manage and validate policies for configuring S3. On top of it, Skyhigh provides an ability to perform a deeper and periodic audit of S3 configurations (as well as a broader AWS audit) to ensure that these Buckets are not susceptible to GhostWriter. In addition, Skyhigh enables customers to perform DLP and malware scans on data stored in their S3 Buckets to detect and remediate misuse.
Skyhigh has reached out to all its customers to help identify GhostWriter-affected Buckets accessed from the enterprise network, with an ability to block those at the enterprise perimeter via closed-loop-remediation with existing egress devices. Skyhigh continues to monitor Buckets in use for this exposure and continues to share this information with both its customers and AWS.
Skyhigh believes that it is our responsibility to help the cybersecurity community eliminate the GhostWriter exposure. If you would like Skyhigh to perform a free GhostWriter exposure assessment for your organization, please register here.