When did you last check your AWS S3 security? Here's four scary words: 17k Magecart infections
Card-slurping malware hits thousands upon thousands of unprotected cloud storage silos
If you're in charge of your organization's Amazon Web Services S3 buckets, here's some fresh motivation to check your security settings: the notorious payment-card-stealing Magecart malware is romping through unprotected storage silos.
Infosec detectives at San Francisco-based RiskIQ reported this week that as many as 17,000 websites have been seeded with the software nasty, after the storage buckets hosting the sites were accidentally left open with public write access enabled.
These misconfigurations were exploited by miscreants to sneak the crimeware into webpages, where it would siphon off people's bank card details as they typed them into payment pages and pass the details back to its masterminds.
According to RiskIQ, since April the Magecart operators have been using Shodan or a similar scanning tool to automatically hunt for open S3 buckets on the public internet that would allow anyone to view and edit files.
Obviously, this technique is not very precise, and the success rate is low, but since the process can be automated, the costs of mass attacks are also low.
"Although the attackers have had lots of success spreading their skimmer code to thousands of websites, they sacrificed targeting in favor of reach," RiskIQ's Klijnsma noted.
"The actors used this technique to cast as wide a net as possible, but many of the compromised scripts do not load on payment pages."
With so many vulnerable S3 buckets to be had, however, the scattershot approach allows the criminals to get Magecart onto thousands of sites far faster than by probing individual sites.
Fortunately, the problem is easy to solve, provided admins have a full picture and access to all of their firm's S3 buckets. Buckets that contain private information should have public access disabled, and those that do need to be accessible to the open internet should have write permissions strictly limited.
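As an added example (my own code, not RiskIQ's or anything from the report), here is a small Python check over a bucket policy and ACL that flags the public-write grants described above. The policy, the ACL grants, the bucket name and the owner ID are constructed samples, and the list of write actions treated as dangerous is my own choice.

```python
import fnmatch
import json
# Constructed sample bucket policy with the article's misconfiguration: the second statement grants PutObject to anyone.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-site-bucket/*"}
  ]
}""")
# Constructed ACL grants, in the shape GetBucketAcl returns: the AllUsers group has WRITE.
OPEN_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# Actions that let a caller change site content or loosen the bucket's permissions further.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy")

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_is_public(p):
    # Both "*" and {"AWS": "*"} mean anyone, including anonymous callers.
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def public_write_findings(policy, acl_grants):
    """Return findings for policy statements or ACL grants that let anyone write."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # Action may be a wildcard such as "s3:*" or "s3:Put*"; match case-insensitively.
            if any(fnmatch.fnmatch(a.lower(), pattern.lower()) for a in WRITE_ACTIONS):
                note = " (conditional, review)" if stmt.get("Condition") else ""
                findings.append(f"statement {stmt.get('Sid', '?')} allows {pattern} to everyone{note}")
                break
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL")):
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings
```

Feed it the output of `get-bucket-policy` and `get-bucket-acl` for each bucket; a read-only public statement produces no finding, while any public write grant does. Statements with a Condition block are flagged for manual review rather than judged automatically.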
Those who fear their sites may be infected are advised (after doing a thorough investigation and reporting to authorities) to clean out and refill their S3 silos from known clean backups.
"We suggest cleaning out the bucket and performing a new deployment of resources or simply setting up a new bucket," said Klijnsma.
"Customers can also enable versioning on their buckets to roll back objects to a known good version." ®