Thursday, 15 June 2023 11:38

Hygiene Matters as Abandoned S3 Buckets Used in New Supply Chain Attack

Written by

Reading time is around minutes.

If there is one thing you can say about modern threat groups, it is that they are clever. The new tactics and techniques they identify, and implement are impressive. A recent technique identified is the use of abandoned S3 buckets. The attackers search for and locate S3 buckets that are no longer in use and claim them as their own. If the bucket happens to be part of an existing or previous deployment workflow, so much the better. Checkmarx recently identified a supply chain attack that involved this type of scenario. The attackers took claimed an abandoned S3 bucket for an NPM package called bignum.

According to researchers from Checkmarx, older versions of bignum used to grab components from sn S3 bucket during installation/deployment. Versions v0.12.2 to v0.13.0 use node-pre-gyp to download optional components from an S3 bucket. However, the developers of bignum no longer use this function. What they did not do was clean up the S3 bucket. This has allowed attackers to claim it as their own and inject malware into the legitimate installation process by leveraging the node-pre-gyp function. Bignum v0.13.1 no longer uses node-pre-gyp and does not support downloading any additional pre-built binaries.

Once the attackers had control over the S3 bucket they uploaded their own binary that mimicked the functions of the original, but with a malicious component. The attacker component was able to gather usernames and passwords which were sent back to the abandoned S3 bucket using the user-agent GET request.

Abandoned S3 buckets are nothing new, nor are supply chain attacks. The combination of the two is something new, but to be entirely honest, the combination of the two is not surprising once you think about it. After all, we have seen shovelware installer repos compromised to inject malware during the installation of freeware, why not find a way to inject malware into an existing package. Supply chain attacks on commonly used open-source packages is something that we expect to become more and more sophisticated. Attackers know too well how much these items are used in the development of software (even enterprise software). This is such a lucrative target in its current form that attack groups are unlikely to stop targeting it.

This means that developers of open-source packages need to step up their game when it comes to security. I know that is not what developers think about when building these packages, but there does need to be a focus on it with clean up of unused functions etc. happening to prevent abuse of these by attackers.

Likely there are other packaged out there which use similar functions meaning there is a potential for injection of malicious code into them as well. Software developers that leverage the use of these open-source packages really need to be aware of this potential and check to see what might be happening in the background. Purchasers of closed source software should know what open source packages are used in the build of a particular application (SBOM) so they can also assess the risks of installation and either pass on the software, or put proper mitigating controls in place to minimize the risks of use.
Stay safe out there

Read 786 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.