New Cross Account Attack Threat for Financial Institutions that use AWS

  • Or Azarzar, Co-Founder and CTO at Lightspin

  • 04.06.2021 09:45 am
  • #AWS #trading

Covid-19 led to a rapid and largely unplanned increase in homeworking and electronic trading, which resulted in a surge of cyberattacks on financial institutions. Almost all financial institutions have experienced a cyberattack in one form or another. In March of 2020, misconfigured AWS (Amazon Web Services) S3 buckets belonging to two financial organizations made headlines after highly sensitive financial and business documents were exposed.

This week, Lightspin revealed that 42% of the AWS S3 buckets they inspected were potentially misconfigured. It's an organization's responsibility to configure permissions effectively, but buckets are often misconfigured due to a lack of awareness of cloud security and policies and inadequate controls. The research team discovered buckets open to the public, even though they were believed to be 'safe', opening up an attack path.

An Amazon S3 bucket is a file hosting and data storage service that is popular among financial institutions and insurance companies. The service allows organizations to store and retrieve any file or dataset, at any time, from anywhere on the web. As organizations continue prioritizing rapid digital transformations, these types of services are gaining popularity. A total of 69% of financial companies say they use AWS for fraud detection and communications and to reduce tech infrastructure costs by 30% to 50%. AWS is especially useful for smaller banks and insurance companies to gain greater security and flexibility.

After inspecting 40,000 Amazon S3 buckets, Lightspin found that, on average, the "objects can be public" permission applies to 42% of an organization's objects on AWS overall. During the research, Lightspin discovered that it's possible for hackers using AWS CloudTrail and Config to write to buckets held by other accounts even if those buckets aren't public. This is because even private buckets can have policies that allow access from any AWS account. Cross-account attacks on AWS services are difficult to detect and thus can remain undetected for a long time.
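As an added example (not Lightspin's open-source scanner), the following Python checks a bucket policy for the pattern described above: Allow statements that let the CloudTrail or Config service principal write objects without an aws:SourceAccount or aws:SourceArn condition pinning the delivering account, which is the usual mitigation. The sample policies and the account id 111122223333 are constructed for illustration.

```python
# Added example: flag bucket-policy statements that let a log-delivery service
# principal write objects without restricting which account the delivery comes from.
DELIVERY_SERVICES = {"cloudtrail.amazonaws.com", "config.amazonaws.com"}
PIN_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # condition keys that pin the source

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _grants_put(actions):
    return any(a.lower() in ("s3:putobject", "s3:*", "*") for a in _as_list(actions))

def _pinned(condition):
    # True if any condition operator block constrains aws:SourceAccount or aws:SourceArn
    return any(k.lower() in PIN_KEYS for block in (condition or {}).values() for k in block)

def find_unpinned_delivery_statements(policy):
    """Return the Sids of Allow statements granting write to a delivery service without a source pin."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _grants_put(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if DELIVERY_SERVICES & {s.lower() for s in services} and not _pinned(stmt.get("Condition")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def _trail_policy(extra_condition):
    # Constructed sample: a typical CloudTrail delivery statement with an optional source pin.
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AWSCloudTrailWrite", "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", **extra_condition}},
    }]}

WEAK_POLICY = _trail_policy({})                                   # any account's trail may deliver here
HARDENED_POLICY = _trail_policy({"aws:SourceAccount": "111122223333"})  # only the owning account

if __name__ == "__main__":
    print("weak:", find_unpinned_delivery_statements(WEAK_POLICY))          # ['AWSCloudTrailWrite']
    print("hardened:", find_unpinned_delivery_statements(HARDENED_POLICY))  # []
```

In practice the policy dict comes from `get_bucket_policy` in boto3 (parse the `Policy` string with `json.loads`), run across every bucket in the account.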

This vulnerability is often hidden because AWS doesn't provide the ability to drill down from a bucket to see the status of all the objects it contains. In order to be sure that objects are "safe", it's necessary to go through each object's ACL (access-control list) to check if it is open to the public.

Lightspin has created an open-source scanner which will inspect buckets to see if they contain objects which can be open, thereby making them accessible to hackers to launch cyberattacks. To download the open-source scanner to see which objects are publicly accessible, click here. To read more about the vulnerability and the research findings, click here.

AWS continues to be a valuable service for financial institutions. However, with a rise in the volume and severity of cyberattacks, it's imperative that banks keep aware of the risks and take action to keep their S3 buckets secure.