Finds that the majority of AWS accounts surveyed are vulnerable to ransomware
Combination of high-risk identities and configuration errors exposes 90% or more of Amazon S3 buckets to compromise
Ermetic, the cloud infrastructure security company, today announced the study results conducted by its research organization on the security posture of AWS environments and their vulnerability to ransomware attacks. In virtually all of the participating organizations, Ermetic found identities that, if compromised, would put at least 90% of the S3 buckets of an AWS account at risk.
As more data moves to the cloud, platforms like AWS are becoming an attractive target for ransomware operators. While Amazon S3 is considered extremely reliable, a compromised identity with the right combination of rights can expose data objects to ransomware. Ermetic researchers have found that such ransomware-vulnerable combinations are extremely common. In fact, over 70% of the environments in the study had machines that were publicly exposed to the internet and were linked to identities whose permissions could be exploited to allow the machines to execute ransomware.
A full copy of the report is available here.
To help organizations identify and mitigate their exposure to ransomware attacks, Ermetic offers a free ransomware risk assessment service for AWS environments. More information is available here.
“Very few companies are aware that data stored in cloud infrastructures like AWS is threatened by ransomware attacks, so we conducted this research to determine how often the right conditions exist for Amazon S3 buckets to be compromised.” said Shai Morag, CEO of Ermetic. . “We found that in every account we tested, almost every S3 bucket in an organization was vulnerable to ransomware. Therefore, we can conclude that it is not a question of if, but when, a major ransomware attack on AWS will occur.
Ermetic researchers identified the following results in the organizations they evaluated, which would allow ransomware to reach and run on Amazon S3 buckets:
Overall, each enterprise environment studied had identities that could be compromised and could run ransomware on at least 90% of the compartments of an AWS account.
Over 70% of environments had machines that were publicly exposed to the internet and identities whose permissions allowed exposed machines to run ransomware
Over 45% of environments had third-party identities with the ability to run ransomware by elevating their privileges to administrator level (a startling finding with far-reaching implications beyond the ransomware focus of this research)
Almost 80% of environments contained IAM users with enabled access keys that had not been used for 180 days or more, and had the ability to run ransomware
It is important to note that these results focus on unique and compromised identities. In many ransomware campaigns, bad actors often move sideways to compromise multiple identities and use their combined permissions, dramatically increasing their ability to access resources.
For this study, we defined scenarios where the right mix of permissions would allow an identity to perform a ransomware attack on a bucket. We then analyzed various S3 mitigation features and identified cases where they would (or would not) be effective. Next, we determined the most common risk factors that make identities vulnerable to compromise. Finally, we performed an environmental scan to identify how often the following three conditions were present:
An identity has access to a combination of permissions that would allow ransomware to run
Standard AWS mitigation features were not enabled on accessible buckets
Identity has been exposed to one or more additional risk factors that could lead to compromise, such as public exposure to the internet
Here are several methods that organizations can use to reduce the exposure of their AWS S3 buckets to ransomware:
- Implement any privilege – apply an authorization strategy that authorizes only the strict minimum of rights necessary for identities to perform their commercial function, which will considerably reduce the exposure of compartments to ransomware
- Eliminate risk factors – apply best practices to avoid / remove common configuration errors that can be exploited by ransomware to compromise identities and use their rights to run malware
- Use logging and monitoring – use tools such as CloudTrail and CloudWatch to identify sensitive actions that can provide early detection and response if a ransomware attack is in progress
- Remove prevention – use existing out-of-the-box features and configurations available for S3 buckets such as MFA-Delete or Object Locks to prevent malicious deletions
- Bucket replication – configure sensitive compartments to automatically save their contents in a separate, secure and dedicated compartment for catering
Ermetic helps prevent breaches by reducing the attack surface of cloud infrastructure and enforcing least privilege at scale in the most complex environments. The Ermetic SaaS platform is an identity-driven security solution that provides holistic, multi-cloud protection using advanced analytics to continuously analyze and remediate risks associated with permissions, configurations and behavior across the entire cloud infrastructure stack. The company is led by proven technology entrepreneurs whose previous companies were acquired by Microsoft, Palo Alto Networks and others. Ermetic has received funding from Accel, Glilot Capital Partners, Norwest Venture Partners and Target Global. Visit us at https://ermetic.com/ and follow us on LinkedIn, Twitter and Facebook.