How Enterprises Remediate AWS S3 Buckets Exposed to GhostWriter

By on Dec 07, 2017

McAfee (formerly Skyhigh Networks) recently announced the discovery of a critical exposure, dubbed GhostWriter, whereby data owners misconfigure S3 buckets, allowing public write permissions. As soon as McAfee discovered GhostWriter, we teamed up with Amazon Web Services (AWS) to notify all customers impacted by GhostWriter exposure with detailed recommendations of how they could eliminate their risk.

Analysis of Customer Actions to Eliminate GhostWriter

McAfee analyzed a total of 67,000 third party S3 buckets accessed from within our customers’ networks and discovered that more than 10% (7,135) of these buckets were exposed to GhostWriter across more than 95% of our customers who were impacted. Upon notifying our customers, we identified that on average, 30 third party S3 buckets per tenant were modified to disallow world write permissions, thereby remediating the GhostWriter exposure.

Total number of third party S3 buckets modified each day over last seven days Figure: Total number of third party S3 buckets modified each day over last seven days

Ever since we announced the GhostWriter exposure, we have seen a steady decline in the number of buckets whose permissions have been modified to eliminate the world write access allowed either through bucket policies or through access control lists (ACLs). This is largely due to customers having remediated their most critical buckets as highest priority. The chart above shows the total number of buckets which were modified to eliminate the vulnerability over the last few days.

Definitive Guide to Securing Workloads on AWS EBOOK

Definitive Guide to Securing Workloads on AWS

Download to learn about AWS security challenges and best practices, and how CASBs can enforce your security and compliance requirements for AWS.

Download Now

We also see that impacted companies across major industry verticals were quick to spring to action in eliminating the GhostWriter exposure. The chart below shows a rough sampling of the industry verticals of top 10 customers based on most number of vulnerable buckets. The industry vertical distribution below is also indicative of modern mid-market and large enterprise customer’s increasing collaboration with third party vendors sub-contracted for a wide variety of business requirements. For e.g. McAfee identified a number of third party S3 buckets accessed from within a large U.S. based pharmaceutical company that were used to host job applicants’ personally identifiable information (PII).

Industry Verticals of companies with most no of GhostWriter eliminations

Why do Data Leaks from AWS S3 Continue to Happen?

Despite the fact that AWS S3 buckets are private by default, they have become synonymous with massive data leaks in the recent past as a result of some of the largest and high-profile organizations leaving them open for the world to read or write to them. This often happens as a result of changing the default permissions before starting to use these buckets. S3 buckets can be created either manually or programmatically and misconfigurations are either an oversight on the part of admins or the relevant scripts granting excessive permissions. Default permissions on S3 buckets, once changed for temporary use, never get audited, thus leaving the door open for bad actors to exfiltrate sensitive corporate data.

What compounds the problem when it comes to exposures like GhostWriter in cloud storage services is the lack of security controls enterprises have over the third-party owned vendor buckets. Employees from within the enterprise access these vulnerable S3 buckets, freely downloading and/or uploading information. This type of misconfiguration serves as an easy mechanism for bad actors to tamper S3 buckets with malicious content, thus exposing the corporate network to potential ransomware or other malware attacks.

In this way, an enterprise’s risk becomes a function of its vendor’s risk, underscored by the fact that most of the recent high-profile breaches such as Verizon were a result of misconfigurations of resources owned by the partner and not the enterprise. Since the data is owned by the enterprise, in the minds of end-users, the enterprise will be held accountable for any data exposure. Hence, it is very important to assess third party vendor security practices and understand their risk profile.

Number of exposed and non-exposed buckets each day over last seven daysFigure: Number of exposed and non-exposed buckets each day over last seven days

As shown above, despite the aggressive outreach by AWS and McAfee, as well as actions taken by customers to eliminate the GhostWriter exposure, the problem continues to persist. McAfee’s analysis shows a total of 2,396 third party S3 buckets accessed across all customers that are still vulnerable to GhostWriter.

Key Takeaways

While cloud storage services such as AWS S3 provide tremendous agility and cost-efficiency to enterprises, they also present serious security risks in cases of misconfigured settings. It is important for DevSecOps teams to utilize solutions that help monitor, protect, and remediate security risks in cloud infrastructure platforms like AWS.

McAfee is the only CASB who can provide visibility into third party risk through our Shadow IT capability, and identify S3 buckets exposed to GhostWriter. We also provide visibility into enterprise-owned S3 buckets that allow world read/write permissions, and monitor and audit the entire AWS infrastructure against checks recommended in CIS AWS Foundations Benchmark. Click here to learn more about how McAfee can help you assess third party vendor risk as well as perform a free security audit of your AWS infrastructure.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs