Hacker Groups Exploit Misconfigured AWS S3 Buckets to Inject Malicious Code into Websites
In a stark reminder of ongoing cybersecurity threats, various hacking groups are increasingly exploiting misconfigured Amazon S3 storage buckets to infiltrate websites with malicious code. This tactic is primarily aimed at capturing sensitive information, particularly credit card details, and at facilitating malvertising campaigns.
Recent analysis by cybersecurity firm RiskIQ has shed light on this alarming trend. The firm reported identifying three compromised websites operated by Endeavor Business Media that are currently hosting JavaScript skimming code. This approach is characteristic of the Magecart group, which is known for targeting vulnerable online shopping cart systems to extract payment information in real time.
The affected sites, which include platforms dedicated to emergency services — specifically for firefighters, police officers, and security personnel — have yet to implement necessary patches, raising serious concerns among experts. Despite RiskIQ’s attempts to engage with Endeavor Business Media to rectify these issues, the company has not responded.
RiskIQ has initiated collaboration with the Swiss nonprofit cybersecurity organization Abuse.ch to sinkhole the malicious domains associated with these attacks. This proactive measure aims to mitigate the risks posed by these threats and disrupt the activities of the hackers involved.
Amazon S3, or Simple Storage Service, remains a critical infrastructure for scalable data storage and retrieval. However, buckets whose access settings are misconfigured represent a troubling weakness: an attacker who can write to a bucket that serves a site's scripts can alter what every visitor's browser loads. In formjacking attacks such as those deployed by Magecart, cybercriminals embed JavaScript into compromised sites, capturing customer payment details and transmitting them to remote servers controlled by the attackers.
The pattern observed by RiskIQ is not unprecedented. Last July, a similar Magecart campaign reportedly involved the exploitation of misconfigured S3 buckets to inject skimmers on approximately 17,000 domains. This highlights an ongoing trend that presents a persistent threat to online commerce and other sectors.
Further examination revealed additional malicious code linked to a longstanding malvertising effort dubbed “jqueryapi1oad.” First identified in July 2019, this code facilitates redirects to scam ads and exploits misconfigured S3 buckets, demonstrating the evolving tactics used by cybercriminals.
RiskIQ emphasizes a dire need for businesses to take proactive measures to safeguard their digital assets. Employing appropriate access permissions, utilizing Access Control Lists (ACLs), and establishing rigorous bucket policies can significantly fortify defenses against such threats.
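As an added illustration of the checks RiskIQ's advice implies (example code written for this article, not from RiskIQ or Amazon), the following offline review flags the two settings that turn a bucket into a write target: a bucket policy that grants write actions to every principal, and an ACL that gives the AllUsers or AuthenticatedUsers groups WRITE or FULL_CONTROL. The sample policies, bucket name and account id are constructed placeholders; the corrected policy keeps public read for site assets but limits writes to one account.

```python
# Added example (not from the article or RiskIQ): offline checks for the two S3
# misconfigurations the article names as the attack vector, a bucket policy or
# ACL that lets anyone write objects. Sample policies below are constructed.
import fnmatch

WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_is_public(principal):
    """'*' or {"AWS": "*"} means every AWS account plus anonymous users."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False

def public_write_statements(policy):
    """Return the Sids (or positions) of Allow statements granting write actions to everyone."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = _as_list(st.get("Action", []))
        # IAM action names are case-insensitive globs ("s3:*", "s3:Put*"); test each write action.
        if any(fnmatch.fnmatchcase(w.lower(), a.lower()) for a in actions for w in WRITE_ACTIONS):
            hits.append(st.get("Sid", f"Statement[{i}]"))
    return hits

def public_write_grants(acl):
    """Return ACL grantee URIs (AllUsers / AuthenticatedUsers) holding WRITE or FULL_CONTROL."""
    public = ("http://acs.amazonaws.com/groups/global/AllUsers",
              "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
    return [g["Grantee"]["URI"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in public
            and g.get("Permission") in ("WRITE", "FULL_CONTROL")]

# Constructed sample: a policy that lets anyone overwrite site assets (weak) ...
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenBucket", "Effect": "Allow", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-site-assets/*"}]}
# ... and the corrected form: public read only, writes limited to one account (placeholder id).
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-assets/*"},
    {"Sid": "OwnerWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-site-assets/*"}]}
```

Running `public_write_statements(WEAK_POLICY)` reports `OpenBucket`, while the corrected policy reports nothing; the same functions can be fed the output of `get-bucket-policy` and `get-bucket-acl` for a live review.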
The persistent risk posed by misconfigured S3 buckets underscores the importance of understanding and managing digital assets effectively. As these vulnerabilities create avenues for malicious actors to exploit, businesses must remain vigilant, ensuring that cybersecurity measures are not an afterthought but an integral component of their digital strategy.
In terms of the likely tactics employed in these attacks, they align with multiple categories from the MITRE ATT&CK framework. Techniques such as initial access via exploitation of misconfigurations, persistence through injected malicious scripts, and data theft underscore the sophisticated approach taken by the attackers.
As the digital landscape evolves, so too must the strategies businesses use to protect themselves from these multifaceted threats. It is clear that organizations must prioritize a comprehensive cybersecurity posture to safeguard against the rampant risks associated with vulnerabilities like those found in AWS S3 storage solutions.