"AWS Ransomware Attacks: Not A Question Of If, But When"

Researchers at Ermetic announced the results of a study of the security posture of AWS environments and their vulnerability to ransomware attacks. For the study, the researchers mapped out scenarios in which the right combination of permissions would allow an identity to carry out a ransomware attack on a bucket. In virtually all of the participating organizations, identities were found that, if compromised, would place at least 90% of the S3 buckets in an AWS account at risk. Over 70% of the environments studied had machines that were publicly exposed to the internet and identities whose permissions allowed those exposed machines to carry out a ransomware attack. The researchers also found that over 45% of the environments had third-party identities able to carry out a ransomware attack by elevating their privileges to admin level (an astounding finding with far-reaching implications beyond the ransomware focus of this research). Almost 80% of the environments contained IAM Users with enabled access keys that had not been used for 180 days or more and that had the ability to carry out a ransomware attack.

The researchers stated that it is important to monitor three things in the cloud. First, organizations should monitor the runtime activity of identities: what they are doing and from where. Second, organizations should monitor cloud storage (S3), looking not just at permissions and configurations but also at the read/write patterns and at what is actually being stored there. Lastly, organizations should monitor network activity.

Help Net Security reports: "AWS Ransomware Attacks: Not A Question Of If, But When"

Submitted by Anonymous on