Blog

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

Amazon S3 buckets are public cloud storage resources available in AWS Simple Storage Service (S3), an object storage offering similar to folders that consist of data and its descriptive metadata. These useful resources are ubiquitous in the developer world, but all too often misconfigured when deployed. Attackers, who can gain code-level access to a website by hacking these vulnerable web assets, have begun mass scanning for misconfigured buckets and ramping up attacks. 

Last year, RiskIQ identified a Magecart campaign leveraging misconfigured S3 buckets to insert JavaScript credit card skimmers on hundreds of websites. Around the same time, our researchers identified another strain of malicious code using the same S3 bucket attack vector, often appearing alongside the Magecart skimming code. After analysis, we discovered that this other malicious code, a redirector we refer to as ‘jqueryapi1oad,’ is related to a long-running malvertising campaign. 

In this research, we dissect the code and tactics used in these attacks, and, with RiskIQ’s unique data sets, determine the threat campaign’s scope. 

Misconfigured Amazon S3 Buckets: A launchpad for malicious code

On May 12th, RiskIQ observed more Magecart skimming code on three websites*, each related to one another and hosting content and chat forums catering to firefighters, police officers, and security professionals. 

Here, we see skimming code injected into img.firehouse[.]com/forums/fhc-ad-forums.js

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

And, here, we see it injected into img.securityinfowatch[.]com/forums/fhc-ad-forums.js:

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

We also observed a skimmer on img.officer[.]com/forums/ofcr-ad-forums.js. However, another strain of malicious code appears alongside the skimmer in this JavaScript—none other than jqueryapi1oad. This script loads content from gold.platinumus[.]top/track/awswrite. We’ll discuss this further later in this report.

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

*The sites identified above belong to Endeavor Business Media. Update: Endeavor Business Media has informed us it has remediated the misconfiguration and removed the skimmers and jquerapi1oad redirector from their websites. We have confirmed that the sites are now clean.

jqueryapi1oad is on 362 unique domains

We first identified the jqueryapi1oad malicious redirector—so named after the cookie we connected with it—in July of 2019. Our research team determined that the actors behind this malicious code were also exploiting misconfigured S3 buckets. Looking at RiskIQ data for the jqueryapi1oad cookie, we see that it first appeared on 2019-04-26 and is still in use, connected with 362 unique domains to date, including officer[.]com. 

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

The gold.platinumus[.]top hostname has resided on 185.180.196[.]4 since it was first registered.

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

The IP belongs to the well-known bulletproof hosting company King Servers. Fourteen other hosts also appear on this IP address.

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites.

A series of other cookies that follow a uniform naming format are associated with these hosts. Several other cookies as well. Here are three examples below:

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

https://community.riskiq.com/search/gold.platinumus.top/cookies 

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

https://community.riskiq.com/search/b.5bnewbtrack.info/cookies 

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

https://community.riskiq.com/search/d.jtrackd.icu/cookies 

With the capability to perform a trailing wildcard search of cookie names in the RiskIQ platform, we can quickly identify 176 other hosts associated with these cookies. 

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

The code itself performs a bot check and sets the jqueryapi1oad cookie along with an expiration period based on the outcome of the check. It then creates a new element in the DOM of the page into which it’s injected and pulls the new content from the gold.platinumus[.]top/track/awswrite URL.

Connections to Hookads and TSS

On May 16th, 2019, a few weeks after gold.platinumus.top was registered, RiskIQ observed an instance of jqueryapi1oad loaded from app-google-analytics.s3-sa-east-1.misconfiguredaws[.]com. 

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

The malicious JavaScript creates a PHP file named ‘this.php’ (note ‘this.responseText’ in the code sample above). The PHP file contains another URL, eimage[.]tk/index/?4021528806835, which was loaded by the compromised page.

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

The eimage[.]tk URL loads a cookie associated with the Keitaro traffic distribution system (TDS). 

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

RiskIQ tracking of Keitaro associates 47,077 unique domains with this TDS:

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

The eimage[.]tk page also loads a second redirection script, which we associate with the Hookads malvertising campaign. This campaign has historically been connected to exploit kits and other malicious behavior.

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites.  

Within the redirection code is the URL take-prize-here2[.]life, yet another redirector ultimately landing on a scam page at best6650.ttxsrl38[.]agency.

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

Here’s what the page looks like:

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

RiskIQ also captured instances of jqueryapi1oad on popular websites. The domain futbolred[.]com is a Colombian soccer news site that’s in the top 30,000 of global Alexa rankings. It also misconfigured an S3 bucket, leaving it open to jqueryapi1oad.

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

Here we see the sequences where the S3 bucket loaded content from gold.platinum[.]us, creating the redirection through cermageratin[.]tk to wosemdesyane[.]site.

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

The wosemdesyane.site URL then redirects to a fake flash download page.

RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. 

RiskIQ has so far identified 277 unique hosts directly affected by jqueryapi1oad. 

Conclusion

Misconfigured Amazon S3 buckets that allow malicious actors to insert their code into numerous websites is an ongoing issue. Here, we have identified three sites belonging to the same company that currently host instances of Magecart. One of these is also hosting jqueryapi1oad, a malicious redirector we connect to the Hookads campaign, which has been historically associated with exploit kits and other malicious behavior.

As attacks involving misconfigured S3 buckets continue, knowing where your organization is using them across its digital attack surface is imperative. In today’s threat environment, businesses cannot move forward safely without having a digital footprint, an inventory of all digital assets, to ensure they are under the management of your security team and properly configured. 

Amazon S3 Bucket Mitigation: Logs, Review & Investigation

A compromised S3 bucket is a painful moment for an organization, but it’s also a pivotal one. Once the compromise comes to light, it is essential to assess the full scope of the incident. While the exact list of questions may differ depending on the type of organization, we recommend first answering these basic questions when performing your investigation:

Some compromises might only result in external damage such as to the brand, or no damage at all, but it’s still essential for the security team to get answers. Groups like Magecart and those behind are always on the prowl and will be back to compromise you again if you don’t fix your exposures. Next time, the damage could be catastrophic. 

Once these questions are answered, the next step is mitigation. The basics of most, if not all, S3 bucket compromises we observe come down to improper access control. We suggest cleaning out the bucket and performing a new deployment of resources or simply setting up a new bucket. Customers can also enable versioning on their buckets to “rollback” objects to a known good version. As for the policies to secure your bucket, we recommend the following approach:

IOCs:

For the IOCs used in this attack, check out the RiskIQ PassiveTotal Public Project here: https://community.riskiq.com/projects/df970082-5cd5-49ab-b595-ef3fa79d8bce 

Share:

Connect with us
Featured Post

Full(z) House: A Digital Crime Group Using a Full Deck to Maximize Profits