Skip to main content

Misconfigured Amazon S3 buckets act as launchpad for malicious code

(Image credit: Shutterstock)

Hackers are using misconfigured Amazon S3 buckets as launch pads for the distribution of various malware. This is according to a new report from RiskIQ, which digs into how the practice works and what businesses can do to protect themselves.

Amazon S3 buckets are public cloud storage resources used by developers across the world but which, according to RiskIQ, are all too often misconfigured.

RiskIQ researcher Jordan Herman said the team identified Magecart instances skimming code on three separate sites owned by the same operator.

It also found malicious redirector jqueryapi1oad, linked historically with Hookads malvertising campaigns, on 277 unique domains as a result of misconfigured S3 buckets - including a popular Columbian football news site.

For businesses, Herman suggests, it is vital to understand where S3 buckets are in use, because it allows them to better track their digital attack surface.

“In today’s threat environment, businesses cannot move forward safely without having a digital footprint, an inventory of all digital assets, to ensure they are under the management of your security team and properly configured,” Herman said.

This is not the first time RiskIQ warned webmasters about the dangers of misconfigured S3 buckets. A year ago, the firm issued a warning that criminals were actively searching for such instances in order to distribute skimmers and other malicious code.

"[Attackers] are always on the prowl. Next time, the damage could be catastrophic," the report concludes.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.