# Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code **riskiq.com/blog/labs/misconfigured-s3-buckets/** June 12, 2020 Labs Analyst June 12, 2020 By Jordan Herman RiskIQ continues to surface threat campaigns leveraging misconfigured Amazon S3 Buckets to insert malicious code into websites. Amazon S3 buckets are public cloud storage resources available in AWS Simple Storage Service (S3), an object storage offering similar to folders that consist of data and its descriptive metadata. These useful resources are ubiquitous in the developer world, but all too often misconfigured when deployed. Attackers, who can gain code-level access to a website by hacking these vulnerable web assets, have begun mass scanning for misconfigured buckets and ramping up attacks. Last year, RiskIQ identified a [Magecart campaign leveraging misconfigured S3 buckets to](https://riskiqold.wpengine.com/blog/labs/magecart-amazon-s3-buckets/) insert JavaScript credit card skimmers on hundreds of websites. Around the same time, our researchers identified another strain of malicious code using the same S3 bucket attack ----- vector, often appearing alongside the Magecart skimming code. After analysis, we discovered that this other malicious code, a redirector we refer to as 'jqueryapi1oad,' is related to a long-running malvertising campaign. In this research, we dissect the code and tactics used in these attacks, and, with RiskIQ's unique data sets, determine the threat campaign's scope. ## Misconfigured Amazon S3 Buckets: A launchpad for malicious code On May 12th, RiskIQ observed more Magecart skimming code on three websites*, each related to one another and hosting content and chat forums catering to firefighters, police officers, and security professionals. Here, we see skimming code injected into img.firehouse[.]com/forums/fhc-ad-forums.js And, here, we see it injected into img.securityinfowatch[.]com/forums/fhc-ad-forums.js: We also observed a skimmer on img.officer[.]com/forums/ofcr-ad-forums.js. However, another strain of malicious code appears alongside the skimmer in this JavaScript—none other than jqueryapi1oad. This script loads content from gold.platinumus[.]top/track/awswrite. We'll discuss this further later in this report. ----- *The sites identified above belong to Endeavor Business Media. Update: Endeavor Business Media has informed us it has remediated the misconfiguration and removed the skimmers and jquerapi1oad redirector from their websites. We have confirmed that the sites are now clean. ## jqueryapi1oad is on 362 unique domains We first identified the jqueryapi1oad malicious redirector—so named after the cookie we connected with it—in July of 2019. Our research team determined that the actors behind this malicious code were also exploiting misconfigured S3 buckets. Looking at RiskIQ data for the jqueryapi1oad cookie, we see that it first appeared on 2019-04-26 and is still in use, connected with 362 unique domains to date, including officer[.]com. The gold.platinumus[.]top hostname has resided on 185.180.196[.]4 since it was first registered. ----- The IP belongs to the well-known bulletproof hosting company King Servers. Fourteen other hosts also appear on this IP address. ----- A series of other cookies that follow a uniform naming format are associated with these hosts. Several other cookies as well. Here are three examples below: ----- [https://community.riskiq.com/search/gold.platinumus.top/cookies](https://community.riskiq.com/search/gold.platinumus.top/cookies) [https://community.riskiq.com/search/b.5bnewbtrack.info/cookies](https://community.riskiq.com/search/b.5bnewbtrack.info/cookies) [https://community.riskiq.com/search/d.jtrackd.icu/cookies](https://community.riskiq.com/search/d.jtrackd.icu/cookies) With the capability to perform a trailing wildcard search of cookie names in the RiskIQ platform, we can quickly identify 176 other hosts associated with these cookies. ----- The code itself performs a bot check and sets the jqueryapi1oad cookie along with an expiration period based on the outcome of the check. It then creates a new element in the DOM of the page into which it's injected and pulls the new content from the gold.platinumus[.]top/track/awswrite URL. ## Connections to Hookads and TSS On May 16th, 2019, a few weeks after gold.platinumus.top was registered, RiskIQ observed an instance of jqueryapi1oad loaded from app-google-analytics.s3-sa-east1.misconfiguredaws[.]com. ----- The malicious JavaScript creates a PHP file named 'this.php' (note 'this.responseText' in the code sample above). The PHP file contains another URL, eimage[.]tk/index/? 4021528806835, which was loaded by the compromised page. The eimage[.]tk URL loads a cookie associated with the Keitaro traffic distribution system (TDS). ----- RiskIQ tracking of Keitaro associates 47,077 unique domains with this TDS: The eimage[.]tk page also loads a second redirection script, which we associate with the Hookads malvertising campaign. This campaign has historically been connected to exploit kits and other malicious behavior. ----- Within the redirection code is the URL take-prize-here2[.]life, yet another redirector ultimately landing on a scam page at best6650.ttxsrl38[.]agency. Here's what the page looks like: RiskIQ also captured instances of jqueryapi1oad on popular websites. The domain futbolred[.]com is a Colombian soccer news site that's in the top 30,000 of global Alexa rankings. It also misconfigured an S3 bucket, leaving it open to jqueryapi1oad. ----- Here we see the sequences where the S3 bucket loaded content from gold.platinum[.]us, creating the redirection through cermageratin[.]tk to wosemdesyane[.]site. ----- The wosemdesyane.site URL then redirects to a fake flash download page. ----- RiskIQ has so far identified 277 unique hosts directly affected by jqueryapi1oad. ## Conclusion Misconfigured Amazon S3 buckets that allow malicious actors to insert their code into numerous websites is an ongoing issue. Here, we have identified three sites belonging to the same company that currently host instances of Magecart. One of these is also hosting jqueryapi1oad, a malicious redirector we connect to the Hookads campaign, which has been historically associated with exploit kits and other malicious behavior. As attacks involving misconfigured S3 buckets continue, knowing where your organization is using them across its digital attack surface is imperative. In today's threat environment, businesses cannot move forward safely without having a digital footprint, an inventory of all digital assets, to ensure they are under the management of your security team and properly configured. ## Amazon S3 Bucket Mitigation: Logs, Review & Investigation A compromised S3 bucket is a painful moment for an organization, but it's also a pivotal one. Once the compromise comes to light, it is essential to assess the full scope of the incident. While the exact list of questions may differ depending on the type of organization, we ----- recommend first answering these basic questions when performing your investigation: What happened?: This question might seem too basic, but starting with a high-level incident description is extremely helpful. How did it happen?: Check logs and file modification timestamps, and try to save all this information to get a full picture of what happened and when. here are three ways for customers to enable this logging: [1. https://docs.aws.misconfigured.com/misconfiguredS3/latest/dev/cloudtrail-logging.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html) [2. https://docs.aws.misconfigured.com/misconfiguredS3/latest/dev/ServerLogs.htm](https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.htm) 3. Response automated using Lambda: https://www.youtube.com/watch?v=8qQ5Ng FGB0 What is the impact?: Did someone access, remove, or modify files they shouldn't have, and what was the impact of this? Were processes deteriorated? Was public content affected, resulting in theft, such as Magecart skimming or other exposure? Some compromises might only result in external damage such as to the brand, or no damage at all, but it's still essential for the security team to get answers. Groups like Magecart and those behind are always on the prowl and will be back to compromise you again if you don't fix your exposures. Next time, the damage could be catastrophic. Once these questions are answered, the next step is mitigation. The basics of most, if not all, S3 bucket compromises we observe come down to improper access control. We suggest cleaning out the bucket and performing a new deployment of resources or simply setting up [a new bucket. Customers can also enable versioning on their buckets to "rollback" objects to](https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html) a known good version. As for the policies to secure your bucket, we recommend the following approach: Check the data classification. Can it be public or not? Do not give everyone write permissions. Only provide write permissions to specific users or hosts, and review their need for access periodically. Take a whitelist approach with the above items, only explicitly provide write and/or read access. Account admins can also enable account level blocks via https://aws.misconfigured.com/blogs/aws/misconfigured-s3-block-public-accessanother-layer-of-protection-for-your-accounts-and-buckets/ ## IOCs: For the IOCs used in this attack, check out the RiskIQ PassiveTotal Public Project here: [https://community.riskiq.com/projects/df970082-5cd5-49ab-b595-ef3fa79d8bce](https://community.riskiq.com/projects/df970082-5cd5-49ab-b595-ef3fa79d8bce) ----- ## Subscribe to Our Newsletter Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more. Base Editor -----