Malicious data exfiltration using AWS S3 Replication Service
The AWS S3 Service has grown in complexity and now has many features and integrations, making it difficult to secure all of its capabilities. One of those capabilities is to create and manage backups across regions and accounts. Cross-account replication can assist organizations in recovering from a data-loss event such as a ransomware attack. In the wrong hands, the replication service can allow threat actors to exfiltrate data to untrusted locations. Vectra, a threat detection and response company, describes this type of "feature abuse" in detail.
The issue is compounded by a lack of visibility: to control costs, organizations will often enable S3 data-plane logs on their high-value buckets only, rather than paying for logging on "all current and future buckets". In such cases, the write event (the PutObject) is logged only against the destination bucket, which is controlled by the malicious user exfiltrating the data. CloudTrail, the AWS monitoring and logging framework, will record only a read event (a GetObject) on the source bucket, leaving the victim blind to the fact that a "remote" write, i.e. an exfiltration to a malicious destination, took place.
This selective logging results in a gap in S3 exfiltration visibility (and, as mentioned, the exfiltration goes undetected), since the PutObject event is never written in the source account.
Defenders need to broaden the events they monitor to include the updating of replication rules so they can ensure they are comprehensively monitoring their data perimeter.
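The check described above can be automated. The following script is an added example and is not part of the original article or of Vectra's work: it audits a bucket's replication configuration against an allow-list of trusted account IDs, and flags CloudTrail management events that add, change or remove replication rules (PutBucketReplication and DeleteBucketReplication are the documented S3 event names). The account IDs, bucket names and CloudTrail records are constructed, and the layout assumed for the CloudTrail requestParameters field is an assumption that should be verified against real logs; the replication configuration layout matches what boto3's get_bucket_replication() returns.

```python
"""Audit S3 replication destinations and CloudTrail replication-rule changes.

Added example, not the article's code. Account IDs, bucket names and the
sample CloudTrail records are constructed placeholders.
"""
import re
from typing import Iterable

# Constructed allow-list of the accounts this organisation owns.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

_BUCKET_ARN = re.compile(r"^arn:aws:s3:::(?P<name>[^/]+)$")

# CloudTrail management events that change a bucket's replication rules.
REPLICATION_EVENTS = {"PutBucketReplication", "DeleteBucketReplication"}


def destination_account(destination: dict, owner_account: str) -> str:
    """Account that receives replicated objects.

    Cross-account replication sets Destination.Account; when it is absent
    the destination bucket lives in the same account as the source bucket.
    """
    return destination.get("Account", owner_account)


def untrusted_rules(config: dict, owner_account: str,
                    trusted: set = TRUSTED_ACCOUNTS) -> list:
    """Return enabled replication rules whose destination account is not trusted.

    `config` has the layout of boto3's
    get_bucket_replication()["ReplicationConfiguration"]: {"Role": ..., "Rules": [...]}.
    """
    findings = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue  # disabled rules do not copy data
        dest = rule["Destination"]
        account = destination_account(dest, owner_account)
        if account not in trusted:
            m = _BUCKET_ARN.match(dest.get("Bucket", ""))
            findings.append({
                "rule": rule.get("ID", "<no id>"),
                "bucket": m.group("name") if m else dest.get("Bucket"),
                "account": account,
            })
    return findings


def replication_changes(records: Iterable[dict],
                        trusted: set = TRUSTED_ACCOUNTS) -> list:
    """Flag CloudTrail records that add, modify or remove replication rules.

    The requestParameters layout (ReplicationConfiguration -> Rule -> Destination)
    is an assumption used for the constructed sample; verify it against real logs.
    """
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in REPLICATION_EVENTS:
            continue
        owner = rec.get("recipientAccountId", "")
        params = rec.get("requestParameters") or {}
        alert = {
            "event": rec["eventName"],
            "bucket": params.get("bucketName"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "destinations": [],
            "cross_account": False,
        }
        rules = (params.get("ReplicationConfiguration") or {}).get("Rule", [])
        if isinstance(rules, dict):  # a single rule is serialised as an object
            rules = [rules]
        for rule in rules:
            account = destination_account(rule.get("Destination") or {}, owner)
            alert["destinations"].append(account)
            if account not in trusted:
                alert["cross_account"] = True
        alerts.append(alert)
    return alerts


# Constructed sample data ---------------------------------------------------
SAMPLE_CONFIG = {
    "Role": "arn:aws:iam::111111111111:role/replication",
    "Rules": [
        {"ID": "dr-copy", "Status": "Enabled",
         "Destination": {"Bucket": "arn:aws:s3:::dr-backups", "Account": "222222222222"}},
        {"ID": "to-outside", "Status": "Enabled",
         "Destination": {"Bucket": "arn:aws:s3:::external-bucket", "Account": "999999999999"}},
        {"ID": "old-disabled", "Status": "Disabled",
         "Destination": {"Bucket": "arn:aws:s3:::unused", "Account": "999999999999"}},
    ],
}

SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "recipientAccountId": "111111111111"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
     "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": {"bucketName": "crown-jewels",
                           "ReplicationConfiguration": {"Rule": {"ID": "to-outside",
                               "Destination": {"Bucket": "arn:aws:s3:::external-bucket",
                                               "Account": "999999999999"}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketReplication",
     "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": {"bucketName": "crown-jewels"}},
]

if __name__ == "__main__":
    for f in untrusted_rules(SAMPLE_CONFIG, "111111111111"):
        print("untrusted replication rule:", f)
    for a in replication_changes(SAMPLE_RECORDS):
        print("replication change:", a)
```

Run periodically against every bucket's configuration, the first function closes the gap the article describes: it surfaces a rule copying data to an account you do not own regardless of whether data-plane logging is enabled on that bucket. The second function belongs in the CloudTrail alerting pipeline; a DeleteBucketReplication event is worth an alert even when no destination can be extracted, because removing a rule after the copy has completed hides the channel that was used.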
This and similar issues show how important it is to extend visibility into servers and cloud services, in much the same way as endpoint devices are controlled with XDR and behavior-monitoring capabilities. Amazon, Azure and Google cloud infrastructure services keep growing in complexity and are bound to be abused by actors seeking novel ways to subvert IT systems.
Read more about exfiltrating data with the AWS S3 Replication Service in the Vectra blog.