Listen to this Post
The recent Bybit hack, which resulted in $1.5 billion being stolen, underscores the importance of monitoring S3 write actions on publicly accessible S3 buckets. Attackers compromised a Safe{Wallet} developer’s machine and injected malicious JavaScript into an S3-hosted web app, ultimately exploiting Bybit’s multisig cold wallet. This incident highlights the critical need to monitor S3 write actions in CloudTrail, even for buckets that are publicly accessible or served via CloudFront.
Key Commands and Practices for Monitoring S3 Write Actions
1. Enable CloudTrail Logging for S3:
Ensure that CloudTrail is enabled to log S3 data events. This can be done using the AWS CLI:
aws cloudtrail put-event-selectors --trail-name MyTrail --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]'
2. Monitor S3 Write Actions:
Use CloudWatch to set up alarms for specific S3 write actions. For example, to monitor `PutObject` events:
aws cloudwatch put-metric-alarm --alarm-name S3-PutObject-Alarm --metric-name PutObject --namespace AWS/S3 --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --dimensions Name=BucketName,Value=MyBucket --evaluation-periods 1 --alarm-actions arn:aws:sns:us-east-1:123456789012:MyTopic
3. Restrict Public Access to S3 Buckets:
Use the following command to block public access to an S3 bucket:
aws s3api put-public-access-block --bucket MyBucket --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
4. Audit S3 Bucket Permissions:
Regularly audit S3 bucket permissions to ensure they are not overly permissive:
aws s3api get-bucket-acl --bucket MyBucket
5. Use AWS Config for Compliance Monitoring:
Enable AWS Config to monitor and enforce compliance policies for S3 buckets:
aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/AWSConfigRole --recording-group allSupported=true,includeGlobalResourceTypes=true
What Undercode Say
The Bybit hack serves as a stark reminder of the importance of securing S3 buckets, especially those that are publicly accessible. Monitoring S3 write actions through CloudTrail and setting up appropriate alarms in CloudWatch can help detect unauthorized modifications before they cause significant damage. Additionally, restricting public access to S3 buckets and regularly auditing permissions are essential practices to mitigate risks.
In the context of Linux and Windows systems, similar principles apply. For instance, on a Linux server, you can monitor file changes using inotify:
inotifywait -m /path/to/directory -e create,modify,delete
On Windows, you can use the `Get-EventLog` cmdlet to monitor security events:
Get-EventLog -LogName Security -InstanceId 4663 -After (Get-Date).AddHours(-1)
For further reading on securing S3 buckets, refer to the AWS S3 Security Best Practices.
In conclusion, the Bybit hack highlights the need for continuous monitoring and robust security practices. By leveraging tools like CloudTrail, CloudWatch, and AWS Config, organizations can better protect their data and infrastructure from similar attacks. Regularly updating and auditing security policies, both in the cloud and on-premises, is crucial to maintaining a strong security posture.
References:
Hackers Feeds, Undercode AI


