I'm looking for advice on how to shut down an S3 bucket that has been exploited for unauthorized data transfers. One of our servers was compromised, and a PowerShell command appears to have created a connection to an S3 storage. Here's what I found in the environment variables:
- AWS_ACCESS_KEY_ID: (redacted)
- AWS_SECRET_ACCESS_KEY: (redacted)
- RESTIC_REPOSITORY: 's3:s3.eu-west-1.wasabisys.com/backvalue/(redacted)'
- RESTIC_PASSWORD: (redacted)
It seems like the modified winupdate.exe was used to hide this data transfer. I don't have any account information related to the S3 storage. What steps should I take to ensure this bucket is closed and what actions can I pursue?
5 Answers
If you have access to the creds, crafting a script to delete all the uploaded data could be a straightforward approach. Just make sure you act quickly!
If you've got valid credentials, you could try accessing the Wasabi storage to see if you can delete the data that was uploaded. Just keep in mind that if the credentials were compromised, that access might not work.
Definitely reach out to AWS support. They have specific pathways for abuse reports and could help get that bucket shut down. However, be prepared for a bit of back and forth—it might take some time.
Using the AWS CLI, you can execute a command like 'aws sts get-caller-identity' to find out the account number. This might help in notifying AWS about the illicit activity linked to that account. If you can access the bucket, document what's taken and consider deleting it. However, if your access is limited to only uploading, flooding the bucket with useless data could be a way to manage their costs.
It looks like you're dealing with a Wasabi bucket, not AWS. So, try reaching out to Wasabi directly instead of AWS. They might be able to help you shut down that bucket. Also, I recommend involving legal authorities since that could speed up the response. Check out their contact page for more details.

Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures