[German]The compromised Amazon AWS S3 Buckets, which I addressed in the blog post Warning: Infected Cookie Consent logo delivers Ransomware seems delivering constantly new payloads via compromised files.
Within the blog post Warning: Infected Cookie Consent logo delivers Ransomware I had compiled some background information on this topic. But it looks like the abuse of the compromised Amazon AWS S3 bucket has been going on for years and new payloads are being delivered all the time.
Former misuse of the AWS S3 Bucket
After I posted some details on Twitter and on social networking sites, there was feedback from security researchers and other people. The Amazon AWS S3 Bucket has been abused for years. Daniel Ruf pointed out on Facebook that there are three documented cases of abuse in the past that involve malicious files from the Amazon AWS S3 Bucket.
Mobile browser redirection in September 2019
The first case Daniel Ruf pointed out on Facebook used a manipulated script file from the Amazon AWS S3 Bucket. The following tweet refers to a case from September 2019 where a script was compromised.
If the user browse from a mobile device and the back button is pressed, it replaces the current page with a URL that refers to the fraudulent page. pic.twitter.com/y1rcje8wTc
— tike (@tiketiketikeke) September 24, 2019
There, using the back button on a mobile device will redirect the user to a fraudulent website. The details are described in more detail in this Italian article.
Cases from July 2017
Another case from July 2017 was briefly documented in this forum post. It also talks about a redirect on mobile devices, which is based on manipulated files of the Cookie Consent Plugin from Silktide. The post describes the situation at that time. The next case from 2017 is discussed in this GitHub post by Phil E. Taylor. The manipulated script files pursued the goal of redirecting users to porn sites.
Attack on Portuguese websites (January 2020)
In the blog post Warning: Infected Cookie Consent logo delivers Ransomware I had already mentioned the hint from Lawrence Abrams that the compromised Amazon AWS S3 Buckets had been an issue in January 2020.
— Lawrence Abrams (@LawrenceAbrams) May 21, 2020
At that time the focus was on Portuguese websites. Lawrence Abrams from Bleeping Computer sent me an earlier link to Virus Total, where a lot of virus scanners on Virus Total recognized a payload as dangerous. But that can change at any time.
Current payloads change daily
Since I wrote the first article a few hours ago, people have been having people check the URL with the logo file. When I called it a few hours ago, only two (Fortinet and Kaspersky) of 80 virus scanners on VirusTotal detected malware. There is a community article about it, where someone discusses this malware.
Suddenly WannaPeace Ransomware
Based on my blog post and the discussion on Twitter, security researcher Kevin Beaumont has posted the following tweet
— Kevin Beaumont (@GossiTheDog) May 21, 2020
On May 21, 2020 he received the WannaPeace ransomware as a ‘payload’ from the compromised Amazon AWS site, disguised as a software update. But the payload was broken, as a check of the .png file with VirusTotal revealed.
What you can do
Administrators in enterprise environments can to block the URL *https[:]//s3-eu-west-1.amazonaws[.]com/assets.cookieconsent.silktide.com/ completely for access from the net. Webmasters of websites, on the other hand, should check if the Cookie Content solution of SilkTide is in use. If so, the code should be removed and switched to another solution.
Addendum: Amazon has closed the offending account and suspended the bucket according to their support team so none of those S3 bucket items are any longer available on the Internet.
Warning: Infected Cookie Consent logo delivers Ransomware
Compromised SilkTide Cookie-Consent Logo – Part 2
Compromised SilkTide Cookie-Consent Logo – Part 3