Black Hat USA 2024 is up and running at full pace as critical AWS vulnerabilities are exposed! Learn how attackers could exploit “shadow resources” to gain control of accounts in CloudFormation, Glue, EMR, SageMaker, Service Catalog, and CodeStar. Research reveals a unique “Bucket Monopoly” technique.
Cloud security firm Aqua Security’s research team, Nautilus, uncovered a set of critical vulnerabilities in six Amazon Web Services (AWS) offerings in February 2024. AWS services, including CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar had these vulnerabilities.
The research, presented at Black Hat USA 2024 by Lead Security Researcher Yakir Kadkoda and Senior Security Researcher Ofek Itach, focused on the concept of “shadow resources.” These are resources created automatically behind the scenes when setting up certain AWS services.
One such shadow resource is an S3 bucket, a cloud storage container similar to file folders on a computer, used to store images, videos, and other data. Researchers discovered that the naming convention for these buckets was predictable, allowing attackers to guess or discover their names potentially.
According to the company’s blog post, When creating these services in a new region, an S3 bucket is automatically created with a name, that is divided into the service ID and region name. Attackers could discover the buckets’ names or guess predictable parts of the name using a method called “Bucket Monopoly.”
Bucket Monopoly allows attackers to “land grab” unclaimed S3 buckets on AWS. An AWS account ID is a resource plentiful on GitHub that can indicate bucket ownership. Adversaries could create these buckets in advance in all available regions, and store malicious code in the bucket.
When the targeted organization enables the service in a new region, the malicious code can be unknowingly executed, potentially leading to the creation of an admin user granting control to the attackers.
This would let attackers gain complete control of AWS accounts, steal sensitive data, or disrupt critical operations by claiming ownership of important S3 buckets on AWS before they are created.
“The vulnerabilities range from remote code execution, which could lead to full account takeover, to information disclosure, potentially exposing sensitive data, or causing denial of service,” researchers noted.
The good news is that Aqua Security responsibly disclosed these vulnerabilities to AWS, who promptly addressed them with patches. The full details of the research, including a method for checking past vulnerabilities and an open-source tool for exploring service internal API calls, will be released by Aqua Security following the DEF CON conference.
This research serves as a valuable reminder for both cloud providers and users to continuously improve security practices and explore new attack vectors within the ever-evolving cloud ecosystem.
RELATED TOPICS
- Phishing 3.0: Crooks Leverage AWS in Deceptive Email Campaigns
- “LeakyCLI” Vulnerability Leaks AWS and Google Cloud Credentials
- Criminal IP: Enhancing Security Solutions via AWS Market Integration
- Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials
- Supply Chain Attack Targeting Telegram, AWS and Alibaba Cloud Users