Since its inception in March 2006, AWS cloud storage option, also referred to as S3 (Simple Storage Service), has generated keen interest due to its low maintenance and configuration, high availability and “pay as you go” accessible pricing. Microsoft jumped on the bandwagon by formally launching its own cloud services in 2010, maintaining ever since a distant second position in the cloud computing market while closing in on AWS faster than other rivals.
Cloud buckets ease of use creates risk
AWS S3 buckets or Azure Blob storage use cases have increased, as they can store almost any type of file, even allowing a drag & drop method for non-technical users.
This introduces a set of potential security related issues, often driven by user misconfiguration. This would make files available to anyone over the internet. When uploading a file in a bucket, the default option is set for private, meaning no one else has access to it. That, however, has not prevented mistakes from happening, even by consultants working for cloud computing companies. This is something GoDaddy learned the hard way in 2018.
Anyone following this “leaked bucket” phenomenon is already aware of events related to this type of mistakes that resulted in data being leaked on the internet (otherwise, visit this github repository for a list of incidents). Important to note, however, is that these examples are not limited to firms mistakenly leaking their own information, but to third-party data leaks, as was the case in the 2019 Attunity leak. The israeli IT firm mistakenly leaked customer information , including Netflix and TD Bank.
Mitigating leaky buckets through monitoring
Fortunately, many tools have been developed to keep track of publicly accessible “buckets”. S3 Scanner, AWS Bucket Dump and others have been released as open source tools. However Grayhat Warfare stands out of the crowd as users query a database that is already (and continuously) filled with publicly accessible buckets found on AWS and Azure. Grayhat also lists all the files present in a public bucket and allows to download the content of the files, although this action in itself is inching away from the legal side of intelligence gathering. The team at Grayhat lets users request bucket or file removal from their database if they think it might expose them.
As you might have guessed by now, this tool can be very useful for malicious actors looking for information about a targeted company. Knowing that firms now use cloud buckets to store private information, source code and sometimes database backups, many in the community consider these leaky buckets a gold mine for malicious actors, and a serious threat to firms that use them or that have suppliers and vendors using them.
Integrating Grayhat monitoring in security workflows
The team at Grayhat Warfare has done an amazing job in indexing and finding new leaky buckets on AWS and Azure. However, as with most tools, a last layer of automation is required for companies to make sure they continuously monitor whether new private buckets or files are available on the public internet.