Attackers discovering exposed cloud assets within minutes
Cloud security vendor Orca Security used honeypots to learn more about how threat actors compromise cloud resources such as misconfigured AWS S3 buckets and GitHub repositories.
A six-month study from security vendor Orca Security that simulated exposed cloud assets found that threat actors discovered and breached the resources at surprisingly fast speeds.
In the research posted to the vendor's blog Tuesday, titled "2023 Honeypotting in the Cloud Report: Attackers Discover and Weaponize Exposed Cloud Assets and Secrets in Minutes," Orca deployed a series of honeypots on nine different cloud environments to simulate misconfigured resources and study the threat actors that attempt to compromise them.
The vendor said it deployed honeypots to AWS S3 buckets, Docker Hub, Amazon Elastic Container Registry, Elasticsearch, GitHub, HTTP, Amazon Elastic Block Storage, Redis and SSH. Moreover, each honeypot included an AWS secret access key and a number of "breadcrumbs" to lead threat actors to the instances.
The study found that cloud threat actors moved fast. Threat actors discovered GitHub assets within two minutes, HTTP within three minutes, SSH within four minutes and S3 buckets within an hour. As for time to compromise for the AWS keys, the GitHub honeypots' exposed keys were "basically compromised instantly," the report said, while S3 buckets took eight hours and Elastic Container Registry four months.
"In some ways, our study confirmed what is already widely known: attackers are constantly scanning the Internet for lucrative opportunities," the report read. "What did surprise us however was how fast this was happening in some cases. Depending on the resource, attackers sometimes just needed a few hours or even minutes to find and use the exposed keys in our honeypots."
For S3 buckets in particular, the report claimed that the more breadcrumbs that existed for threat actors to find, the faster said buckets were discovered and compromised. While this might sound obvious on its own, Orca said legitimate buckets would likely have had "many more breadcrumbs, such as references to bucket names, IDs, and links."
"Therefore accidentally exposed legitimate buckets are likely to be accessed even faster by attackers, meaning discovery would be expected in under one hour," the blog post read.
Orca security research tech lead Tohar Braun told TechTarget Editorial in an email that breadcrumbs were published on Pastebin, Twitter, GitHub and Reddit to simulate a legitimate setup.
"When companies have an established online presence like a website, such breadcrumbs are inevitable, resulting in bucket names, IDs and links being searchable on the internet -- for instance, in JavaScript files," Braun said. "Adversaries are using automated reconnaissance tools to find the domain names and web addresses used on the back end, which can include S3 bucket names. As we have seen in our research, once they find this information, they will immediately try to access the bucket and search its contents."
Orca concluded the research blog post by explaining why threat actors target some cloud resources more than others. A resource becomes more attractive, the vendor said, if it's easily discoverable and if it's exposed to the internet via a TCP port. Other factors include how much a resource is used -- an often-used resource would more likely contain information useful to a threat actor -- and how prone it is to contain secrets.
In the case of GitHub, which saw extremely quick discovery and compromise times, Orca said it is easy to discover public repos -- and by extension, new commits -- via the code platform. In addition, "GitHub is very prone to contain secrets since it contains all the source code of a project, sometimes even of an entire organization."
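As an added defender-side example (not code from Orca's report or this article), the scanner below looks for the two kinds of breadcrumb the article describes before they reach a public repository or a deployed bundle: AWS access key IDs and secret access keys of the sort that leaked from the GitHub honeypots, and S3 bucket names referenced from JavaScript files as Braun notes. The sample files, bucket names and key values are constructed placeholders.

```python
import re

# Patterns for the breadcrumbs and secrets the article describes: an AWS access
# key ID (AKIA plus 16 upper-case alphanumerics), a secret access key assigned
# under its usual name, and S3 bucket names in s3:// URIs or S3 URLs.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET = re.compile(
    r"aws[_-]?secret[_-]?access[_-]?key[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})",
    re.IGNORECASE)
S3_REF = re.compile(
    r"s3://([a-z0-9.-]{3,63})"
    r"|https?://([a-z0-9.-]{3,63})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
    r"|https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]{3,63})",
    re.IGNORECASE)

def scan_text(path, text):
    """Return (path, line_no, kind, value) for every hit in one file.
    Secret values are redacted to their first four characters."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            hits.append((path, n, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET.finditer(line):
            hits.append((path, n, "aws_secret_access_key", m.group(1)[:4] + "..."))
        for m in S3_REF.finditer(line):
            bucket = next(g for g in m.groups() if g)
            hits.append((path, n, "s3_bucket_ref", bucket))
    return hits

def scan_files(files):
    """files maps path -> content; scan each in order and merge the hits."""
    return [h for path, text in files.items() for h in scan_text(path, text)]

# Constructed sample inputs: placeholder bucket names and key values, not real ones.
SAMPLE_FILES = {
    "app.js": "// front-end bundle that references back-end buckets\n"
              'const CDN = "https://acme-prod-assets.s3.eu-west-1.amazonaws.com/app.js";\n'
              'fetch("https://s3.amazonaws.com/acme-backups/latest.tar.gz");\n',
    "credentials": "[default]\n"
                   "aws_access_key_id = AKIAEXAMPLE000000001\n"
                   "aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0\n",
}

if __name__ == "__main__":
    for path, n, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{n}: {kind} -> {value}")
```

Run it as a pre-commit or CI step over the files about to be published; any bucket reference it reports is a name an attacker can query directly, and any key hit should be rotated rather than merely deleted from the commit.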
Orca Security also noted that attackers used the search engine Shodan to find cloud assets exposed on TCP ports, such as HTTP, Elasticsearch, Redis, SSH and Postgres services. S3 buckets are more challenging, the vendor said, because without authentication there is no way to enumerate all of a targeted organization's buckets, so threat actors must instead run dictionary attacks that cycle through candidate names for the exposed assets.
Orca cloud threat research team leader Bar Kaduri said the vendor observed more scanning activity in GitHub than S3 buckets.
"This is because GitHub is very easy to scan continuously since the code is accessible and it's easy to monitor new commits," she told TechTarget in an email. "This makes identifying interesting patterns in the code, like secret keys, a low-effort activity. In addition, GitHub is likely to contain sensitive information, so the potential rewards are high."
Exposed cloud resources have proven to be a major issue for enterprises in recent years. A now-infamous Uber data breach in 2016 occurred when threat actors stole an AWS access key exposed in a public GitHub repository. And on the S3 front, 14 million Verizon customers had their personal data exposed to the public in 2017 due to a misconfigured bucket. Both AWS and GitHub have introduced security features and configuration settings to curb accidental exposures.
Alexander Culafi is a writer, journalist and podcaster based in Boston.