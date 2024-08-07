Aqua Security researchers disclosed six cloud vulnerabilities in AWS services, as well as a new attack vector they call "shadow resources," during a Black Hat USA 2024 session Wednesday.

The session, titled "Breaching AWS Accounts Through Shadow Resources," presented six critical flaws that Aqua researchers discovered earlier this year in AWS services such as CloudFormation, CodeStar and Service Catalog. While AWS promptly patched the vulnerabilities after Aqua reported them, the researchers say they illustrate new threats and attack techniques that could put customer data and resources at risk, and in some cases even lead to a full account takeover.

Yakir Kadkoda and Ofek Itach, security researchers with Aqua's Nautilus team, and former Aqua employee and current Microsoft researcher Michael Katchinskiy spoke during the Black Hat session about how they discovered both the AWS vulnerabilities and the shadow resource vector while using CloudFormation. The team observed that when customers create a CloudFormation service with the AWS Management Console for the first time in a new region, an AWS S3 bucket is automatically created so customers can store their CloudFormation templates.

The name of a customer's bucket is the same across all regions, except for the region name. The researchers showed that, for example, if a test account creates a CloudFormation service in the us-east-1 region, AWS will create an S3 bucket named, for example, "cf-templates-123abcdefghi-us-east-1." If that same account uses CloudFormation in another regio like eu-west-2, a new bucket called "cf-templates-123abcdefghi-eu-west-2" will be created.

The researchers wondered whether customers were aware that new S3 buckets or "shadow resources" were deployed on their behalf, and if threat attackers could somehow take advantage of these resources. The automatically deployed S3 buckets are named with random 12-character strings, which makes bucket names nearly impossible to guess.

However, the researchers found weak points in AWS' S3 bucket naming process that could allow threat actors to guess the name of a potential bucket prior to its creation. "In simpler terms, some AWS services create S3 buckets using predictable names," the researchers wrote in a report published Wednesday. "Instead of using a hash, they often use the AWS account ID as the unique identifier for these buckets."

The researchers used several reconnaissance techniques to find account IDs, such as using GitHub Regex Search or crawling AWS services. For buckets that are named with unique hashes, attackers can search the public internet to see if organizations' hashes have leaked. The research team members noted that they discovered numerous hashes for different AWS accounts by searching GitHub or using tools like Sourcegraph.

Once a threat actor discovers the potential names of unclaimed S3 buckets, they can engage in what the research team calls "Bucket Monopoly" by creating those buckets before AWS does. Attackers could make a bucket publicly accessible but configure the permission policy to allow access to only the targeted victim's account ID.

More importantly, the researchers found an additional problem with these shadow resources. In the case of CloudFormation, if a customer launches a service and AWS tries to create a bucket with a name that's already been claimed by an attacker, the cloud provider will identify that malicious bucket, trust it and add potentially sensitive data to it.

"This way, an attacker could actually create malicious S3 buckets and wait for the vulnerable AWS service to write something to this malicious bucket," Kadkoda told TechTarget Editorial prior to the session.

The research team members also found they could use AWS Lamba to read a victim's CloudFormations templates once they are dropped in a malicious S3 bucket and modify the template to add a new administrator role; this creates a backdoor in the template that could later be deployed in a CloudFormation stack.

"Essentially, we have an admin role in a targeted organization simply by knowing their CloudFormation unique hash," the researchers wrote. "This is the most severe vulnerability that we can achieve in the cloud, as it allows us to take over the victim's account."