A Hole in the Bucket: The Risk of Public Access to Cloud Native Storage
SANS Offensive Operations

 Published On Dec 15, 2023

In this session, we’ll explore how allowing public access to AWS S3 Buckets, Azure Blobs and similar cloud storage services can risk exposing sensitive files in the cloud. Misconfigurations and legacy defaults are often to blame, and they can go unnoticed for years. A common way of dealing with this issue is indexing publicly accessible buckets and blobs. However, there are “holes in the bucket” that emerge from relying on this technique, as not all files are easily searched. Using examples from anonymous case studies, we will go through the forms these “holes” in the bucket take, why discovering them is difficult, and how much risk they can create. Most of the analysis done with these API providers relies on manual analysis of file names. After initially searching and inspecting files by hand, our Red Team developed tools to expedite this process and unearth sensitive credentials that had been inadvertently left exposed in the cloud for a client. These files exposed patient information, personally identifiable information (PII), IT administrative guides, system backups, and much more. We’ll discuss how the most difficult part of the analysis was homing in on files that were never supposed to be public. Many indexing tools do not make any filtering decisions. Instead, they use their own wordlists to generate a list of bucket names or Azure DNS filenames, and they use common wordlists for Azure blob container names. This allows them to find very well-known companies along with well-known patterns of container names. What this does not cover are lesser-known bucket names, lesser-used container names, and other cloud providers. This session will center on how we found these items, what the items were, and how the conversations with the organizations went. We will also provide ways to prevent these “holes” through defensive measures that would have protected against these vulnerabilities.
We plan on releasing the tool that we used to discover these vulnerabilities to further the analysis and to share how we created our own wordlists to attempt other cloud providers, providing a strategy for others to do the same.
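The abstract points at misconfigurations and legacy defaults, and at defensive measures that would have closed these holes. As an added example (not the speaker's tool and not from the talk), the script below shows the kind of check a defender can run over their own buckets: it parses an S3 bucket policy for statements that grant anonymous principals read access, and it lists which of the four Public Access Block flags are not enabled. The two sample policies, the bucket name `example-backups` and the Public Access Block settings are constructed for illustration; in practice the inputs come from boto3's `get_bucket_policy` and `get_public_access_block` calls, which are left to the reader so the example runs offline.

```python
"""
Added example: an offline audit of S3 bucket policy and Public Access Block
settings for anonymous read access. Sample inputs are constructed; this is
not the tool described in the talk.
"""
import json

# Actions that let an anonymous principal read object data or list keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# The four Public Access Block flags; all must be True to fully override
# public ACLs and public bucket policies.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_anonymous(principal) -> bool:
    """True if the Principal element matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_read_statements(policy_json: str) -> list:
    """Return (Sid, kind) for each Allow statement that grants anonymous read.

    kind is "public" for an unconditioned grant and "conditioned" when a
    Condition block is present, since a condition (e.g. a VPC endpoint
    restriction) may narrow who can actually reach the objects.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _grants_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not (actions & READ_ACTIONS):
            continue
        sid = st.get("Sid", f"statement[{i}]")
        findings.append((sid, "conditioned" if st.get("Condition") else "public"))
    return findings


def public_access_block_gaps(pab: dict) -> list:
    """Return the Public Access Block flags that are missing or False."""
    return [k for k in PAB_FLAGS if not pab.get(k, False)]


def audit_bucket(name: str, policy_json, pab: dict) -> dict:
    """Combine both checks. A bucket is reported as exposed when it carries
    an unconditioned anonymous-read statement and RestrictPublicBuckets is
    not enabled to neutralise that policy."""
    statements = policy_public_read_statements(policy_json) if policy_json else []
    gaps = public_access_block_gaps(pab)
    has_public = any(kind == "public" for _, kind in statements)
    return {
        "bucket": name,
        "anonymous_read_statements": statements,
        "public_access_block_gaps": gaps,
        "exposed": has_public and "RestrictPublicBuckets" in gaps,
    }


# Constructed sample: a legacy "static website" style policy that lets anyone
# read every object in the bucket.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "LegacyPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

# Constructed sample: same grant, but limited to a VPC endpoint (placeholder id).
SAMPLE_CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-backups/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}},
    }],
})

# Constructed Public Access Block settings: a legacy bucket vs. a hardened one.
LEGACY_PAB = {k: False for k in PAB_FLAGS}
HARDENED_PAB = {k: True for k in PAB_FLAGS}

if __name__ == "__main__":
    for pab in (LEGACY_PAB, HARDENED_PAB):
        print(json.dumps(audit_bucket("example-backups", SAMPLE_PUBLIC_POLICY, pab), indent=2))
```

The policy check deliberately treats a conditioned statement as a separate finding rather than as safe, because whether the condition actually restricts anonymous access depends on the condition keys in use; a reviewer should look at those by hand.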

SANS HackFest Summit 2023
A Hole in the Bucket: The Risk of Public Access to Cloud Native Storage
David Mayer, Instructor Candidate, SANS Institute

View upcoming Summits: http://www.sans.org/u/DuS

