Cloud Bucket Hijacking Technique Lets Attackers Reroute Logs and Sensitive Data
ID: b5c791a7-b4dd-5ad6-983a-bbff5805ebc6
STIX ID: report--b5c791a7-b4dd-5ad6-983a-bbff5805ebc6
Feed Name: Cyber Press
Unit 42 researchers describe a cross-cloud “bucket hijacking” technique that leverages globally unique bucket names: an attacker with delete permissions can remove a target bucket and immediately recreate it under their account, causing existing logging sinks, replication pipelines, and transfer jobs to continue delivering sensitive data to the attacker. The report demonstrates successful simulations on Google Cloud (logging sinks, Pub/Sub, Storage Transfer), AWS (S3 replication, Firehose), and an Azure cross-subscription variant, warns that common admin roles grant the needed delete permissions, and recommends least-privilege controls, monitoring of bucket deletions, and provider-specific mitigations to prevent silent exfiltration.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
