Cloud Bucket Hijacking Lets Attackers Silently Exfiltrate AWS, Google Cloud Data
ID: 0c0c56b4-03e6-5e5c-81d0-003adf5535aa
STIX ID: report--0c0c56b4-03e6-5e5c-81d0-003adf5535aa
Feed Name: GBHackers
Unit 42 researchers describe a cross-cloud technique dubbed 'cloud bucket hijacking' where attackers with bucket-deletion permissions delete a target bucket and immediately recreate a bucket with the identical globally-unique name in an attacker account, causing existing logging sinks, replication jobs, and transfer pipelines to continue delivering sensitive objects and audit telemetry to the attacker undetected; the method was validated across GCP, AWS, and Azure and mitigations include strict least-privilege for deletion APIs, organizational namespace controls (e.g., account-scoped S3 namespaces), VPC/Service Control boundaries, SCPs, soft-delete protections, and high-severity monitoring of bucket-deletion API calls.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
