logo

Cloud Bucket Hijacking Lets Attackers Silently Exfiltrate AWS, Google Cloud Data

ID: 0c0c56b4-03e6-5e5c-81d0-003adf5535aa

STIX ID: report--0c0c56b4-03e6-5e5c-81d0-003adf5535aa

Feed Name: GBHackers

Threat Score
75/100

Date Published: 2026-06-27

Date Updated: 2026-06-27

Author: Eswar

...
...

Unit 42 researchers describe a cross-cloud technique dubbed 'cloud bucket hijacking' where attackers with bucket-deletion permissions delete a target bucket and immediately recreate a bucket with the identical globally-unique name in an attacker account, causing existing logging sinks, replication jobs, and transfer pipelines to continue delivering sensitive objects and audit telemetry to the attacker undetected; the method was validated across GCP, AWS, and Azure and mitigations include strict least-privilege for deletion APIs, organizational namespace controls (e.g., account-scoped S3 namespaces), VPC/Service Control boundaries, SCPs, soft-delete protections, and high-severity monitoring of bucket-deletion API calls.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.