At the beginning of the year, some ransomware cases also made the news in which data hosted in publicly writable buckets was encrypted, or copied and removed, and then essentially held for ransom. It turns out these publicly writable buckets are surprisingly common. Security researcher “Random Robbie” wrote a script that scans accessible buckets and leaves a POC.txt file in the vulnerable folders. If you find one of these files amongst your data, you are advised to lock down the access controls of the relevant services immediately.

The security issue around cloud data is not new. Over the years, many tools such as S3Scanner and AWSBucketDump have been developed and updated; they scan the cloud platforms' address ranges looking for any publicly accessible buckets. Once such a bucket is found, most tools can even scan or dump its contents, giving the interested party an easy, automated way to access the data. More and more of these tools have become available, and the latest trend is the use of certificate transparency logs to make scanning more efficient. These tools no longer need to brute-force every entry on a predefined wordlist: generating domain name permutations from certificate transparency logs makes the process far more targeted and, with that, much quicker.

As mentioned before, the security issues around these buckets are not new. Vendors have now started to accept some of the responsibility, however, and some interesting, more proactive measures have recently been made available to cloud users. Of course, the traditional security controls and processes still apply, but as can be observed, they often fail due to human error or a lack of understanding of the platform. Access rights need to be set properly and reviewed on a regular basis. Proactive scans using the enumeration scripts mentioned above, or broader vulnerability scans against the customer's own environment, need to be performed and monitored. Nothing new there. 
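As an added example of the access-right review called for above (this is not code from the article, nor from S3Scanner, AWSBucketDump or any other tool it names), the following Python audits a bucket's own configuration offline and tells you whether it is public-read, public-write, or publicly granted but neutralised by a Public Access Block. The ACL, bucket-policy and Public Access Block documents are constructed inline; their shape is assumed to match what boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, and the sample bucket names are invented.

```python
"""Offline exposure audit of S3-style bucket configuration.

Added example, not the article's code.  The ACL, bucket-policy and
Public Access Block documents are constructed inline; in a real review
they would come from boto3 (get_bucket_acl, get_bucket_policy,
get_public_access_block).  Assumption: the JSON shapes below mirror
those API responses.
"""
from dataclasses import dataclass

# The two grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


@dataclass(frozen=True)
class Finding:
    bucket: str
    source: str        # "acl" or "policy"
    access: str        # "read" or "write"
    grantee: str       # AllUsers / AuthenticatedUsers / "*"
    mitigated: bool    # Public Access Block neutralises this grant
    conditional: bool  # policy statement carries a Condition block


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, signed or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_is_write(action):
    a = action.lower()
    return a == "s3:*" or a.startswith("s3:put") or a.startswith("s3:delete")


def audit_bucket(name, acl, policy=None, public_access_block=None):
    """Return every public grant found in one bucket's ACL and policy."""
    pab = public_access_block or {}
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or label is None:
            continue
        access = "write" if grant.get("Permission") in ACL_WRITE else "read"
        # IgnorePublicAcls makes S3 disregard public ACL grants.
        findings.append(Finding(name, "acl", access, label,
                                bool(pab.get("IgnorePublicAcls")), False))
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        access = "write" if any(_action_is_write(a) for a in actions) else "read"
        # RestrictPublicBuckets limits a public policy to the account and AWS services.
        findings.append(Finding(name, "policy", access, "*",
                                bool(pab.get("RestrictPublicBuckets")), "Condition" in stmt))
    return findings


def worst_exposure(findings):
    """Collapse a bucket's findings into one verdict for triage ordering."""
    live = [f for f in findings if not f.mitigated]
    if any(f.access == "write" for f in live):
        return "public-write"
    if live:
        return "public-read"
    return "mitigated" if findings else "none"


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
EVERYONE = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed sample configurations (invented bucket names, not real buckets).
SAMPLE_BUCKETS = {
    # ACL grants WRITE to everyone and no Public Access Block is configured.
    "example-backups": {"acl": {"Grants": [
        OWNER, {"Grantee": {"Type": "Group", "URI": EVERYONE}, "Permission": "WRITE"}]}},
    # Public-read policy, but RestrictPublicBuckets is switched on.
    "example-static-site": {
        "acl": {"Grants": [OWNER]},
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::example-static-site/*"}]},
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "example-private": {"acl": {"Grants": [OWNER]}},
}


def audit_all(buckets=SAMPLE_BUCKETS):
    return {name: worst_exposure(audit_bucket(name, **cfg)) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for bucket, verdict in audit_all().items():
        print(f"{bucket:22s} {verdict}")
```

Run it on a regular schedule against every bucket in the account and treat anything that is not "none" as a ticket; a "mitigated" verdict still means someone wrote a public grant and is worth a conversation, because a later change to the Public Access Block would make it live.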
These policies simply need to be in place already. Of course, monitoring of public access and API calls is also critical. Alerts should be set (and actioned) covering the dumping of large numbers of files, or of large files in general. A SIEM can assist in correlating the required security event data for these alerts via rules and set thresholds.
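To make the threshold-based alerting above concrete, here is an added example (not the article's code and not tied to any particular SIEM) that runs a sliding-window rule over CloudTrail-style S3 data events: it fires once per actor and bucket when the number of GetObject calls or the bytes served in a five-minute window cross a threshold, and separately whenever a single response is very large. The log lines are constructed inline; the field names (eventName, eventTime, userIdentity, sourceIPAddress, requestParameters.bucketName, additionalEventData.bytesTransferredOut) are assumed from the CloudTrail S3 data event format, and the identities, addresses and thresholds are invented.

```python
"""Threshold-based detection of bulk object downloads from CloudTrail-style
S3 data events.  Added example, not the article's code; the log lines are
constructed below.  Assumption: field paths follow CloudTrail S3 data
events (eventName, eventTime, userIdentity, sourceIPAddress,
requestParameters.bucketName, additionalEventData.bytesTransferredOut).
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Rule:
    window: timedelta = timedelta(minutes=5)
    max_objects: int = 50                    # GetObject calls per actor+bucket per window
    max_bytes: int = 500 * 1024 * 1024       # bytes served per actor+bucket per window
    large_object: int = 1024 * 1024 * 1024   # a single response this big alerts on its own


@dataclass(frozen=True)
class Alert:
    kind: str      # "bulk-download" or "large-object"
    actor: str     # identity@source-ip
    bucket: str
    at: datetime
    detail: str


def _parse(line):
    ev = json.loads(line)
    ident = ev.get("userIdentity", {})
    who = ident.get("arn") or ident.get("accountId") or "anonymous"
    return {
        "name": ev.get("eventName"),
        # CloudTrail stamps UTC with a trailing Z; fromisoformat wants +00:00.
        "time": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")),
        "actor": f"{who}@{ev.get('sourceIPAddress', '?')}",
        "bucket": ev.get("requestParameters", {}).get("bucketName", "?"),
        "bytes": int(ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)),
    }


def detect(lines, rule=Rule()):
    """Return alerts in time order; bulk-download fires at most once per actor+bucket."""
    events = sorted((_parse(l) for l in lines if l.strip()), key=lambda e: e["time"])
    recent = defaultdict(deque)   # (actor, bucket) -> deque of (time, bytes) in window
    fired, alerts = set(), []
    for ev in events:
        if ev["name"] != "GetObject":
            continue
        key = (ev["actor"], ev["bucket"])
        if ev["bytes"] >= rule.large_object:
            alerts.append(Alert("large-object", ev["actor"], ev["bucket"], ev["time"],
                                f"{ev['bytes']} bytes in one response"))
        q = recent[key]
        q.append((ev["time"], ev["bytes"]))
        while q and ev["time"] - q[0][0] > rule.window:   # slide the window forward
            q.popleft()
        count, total = len(q), sum(b for _, b in q)
        if key not in fired and (count >= rule.max_objects or total >= rule.max_bytes):
            fired.add(key)
            alerts.append(Alert("bulk-download", ev["actor"], ev["bucket"], ev["time"],
                                f"{count} objects / {total} bytes in {rule.window}"))
    return alerts


# --- constructed sample log (invented identities and addresses) ------------
def _event(t, actor_arn, ip, bucket, key, nbytes, name="GetObject"):
    return json.dumps({
        "eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "arn": actor_arn},
        "sourceIPAddress": ip,
        "requestParameters": {"bucketName": bucket, "key": key},
        "additionalEventData": {"bytesTransferredOut": nbytes},
    })


def sample_log():
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    acct = "arn:aws:iam::111111111111:user/"
    lines = []
    # Normal user: three small reads spread over six minutes.
    for i in range(3):
        lines.append(_event(t0 + timedelta(minutes=3 * i), acct + "alice", "198.51.100.10",
                            "example-backups", f"report-{i}.pdf", 40_000))
    # Bulk reader: sixty objects in two minutes from one address.
    for i in range(60):
        lines.append(_event(t0 + timedelta(seconds=2 * i), acct + "svc-export", "203.0.113.7",
                            "example-backups", f"dump/part-{i:03d}.gz", 2_000_000))
    # One very large object fetched by a third identity.
    lines.append(_event(t0 + timedelta(minutes=20), acct + "bob", "198.51.100.11",
                        "example-backups", "full-backup.tar", 3 * 1024 ** 3))
    return lines


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(a.at.isoformat(), a.kind, a.actor, a.bucket, a.detail)
```

The thresholds are deliberately a Rule instance rather than constants, because the right values depend on the bucket: a static website will legitimately serve thousands of objects an hour, while a backup bucket should see almost none, so the same rule is tuned per bucket class in the SIEM. Keying the window on identity plus source address keeps a shared service account from masking a single unusual client.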