Universal bucket hijacking technique enables cloud data exfiltration across major CSPs
Researchers identified a bucket hijacking attack exploiting global namespace uniqueness in AWS, Google Cloud, and Microsoft Azure storage services, allowing attackers to silently redirect data streams to attacker-controlled accounts.
Attack Brief
Target: AWS S3, Google Cloud Storage (GCS), Microsoft Azure cloud storage; cloud logging and data streaming services
Vector: Bucket hijacking via deletion and recreation of globally unique storage bucket names, combined with data stream misconfiguration
Attribution: researcher disclosure
Technical Details
MITRE ATT&CK: T1537, T1020, T1078
Affected: AWS S3 bucket replication, Google Cloud Logging sinks, Google Cloud Pub/Sub, Google Cloud Storage Transfer Service, Microsoft Azure storage services
Impact
Affected Organisations: unattributed
Sectors: cloud infrastructure, data management
Confirmed Damage: Potential silent exfiltration of logs, telemetry, and sensitive data to attacker-controlled storage buckets; no real-world exploitation confirmed at time of publication
Mitigation
Workarounds: Implement IAM restrictions limiting the storage.objects.delete and storage.buckets.delete permissions; configure bucket ownership verification and immutable bucket naming policies; enable bucket versioning and access logging; restrict modification of data stream destinations to authorized accounts only
Context
Previous Campaigns: No prior campaigns identified; this is a novel architectural vulnerability
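A defender-side check for the precondition described under Vector and Mitigation, added here as example code (not from the researchers' disclosure or any CSP tooling): it walks an inventory of configured stream destinations and flags any whose bucket no longer exists (a dangling, re-registrable name) or is owned by an account other than the one expected. The inventory records, bucket names and owner IDs are constructed placeholders; in practice they would come from your replication, sink and bucket listings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stream:
    name: str            # hypothetical rule/sink name
    destination: str     # bucket the stream writes to
    expected_owner: str  # account or project that should own that bucket

@dataclass(frozen=True)
class Finding:
    stream: str
    destination: str
    reason: str

def audit_streams(streams, bucket_owners):
    """Flag destinations that are dangling or owned by an unexpected party.
    bucket_owners maps bucket name -> current owner for buckets that exist,
    as an inventory of your accounts would report. A destination with no entry
    is dangling: its globally unique name is free to be re-registered, which is
    the precondition for the hijack described in the brief.
    """
    findings = []
    for s in streams:
        owner = bucket_owners.get(s.destination)
        if owner is None:
            findings.append(Finding(s.name, s.destination,
                                    "dangling destination: bucket does not exist"))
        elif owner != s.expected_owner:
            findings.append(Finding(s.name, s.destination,
                                    f"owner mismatch: {owner} != {s.expected_owner}"))
    return findings

# Constructed sample inventory; bucket names and owner IDs are placeholders.
SAMPLE_STREAMS = [
    Stream("prod-log-sink", "example-prod-logs", "project-example-prod"),
    Stream("s3-replication-rule-1", "example-dr-backup", "111122223333"),
    Stream("telemetry-export", "example-telemetry-old", "project-example-prod"),
]
SAMPLE_BUCKET_OWNERS = {
    "example-prod-logs": "project-example-prod",
    "example-dr-backup": "999988887777",  # name re-registered under another account
    # "example-telemetry-old" was deleted and therefore has no owner entry
}

def run_sample():
    return audit_streams(SAMPLE_STREAMS, SAMPLE_BUCKET_OWNERS)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.stream}: {f.destination}: {f.reason}")
```

Either finding class warrants the same response: stop the stream, then reclaim or re-point the destination before more data flows to it.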