
Attackers Uncovering Vulnerable Cloud Assets in Minutes


A study by security vendor Orca Security shows that threat actors discover and abuse exposed cloud assets at an alarming pace. The research, titled “2023 Honeypotting in the Cloud Report: Attackers Discover and Weaponize Exposed Cloud Assets and Secrets in Minutes,” deployed honeypots across nine kinds of internet-exposed cloud resources to simulate misconfigured assets and observe the tactics threat actors use against them.

Orca deployed these honeypots on AWS S3 buckets, Docker Hub, Amazon Elastic Container Registry, Elasticsearch, GitHub, HTTP, Amazon Elastic Block Store, Redis, and SSH. Each honeypot contained an AWS secret access key, whose subsequent use marked the asset as compromised, together with breadcrumbs meant to lead threat actors to the instance.

The study found that threat actors wasted no time exploiting these exposed assets. The GitHub honeypot was discovered within two minutes, HTTP within three, SSH within four, and the S3 bucket within about an hour. Discovery and key use are different events: the keys exposed on GitHub were used almost instantly, the S3 bucket's key after roughly eight hours, and the Elastic Container Registry key only after four months.

The findings confirm that attackers constantly scan the internet for lucrative targets, but the speed in some cases was still surprising: depending on the resource, threat actors needed only hours, or even minutes, to find and exploit the keys planted in the honeypots.

The report emphasized that the more breadcrumbs available for threat actors to find, the faster they could discover and compromise S3 buckets. Legitimate buckets with even more breadcrumbs, such as references to bucket names, IDs, and links, were likely to be accessed even faster by attackers. Orca recommended that companies with an online presence should be cautious about their bucket names, IDs, and links being easily searchable on the internet, as adversaries are constantly using automated reconnaissance tools to find such information.

Orca Security’s research tech lead, Tohar Braun, explained that breadcrumbs were published on platforms like Pastebin, Twitter, GitHub, and Reddit to simulate a legitimate setup. Adversaries use automated tools to find domain names and web addresses used on the back end, which can include S3 bucket names. Once this information is discovered, threat actors will immediately attempt to access the bucket and search its contents.

The report concluded by outlining why threat actors tend to target certain cloud resources more than others. Factors that make a resource more attractive include its discoverability, exposure to the internet via a TCP port, its frequency of usage, and the likelihood of it containing valuable secrets. GitHub, for example, is easily discoverable and prone to containing secrets, as it contains all the source code of a project or organization.

Orca also noted that attackers use the search engine Shodan to find services exposed on TCP ports, such as HTTP, Elasticsearch, Redis, SSH, and Postgres. S3 buckets are harder to find this way: there is no unauthenticated call that lists all of an organization's buckets, so attackers fall back on dictionary attacks, cycling through plausible bucket names and checking which ones exist. S3 answers differently for a bucket that does not exist and one that exists but denies access, which is what makes that guessing feasible.
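As an added illustration (not code from Orca's report or tooling), the following Python script reproduces the two steps the report describes: it derives candidate S3 bucket names from breadcrumbs (a leaked link, an organization name and its domains) and then classifies the unauthenticated response for each name, separating buckets that do not exist from those that exist but deny listing and those that list publicly. The breadcrumbs and the simulated S3 responses are constructed for the example; the `acme-corp` organization, its domains and every bucket name are hypothetical. A live `http_fetch` is included, but the sample run uses the constructed responses so it works offline.

```python
import re
from xml.etree import ElementTree as ET

# Constructed breadcrumbs of the kind the report describes: an org name, its
# domains and a link that embeds a bucket name. Hypothetical, not from the report.
BREADCRUMBS = {
    "org": "acme-corp",
    "domains": ["acme.example", "cdn.acme.example"],
    "links": [
        "https://acme-corp-assets.s3.amazonaws.com/img/logo.png",
        "https://s3.eu-west-1.amazonaws.com/acme-corp-uploads/2023/report.pdf",
    ],
}
SUFFIXES = ["", "-backup", "-assets", "-logs", "-dev", "-prod", "-uploads"]

# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")
# Virtual-hosted-style and path-style S3 URLs; group 1 is the bucket name.
VHOST_RE = re.compile(r"https?://([a-z0-9.-]+?)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/")
PATH_RE = re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]+)/")


def candidate_buckets(crumbs):
    """Turn breadcrumbs into bucket names to probe, strongest evidence first."""
    direct, guessed = [], set()
    for link in crumbs.get("links", []):          # names leaked verbatim in links
        for rx in (VHOST_RE, PATH_RE):
            m = rx.search(link)
            if m and m.group(1) not in direct:
                direct.append(m.group(1))
    stems = {crumbs["org"], crumbs["org"].replace("-", "")}
    for dom in crumbs.get("domains", []):
        stems.update({dom, dom.replace(".", "-")})
    for stem in stems:                            # dictionary: stem + common suffix
        for suffix in SUFFIXES:
            name = stem + suffix
            if BUCKET_RE.match(name) and name not in direct:
                guessed.add(name)
    return direct + sorted(guessed)


def classify_response(status, body):
    """Map an unauthenticated GET of a bucket root to an exposure verdict."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unparsed", []

    def local(tag):                               # drop the XML namespace
        return tag.split("}")[-1]

    if status == 200 and local(root.tag) == "ListBucketResult":
        keys = [e.text for e in root.iter() if local(e.tag) == "Key"]
        return "public-listable", keys
    code = next((e.text for e in root.iter() if local(e.tag) == "Code"), None)
    if code == "NoSuchBucket":
        return "absent", []
    if code == "AccessDenied":
        return "exists-private", []               # name confirmed, listing denied
    if code in ("PermanentRedirect", "TemporaryRedirect"):
        return "exists-other-region", []
    return "unparsed", []


def probe(crumbs, fetch):
    """fetch(name) -> (status, body). Returns every candidate that exists."""
    findings = {}
    for name in candidate_buckets(crumbs):
        verdict, keys = classify_response(*fetch(name))
        if verdict != "absent":
            findings[name] = (verdict, keys)
    return findings


def http_fetch(name):
    """Live probe (network). Path-style URL, which also works for dotted names."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(f"https://s3.amazonaws.com/{name}/", timeout=10) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


# Constructed sample responses (not real captures) so the example runs offline.
FAKE_RESPONSES = {
    "acme-corp-assets": (200, '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                              "<Name>acme-corp-assets</Name><Contents><Key>img/logo.png</Key></Contents>"
                              "<Contents><Key>config/prod.env</Key></Contents></ListBucketResult>"),
    "acme-corp-uploads": (403, "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"),
    "acme-corp-backup": (301, "<Error><Code>PermanentRedirect</Code>"
                              "<Endpoint>acme-corp-backup.s3-eu-west-1.amazonaws.com</Endpoint></Error>"),
}
NOT_FOUND = (404, "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>")


def fake_fetch(name):
    return FAKE_RESPONSES.get(name, NOT_FOUND)


if __name__ == "__main__":
    for name, (verdict, keys) in probe(BREADCRUMBS, fake_fetch).items():
        print(f"{name}: {verdict}", keys or "")
```

Running the same script against your own organization's public footprint (swap `fake_fetch` for `http_fetch`) shows what an attacker's automated reconnaissance would surface. Note that an `exists-private` verdict is itself a small leak, since it confirms the name is taken, and that a `public-listable` result with a file like `config/prod.env` is exactly the kind of breadcrumb the report says accelerates compromise.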

Bar Kaduri, the leader of Orca’s cloud threat research team, emphasized that more scanning activity was observed in GitHub compared to S3 buckets. GitHub is more easily scanned continuously due to its accessible code and the ability to monitor new commits. This makes the identification of interesting patterns, such as secret keys, a low-effort activity. Additionally, GitHub is likely to contain sensitive information, making it a high-value target for threat actors.
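An added example (not Orca's tooling) of the low-effort pattern matching described above: a Python scanner that walks the added lines of a commit diff, finds AWS access key IDs by their `AKIA`/`ASIA` prefix, pairs each with the nearest 40-character high-entropy secret, and separates documentation placeholders from live-looking pairs. The diff is constructed for the example; its first key pair is the placeholder AWS ships in its own documentation, and the second is a made-up pair with the right shape, not a real credential.

```python
import math
import re
from collections import Counter

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs: 20 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 chars of the base64 alphabet; the lookarounds stop the
# pattern from matching the inside of a longer blob.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")
PLACEHOLDER_RE = re.compile(r"(?i)example|xxxx|your[_-]?key|changeme")


def shannon_entropy(s):
    """Bits per character; random key material sits near 5, prose and hex lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(cand):
    # Mixed case rules out 40-hex git SHAs, which otherwise pass the length test.
    return shannon_entropy(cand) >= 3.5 and cand != cand.lower() and cand != cand.upper()


def nearest_secret(added, i, window):
    """Search the added lines closest to index i first; config files keep the pair together."""
    lo, hi = max(0, i - window), min(len(added), i + window + 1)
    for j in sorted(range(lo, hi), key=lambda j: (abs(j - i), j)):
        for m in SECRET_RE.finditer(added[j][1]):
            if looks_like_secret(m.group(1)):
                return m.group(1)
    return None


def scan_diff(diff_text, window=3):
    """Report AWS key material on the added lines of a unified diff.

    Returns a list of {"line", "key_id", "secret", "verdict"} where verdict is
    "key-pair" (ID plus a nearby secret), "key-id-only", or "placeholder".
    """
    added = []   # (diff line number, text) for '+' lines, skipping the '+++' header
    for no, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            added.append((no, line[1:]))
    findings = []
    for i, (no, text) in enumerate(added):
        for m in ACCESS_KEY_RE.finditer(text):
            key_id = m.group(1)
            secret = nearest_secret(added, i, window)
            if PLACEHOLDER_RE.search(key_id) or (secret and PLACEHOLDER_RE.search(secret)):
                verdict = "placeholder"
            elif secret:
                verdict = "key-pair"
            else:
                verdict = "key-id-only"
            findings.append({"line": no, "key_id": key_id, "secret": secret, "verdict": verdict})
    return findings


# Constructed commit diff. The first pair is the placeholder AWS publishes in its
# docs; the second is a made-up pair with the right shape, not a real credential.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,7 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+
+# uploads bucket credentials
+S3_KEY = "AKIAQ7XJ4PB2ZT9MK3WL"
+S3_SECRET = "Hq7vZr2TpLx9bS4cWn8dFk3jYm6gRt1uVe5aQz0o"
+GIT_REF = "3f2a9c1e4b7d6a8f0c5e2b1d9a7f4c6e8b0d2a1f"
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['verdict']} {f['key_id']} secret={'yes' if f['secret'] else 'no'}")
```

Feeding each new commit's diff through `scan_diff` is the whole of the "monitor new commits, match a pattern" loop the report attributes to attackers; the defensive version is the same loop run as a pre-receive hook or CI step, with a `key-pair` verdict failing the push. Scanning only added lines keeps removals and unchanged context from re-triggering on every commit, and the placeholder filter keeps the AWS documentation example from drowning real hits.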

The exposure of cloud resources has become a major concern for enterprises in recent years. Notable incidents include the 2016 Uber data breach, in which attackers obtained an AWS access key stored in a GitHub repository, and the misconfigured S3 bucket, operated by a third-party vendor, that exposed the personal data of roughly 14 million Verizon customers in 2017. In response, cloud providers have added security features and configuration settings, such as account-level blocks on public bucket access, to prevent accidental exposure.

As the threat landscape evolves, organizations must stay vigilant about their cloud assets: keep bucket names, IDs and links out of public references, scan repositories for committed keys, enable the providers' public-access blocks, and review configurations regularly to shrink the window of exposure.
