Published on June 28, 2026
Cloud Bucket Hijacking Lets Attackers Silently Exfiltrate AWS, Google Cloud Data
Severity: Medium
Security researchers have identified a critical cloud storage attack technique known as cloud bucket hijacking, which affects all major cloud service providers, including Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure. The attack exploits a fundamental architectural design in cloud storage services where bucket names must be globally unique. Since bucket identities are based solely on their names rather than being permanently linked to the owning account, attackers can take over deleted bucket names and redirect legitimate data flows to storage under their control.
As a result, automated services such as audit log exports, telemetry pipelines, replication jobs, and storage transfers may continue sending sensitive data to the attacker without interruption. Because the original data pipelines remain unchanged and appear to function normally, the attack is highly stealthy and can remain undetected until significant data exposure has occurred. Although there is currently no evidence of this technique being actively exploited in the wild, its low detection probability and broad impact make it a significant security concern for organizations operating cloud environments.
How?
The attack begins when a threat actor gains sufficient privileges within a cloud environment, particularly permissions that allow storage bucket deletion. After deleting the target bucket, the attacker quickly creates a new bucket with the exact same name in a separate cloud account or another accessible environment. Since many cloud services reference storage buckets only by name, existing automated processes continue writing data to the newly created bucket without requiring any configuration changes. This allows attackers to silently receive sensitive information such as audit logs, replicated objects, monitoring data, and backup files.
Researchers successfully demonstrated this attack across multiple cloud platforms:
- Google Cloud Platform (GCP): Hijacked Cloud Logging sinks, Pub/Sub subscriptions, and Storage Transfer Service jobs by exploiting bucket deletion permissions, without modifying the original logging or transfer configurations.
- Amazon Web Services (AWS): Redirected Amazon Data Firehose deliveries and Amazon S3 replication traffic to attacker-controlled buckets that reused the original bucket names.
- Microsoft Azure: Although Azure’s soft-delete mechanism prevents immediate cross-tenant bucket name reuse, researchers were able to reroute Azure Monitor diagnostic data to malicious storage accounts across subscriptions within the same tenant.
The research also found that commonly assigned storage administrator roles often include bucket deletion privileges, enabling attackers to perform this technique without requiring permissions to modify the associated logging or replication services.
Conclusion
Cloud bucket hijacking highlights a critical security weakness shared across major cloud platforms, where globally unique bucket names can be reclaimed after deletion. This architectural design allows attackers to redirect legitimate data streams without altering existing configurations, making the attack difficult to detect. Organizations should reduce this risk by applying the principle of least privilege, limiting bucket deletion permissions to only essential administrators, implementing data perimeter controls to prevent writes to unauthorized storage destinations, enabling account-scoped namespace protections where available, and monitoring all bucket deletion activities with high-priority alerts. A consistent security strategy across multi-cloud environments is essential, as architectural weaknesses in one platform can often be adapted to others.
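As an added example (not code from the researchers or from any cloud provider), the following Python sketches two of the mitigations above on the AWS side: a detector that runs over constructed CloudTrail records and raises a high-priority alert when a DeleteBucket event names a bucket still registered as a logging, Firehose or replication destination, and a resource-perimeter deny statement built on the aws:ResourceAccount condition key. All bucket names, ARNs and the account id are constructed for the example.

```python
# Constructed inventory: bucket name -> pipeline that still writes to it. Names are invented.
PIPELINE_DESTINATIONS = {
    "acme-cloudtrail-logs": "CloudTrail trail 'org-trail'",
    "acme-firehose-landing": "Data Firehose stream 'telemetry'",
    "acme-replica-eu": "S3 replication rule on bucket 'acme-prod-data'",
}

# Constructed CloudTrail records, trimmed to the fields the detector reads.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2026-06-28T10:01:02Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/StorageAdmin/ops"},
     "requestParameters": {"bucketName": "acme-cloudtrail-logs"}},
    {"eventTime": "2026-06-28T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"bucketName": "scratch-tmp-42"}},
    {"eventTime": "2026-06-28T10:06:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"bucketName": "acme-replica-eu"}},
]


def bucket_deletion_alerts(records, destinations=PIPELINE_DESTINATIONS):
    """Turn DeleteBucket events into alerts; HIGH when a live pipeline still points at the name."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "DeleteBucket":
            continue
        name = (rec.get("requestParameters") or {}).get("bucketName")
        consumer = destinations.get(name)  # deleted name is free for anyone to re-register
        alerts.append({
            "time": rec.get("eventTime"),
            "bucket": name,
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "severity": "HIGH" if consumer else "MEDIUM",
            "reason": (f"still referenced by {consumer}; re-create the bucket in this account at once"
                       if consumer else "released bucket name; confirm nothing still writes to it"),
        })
    return alerts


def resource_perimeter_policy(account_id):
    """Deny statement (usable in an SCP or role policy) blocking S3 writes to buckets owned by
    another account. Note: SCPs govern IAM roles (e.g. Firehose/replication roles), not writes
    performed directly by a service principal such as CloudTrail log delivery."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyS3WritesOutsideAccount", "Effect": "Deny",
        "Action": ["s3:PutObject", "s3:ReplicateObject"], "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:ResourceAccount": account_id}}}]}
```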