AWS Cloud Account Hacked!
Lesson to learn
Agenda
1. Introduction
2. Security Breach Levels - My View
3. Security Breach Mindset - My Recipe
4. AWS Cloud Account Hack
5. Lesson to Learn
6. Conclusion
Introduction
Nowadays security is as important as development.
Cybercrime is at its peak. I recently took over an AWS
cloud account of a company (I will not reveal the company due to ethical
boundaries; reporting is in process). My motivation and purpose in
sharing this security breach use case is to highlight the
lessons I learned and the serious need for cyber security.
P.S.: I didn't hurt any infrastructure of the company.
Security Breach Levels - My View
I categorize security on three levels:
1. Customer-facing applications (e.g. websites, mobile apps)
2. Networks (e.g. internet communication protocols like TCP, UDP)
3. Infrastructure (e.g. the machines on which the application is deployed)
A security breach can occur on any level, and the
consequences vary from level to level.
Security Breach Mindset - My Recipe (1)
I always compare security research with a crime case
investigation.
The broad steps of a crime investigation can be:
● Think like a criminal
● Find leads at the crime scene
● Follow the leads
● If you work smartly and you are a bit lucky, then you'll get the
culprit
Security Breach Mindset - My Recipe (2)
I follow the same crime investigation steps and do the following
things:
● Think like a nerdy software engineer
● Find leads from the available views, like websites, mobile
apps, networks, and secret keys (if I get them from any source)
● Follow them and exploit every possible dimension
● If I work smartly and I am lucky, then I find a vulnerability
AWS Cloud Account Hack : Lead
A bad day for an eCommerce website: I visited them and was
inspired by their UI design. There was no intention, nor
time, to breach them, but I wanted to check the framework
so that I could find that theme or template. That was the
unlucky moment for them: I spotted a "GET" query string
and just placed a single inverted comma (') in it. BANG: SQL
injection.
AWS Cloud Account Hack : Exploit
So I took out some time and started my criminal case steps,
as I already had a lead and was thinking like a nerdy software
engineer. I used some SQL injection vectors and started
digging into it, but that takes time; the vulnerability was
confirmed by some SQL vectors, so I decided to run my
favorite tool: sqlmap.
It dumped all the DB tables and I was like "Wow! That was too easy".
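The probe and the follow-up that the two slides above describe, as an added example that is not part of the original deck: the vulnerable catalog lookup beside its parameterized form, run against a constructed SQLite database. The table names, rows and the exact query shape are assumptions for illustration; the real site's schema and code are not on the page.

```python
"""Added example (not from the original deck): the single-quote probe and the
table listing the deck describes, against a constructed SQLite catalog.
Table names, rows and the query shape are assumptions for illustration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample shop database (in memory)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE catalog (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT);
        INSERT INTO catalog VALUES (1, 'shirt', 9.99), (2, 'shoes', 39.0);
        INSERT INTO users VALUES (1, 'admin@example.test', 'sha1$deadbeef');
        """
    )
    return con


def search_vulnerable(con: sqlite3.Connection, q: str) -> list:
    """The bug the deck found: the GET parameter is spliced into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name, price FROM catalog WHERE name = '{q}'"
    return con.execute(sql).fetchall()


def search_fixed(con: sqlite3.Connection, q: str) -> list:
    """Hardened form: a bound parameter is always data, never SQL syntax."""
    return con.execute(
        "SELECT name, price FROM catalog WHERE name = ?", (q,)
    ).fetchall()


def probe_single_quote(search) -> str:
    """Step 1 ("I just placed a single inverted comma"): a database syntax error
    proves the input reached the SQL parser, i.e. the parameter is injectable."""
    try:
        search("'")
        return "no error: quote was treated as data"
    except sqlite3.OperationalError as exc:
        return f"syntax error: {exc}"


def list_tables(search) -> list:
    """Step 2 (what sqlmap automates): a UNION over the database's own catalog.
    sqlite_master plays the role information_schema.tables plays on MySQL or
    PostgreSQL. The closing AND '1'='1 re-balances the quote so no trailing
    comment is needed."""
    payload = (
        "' UNION SELECT name, NULL FROM sqlite_master "
        "WHERE type='table' AND '1'='1"
    )
    return sorted(name for name, _ in search(payload))


if __name__ == "__main__":
    con = build_db()

    def vuln(q):
        return search_vulnerable(con, q)

    def safe(q):
        return search_fixed(con, q)

    print("vulnerable probe :", probe_single_quote(vuln))
    print("vulnerable tables:", list_tables(vuln))
    print("fixed probe      :", probe_single_quote(safe))
    print("fixed tables     :", list_tables(safe))
```

The probe is the whole lesson of the slide: if one stray quote changes the database's behaviour, the parameter is injectable and everything sqlmap does afterwards is just automation. The fix is not escaping the quote but binding the value, so the database never parses user input as SQL.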
AWS Cloud Account Hack : Curiosity
But I was still curious to know whether it was a framework or a
custom website, and the HTML source code pointed towards a
framework because the resource paths looked like those of a
framework (xyzwebsite.com/catalog/sites/images/xxx). So I searched for
the part of the URL after ".com" (/catalog/sites), and Google led
me to three search results with this path pattern; one of
them had an "Open Directory" (directory listing enabled). I started digging into it
and found that it is a private framework by a software
company.
AWS Cloud Account Hack : A final lead
After an hour of digging into folders, I found a folder
containing a settings XML file, as a cache, on that "Open
Directory" vulnerable website. Since that site was not my target, I
went back to the culprit website and tried to open that
settings file, and I got a real breakthrough. Every secret key
and setting was in that file, including the AWS S3 key. I
connected that AWS key with a piece of software named S3 Browser
and got access to their S3 bucket with CRUD rights.
AWS Cloud Account Hack : Takeover
Since I was unaware of AWS key management, I took the S3
takeover as my success point, which is actually not bad. The
nightmare for that company arrived after 1 month, when I
had become aware of AWS key management (thanks to Disrupt, a.k.a.
GADITEK, my career kickstart employer). I tested that company's AWS S3
key with an open source tool (Nimbostratus) which I
read about at this link. This tool tests the AWS access key's rights
on AWS resources, and I got the final takeover because that
AWS access key had ROOT rights. BANG!
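The check that Nimbostratus automates (what can this access key do, and does it belong to the root user?), as an added example that is neither from the deck nor from the Nimbostratus project: an offline evaluator over IAM policy documents. The two policies, the account id 123456789012, the bucket name shop-assets and the probe list are constructed; in practice the policy documents come from the IAM API and the caller ARN from sts:GetCallerIdentity. "ROOT rights" can mean either a root-user access key (nothing in IAM can restrict it) or an IAM user carrying an AdministratorAccess-style policy; the code distinguishes the two.

```python
"""Added example (not from the original deck): the "what can this key do?"
check a tool like Nimbostratus automates, done offline against IAM policy
documents. Policies, account id and bucket name are constructed."""
import json
import re

ROOT_USER_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")


def is_root_user_key(caller_arn: str) -> bool:
    """sts:GetCallerIdentity reports this ARN shape for a root-user access key.
    No IAM policy can restrict the root user; the only remedy is to delete the key."""
    return ROOT_USER_ARN.match(caller_arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' exactly one.
    Action names are case-insensitive; resource ARNs are treated as case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. NotAction, NotResource and Condition are not modelled here."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        action_hit = any(_wildcard_match(a, action, True) for a in actions)
        resource_hit = any(_wildcard_match(r, resource, False) for r in resources)
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


ACCOUNT = "123456789012"  # constructed account id
# What an attacker probes, in rising order of damage: read the bucket, destroy
# its contents, enumerate the account, mint new credentials, spend money.
PROBES = [
    ("s3:GetObject", "arn:aws:s3:::shop-assets/*"),
    ("s3:DeleteObject", "arn:aws:s3:::shop-assets/*"),
    ("s3:ListAllMyBuckets", "*"),
    ("iam:CreateAccessKey", f"arn:aws:iam::{ACCOUNT}:user/admin"),
    ("ec2:RunInstances", "*"),
]


def dump_permissions(policy: dict) -> dict:
    """The Nimbostratus-style report: one yes/no per probe."""
    return {f"{a} on {r}": allows(policy, a, r) for a, r in PROBES}


def is_admin_equivalent(policy: dict) -> bool:
    """A key that can mint credentials for another user owns the account.
    (One of several admin-equivalent IAM primitives; enough for this check.)"""
    return allows(policy, "iam:CreateAccessKey", f"arn:aws:iam::{ACCOUNT}:user/admin")


OVERPRIVILEGED_POLICY = {  # equivalent to the AdministratorAccess managed policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {  # what a website's S3 upload key should look like
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::shop-assets/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::shop-assets"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overprivileged", OVERPRIVILEGED_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "admin-equivalent:", is_admin_equivalent(policy))
        print(json.dumps(dump_permissions(policy), indent=2))
    print("root key?", is_root_user_key(f"arn:aws:iam::{ACCOUNT}:root"))
```

The least-privilege policy is the one the leaked "S3 key" should have carried: the same leak would then have cost the company one bucket's contents rather than the account. Running the same probes against the key's real policies (and against the caller ARN) is the first thing to do with any credential found in a config file, whether you are the attacker or the incident responder.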
Lesson to Learn (1)
I learned the following lessons:
Security Dimension:
● Never trust a framework blindly.
● Don't put credentials in any file or INI; use
environment variables instead.
● Don't give extra access rights to any resource.
● Spend a few bucks on a security inspection at least once,
especially in the case of a third-party framework.
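The settings-XML leak described earlier and the "use environment variables" lesson above, as an added example that is not from the deck: a scan that flags credentials embedded in a settings file, beside a loader that reads only non-secret settings from the file and takes credentials from the process environment. The XML and its element names are constructed, and the key pair in it is the documentation example AWS publishes (AKIAIOSFODNN7EXAMPLE), not a real credential.

```python
"""Added example (not from the original deck): flag credentials embedded in
a settings XML, and load credentials from the environment instead.
The XML is constructed; the key values are AWS's documentation examples."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the leaked, cached settings file.
LEAKY_SETTINGS_XML = """<?xml version="1.0"?>
<settings>
  <database host="db.internal" user="shop" password="Sup3rS3cret!" />
  <storage provider="s3" bucket="shop-assets"
           accessKey="AKIAIOSFODNN7EXAMPLE"
           secretKey="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" />
  <mail smtpHost="smtp.internal" />
</settings>
"""

# The same file with every secret removed; only non-secret settings remain.
SAFE_SETTINGS_XML = """<settings>
  <database host="db.internal" user="shop" />
  <storage provider="s3" bucket="shop-assets" />
</settings>
"""

AWS_ACCESS_KEY_ID = re.compile(r"(AKIA|ASIA)[0-9A-Z]{16}")  # long-term / temporary key ids
AWS_SECRET_SHAPE = re.compile(r"[A-Za-z0-9/+=]{40}")         # 40 chars of the base64 alphabet
SENSITIVE_NAME = re.compile(r"secret|password|passwd|pwd|token|key", re.IGNORECASE)


def find_embedded_secrets(xml_text: str) -> list:
    """Walk every attribute in the file and report the ones that look like
    credentials, by value shape first and by attribute name second.
    Returns (element, attribute, reason) tuples."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if AWS_ACCESS_KEY_ID.fullmatch(value):
                findings.append((elem.tag, attr, "aws-access-key-id"))
            elif AWS_SECRET_SHAPE.fullmatch(value) and SENSITIVE_NAME.search(attr):
                findings.append((elem.tag, attr, "aws-secret-access-key"))
            elif SENSITIVE_NAME.search(attr) and value:
                findings.append((elem.tag, attr, "sensitive-attribute"))
    return findings


class MissingCredential(RuntimeError):
    pass


def load_storage_settings(xml_text: str, env=None) -> dict:
    """Hardened loader: refuse to start if the settings file carries secrets;
    read the bucket from the file and the credentials from the environment
    (the same variable names the AWS SDKs read by default)."""
    env = os.environ if env is None else env
    leaks = find_embedded_secrets(xml_text)
    if leaks:
        raise ValueError(f"refusing to start: credentials in settings file: {leaks}")
    storage = ET.fromstring(xml_text).find("storage")
    missing = [k for k in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY") if not env.get(k)]
    if missing:
        raise MissingCredential(f"environment variables not set: {missing}")
    return {
        "bucket": storage.get("bucket"),
        "access_key_id": env["AWS_ACCESS_KEY_ID"],
        "secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
    }


if __name__ == "__main__":
    for finding in find_embedded_secrets(LEAKY_SETTINGS_XML):
        print("LEAK:", *finding)
    demo_env = {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
                "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
    print("bucket:", load_storage_settings(SAFE_SETTINGS_XML, demo_env)["bucket"])
```

The scan is worth running in CI as well as at startup, since a settings file that never reaches the repository or the web root cannot be cached by a directory listing. Environment variables are a step up from a file, but they are still readable by anything that gets code execution on the host, so on EC2, ECS or Lambda the better end state is an attached IAM role with a least-privilege policy: then there is no long-lived key to leak at all, and the AWS SDK picks the role up without the application ever touching a secret.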
Lesson to Learn (2)
Personal Dimension:
● Never give up until your own satisfaction
● Never take a win as an END; instead consider a win as a
NEW BEGINNING
● Always keep learning from circumstances (I didn't learn AWS
access key management when I got that S3 key. It was my employer's work
which made me learn that part, which strikes me with embarrassment
about why I didn't learn it at that time)
Conclusion
Never take the cyber world for granted, and take every
possible security measure on every level. You may face an
unlucky day when somebody breaches your product, because:
Security is not a product, but a process
-Bruce Schneier
Thank You! [Every opinion is solely my mindset and can differ from others - rational correction is highly
appreciated]
(Sorry for any English grammar or spelling mistakes)
