A researcher found thousands of openly accessible Elastic Block Store volumes full of confidential data on the web, where anyone could search them at will.
Masses of confidential source code, databases of personal data including admin passwords, VPN credentials, AWS keys, Google OAuth tokens, SSH private keys, Bitcoin wallets including their private keys: a researcher found all of this freely accessible on the net, because Amazon Web Services users had intentionally switched their virtual disks from “private” to “public.”
The good news: the hacker Ben Morris, who came across tens or even hundreds of thousands of freely accessible Elastic Block Store (EBS) volumes, is giving affected users a two-week grace period. Only then will he publish his software for searching public EBS volumes, called Dufflebag, on GitHub.
Consequential shift to “public”
Virtual disks are created automatically when an Elastic Compute Cloud (EC2) instance needs storage. As Morris explained in his talk at DEF CON 27, Amazon sets EBS storage to “private” by default, i.e. not freely accessible from the Internet. The volumes the hacker discovered must therefore have been deliberately set to “public” by their users.
The problem is that public, unencrypted EBS storage can be searched at will, unlike Amazon S3 buckets, which can only be accessed if you know their exact name. Since, according to Ben Morris, virtually anyone can search for confidential data stored on EBS volumes, any data on a “public” volume must be considered compromised. The hacker advises taking EBS volumes that hold confidential data off the network immediately and promptly changing any credentials disclosed this way.
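In the AWS API, the “public” setting the article describes is the createVolumePermission attribute of an EBS snapshot, granted to the group “all”. The following audit is an added example, not code from the article or from Dufflebag: it lists the account's own snapshots that carry that grant and revokes it. It uses the real boto3 EC2 client methods; the FakeEC2 class and its snapshot IDs are constructed stand-ins so the audit can run offline.

```python
"""Audit an AWS account for EBS snapshots shared with everyone ("all" group)
and revoke that grant. Only the createVolumePermission attribute is inspected."""


def is_public(permissions):
    """True if any createVolumePermission entry grants the 'all' group."""
    return any(p.get("Group") == "all" for p in permissions)


def find_public_snapshots(ec2):
    """Return IDs of snapshots owned by this account that are shared publicly.
    `ec2` is a boto3 EC2 client, or any object exposing the same methods."""
    public, kwargs = [], {"OwnerIds": ["self"]}
    while True:  # follow NextToken pagination by hand
        resp = ec2.describe_snapshots(**kwargs)
        for snap in resp["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            if is_public(attr.get("CreateVolumePermissions", [])):
                public.append(snap["SnapshotId"])
        if not resp.get("NextToken"):
            return public
        kwargs["NextToken"] = resp["NextToken"]


def make_private(ec2, snapshot_id):
    """Remove the 'all' group from a snapshot's createVolumePermission."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=["all"])


class FakeEC2:
    """Constructed stand-in for a boto3 client: two snapshots, one public."""

    def __init__(self):
        self.perms = {"snap-0aaa": [{"Group": "all"}],          # public
                      "snap-0bbb": [{"UserId": "123456789012"}]}  # shared with one account

    def describe_snapshots(self, **kwargs):
        return {"Snapshots": [{"SnapshotId": s} for s in self.perms]}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"CreateVolumePermissions": list(self.perms[SnapshotId])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames):
        self.perms[SnapshotId] = [p for p in self.perms[SnapshotId]
                                  if p.get("Group") not in GroupNames]


if __name__ == "__main__":
    import boto3  # real run: needs credentials with ec2:Describe* and ec2:ModifySnapshotAttribute
    for sid in find_public_snapshots(boto3.client("ec2")):
        print("public snapshot:", sid)
```

Run against a real account it only lists; call make_private on each reported ID to revoke the public grant.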
Rich loot: Confidential data of all kinds
The list of confidential data Morris discovered is long. Among other things, he found: web applications including source code, API keys and database passwords; AWS keys used to operate a bot, written by a service provider, that crawls the social media activity of the terrorist organization Islamic State on behalf of the US government; credentials for a “root” user that would have allowed a complete takeover of the associated AWS account; a Jenkins installation of a major software company that supplies Apple and Salesforce, including confidential source code and login information; OpenVPN connection files; WordPress installations including password hashes; Bitcoin wallets including private keys; and SQL databases containing tens of thousands of personal records including email addresses and hashed passwords.
Morris treated all discoveries according to the motto “just look, don't touch”. He did not use any of the login credentials and deleted all collected data after evaluating it.
Dufflebag tool soon publicly available
He discovered the volumes using Dufflebag, which simply uses the functions provided by the AWS EBS API to duplicate public volumes, attach the copy to the hacker’s EC2 instance, search it using whitelists and blacklists, and then remove it again so as not to incur unnecessary costs. This took between two and five minutes per volume.
In total, the hacker says he paid well over $300 to Amazon to search around 20,000 EBS volumes. He selected the volumes using filter criteria to keep the effort manageable: he did not search volumes larger than 100 gigabytes, nor any belonging to the top five volume creators. According to Morris, Amazon and GitHub were among those top five; their publicly available data quickly proved to be of no interest to him.