Thousands of databases hosted on Amazon Web Services Inc.’s Relational Database Service have been found to be leaking personally identifiable information, providing a potential treasure trove for threat actors.
Discovered by researchers at Mitiga Security Inc., the exposure comes through a snapshot feature in Amazon RDS that is used to back up the hosted databases. The feature allows users to share public data or a template database with an application, including creating a public RDS snapshot for sharing without having to deal with roles and policies. The problem is that such snapshots often sit exposed for anywhere from minutes to days or even weeks, full of PII that is attractive to threat actors.
“Leaked snapshots might potentially be [a] very valuable asset for a threat actor — either during the reconnaissance phase of the cyber kill chain (databases can include sensitive technical data that can be used for exploitation, like API keys) or for extortion or ransomware campaigns,” the researchers note. “Making a snapshot public, even for a very short amount of time, can have unwanted outcomes.”
To highlight how a threat actor could access the data, the researchers developed an AWS-native technique using AWS Lambda Step Function and boto3 to scan, clone and extract sensitive information from RDS snapshots at scale. Over the month ending Oct. 20, the researchers observed 2,783 RDS snapshots, of which 810 were exposed publicly throughout the entire month. Additionally, 1,859 of the 2,783 snapshots were exposed for one to two days, enough time for an attacker to obtain them easily.
Information in the exposed snapshots included addresses, passwords, credit card details, tokens, phone numbers, passport numbers and more, all of it information that attackers can put to use.
The fault here does not lie with AWS, which the researchers note not only makes RDS users aware of publicly exposed snapshots but also provides tools such as AWS Trusted Advisor that detects security issues and recommends steps to remediate them.
Surprisingly, there is a simple way to share RDS snapshots without exposing PII: encrypting them. The researchers note that AWS enables users to encrypt a snapshot with a shared KMS key, which removes the exposure.
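As an added example (not code from the article or from Mitiga's research), here is the check a defender would run to find the exposure described above: an RDS snapshot is public exactly when its `restore` attribute contains the value `all`, and a snapshot shared with named accounts (the encrypted, KMS-key-gated pattern the researchers recommend) lists account IDs there instead. The boto3 calls are real RDS API operations; the sample responses, snapshot names and the account ID 123456789012 are constructed.

```python
# Audit RDS manual snapshots for public or cross-account sharing (added example).
try:
    import boto3  # needed only for live_audit(); classify_sharing() is pure Python
except ImportError:  # assumption: boto3 may be absent where only the pure check runs
    boto3 = None

PUBLIC = "all"  # the literal value RDS stores in a public snapshot's 'restore' attribute

def classify_sharing(snapshots, attributes):
    """Return {"public": [ids], "shared": {id: [account ids]}} from the DBSnapshots list
    and a {snapshot id: DescribeDBSnapshotAttributes response} mapping."""
    result = {"public": [], "shared": {}}
    for snap in snapshots:
        sid = snap["DBSnapshotIdentifier"]
        for attr in attributes[sid]["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]:
            if attr["AttributeName"] != "restore":
                continue
            values = attr.get("AttributeValues", [])
            if PUBLIC in values:
                result["public"].append(sid)
            accounts = [v for v in values if v != PUBLIC]
            if accounts:
                result["shared"][sid] = accounts
    return result

def live_audit(region, revoke_public=False):
    """Classify a real account's manual snapshots; optionally remove the public grant."""
    rds = boto3.client("rds", region_name=region)
    pages = rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual")
    snaps = [s for page in pages for s in page["DBSnapshots"]]  # only manual snapshots can be shared
    attrs = {s["DBSnapshotIdentifier"]: rds.describe_db_snapshot_attributes(
        DBSnapshotIdentifier=s["DBSnapshotIdentifier"]) for s in snaps}
    findings = classify_sharing(snaps, attrs)
    if revoke_public:  # the same attribute change the console makes when visibility is set to private
        for sid in findings["public"]:
            rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=sid, AttributeName="restore", ValuesToRemove=[PUBLIC])
    return findings

def _restore_attr(values):  # builds a response in the shape boto3 returns
    return {"DBSnapshotAttributesResult": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": values}]}}

# Constructed sample data (not real snapshots); 123456789012 is a placeholder account ID.
SAMPLE_SNAPSHOTS = [{"DBSnapshotIdentifier": s} for s in ("customers-2022-10-20", "customers-2022-10-19", "staging-template")]
SAMPLE_ATTRIBUTES = {
    "customers-2022-10-20": _restore_attr(["all"]),          # public: the exposure the article describes
    "customers-2022-10-19": _restore_attr([]),               # private
    "staging-template": _restore_attr(["123456789012"]),     # shared with one account instead of the world
}
```

Running `classify_sharing(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES)` flags only the first snapshot as public; `live_audit` needs AWS credentials with `rds:DescribeDBSnapshots`, `rds:DescribeDBSnapshotAttributes` and, for `revoke_public=True`, `rds:ModifyDBSnapshotAttribute`.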
Commenting on the news, Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE that “for organizations that store or process data within the cloud, processes should be in place to ensure that data remains protected even after making changes.
“The practice of having a second person confirm the permissions on data, while it can be inconvenient, can potentially save a lot of labor and the potential for fines, especially in heavily regulated industries,” Kron added.