AWS 'Bucket Monopoly' attacks can allow account takeover


Black Hat: Critical flaws in at least six Amazon Web Services cloud services could have allowed attackers to execute remote code, steal data or even take over a user's account without their knowledge, according to research presented today at Black Hat.


Aqua Security's Nautilus team detailed the vulnerabilities, which have since been patched by the cloud services giant, in a conference call titled "Breaching AWS Accounts Through Shadow Resources".

But first, they chatted with The Register about how sophisticated criminals, such as those backed by nation-states, could predict AWS S3 bucket names, and then also use a new method they call "Bucket Monopoly" to essentially preload malware into a bucket and wait for the target organization to unknowingly run it.

This, the researchers said, could have led to "catastrophic" attacks across all organizations in the world that have ever used the six cloud services in question.
