A security researcher at Israel’s Wiz discovered thousands of exposed AWS customers’ databases, including a Kibana dashboard containing “everything about the R&D of the company”, by scanning for specific IP addresses (CIDR blocks) from within the cloud services provider and then simply port scanning them – an experiment that reveals that customer misconfiguration remains dangerously rife across cloud services.
Wiz’s Avi Lumelsky said in just one day he found thousands of exposed services and was able to harvest both personal information like emails, addresses, occupations, salaries, private wallet addresses, locations, bank accounts, as well as enterprise IT systems information like Kubernetes cluster data spanning full applications logs through to kernel and system logs, for Fortune 500 companies, startups and others.
Follow The Stack on LinkedIn
He was able to gain full cloud visibility “instance type, AMI, account ID… thanks to misconfigured clusters of K8 and ElasticSearch” into one AWS user, while another had streamed Jira tasks onto an exposed ElasticSearch dashboards “including customer data, code examples, accounts names” for all to see.
The issue is one for customers, not AWS, under a shared responsibility model. (And as he notes “if you open a service to the world, at least use decent authorization and authentication”.)
His scan was possible because cloud operators publish CIDR blocks, or IP address ranges used to create identifiers for networks and devices that can remain highly visible when customers are using them without making adjustments to ensure improved security. Lumelsky curated a public list of CIDR blocks to scan (for example for managed services like Kubernetes or ElasticSearch) along with the ports that are most likely to be open on the instances within these IP ranges. Running the free MASSCAN port scanner, he identified 337,801 open ports in AWS’s ElasticSearch service CIDR blocks — essentially exposed customer clusters — within hours.
Perhaps predictably, although many of the exposed companies were quick to respond and thank him, many of them were hard or impossible to contact about the exposed services. (Lumelsky encountered numerous databases apparently holding company backups that had already been hit by ransomware…)
Although some CIDR blocks are only accessible from within the cloud provider itself, the democratic nature of the public cloud means all a maliciously minded hacker needs to do is spin up an instance with internet connectivity inside the cloud provider that they want to scan, press play and start finding open ports.
As Wiz’s Avi Lumelsky noted in his blog: “We often sin and use the default VPC subnet when configuring instances. Hence, many instances are assigned with a public IP address automatically…
He added in a blog: “DevOps, Developers, and IT practitioners [also] often misconfigure some of the following: Binding the socket on the wrong network interfaces; listening to connections from 0.0.0.0/* — so it is visible to all network interfaces, instead of only the inner-network interface IP address (172.x.x.x); misconfigured security group for the cluster (allow all TCP and all UDP from broad CIDR blocks). “
Sometimes,” he added, “the security group is changed by others that are not aware of the consequences. The default network or subnet is used, subnet settings are derived, and a public IPv4 address is assigned silently…”