New Bucket Hijacking Attack Allows Hackers to Reroute Cloud Data Streams to External Storage
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical cloud storage attack technique dubbed \u201cbucket hijacking\u201d a method that enables threat actors to silently redirect an organization\u2019s active cloud data streams, including audit logs and telemetry, into attacker-controlled external storage buckets across major cloud platforms.<\/p>\n
The technique has been confirmed to affect Google Cloud<\/a>, Amazon Web Services (AWS)<\/a>, and Microsoft Azure, with all three providers notified through responsible disclosure.<\/p>\n While no real-world threat actor has been observed exploiting this technique yet, researchers warn that detection would be extremely difficult once deployed.<\/p>\n The attack exploits a fundamental architectural flaw rooted in the global uniqueness of cloud storage bucket names. Because no two users can register an identical bucket name within a provider\u2019s namespace, the identity of a destination storage bucket is tied to its name alone, not to a specific account owner.<\/p>\n An attacker who compromises a cloud environment and gains bucket deletion permissions can execute the attack in a straightforward sequence:<\/p>\n The attack is particularly dangerous because it is self-sustaining. Once the hijack is complete, the legitimate sink or replication configuration continues to appear valid upon inspection, generating no obvious error states and triggering no native alerts. Logs, metrics, and sensitive telemetry flow silently into the attacker\u2019s environment indefinitely.<\/p>\n Unit 42 successfully simulated<\/a> bucket hijacking across multiple services on each major provider:<\/p>\n Researchers highlighted that broad storage administration roles commonly assigned in enterprise environments dramatically increase exposure.<\/p>\n In Google Cloud, the standard Storage Admin role grants Unit 42 recommends a two-pronged defense strategy combining least-privilege access controls and proactive monitoring:<\/p>\n Unit 42 highlighted that this technique is not limited to the three providers tested. Any cloud platform relying on globally unique, statically named storage resources for data stream routing could be vulnerable to the same methodology.<\/p>\n The research reinforces that shared design philosophies across cloud providers mean a flaw discovered in one ecosystem can serve as a direct blueprint for exploiting another, a critical reminder for security teams managing multi-cloud environments.<\/p>\n What Features Should AI SOC Have? \u2013 Download Free 2026 AI SOC Features Checklist<\/a><\/strong><\/p>\n The post New Bucket Hijacking Attack Allows Hackers to Reroute Cloud Data Streams to External Storage<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\n
New Bucket Hijacking Attack<\/strong><\/h2>\n
\n
storage.buckets.delete<\/code> and storage.objects.delete<\/code>\n<\/li>\nstorage.buckets.delete<\/code> by default, bypassing the more restrictive logging.sinks.update<\/code> permission that would be required to legitimately reconfigure a data stream. This effectively allows attackers to reroute data streams without ever touching stream configurations directly.<\/p>\n\n
storage.buckets.delete<\/code>, DeleteBucket<\/code>, Microsoft.Storage\/storageAccounts\/delete<\/code>) to the minimum required administrative roles<\/li>\n