This is the scenario that TikTok security engineer Abdullah Al-Sultani presented at the DefCamp security conference in Bucharest recently. He referred to the attack as “cloud squatting.” It goes beyond DNS records alone, because the range of cloud services that reallocate resources and names once an account is closed is very broad. The bigger the company, the bigger this shadow cloud records issue is.
Identifying cloud squatting risk harder for large enterprises
Al-Sultani came across cloud squatting after TikTok received reports through its bug bounty program that involved the reporters taking over TikTok subdomains. His team quickly realized that trying to find all stale records was going to be a serious undertaking because TikTok’s parent company ByteDance has over 100,000 employees and development and infrastructure teams in many countries around the world. It also has thousands of domains for its different apps in different regions.
To tackle this issue, the TikTok security team built an internal tool that iterated through all of the company’s domains; automatically tested every CNAME record by sending HTTP or DNS requests to its target; identified all domains and subdomains that pointed to IP ranges belonging to cloud providers such as AWS, Azure, Google Cloud and other third-party service providers; and then checked whether those IP addresses were still valid and still assigned to TikTok. Luckily, the company was already tracking the IP addresses that cloud providers assigned to its assets in an internal database, but many companies might not do this type of tracking.
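The three checks described above (follow CNAME records, spot addresses in cloud provider ranges, compare them against an inventory of addresses the company still holds) can be sketched as one audit loop. The following is an added example written for this article, not TikTok’s internal tool: live DNS and HTTP probing is replaced by a constructed DNS snapshot, the provider ranges are RFC 5737 documentation prefixes rather than real provider data, and `OWNED_CLOUD_IPS` stands in for the internal IP-tracking database the article mentions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DNS snapshot standing in for live DNS/HTTP probing.
# Values are ("CNAME", target) or ("A", [addresses]).
DNS_SNAPSHOT = {
    "www.example.test":       ("A", ["198.51.100.10"]),             # on-prem, not cloud
    "assets.example.test":    ("CNAME", "d111.cdn-provider.test"),
    "d111.cdn-provider.test": ("A", ["203.0.113.7"]),
    "old-api.example.test":   ("A", ["203.0.113.50"]),              # cloud IP no longer ours
    "legacy.example.test":    ("CNAME", "gone.bucket-host.test"),   # CNAME target vanished
    "blog.example.test":      ("A", ["192.0.2.20"]),
}

# Constructed provider ranges (documentation prefixes, not real provider ranges).
CLOUD_RANGES = {
    "provider-a": [ipaddress.ip_network("203.0.113.0/24")],
    "provider-b": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed inventory of cloud addresses currently allocated to the organisation.
OWNED_CLOUD_IPS = {"203.0.113.7", "192.0.2.20"}


def resolve(name: str, depth: int = 0) -> Tuple[str, List[str]]:
    """Follow a CNAME chain down to A records. Returns (status, addresses)."""
    if depth > 8:
        return ("cname-loop", [])
    record = DNS_SNAPSHOT.get(name)
    if record is None:
        return ("nxdomain", [])
    kind, value = record
    if kind == "CNAME":
        status, ips = resolve(value, depth + 1)
        # A CNAME whose target no longer exists is the classic takeover precondition.
        return ("dangling-cname", []) if status == "nxdomain" else (status, ips)
    return ("ok", list(value))


def cloud_provider(ip: str):
    """Name of the provider whose range contains ip, or None for non-cloud space."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in CLOUD_RANGES.items():
        if any(addr in net for net in nets):
            return provider
    return None


def classify(name: str) -> str:
    """One of: dangling-cname, nxdomain, cname-loop, non-cloud, cloud-ip-unowned, ok."""
    status, ips = resolve(name)
    if status != "ok":
        return status
    providers = [cloud_provider(ip) for ip in ips]
    if all(p is None for p in providers):
        return "non-cloud"
    # A cloud address we no longer hold may already be allocated to another tenant.
    for ip, provider in zip(ips, providers):
        if provider is not None and ip not in OWNED_CLOUD_IPS:
            return "cloud-ip-unowned"
    return "ok"


def audit(names) -> Dict[str, str]:
    """Classify every name and keep only the ones that need attention."""
    findings = {}
    for name in names:
        verdict = classify(name)
        if verdict not in ("ok", "non-cloud"):
            findings[name] = verdict
    return findings


if __name__ == "__main__":
    ours = [n for n in DNS_SNAPSHOT if n.endswith(".example.test")]
    for name, verdict in audit(ours).items():
        print(f"{name}: {verdict}")
```

In a real deployment the snapshot lookup would be a DNS query (and, for CNAMEs, an HTTP request to the target to catch provider error pages), and the provider ranges would come from each provider’s published prefix list; the classification logic stays the same.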
Al-Sultani is not the first to highlight the dangers of cloud squatting. Last year, a team of researchers from Pennsylvania State University analyzed the risk of IP reuse on public clouds by deploying 3 million EC2 servers in Amazon’s US East region that received 1.5 million unique IP addresses or around 56% of the available pool for the region. Among the traffic coming into those IP addresses the researchers found financial transactions, GPS location data, and personally identifiable information.
“We identified four classes of cloud services, seven classes of third-party services, and DNS as sources of exploitable latent configurations,” the researchers said in their research paper. “We discovered that exploitable configurations were both common and in many cases extremely dangerous […] Within the seven classes of third-party services, we identified dozens of exploitable software systems spanning hundreds of servers (e.g., databases, caches, mobile applications, and web services). Lastly, we identified 5,446 exploitable domains spanning 231 eTLDs, including 105 in the top 10,000 and 23 in the top 1,000 popular domains.”
Cloud squatting risks inherited from third-party software
The risk from cloud squatting issues can even be inherited from third-party software components. In June, researchers from Checkmarx warned that attackers are scanning npm packages for references to S3 buckets. If they find a bucket that no longer exists, they register it. In many cases the developers of those packages chose to use an S3 bucket to store pre-compiled binary files that are downloaded and executed during the package’s installation. So, if attackers re-register the abandoned buckets, they can perform remote code execution on the systems of the users trusting the affected npm package because they can host their own malicious binaries.
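A defender can run the same kind of scan over the packages they install, so that a bucket referenced by install-time code is verified before an attacker notices it is gone. The following is an added example, not Checkmarx’s tooling: it extracts bucket names from the three S3 URL forms (`s3://bucket/key`, virtual-hosted `bucket.s3[.region].amazonaws.com`, and path-style `s3[.region].amazonaws.com/bucket/key`) found in a package’s files, and flags any bucket not in a set of buckets the organisation controls. The package contents and the `CONTROLLED_BUCKETS` set are constructed; in practice the final step would be a HeadBucket call against each bucket plus an ownership check.

```python
import json
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

URL_RE = re.compile(r"(?:https?|s3)://[^\s'\"<>]+")
# bucket.s3.amazonaws.com or bucket.s3.<region>.amazonaws.com (also s3-<region>)
VHOST_RE = re.compile(r"(.+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com")
# s3.amazonaws.com/bucket/key or s3.<region>.amazonaws.com/bucket/key
PATH_STYLE_RE = re.compile(r"s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com")


def bucket_from_url(url: str) -> Optional[str]:
    """Return the bucket an S3 URL points at, or None if it is not an S3 URL."""
    parsed = urlparse(url)
    if parsed.scheme == "s3":
        return parsed.netloc or None
    host = parsed.netloc.lower()
    match = VHOST_RE.fullmatch(host)
    if match:
        return match.group(1)
    if PATH_STYLE_RE.fullmatch(host):
        first = parsed.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None


def find_bucket_references(files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each referenced bucket to the set of package files that mention it."""
    refs: Dict[str, Set[str]] = {}
    for path, text in files.items():
        for url in URL_RE.findall(text):
            bucket = bucket_from_url(url.rstrip(".,);"))
            if bucket:
                refs.setdefault(bucket, set()).add(path)
    return refs


def unverified_buckets(refs: Dict[str, Set[str]], controlled: Set[str]) -> List[str]:
    """Buckets that install-time code depends on but that we do not control."""
    return sorted(b for b in refs if b not in controlled)


# Constructed package contents (not a real npm package).
PACKAGE_FILES = {
    "package.json": json.dumps({
        "name": "example-native-addon",
        "version": "1.2.3",
        "scripts": {"install": "node scripts/install.js"},
        "binary": {"host": "https://example-native-addon.s3.amazonaws.com/releases/"},
    }),
    "scripts/install.js": (
        "const url = 'https://s3.amazonaws.com/old-prebuilt-bucket/v1.2.3/addon.node';\n"
        "const fallback = 's3://example-native-addon/releases/addon.node';\n"
    ),
}

# Constructed set of buckets the organisation owns and still holds.
CONTROLLED_BUCKETS = {"example-native-addon"}


if __name__ == "__main__":
    found = find_bucket_references(PACKAGE_FILES)
    for bucket, paths in found.items():
        print(f"{bucket}: referenced in {sorted(paths)}")
    print("needs verification:", unverified_buckets(found, CONTROLLED_BUCKETS))
```

Running this over the constructed package reports `old-prebuilt-bucket` as needing verification: it is referenced only by the install script, and nothing in the inventory says the organisation still holds it.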