Abusing the Replicator; Silently Exfiltrating Data with the AWS S3 Replication Service
2022-07-25, Room 1

A comprehensive backup strategy is a cornerstone of any DR plan.
But how would you distinguish between legitimate backup activity and malicious data exfiltration?

Cyber attackers are increasingly gaining access to backup services, even those in the cloud, and leveraging them to exfiltrate data from across an organization’s production environment. In this talk, we will look closely at how an attacker can abuse S3 Replication to efficiently migrate your data out of your environment.

The AWS S3 Service is no longer the 'Simple Storage Service' it was made out to be. With dozens of features and integrations, it has become the data store of choice for enterprise AWS customers. It’s also so complicated that it is difficult to understand, and thus to secure, all its capabilities.

One of S3's numerous features is the capability to create and manage backups across regions and accounts. Cross-account replication can assist organizations in recovering from a data-loss event. In the wrong hands, the replication service allows threat actors to siphon off data to untrusted locations.

In this talk, we’ll demonstrate the techniques an adversary can employ to abuse the S3 Replication Service to exfiltrate data. I’ll also highlight how the authorized movement of data via the S3 Replication Service is less than transparent, making it especially difficult to hunt for data exfiltration and enabling an attacker to hide their activity in plain sight within your cloud environment.

Kat Traxler is the Principal Security Researcher for Public Cloud at Vectra AI, with a primary focus on AWS, GCP and Cloud-Native infrastructure, and calls the Twin Cities home. She has spent her career performing penetration testing, security architecture design, and research in the areas of web security, IAM, payment technologies, and Cloud Native Technologies.

She has presented at various conferences, including SANS Security Summit and fwd:CloudSec, on topics such as privilege escalation in GCP and bug-hunting in the cloud. In addition to her work at Vectra AI, she is also the author of SANS SEC549 - Enterprise Cloud Security Architecture and currently holds multiple GIAC certifications.

Kat Traxler is obsessed with the attack surface at the confluence of Identity and Cloud Platform APIs and thinks you should be too.