Cloud Hacking: When Clouds Turn Dark

Image Generated by ChatGPT

Hello world, today we’ll take a quick dive into the world of Cloud Security. Millions of companies use the cloud every day, but surprisingly few of them secure their cloud environments properly. ☁️⚡

Cloud computing has transformed business operations by offering scalable, on-demand access to computing resources over the internet. For those not familiar with the term: cloud computing is a model in which users consume resources such as servers, storage, and databases on demand, without owning or managing the underlying physical infrastructure.

As shown below, AWS (Amazon Web Services), Azure, and GCP (Google Cloud Platform) were the three largest cloud service providers in Q4 2024.

Worldwide Market Share of Cloud Providers (Statista)

While the shift from on-premises infrastructure to the cloud brings numerous advantages in flexibility and cost-efficiency, it also introduces serious security risks. Cloud hacking, meaning attacks on cloud-based systems, is a growing concern that can cause significant damage to organizations.

In this blog post, I’ll briefly introduce you to cloud hacking, and together we’ll explore the most common entry points that hackers exploit without needing prior access or insider knowledge.

What is Cloud Hacking?

Cloud Hacking involves exploiting vulnerabilities in cloud infrastructure to gain unauthorized access, disrupt services, or steal sensitive data. These attacks can target various layers of cloud security, including network, data, and application levels. Ethical hacking, or penetration testing, plays a crucial role in identifying these vulnerabilities before malicious actors can exploit them.

If attackers manage to breach your cloud infrastructure, the consequences can be devastating. The collage below highlights four real-world attacks on cloud components, showing just how vulnerable these systems can be when not properly secured.

Headlines from Real-World Cloud Attacks

To describe the steps hackers follow when attacking these kinds of systems, we can use the Cloud Infrastructure Kill Chain proposed by Hack The Box:

  • Recon (Reconnaissance): The goal is to gather intelligence about the target cloud infrastructure. The techniques used are: enumeration of public-facing services, OSINT on cloud assets, employee accounts, code repositories, and scanning for misconfigurations.
  • Infiltration: Using that knowledge, the attacker gains initial access to the cloud environment, for example through weak or leaked credentials and API keys, social engineering, abuse of insecure endpoints, or misconfigurations discovered during recon.
  • Privilege Escalation: The attacker seeks to gain elevated permissions by exploiting overly permissive IAM policies, misconfigured roles, trust relationships, or vulnerabilities in cloud services that allow privilege upgrades.
  • Lateral Movement: With escalated privileges, the attacker moves across cloud services, regions, or accounts, accessing additional resources like storage buckets, databases, or compute instances, often leveraging service-to-service trust or shared credentials.
  • Exfiltration: Finally, the attacker extracts sensitive data from the environment by downloading files, dumping databases, or establishing covert channels, completing the objective while attempting to evade detection.
Cloud Infrastructure Kill Chain (HackTheBox)

In the following sections, we’ll focus on the first two steps of the kill chain outlined above, aiming to gain a deeper understanding of how attackers circumvent security measures and compromise your organization.

Entry Points for Hackers

It’s time to grab some popcorn and take a closer look at the three most common entry points for hackers to breach cloud environments. Understanding these vulnerabilities is essential for building secure, resilient cloud architectures and maintaining trust in cloud-based services.

The techniques described below are intended solely for educational purposes and ethical penetration testing. They should never be used for malicious activities or unauthorized access.

Public Storage Buckets

Cloud Storage Buckets are containers used to store objects (files, data, backups, etc.). By default, the major providers create buckets as private (AWS, for instance, now turns on S3 Block Public Access for every new bucket). However, it’s surprisingly common for developers or administrators to make these buckets publicly accessible, either accidentally or intentionally, without proper authentication or access restrictions.

When cloud storage buckets are publicly accessible, anyone with the URL or path can access the files inside. This can expose: PII (Personally Identifiable Information), Credentials (API keys, access tokens, passwords in logs), Internal documentation or source code, and Sensitive media (e.g., medical images, customer videos, private documents).

Enumerating these public buckets is extremely easy for attackers: plenty of free tools are available for the job. These are the most popular ones:

  • Grayhat Warfare/Buckets Finder: A public search engine and tool that indexes open buckets, allowing users to search for potentially misconfigured or exposed cloud storage with file browsing capabilities.
  • S3Scanner: A command-line tool used to scan for open Amazon S3 buckets and determine their accessibility, optionally listing their contents when anonymous read is enabled.
  • GCPBucketBrute: A tool designed to brute-force Google Cloud Storage (GCS) bucket names and check for publicly accessible buckets or misconfigured permissions.
  • cloud_enum: A multi-cloud reconnaissance tool that discovers public-facing assets (storage buckets, Azure blobs and App Services, GCP functions, and more) across AWS, Azure, and GCP by mutating a keyword into candidate resource names and probing each provider’s public endpoints for them.
Grayhat Warfare Home Page
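
To make the trick behind these tools concrete, here is a small Python example written for this post (it is not code from S3Scanner, GCPBucketBrute or cloud_enum). It mutates a keyword into candidate bucket names the way those tools do, then classifies the answer an anonymous request to a bucket endpoint gets back: 404 means the bucket does not exist, 403 means it exists but does not list anonymously, and a 200 carrying an S3 ListBucketResult or a GCS storage#objects document means the listing is public. The mutation list and the sample responses are constructed for illustration; the two endpoint URLs are the providers’ real public ones.

```python
"""Added example: triage anonymous responses from S3 and GCS bucket endpoints.

Illustrative code written for this post, not part of S3Scanner,
GCPBucketBrute or cloud_enum. It reproduces the core trick those tools use:
guess bucket names from a keyword, hit the provider's public endpoint without
credentials, and read the answer.
"""
import json
import urllib.error
import urllib.request

# Mutations in the spirit of the tools' wordlists (assumed short list, not theirs).
MUTATIONS = ["backup", "backups", "dev", "staging", "prod", "logs", "assets", "uploads", "data"]

# Unauthenticated endpoints the tools rely on (both are real, documented endpoints).
ENDPOINTS = {
    "s3": "https://{name}.s3.amazonaws.com/",
    "gcs": "https://www.googleapis.com/storage/v1/b/{name}/o",
}


def bucket_candidates(keyword: str) -> list[str]:
    """Keyword alone, then keyword-mutation and mutation-keyword (hyphen and no separator)."""
    keyword = keyword.lower().strip()
    names = [keyword]
    for mut in MUTATIONS:
        for sep in ("-", ""):
            names.append(f"{keyword}{sep}{mut}")
            names.append(f"{mut}{sep}{keyword}")
    # Both providers require 3-63 character names; drop the rest, keep order, no duplicates.
    seen, out = set(), []
    for n in names:
        if 3 <= len(n) <= 63 and n not in seen:
            seen.add(n)
            out.append(n)
    return out


def classify(status: int, body: str) -> str:
    """Map an anonymous GET on a bucket endpoint to one of four verdicts."""
    if status == 404:
        return "absent"            # S3 NoSuchBucket / GCS notFound
    if status == 200:
        if "<ListBucketResult" in body:
            return "public-list"   # S3 listed its keys to an anonymous caller
        try:
            doc = json.loads(body)
            if isinstance(doc, dict) and doc.get("kind") == "storage#objects":
                return "public-list"   # GCS JSON API listed objects
        except ValueError:
            pass
        return "exists-unknown"    # e.g. an S3 static-website bucket serving HTML
    if status in (401, 403):
        # Bucket exists but anonymous listing is denied. Caveat: individual
        # objects may still be world-readable even when listing is not.
        return "private"
    return "exists-unknown"        # redirects, 400 bad name, 5xx, ...


def probe(provider: str, name: str, timeout: float = 5.0) -> str:
    """Live check (network). Not used by the offline triage below."""
    req = urllib.request.Request(ENDPOINTS[provider].format(name=name), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read(4096).decode("utf-8", "replace"))


# Constructed responses mimicking what the endpoints return (shape only, invented content).
SAMPLE_RESPONSES = {
    "acme": (403, '<?xml version="1.0"?><Error><Code>AccessDenied</Code></Error>'),
    "acme-backup": (200, '<?xml version="1.0"?><ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                         '<Name>acme-backup</Name><Contents><Key>db.sql.gz</Key></Contents></ListBucketResult>'),
    "acme-dev": (404, '<?xml version="1.0"?><Error><Code>NoSuchBucket</Code></Error>'),
    "acme-logs": (200, json.dumps({"kind": "storage#objects", "items": [{"name": "access.log"}]})),
}


def triage(responses: dict[str, tuple[int, str]]) -> dict[str, list[str]]:
    """Group bucket names by verdict so public listings surface first."""
    buckets: dict[str, list[str]] = {}
    for name, (status, body) in responses.items():
        buckets.setdefault(classify(status, body), []).append(name)
    return buckets


if __name__ == "__main__":
    for verdict, names in sorted(triage(SAMPLE_RESPONSES).items()):
        print(f"{verdict:15} {', '.join(names)}")
```

Run it to see the constructed samples triaged; call probe("s3", name) for a live check against a bucket you are authorized to test. A "private" verdict only says anonymous listing is denied: individual objects can still be world-readable, so a thorough test also fetches known object keys.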

Curious to strengthen your knowledge even further? You can discover other useful tools here!

Employees

As always, people are the weakest link in the chain. This timeless axiom remains painfully true in the age of cloud computing. No matter how robust your technical defenses may be, the human element remains an open flank. Hackers know this. In fact, they count on it.

Social engineering, credential stuffing against reused passwords, and misconfigurations introduced by overwhelmed or undertrained staff are not only common; they’re often the most efficient entry points. When targeting cloud environments, attackers frequently bypass complex technical safeguards by exploiting human behavior: a misplaced click, an over-permissioned IAM role, or a well-crafted phishing email. In this landscape, your cloud security is only as strong as your least cautious user.

The same goes for this entry point: numerous tools help attackers craft convincing social engineering attacks (e.g., phishing) aimed at deceiving employees and stealing their access. Let’s look at some of them:

  • Evilginx: A reverse-proxy phishing framework that sits between the victim and the legitimate cloud login page, relaying the real content so the phishing page is indistinguishable from the genuine portal. It captures credentials and, more importantly, the session cookies issued after login. Because it steals the authenticated session rather than the second factor, it defeats OTP and push-based 2FA; only phishing-resistant MFA such as FIDO2/WebAuthn, whose credentials are bound to the genuine origin, holds up against it.
  • Modlishka: A MitM phishing framework that dynamically relays content from the target site to the victim. Unlike static phishing pages, it serves the real site in real time, which greatly improves credibility.
  • GoPhish: An open-source framework for running phishing campaigns, built for awareness training but equally usable by attackers. It lets an operator design and send phishing emails targeting cloud service credentials, track clicks, and record submitted data.
  • King Phisher: A comparable campaign framework offering email spoofing, credential harvesting, and template-based emails with dynamically generated content, which makes it well suited to cloud credential phishing.
  • LOLBins (Living Off the Land Binaries): Legitimate binaries and scripts shipped with the OS (e.g., PowerShell, certutil, or mshta on Windows) that attackers repurpose for stealthy operations. In a social engineering context, a user is tricked into running a command or script that uses these binaries to extract credentials, set up persistence, or interact with cloud APIs without tripping alarms tuned to known malware.
GoPhish Home Page
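
Since a reverse-proxy kit shows the victim the genuine portal’s content, the hostname in the address bar is usually the only visible tell. The following Python example, added for this post and not taken from any of the tools above, encodes the three common tells as checks over a URL: a genuine sign-in hostname embedded under someone else’s registrable domain, a punycode label (the carrier for homoglyph domains), and login-flavoured words on a domain the providers do not own. The portal hostnames are real; the sample URLs and the two-label suffix list are constructed for illustration, and a real deployment would use the Public Suffix List instead.

```python
"""Added example: flag URLs whose hostname impersonates a cloud sign-in portal.

Illustrative code written for this post, not taken from Evilginx, Modlishka,
GoPhish or King Phisher. Reverse-proxy kits relay the real portal, so the
hostname is usually the only visible tell; this encodes three common tells.
"""
from urllib.parse import urlsplit

# Genuine sign-in hostnames for the big three providers (real hostnames).
LEGIT_PORTALS = {
    "signin.aws.amazon.com", "console.aws.amazon.com",
    "login.microsoftonline.com", "portal.azure.com",
    "accounts.google.com", "console.cloud.google.com",
}
# Words phishers put into labels so the host reads like a login flow.
LURE_WORDS = {"login", "signin", "verify", "mfa", "aws", "azure", "microsoftonline", "gcp"}
# Two-label public suffixes, deliberately short; a real deployment would load
# the Public Suffix List (assumption: this is enough for the samples below).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """example.co.uk for a.b.example.co.uk, example.com for a.b.example.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


LEGIT_REGISTRABLE = {registrable_domain(p) for p in LEGIT_PORTALS}


def lookalike_findings(url: str) -> list[str]:
    """Return the tells found in the URL's hostname; [] means genuine or unremarkable."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["no-hostname"]
    if host in LEGIT_PORTALS:
        return []
    reg = registrable_domain(host)
    findings: list[str] = []
    # Tell 1: a genuine portal name embedded under a foreign registrable domain,
    # e.g. login.microsoftonline.com.secure-verify.example
    if reg not in LEGIT_REGISTRABLE:
        for portal in sorted(LEGIT_PORTALS):
            if portal in host:
                findings.append(f"embeds-legit-host:{portal}")
                break
    # Tell 2: an IDN (punycode) label, the usual carrier for homoglyph domains.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    # Tell 3: login-flavoured words on a domain the providers do not own.
    if reg not in LEGIT_REGISTRABLE:
        tokens = set(host.replace("-", ".").split("."))
        if tokens & LURE_WORDS:
            findings.append("lure-words")
    return findings


# Constructed sample URLs (invented hosts; the first two are genuine portals).
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://us-east-1.signin.aws.amazon.com/oauth",
    "https://login.microsoftonline.com.secure-verify.example/login",
    "https://xn--pple-43d.example/account",
    "https://aws-console-login.example/signin",
    "https://docs.python.org/3/",
]


def scan(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to its findings, keeping only URLs that tripped at least one tell."""
    return {u: f for u in urls if (f := lookalike_findings(u))}


if __name__ == "__main__":
    for url, tells in scan(SAMPLE_URLS).items():
        print(f"{url}\n    {', '.join(tells)}")
```

This is a triage heuristic for proxy or mail-gateway logs, not a blocklist: a legitimate third-party login page will trip the lure-word rule, so findings should feed a review queue or a risk score rather than an automatic block.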

Infrastructure Vulnerabilities

Last but not least, hackers exploit infrastructure vulnerabilities, a broad category of weaknesses in the services an organization exposes to the internet, and often the most impactful entry point into a cloud environment. Alongside phishing, credential stuffing, and misconfigured services (e.g., public storage buckets), attackers systematically enumerate the cloud infrastructure associated with a target. This enumeration is methodical, aiming to map every exposed component and service in use across providers like AWS, Azure, or GCP.

The initial step involves passive and active reconnaissance. Hackers begin by identifying your organization’s cloud footprint, which includes public-facing IPs, DNS records, cloud-hosted applications, S3 buckets, virtual machines, APIs, serverless functions, and more. These are the main tools used during this step:

  • theHarvester: Commonly used early in reconnaissance to collect emails, subdomains, IPs, and employee names associated with an organization. Against cloud estates, attackers use it to discover cloud-specific subdomains and to uncover employee emails that may correspond to console, SSO, or management-portal accounts.
  • Amass: This is a powerful tool for mapping the external cloud surface of an organization. It combines DNS enumeration, scraping, brute forcing, and passive sources to enumerate subdomains.
  • Sublist3r: Though more lightweight than Amass, Sublist3r is effective for quickly identifying subdomains tied to cloud-hosted environments. It pulls data from search engines like Google, Bing, Yahoo, and others.
  • Shodan: Immensely valuable in cloud reconnaissance. It indexes services, ports, and banners from internet-facing systems, including cloud VMs and containers. Attackers use filters such as org, port, and cloud.provider to focus on specific targets or providers.
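
Tools like these return lists of subdomains; the next question is which cloud service each one points at. The Python example below, written for this post rather than taken from any of the tools, answers it from DNS: each provider exposes its managed services under well-known CNAME suffixes (S3, CloudFront, Azure App Service, Cloud Storage, and so on), so matching a hostname’s CNAME chain against those suffixes attributes it to a provider and service. The suffix table holds real suffixes but is not exhaustive; the DNS records are constructed sample data for a fictitious example.com.

```python
"""Added example: attribute an organisation's hostnames to cloud services via DNS.

Illustrative code written for this post, not taken from theHarvester, Amass or
Sublist3r. Those tools return subdomains; this step asks which managed cloud
service each one is a CNAME for. The suffix patterns are real provider
suffixes (not exhaustive); the DNS records are constructed sample data.
"""
import re
import socket

# (regex over the CNAME target, provider, service). Order matters: the more
# specific S3 website pattern must come before the generic S3 one.
SERVICE_PATTERNS = [
    (r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$", "AWS", "S3 static website"),
    (r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", "AWS", "S3 bucket"),
    (r"\.cloudfront\.net$", "AWS", "CloudFront distribution"),
    (r"\.elb\.amazonaws\.com$", "AWS", "Elastic Load Balancer"),
    (r"\.execute-api\.[a-z0-9-]+\.amazonaws\.com$", "AWS", "API Gateway"),
    (r"\.blob\.core\.windows\.net$", "Azure", "Blob Storage"),
    (r"\.azurewebsites\.net$", "Azure", "App Service"),
    (r"\.cloudapp\.azure\.com$", "Azure", "VM public IP"),
    (r"\.trafficmanager\.net$", "Azure", "Traffic Manager"),
    (r"\.storage\.googleapis\.com$", "GCP", "Cloud Storage"),
    (r"\.appspot\.com$", "GCP", "App Engine"),
    (r"\.run\.app$", "GCP", "Cloud Run"),
]


def classify_target(target: str):
    """Return (provider, service) for a CNAME target, or None if it is not a known cloud suffix."""
    t = target.lower().rstrip(".")
    for pattern, provider, service in SERVICE_PATTERNS:
        if re.search(pattern, t):
            return provider, service
    return None


def map_footprint(records: dict[str, list[str]]) -> dict[str, tuple[str, str, str]]:
    """records: hostname -> CNAME chain (empty list when the name has only A/AAAA records).
    Returns hostname -> (provider, service, final target); the first cloud hop in the chain wins."""
    footprint = {}
    for host, chain in records.items():
        hit = None
        for target in chain:
            hit = classify_target(target)
            if hit:
                break
        final = chain[-1] if chain else host
        footprint[host] = (hit[0], hit[1], final) if hit else ("unknown", "-", final)
    return footprint


def summarize(footprint: dict[str, tuple[str, str, str]]) -> dict[str, list[str]]:
    """Group hostnames by provider, preserving discovery order."""
    by_provider: dict[str, list[str]] = {}
    for host, (provider, _service, _target) in footprint.items():
        by_provider.setdefault(provider, []).append(host)
    return by_provider


def resolve_chain(host: str) -> list[str]:
    """Live lookup (network). The stdlib only exposes the canonical name, i.e. the
    end of the CNAME chain, which is enough for the suffix match above."""
    canonical, _aliases, _addrs = socket.gethostbyname_ex(host)
    return [canonical] if canonical.lower() != host.lower() else []


# Constructed sample records for a fictitious example.com (not real DNS data).
SAMPLE_RECORDS = {
    "static.example.com": ["static-example-assets.s3.amazonaws.com"],
    "www.example.com": ["d111111abcdef8.cloudfront.net"],
    "api.example.com": ["a1b2c3d4e5.execute-api.eu-west-1.amazonaws.com"],
    "portal.example.com": ["portal-prod.azurewebsites.net", "waws-prod-am2-123.sip.azurewebsites.windows.net"],
    "files.example.com": ["c.storage.googleapis.com"],
    "mail.example.com": [],
}


if __name__ == "__main__":
    fp = map_footprint(SAMPLE_RECORDS)
    for host, (provider, service, target) in fp.items():
        print(f"{host:22} {provider:8} {service:24} {target}")
    print(summarize(fp))
```

Feed it the subdomain list from Amass or Sublist3r (resolving each with resolve_chain) and the output is the per-provider inventory the later scanning steps start from; a name in the "unknown" bucket is not necessarily off-cloud, it may simply sit behind a provider IP range the CNAME heuristic cannot see.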

Once the surface area is mapped, attackers pivot to identifying exploitable vulnerabilities and misconfigurations. At this stage, they combine cloud-specific reconnaissance with traditional attack methodologies to probe for weaknesses, often leveraging standard offensive tools such as Nmap for network scanning and Metasploit for exploiting the vulnerabilities they find.


Is cloud hacking the biggest threat to modern infrastructure? Share your thoughts below! Let’s dive into the challenges, solutions, and what you’re seeing out there!  🤝
