
So I'm here to present a talk about the cloud squatting attack. Let's start with what's on today's menu. We are going to talk about what the cloud is, because cloud squatting is related to cloud security, then we're going to talk about the cloud squatting attack as the problem. I work at TikTok, so I'm going to talk about the solution we used to fix this issue at scale, and then we'll have some time for questions at the end of the session.

Let me first introduce myself. My name is Abdullah. I work as a security engineer at TikTok; if you have a problem with your TikTok account, please don't reach out to me. I moved from Baghdad to London two years ago to work with TikTok. I started my career in cyber security when I was 13 and I did ethical hacking when I was 16 years old, and since then I've just been hooked on these things.

So the cloud, what is that? Right now it's all the AI kind of thing, but back in the old days it was all about the cloud. Basically, instead of owning and managing physical hardware and software, users can now rent or subscribe to resources and services from providers. It has become increasingly popular because it offers several advantages. I have a friend who's still doing it the old way; he has a server in his own room. Basically you just rent someone else's computer to do whatever you want on it. There are a lot of providers all over the world and there are the major ones we are going to talk about.

Why do people use the cloud? It sounds weird, like why would you want to use someone else's computer? If you are not familiar with the cloud, it has a lot of advantages, such as on-demand resources: you basically pay for what you use, instead of, like with old-style hosting, having to pay for a full year or something. Here it suits your needs, so I would say it's very convenient. Scalability: if you want to scale down or scale up it's very easy, just click buttons to add more RAM, add more resources to the system, and you can scale down as well. Sometimes you don't have predictable traffic or demand; for example e-commerce on Black Friday gets a lot of requests, so they need to scale up and after that they need to scale down, and it's very easy to do that with the cloud. There are a lot of service models, like infrastructure as a service and platform as a service; these are kind of out of scope but you can Google them. Deployment models as well: there are a lot of ways to deploy your stuff, if you want to make it accessible or if you want to make it private; everything is going to be inside that. Cost efficiency: as we just said, you pay per use, so instead of buying a lot of stuff or purchasing servers you can just pay Amazon or Google, and when you finish your work you just go through it. It's accessible from everywhere, so it doesn't matter where you live, you can use these services. Security and compliance: it's very secure, these infrastructures are protected by big tech companies and there's a lot of compliance about how to store data and other stuff. But, as with 99% of problems, it's always a human error, and what this talk is about is a human error.

So what is the problem? Does anyone here know what cloud squatting is? Oh, that's good, zero hands. Okay, we have one. This is going to be educational then, that's fine. I'm a visual learner, I always like looking through stuff on YouTube, and when my manager told me "you want to do cloud squatting research?" I said okay, and this is what I found on YouTube, to be honest. So if you are a gym pro and you are here for this, it's not what we are going to talk about.

So here is cloud squatting, this is the problem that we are facing right now. When an organization rents cloud servers, these servers get assigned an IP address. We use it for a while, to host an application or logs or whatever, any kind of hosted service, then when we finish we just release this IP address and someone else is going to use it. So if you think about it, let's say TikTok had an IP address, they used it for a while, they just released it, and an evil actor took it and started receiving the traffic intended for TikTok.

Let's talk about this example. We have DNS; basically DNS is just like a phone book, you ask for the domain and it gives you the IP address for it. We have an issue here. There are different types of DNS records, and we are going to focus on A and CNAME for this research; the others could also be included, maybe in future research.

Let's talk about examples of this attack. Let's say you are running an application on app.example.com and you say, okay, I'm registering this in the DNS, I'm registering app.example.com for this IP address, and this IP address is provided by a cloud provider, let's say AWS, Google or Azure, and TikTok is using this IP address. Let's say after one year we don't need this IP address anymore and we released it, but someone took it over: they just asked Amazon, "I want an EC2 instance or whatever", and Amazon assigned this IP address to him or her. The problem here is that we are still pointing to this IP address in our DNS record, so if we have the domain app.example.com it is going to point to this server, and an attacker can do a lot of stuff, for example stealing cookies, serving files from this domain and tricking users for scams, or whatever.

We also have a problem that we saw in our codebase. If we are using, let's say, an IP address from a cloud provider and we are pointing to it in our code, and after a while we delete it from our AWS dashboard, people basically forget about it; it's still being pointed at in our codebase. This especially happens in big tech companies because people are leaving, people are changing projects, so it's very easy for this stuff to get lost. Think about it: if you are sending log requests to an IP address that belongs to a cloud provider, you have to make sure that it's configurable in a way that is not hardcoded in the code.

Why did we start doing this? Basically we got a lot of HackerOne reports about it. Is anyone here doing bug hunting, or knows the bug hunting concept? Can you raise your hand? Okay, that's fair. Basically HackerOne is a platform where you open a profile as a company and you say, if you hack us and report the issue to us, we are going to give you money for it. So we started receiving reports from ethical hackers saying "hey, I took over this subdomain, this domain, this domain", and we started noticing a pattern in these reports. These domains were pointing, as we just described, to unclaimed IP addresses of a cloud provider, sometimes AWS, sometimes Google Cloud, sometimes Yandex, or whatever cloud provider we are using. So we said, okay, let's start researching this problem. We also got a report from, I think, the University of Berkeley or something about an issue with one of our main domains that was also pointing to deleted assets. So we said okay, let's start working on it.

While we were working on this we had to create an extension for it, because we have another problem here. Sometimes we are not using an IP address, we are using a service from a third party; for example here we are using S3 to store whatever we want, and it's the same thing. blog.example.com returns a CNAME record, so instead of an IP address it returns a CNAME; you can read about the difference between these records. Let's say blog.example.com belongs to TikTok at this time, they used it for marketing, they used it for whatever, and then they say, we don't need this anymore, this campaign has ended, and they delete it from their AWS account, but our DNS is still pointing to this domain. So someone can just find the name of the S3 bucket, create the same name, and basically take over blog.example.com.

So what did we do? We had one of those interesting Friday meetings and we said, let's start working on this. We had kind of a to-do list of the stuff we wanted to work on, and we narrowed it down to these requirements. First we need our domains, basically all of our records, to find which ones are actually pointing to a cloud provider. We also needed to know which IP addresses belong to a cloud provider; we have a lot of IP addresses for our domains, it's a lot of stuff, so it's really hard to wrap your head around it, so we need to know which IP addresses we have taken from cloud providers. We need the cloud providers' IP ranges to know which ones fall into this criterion, and we need to understand all the third-party services that are vulnerable to the takeover attack; we talked about S3 buckets, but there are a lot of examples.

Our domains: too many to count. It's so huge; when you look at the database it's crazy how many domains we are running, it's sometimes really hard to track every one of them, and even a very simple query is going to take a long time to return something. We tried to look over the internet, because in big tech companies sometimes it's very hard to find these kinds of records, so we tried to scan the internet. There was a good data set by Rapid7, but I don't think they are going to give it to you, just for scientific purposes. And then, out of the blue, it turned out we have a DNS record system in the company, so it really saved us. For the DNS records we have every domain and subdomain and all the DNS records for it, the A records or CNAME records or whatever. So we just got our domains; that's the first thing we finished.

Now we need to work on the IP addresses that belong to cloud providers. It's also too many IP addresses that we are using, and projects pop up out of the blue and get removed after a while, so it was really hard to track these things as well. After searching through the company we found out that we have two systems with a similar data set that we can use, so let's call them system one and system two. System one is kind of called "visibility of third-party assets" or something like that, and basically it uses APIs from all the cloud providers that we are using (this is roughly the list, I think we have more or less); it uses the APIs from these providers to pull all the current instances and all the current IP addresses that we are using with this cloud provider. System two is a security system that does scanning on external resources. The thing is, we faced problems when we looked at the data coming from these two sources: there's a lot of redundancy between them, because basically there's a lot of common data that we don't need, and the data set is already huge. So we did deduplication; we removed every kind of duplication between these sources and kept only the unique ones. There were also different formats and properties from each one, so it took a while to understand the business needs and to clarify what we need from these sources, but eventually we found a way to resolve this. As I just said, sometimes it's very hard to decide what kind of data you need, and asking for permission is very different in big tech companies.

Now we want to collect the providers' IP ranges. The good thing is that the big cloud providers such as Google, AWS and, I think, Azure give you a JSON file that has all the subnets that belong to them, and there's also a token so you can check whether new stuff has been added. But there's a problem: there's no formal format for these files, so you have to do it by yourself, and other providers, I think Alibaba, Yandex and others, have only an HTML table, so you need to parse it by yourself, and you have to keep pulling data from these sources all the time to check if new subnets have been added.

So we finished all this stuff and then we had to go to the third-party services vulnerable to takeover attacks. There is a good GitHub repo maintained by the community; it's basically a table telling you which service is vulnerable to this attack, what fingerprint you need and what domains you need to look for. You can see here which ones to ignore and which ones you need to look for. There are also new services coming up all the time, so you basically have three categories: vulnerable, not vulnerable, and stuff we don't know about yet, so you need to detect it.

We had all the requirements; now let's see the workflow. From these systems, the DNS records, system one and system two, we get the data into the data preparation stage. In this stage we just pull data continuously, because TikTok has a team in every time zone, so there's a lot of stuff happening all the time, and also the people who are working on finding these kinds of issues automate all their processes, so they maybe trigger it every minute. So you have to keep an eye on this data all the time, and we just remove the duplication between the two sources that we talked about before to make it very searchable.

In the data analysis stage we start iterating through the domains. We said: if the domain has a vulnerable CNAME, from the CNAMEs we talked about in the repo, you have to keep an eye on it. If it's a vulnerable CNAME we are going to send an HTTP request or a DNS request, based on which CNAME it is, because there are different cases for every provider that you need to cover by yourself. We send the request to find the fingerprint, and if the fingerprint is found then we are going to get a request saying "hey" (we can talk about the communication of the result in the other slide). Also, if the domain has an IP that belongs to a cloud provider, check if it's in our records and not expired. When we go through the domains we get the A record, and sometimes it returns one IP address but sometimes it returns multiple IP addresses, so we have to check all of them and see if any of them is not in our records or is expired. By expired I mean we deleted it from our system, because with every data pull in the data preparation stage we check if there are new or deleted assets. Also we iterate not just through domains, because let's say we don't point any DNS record to it but we use this IP address for Rus or another service; so we iterate through the IPs that we have, and if an IP is expired or deleted from our records we check our codebase or configuration files to see if we are pointing to this IP address anywhere, and in case it does, we just need to trigger an alarm.

This is the communication. It's kind of an urgent thing, because sometimes these domains are very critical and serving files or other stuff, and especially if it's a small to medium business it's also a very real threat to have someone take over a subdomain or steal data from you, so it needs to be really fast. We have a system for our company that we use to create these bots that continuously check for this stuff; you can send it over Slack, email or whatever channel you like, but urgent action needs to be taken about it.

So what are you going to do for the same thing? It's a DIY project, do it yourself, so it's good for your performance review to do this project. Basically you need data for domains; you can just use the domain management system that you are using. If you are an ethical hacker trying to find this kind of stuff, you just need to use scraping and brute force, brute-forcing the domain names; there are a lot of tools to do that so you can find all these subdomains. You also need to check for CNAME takeover with tools; there are a lot of tools for this kind of attack that will tell you whether you can take this over or not. To check if an IP address is not alive: if you do dig and you write the domain name, in the terminal you are going to get the DNS record for it and you can see the IP addresses; you can take one of them and try to ping it, and if it's not alive and it belongs to a cloud provider then maybe you can take over this IP address. And basically, as I just said, you need to automate everything, because the people who are doing this have automated everything already, so you are not going to do this manually; it's a huge data set and it's going to take a while if you do that. I'm sure you will find some good results eventually, so whether you are on the protector side or the attacker side, it will pay off.

These are the references for this. As I just said, the cloud squatting term is not really popular; even I learned it when I started working on the project, but there are quite a few resources that mention it, so I included them in my slides, just give them a visit. The first one is really interesting because it's a white paper about this attack and it's very detailed as well, so if you are interested in this, go for it. The same for this one, it's research by the university, if you want to take a look at it, and the third one is about subdomain takeover, so if you are interested in subdomain takeover attacks give it a look. Through our research there's a lot of stuff that we read that helped us; maybe we didn't include it here, but it's not like all these resources are found. Do you have any questions?

Anyone?

"Okay, excuse me, how often would the alerts go off?"

I can't hear.

"How often do the alerts go off?"

Huh, the alerts go off? It never goes off, man, like we keep saying "hey, delete this, delete this, delete this". Especially, it also depends: when we detect something and we say okay, this domain has been taken over or something, we need to create an investigation about how severe it is, whether it's really an important asset that is serving files and you are pointing to it. Because it happens sometimes that we delete resources that we don't need and the DNS record or another domain is pointing to it but it's not used anywhere, so I would say that's less severe, so you can take your time to fix it, but we try to do it as soon as possible. Anyone else? I hope I answered your question.

I have a hearing problem, like I should mention that. Everything we used we developed in house; we didn't use any third party, and I don't think, when we researched this problem, that we found any third party providing this. Also it's kind of critical data to be exposed to a third party, so we did everything that I mentioned here in house and we didn't use any third-party services. Anyone else? That's it basically. Okay, so I just remembered, I forgot the hiring slide. We are hiring, so if you are interested just talk to me after the conference. I'm usually a nice person so don't worry about it, usually. Thank you everyone.
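The detection logic the talk describes, as an added Python example that is not part of the talk or of TikTok's tooling: parse a provider range file, flag A records that sit in a provider range but not in the company's own inventory, and check CNAMEs against a fingerprint table with a third "no fingerprint known" bucket. The range file, fingerprint table, zone records, inventory and HTTP bodies are all constructed, and the live HTTP request is replaced by an injected fetch function so it runs offline.

```python
import ipaddress
import json

# Constructed sample of a provider range file in the layout of AWS's
# ip-ranges.json ("prefixes" / "ip_prefix"); documentation subnets, not real ones.
PROVIDER_RANGES_JSON = json.dumps({"syncToken": "1700000000", "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "eu-west-2", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
]})

# Constructed fingerprint table in the spirit of the community repo the talk
# mentions: CNAME suffix -> text the service returns once the resource is gone.
# The second provider is hypothetical.
CNAME_FINGERPRINTS = {
    ".s3.amazonaws.com": "NoSuchBucket",
    ".cloudapp.hypothetical-provider.example": "Resource not found",
}

# Constructed zone export: (name, type, value).
DNS_RECORDS = [
    ("app.example.com", "A", "203.0.113.10"),
    ("app.example.com", "A", "203.0.113.11"),
    ("blog.example.com", "CNAME", "old-campaign.s3.amazonaws.com"),
    ("www.example.com", "A", "192.0.2.5"),
    ("docs.example.com", "CNAME", "docs.hypothetical-provider.example"),
]

# Constructed inventory: IPs the cloud accounts hold right now, i.e. the merged
# and deduplicated "system one" + "system two" data from the talk.
OWNED_IPS = {"203.0.113.10"}

# Constructed HTTP bodies standing in for the live request so the example runs offline.
FAKE_RESPONSES = {"blog.example.com": "<Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>"}


def load_provider_networks(raw_json):
    """Parse an AWS-style range file into ip_network objects."""
    return [ipaddress.ip_network(p["ip_prefix"]) for p in json.loads(raw_json)["prefixes"]]


def in_provider_range(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def check_records(records, networks, owned_ips, fingerprints, fetch):
    """Return (domain, finding) pairs for records that look squattable."""
    findings = []
    for name, rtype, value in records:
        if rtype == "A":
            # Every A record is checked: one dangling provider IP flags the domain.
            if in_provider_range(value, networks) and value not in owned_ips:
                findings.append((name, f"A {value} is in a provider range but not in our inventory"))
        elif rtype == "CNAME":
            suffix = next((s for s in fingerprints if value.endswith(s)), None)
            if suffix is None:
                # The talk's third bucket: a provider we have no fingerprint for yet.
                findings.append((name, f"CNAME {value}: no fingerprint known, review manually"))
            elif fingerprints[suffix] in fetch(name):
                findings.append((name, f"CNAME {value} answers with fingerprint {fingerprints[suffix]!r}"))
    return findings


if __name__ == "__main__":
    nets = load_provider_networks(PROVIDER_RANGES_JSON)
    for domain, why in check_records(DNS_RECORDS, nets, OWNED_IPS, CNAME_FINGERPRINTS, lambda d: FAKE_RESPONSES.get(d, "")):
        print(f"ALERT {domain}: {why}")
```

In a real deployment the fetch function would issue the HTTP or DNS query the talk mentions, and the inventory and zone data would be refreshed on every pull rather than held as constants.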