Live Cybersecurity News Ticker | Codekeeper

New 'Bucket Hijacking' Attack Can Silently Reroute Your Cloud Data to Hackers

Written by Content Team | Jun 27, 2026 12:22:29 PM

Researchers at Unit 42 have uncovered a serious cloud attack technique called bucket hijacking, confirmed to work across Google Cloud, AWS, and Microsoft Azure. The method exploits a simple but fundamental flaw: cloud storage bucket names are globally unique, meaning whoever owns the name owns the destination.

An attacker with bucket deletion permissions can delete a target's active storage bucket, immediately re-register the same name under their own account, and watch the original data stream — audit logs, telemetry, metrics — flow silently into their environment. No alerts fire. No errors appear. The pipeline just keeps running.

Unit 42 recommends restricting deletion permissions, enforcing data perimeter controls, and monitoring bucket deletion API calls closely.
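The monitoring recommendation can be made concrete by correlating successful bucket deletions with the destinations that pipelines still write to by name. The following is an added example, not code from Unit 42 or the original article; it assumes AWS CloudTrail-style records, and the sink inventory, bucket names and account ID are constructed for illustration.

```python
import json

# Constructed CloudTrail-style management events (sample data, not from the article).
RAW = """
{"eventTime":"2026-06-01T10:00:00Z","eventName":"DeleteBucket","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/ci-deployer"},"requestParameters":{"bucketName":"acme-audit-logs"}}
{"eventTime":"2026-06-01T10:05:00Z","eventName":"DeleteBucket","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev"},"requestParameters":{"bucketName":"acme-scratch-tmp"}}
{"eventTime":"2026-06-01T11:00:00Z","eventName":"DeleteBucket","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:role/platform"},"requestParameters":{"bucketName":"acme-metrics"}}
{"eventTime":"2026-06-01T11:02:00Z","eventName":"CreateBucket","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:role/platform"},"requestParameters":{"bucketName":"acme-metrics"}}
{"eventTime":"2026-06-01T12:00:00Z","eventName":"DeleteBucket","errorCode":"AccessDenied","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev"},"requestParameters":{"bucketName":"acme-telemetry"}}
"""
EVENTS = [json.loads(line) for line in RAW.strip().splitlines()]

# Hypothetical inventory: pipeline name -> bucket it writes to by name.
SINKS = {"audit-trail": "acme-audit-logs", "metrics-export": "acme-metrics",
         "app-telemetry": "acme-telemetry"}
OWN_ACCOUNTS = {"111111111111"}  # constructed account ID


def orphaned_sinks(events, sinks, own_accounts):
    """Return one alert per sink bucket that was deleted and not re-created
    by an account we control, i.e. whose global name is free to be claimed."""
    sink_for = {bucket: name for name, bucket in sinks.items()}
    open_alerts = {}
    # ISO-8601 UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("errorCode"):          # failed call, bucket state unchanged
            continue
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        if bucket not in sink_for:       # deletion of a bucket nothing writes to
            continue
        if ev["eventName"] == "DeleteBucket":
            open_alerts[bucket] = {
                "bucket": bucket,
                "sink": sink_for[bucket],
                "deleted_at": ev["eventTime"],
                "actor": ev["userIdentity"]["arn"],
            }
        elif (ev["eventName"] == "CreateBucket"
              and ev.get("recipientAccountId") in own_accounts):
            open_alerts.pop(bucket, None)  # name is back under our ownership
    return list(open_alerts.values())


if __name__ == "__main__":
    for alert in orphaned_sinks(EVENTS, SINKS, OWN_ACCOUNTS):
        print("ALERT: sink bucket deleted while still in use:", alert)
```

A re-creation in another account never appears in the victim's own trail, so the alert stays open until the name is confirmed back under an owned account or the pipeline is repointed.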

Source: Cybersecurity News