BSidesTLV 2023

The dark side of cloud-based database engines
2023-06-29, 12:45–13:10 (Europe/Oslo), Smolarz

Cloud migration has revolutionized the way we work with databases, but the changes cloud providers make to popular database engines have created new attack vectors. Our presentation explores the evolving database attack landscape in the cloud, showcasing a case study of a critical CloudSQL (GCP) vulnerability we recently found, along with advanced lateral movement and privilege escalation (PE) techniques.

[Introduction: The evolving landscape of database attacks in cloud environments.]

  • A brief look at sensitive data in cloud environments, with an overview of how the database attack landscape has changed in recent years with the shift to managed databases at cloud service providers (CSPs).

  • Changing perspective: how the cloud makes the attacker's life easier through data flows, managed migrations and other features that span multiple services, within a single cloud account and across several.

[From a single permission to lateral movement]

  • An overview of how attacker tactics have evolved to exploit new vulnerabilities in cloud-based database engines.

  • Redshift use case 1: attack surface, examination of Redshift IAM, gaining an initial foothold.

  • Redshift use case 2: how a single AWS privilege allowed us to perform reconnaissance and data exfiltration against S3 buckets and DynamoDB tables.
    ** A privilege escalation technique using the CREATE EXTERNAL SCHEMA command to bypass earlier restrictions on S3 and reach more data in Kinesis, managed Kafka (Amazon MSK), and RDS.
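The security-relevant property behind the CREATE EXTERNAL SCHEMA technique is that an external schema is bound to an IAM role attached to the cluster, so every query through that schema runs with the role's AWS permissions rather than with whatever the SQL user's own identity is allowed to do. The following Redshift SQL is an added illustration written for this page, not the speakers' exploit chain or code from the talk: the role ARNs, bucket, stream, host and secret names are placeholders, and it assumes a cluster whose attached roles reach S3, Kinesis and Secrets Manager more broadly than the querying user should. The defender checks at the end use the documented system tables STL_DDLTEXT and SVV_EXTERNAL_SCHEMAS.

```sql
-- Added example (not from the talk). Placeholder ARNs, bucket, stream and secret names are
-- assumptions. Precondition assumed: the cluster has IAM roles attached whose policies reach
-- S3 / Kinesis / Secrets Manager more broadly than the SQL user's own AWS identity does.

-- 1. Redshift Spectrum: an external schema backed by the Glue Data Catalog. Queries against it
--    read S3 with the attached role's permissions, not the caller's own IAM permissions.
CREATE EXTERNAL SCHEMA spectrum_ext
FROM DATA CATALOG
DATABASE 'spectrum_db'
IAM_ROLE 'arn:aws:iam::123456789012:role/RedshiftSpectrumRole'
CREATE EXTERNAL DATABASE IF NOT EXISTS;

-- Point an external table at any prefix the role can read, then simply SELECT from it.
CREATE EXTERNAL TABLE spectrum_ext.exported_customers (
    customer_id BIGINT,
    email       VARCHAR(256)
)
ROW FORMAT DELIMITED FIELDS TERMINATED BY ','
STORED AS TEXTFILE
LOCATION 's3://example-target-bucket/exports/';

SELECT email FROM spectrum_ext.exported_customers LIMIT 10;

-- 2. Streaming ingestion: the same statement shape exposes Kinesis Data Streams the role can read.
CREATE EXTERNAL SCHEMA kinesis_ext
FROM KINESIS
IAM_ROLE 'arn:aws:iam::123456789012:role/RedshiftStreamingRole';

CREATE MATERIALIZED VIEW kinesis_events AUTO REFRESH YES AS
SELECT approximate_arrival_timestamp,
       partition_key,
       JSON_PARSE(kinesis_data) AS payload
FROM kinesis_ext."example-stream";

-- 3. Federated query: reach an RDS/Aurora PostgreSQL database using credentials the role
--    is allowed to fetch from Secrets Manager.
CREATE EXTERNAL SCHEMA rds_ext
FROM POSTGRES
DATABASE 'appdb' SCHEMA 'public'
URI 'example-db.cluster-abc.us-east-1.rds.amazonaws.com'
IAM_ROLE 'arn:aws:iam::123456789012:role/RedshiftFederatedRole'
SECRET_ARN 'arn:aws:secretsmanager:us-east-1:123456789012:secret:appdb-creds-AbCdEf';

-- Defender checks.
-- (a) Who created external schemas, and when. DDL is recorded in STL_DDLTEXT, which keeps only
--     a few days of history, so export it to a log sink for anything longer.
SELECT userid, starttime, TRIM(text) AS ddl
FROM stl_ddltext
WHERE text ILIKE '%CREATE EXTERNAL SCHEMA%'
ORDER BY starttime DESC;

-- (b) Which external schemas exist right now and which IAM role each one is bound to
--     (the role ARN appears inside esoptions).
SELECT schemaname, eskind, esoptions
FROM svv_external_schemas;

-- (c) Creating a schema requires the database-level CREATE privilege; revoke it from users
--     who have no business creating schemas, and keep the attached roles' policies narrow.
REVOKE CREATE ON DATABASE dev FROM analyst_user;
```

The lesson for a practitioner is that the blast radius of a Redshift user is the union of every IAM role attached to the cluster, so those roles deserve the same least-privilege review as the user's own identity.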

[Vulnerability Disclosure on GCP CloudSQL]

  • Follow our journey disclosing a new vulnerability in GCP's CloudSQL service, and see new privilege escalation techniques demonstrated, including access to the underlying host container.

  • A detailed walkthrough of exploitation guidelines for cloud-based databases

  • Understanding how GCP customized the SQL engine, including its custom functions, users, and permissions, and how to navigate these features while staying within ethical boundaries.

  • How we used automated operations, audit logs, triggers, SQL Agent, and external operations to extend exploitation.

  • Post-exploitation tactics
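Because a managed engine hands the customer a login with a provider-defined permission set rather than full administrative rights, the first step in either attacking or auditing it is to map what that login can actually do and what mechanisms (triggers, Agent jobs) can execute code outside the current session. The T-SQL below is an added example written for this page, not the speakers' exploit or any code from the talk; it assumes a Cloud SQL for SQL Server instance (the abstract's mention of SQL Agent implies the SQL Server engine) reached with the customer-provisioned login, and every table and function it uses is standard SQL Server catalog metadata.

```sql
-- Added example (not from the talk). Assumes a Cloud SQL for SQL Server instance reached with
-- the customer's provisioned login. Only standard SQL Server catalog views are used.

-- 1. What am I actually allowed to do? Managed engines do not hand out sysadmin, so check the
--    effective server-level permissions instead of assuming them.
SELECT SUSER_SNAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

SELECT permission_name
FROM fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;

-- 2. Which server roles exist beyond the built-ins, and who is in them? Roles created by the
--    provider appear with is_fixed_role = 0; their membership shows how the customer login is
--    wired to the permission model.
SELECT r.name AS role_name, r.is_fixed_role, m.name AS member_name
FROM sys.server_principals r
JOIN sys.server_role_members rm ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals    m ON m.principal_id          = rm.member_principal_id
WHERE r.type = 'R'
ORDER BY r.is_fixed_role, r.name;

-- 3. Provider-managed and customer logins, and whether they are disabled.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
ORDER BY create_date;

-- 4. Persistence surface to audit: server-level DDL/logon triggers and SQL Agent job steps.
--    Both execute code independently of the session that created them, so unexpected entries
--    here are worth investigating.
SELECT name, parent_class_desc, is_disabled, create_date
FROM sys.server_triggers;

SELECT j.name, j.enabled, SUSER_SNAME(j.owner_sid) AS job_owner,
       s.step_id, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
ORDER BY j.name, s.step_id;

-- 5. Database-level triggers in the current database (repeat per database of interest).
SELECT name, parent_class_desc, is_disabled
FROM sys.triggers;
```

Run as an audit, the output of steps 4 and 5 is a baseline to diff against over time; any new job step or trigger that the team did not create is the kind of artifact the post-exploitation phase of the talk is about.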

Ofir Balassiano is the head of security research at Dig Security and a seasoned security researcher specializing in low-level OS internals and cloud security, with over 8 years of experience in the field. He is passionate about understanding how things work and enjoys applying his skills and knowledge to CTFs. During his time in the IDF intelligence unit, Ofir led a team of researchers working on critical technologies, honing his expertise in the security domain.

Ofir Shaty is a Senior Security Researcher at Dig Security, bringing over 6 years of experience in data security and web application security to the team.
Prior to joining Dig, Ofir worked as a Senior Security Researcher at Imperva, where he specialized in researching database attacks. He has published research on data security and database attack techniques from both an offensive and a defensive perspective.