Thursday, February 6, 2025
HomeCyber Security NewsHundreds of Amazon RDS Instances Leaking User's Personal Data

Hundreds of Amazon RDS Instances Leaking User’s Personal Data

Published on

SIEM as a Service

Follow Us on Google News

Recently, the Mitiga Research Team found that hundreds of databases each month were exposed, with significant Personally Identifiable Information (PII) leakage.

An analysis found that the reputable Amazon Relational Database Service is leaking PII through exposed Relational Database Service (RDS) Snapshots.

Amazon Relational Database Service (Amazon RDS)

The Amazon Relational Database Service (Amazon RDS) is a Platform-as-a-Service (PaaS) that provides a database platform based on a few optional engines (e.g., MySQL, PostgreSQL, etc.).

In this case, you can use RDS snapshots, a storage volume snapshot of your database instance that backs up the entire database instance rather than just certain databases, while utilizing the RDS service in AWS.

Further, these snapshots can be shared between other AWS accounts, both inside and outside the on-premises company, as well as between AWS accounts that make the RDS snapshots available to the general public.

A Public RDS snapshot is a useful feature that allows a user to share public data or a template database with an application.

The report says when a user wishes to share a snapshot with co-workers without having to deal with permissions and restrictions, a Public RDS snapshot is a useful option. Hence the user can share the snapshot in this way for a short time with the public.

“Well… obviously, leaked snapshots might potentially be a very valuable asset for a threat actor — either during the reconnaissance phase of the cyber kill chain (databases can include sensitive technical data that can be used for exploitation, like API keys) or for extortion or ransomware campaigns”, Mitiga Research Team reported.

“We found a lot of snapshots that were shared publicly for few hours, days, and even weeks — either intentionally or by mistake”.

Unintentional Information Sharing is a Hazard to Enterprises

Researchers say unintentional information sharing via resources like Disk snapshots (EBS), or database snapshots, is a new hazard to enterprises that some cloud services that enable sharing of cloud resources widely to the globe expose (RDS).

They developed an AWS-native technique, using AWS Lambda Step Function and boto3, to scan, clone, and extract potentially sensitive information from RDS snapshots in scale.

Researchers discovered personally identifiable information has been exposed as a result of the investigation. One of the MySQL databases that were exposed is given below: This DB was created on 03/03/22, and the snapshot was taken on 31/08/22.

Extracted Data Example

The Israeli company, which carried out the research from September 21, 2022, to October 20, 2022, said it found 810 snapshots that were publicly shared for varying duration, starting from a few hours to weeks, making them ripe for abuse by malicious actors.

Over 250 of the 810 snapshots’ backups remained visible for 30 days or more, indicating that they were probably forgotten.

Recommendation

It is strongly advised not to make RDS snapshots accessible to the general public in order to guard against the potential leak or abuse of sensitive data or any other security issue. Where appropriate, it’s also advisable to encrypt snapshots.

Managed DDoS Attack Protection for Applications – Download Free Guide

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...