The 4TB time bomb: when EY's cloud went public and what it taught us

Neo Security

Let's deep dive into cloud misconfigurations, attack surface management, and why responsible disclosure matters.

Here at Neo Security we don't just scan. We practice a form of digital cartography. The modern internet isn't a fixed map; it's a constantly shifting, fluid landscape of assets, relationships and data. Together with our partners we map it, understand it, and find the parts that organizations have forgotten they own.

During one of these recent mapping expeditions, our lead researcher found something that made him stop and double-check his work.

Our engineers have real incident response experience. They have worked on breaches where attackers found their way in through database files that were briefly exposed. We know the scenario well: a BAK file leaked for five minutes. An exposure window measured in seconds. That's all it takes.

We know what the theoretical looks like when it becomes real.

One of our hackers wasn't running a broad, noisy scan. No. Instead he was doing focused, low-level tooling work: tweaking passive data sources, stepping through raw network traffic. Hours in, staring at output buffers, something caught his attention.

A 200 OK on a HEAD request.

For context: a HEAD request is like knocking on a door and asking "Who's in there, and how big is the room?" You're asking a server for metadata about a file (its size, type, last-modified date) without actually downloading it. It's supposed to be a fast, harmless query.

The server's answer was anything but harmless.

He sat back.

Four terabytes. That's not a file. That's a data center. That's the entire collection of the British Library. That's massive.

He stared at the screen. The file names looked exactly like SQL Server backup files. His mind went to the obvious: if this is what he thinks it is, it's bad.

An SQL Server BAK file is a complete database backup. It contains everything: the schema, all the data, stored procedures and, critically, every secret stored in those tables: API keys, session tokens, user credentials, cached authentication tokens, service account passwords. Whatever the application stored in the database. Not just one secret; all the secrets.

Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault just sitting there, with a note that says "free to a good home".

He'd investigated breaches that started with less. Way less. He once traced an entire ransomware incident back to a single web.config file that leaked a connection string. That was 8 kilobytes.

This was four terabytes.

He Googled the bucket and file specifics. A few unrelated results came up, but nothing clicked immediately. No obvious website. Someone was paying for that Azure subscription, though. This was live.

Trying to confirm ownership can be hard. He started digging. Company name searches led to business merger documents in a south-central European language. He fed them through DeepL. The translation revealed the company was acquired in 2020 by a larger entity, but the parent company name wasn't immediately obvious.

Then he ran an SOA record lookup. A Start of Authority DNS query is basically asking the internet's phonebook "who's really in charge of this domain?" The response came back pointing to an authoritative DNS server: ey.com.

That's when everything clicked.

His stomach sank.

This wasn't some startup. This was Ernst & Young. One of the Big Four accounting firms. Global. Massive. The kind of organization that audits major corporations, handles M&A due diligence for multi-billion euro deals, and has access to financial records that could move markets.

But he still had to be sure before reaching out.

He couldn't download 4 terabytes; that's not research, that's a felony. So he did what an engineer would do: he downloaded the first thousand bytes.

Most file types have a signature at the start of the file, in the very first few bytes. It's a digital fingerprint. A PDF starts with %PDF. A ZIP with PK. A JPEG with FF D8 FF. An ELF binary with 7F 45 4C 46.

These magic bytes are how the file command on Unix systems works. It doesn't look at the file extension, which anyone can fake. It looks at the actual bytes.

He parsed the magic bytes: SQL Server backup. Confirmed. This wasn't encrypted. The file format was unmistakably a database backup.

And that meant this was as bad as he thought.

He sat back and exhaled. He'd been here before: not personally discovering something this big, but cleaning up after someone else had. He remembered one incident in particular.

A few years ago he'd been called in to investigate a breach at a fintech company. They'd been hit with a ransomware attack; the attackers had complete access to their customer database, internal tools and cloud infrastructure.

The timeline investigation revealed the entry point: a BAK file, a full SQL database backup, that had been publicly accessible in an Azure storage bucket. For exactly five minutes.

An engineer working late, under pressure, needed to migrate a database between environments. The VPN was flaky. The firewall rules were complex. So he made a decision: "I'll just set the bucket ACL to public for two minutes. I'll download it, then set it right back. No one will notice. What could possibly happen in two minutes?"

Modern cloud platforms make it trivially easy to export and back up your database. A few clicks: select your database, choose a destination bucket, and you're done. The export happens automatically in the background.

But here's where it gets dangerous: one wrong click, one typo in a bucket name, and suddenly your private data is sitting in a public bucket. You meant to export to company-internal-backups but accidentally typed company-public-assets. Or you created a new bucket for the export, forgot to set it to private, and the cloud provider defaults to public. Oops.

It's that easy to accidentally leak terabytes of sensitive data. The tools are designed for convenience, not security. They assume you know what you're doing. They don't warn you that you just exported your entire customer database to a bucket that's readable by anyone on the internet.

An Access Control List (ACL) is the access control for your cloud data. It's a list of rules that determines who can access what.

That engineer flipped the bouncer's list from Rule 1 to Rule 2. Just for a second. "I'm not dealing with VPC whitelisting and ISO docs tonight."

Boom.

What he didn't know is that attackers don't just casually scan. They deploy thousands of automated scanners across every corner of the internet. Compromised IoT device? Botnet. Hacked home router? Botnet. Pwned cloud instance? Botnet.

This distributed scanning infrastructure doesn't browse casually. It sweeps the entire IPv4 space, that's 4.3 billion addresses, in minutes. It's massively parallel, geographically distributed, hyper-optimized for one thing: finding exposed data.

It's an automated gold rush. A constant race to find the next open S3 bucket, the next public Azure blob, the next misconfigured GCS bucket. The window between "misconfigured" and "exfiltrated" isn't measured in hours or minutes. It's measured in seconds.

In that fintech breach, the engineer changed it back to private at the 5-minute mark, thinking he was safe. He wasn't. The entire database (PII, credentials, trade secrets) was already gone.

Here's the weird part: their homepage traffic spiked 400% during that window. Wonder why that is? Automated scrapers hitting every endpoint, probing every path, looking for more. Not humans browsing. Bots. Thousands of them.

Our researcher had watched that company go under. He was in the room when they made the breach notification to their customers. All because of five minutes.

So when he saw that 4TB SQL Server backup sitting there, publicly accessible, belonging to EY, he didn't think "interesting security finding". He thought about that fintech company. He thought about the timeline. He thought about the five-minute window.

But here's the thing: the question isn't even which hacker took it. The question is who didn't.

That file was sitting there, publicly accessible, for an unknown amount of time. Could have been hours. Could have been days. In that window, with the scanning infrastructure that exists, it's not a question of if someone found it. It's a question of how many.

When something this big sits exposed on the public internet, you don't get to ask "did someone find it?" You have to assume everyone found it.

We immediately stopped all investigation. The clock was ticking. Every second that file was exposed was another chance for someone else to find it. Someone who wouldn't responsibly disclose.

The hard part: we scrambled to find a security mailbox, a vulnerability disclosure program, anything. Nothing. It was the weekend.

This is the uncomfortable reality of responsible disclosure. Our researcher went to LinkedIn and started cold-messaging people: "Hi, I'm a security researcher, I think I've found something critical, can you please get me to your security team?" After 15 attempts he found someone who understood and connected him to the CSIRT.

From that moment on: textbook perfect. Professional acknowledgment. No defensiveness, no legal threats. Just "Thank you. We're on it."

Clear technical communication. Engineer to engineer. No jargon-filled corporate speak. Just solid incident response.

One week later the issue was triaged and fully remediated.

A huge shoutout to EY's security team.

They handled it exactly as you'd hope. This is what mature security response looks like. And frankly, it's rare. We've had companies threaten us with lawsuits for telling them their database was public. We've had companies ghost us for months. We've had companies claim "it's not a bug, it's a feature".

EY? They just fixed it. No drama. No bullshit. Just professionalism.

Here's what concerns our researcher: if EY, with all their resources, security teams, compliance frameworks, ISO certifications and Big Four budget, can have a 4TB SQL Server backup sitting publicly accessible on the internet, then anyone can.

The modern cloud is too complex. Too fast-moving. Too ephemeral. Traditional security assessments can't keep up. You're not manually racking servers anymore. You're clicking buttons in a web UI, running Terraform scripts, deploying with CI/CD pipelines. Infrastructure is code. Infrastructure is fast. And fast means mistakes happen at scale.

That 4TB file? It might have been exposed for an hour, a day, a week. We don't know. That fintech BAK? Five minutes was enough.

The risk isn't some shadowy hacker specifically targeting you. The risk is the automation. The massive, distributed scanning infrastructure that never sleeps, never blinks, and finds everything within seconds of it being exposed.

You cannot defend what you do not know you own.

You need the same continuous, automated, adversarial visibility that the attackers have. You need to be the first to find your own 4TB SQL Server backup. You need to scan like they scan.

This is why Attack Surface Management isn't optional anymore.

We can help you look into your posture and perform an OSINT assessment to show you exactly what's visible from the outside, from an attacker's perspective. Not what your vulnerability scanner says. Not what your penetration test found. What's actually exposed on the public internet right now.

Using the cloud but not 100% sure how many backups or sensitive files might be one temporary ACL change away from leaking? Deployed any database backups lately? Got snapshots floating around? Using Azure? AWS? GCP? All three?

Let's get on a call.

We're engineers, not salespeople. We'll skip the pitch and just show you the data. We'll help you find your exposures before someone else does.

Because our researcher has seen what happens when you don't. He's seen the five-minute leak. He's seen what happens when you ask "which hacker took it" instead of "who didn't".

So let's really find out what's exposed.

Part of Korper ICT. © 2025 Neo Security. All rights reserved.
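The verification steps the post describes (a HEAD for size and type, then only the first thousand bytes, classified by magic bytes rather than extension) as an added example for checking your own storage endpoints; this is not Neo Security's tooling. It assumes the Microsoft Tape Format block header "TAPE" that native SQL Server .bak files begin with; the other signatures are the ones the post lists, and the sample headers and byte strings in the test are constructed.

```python
import urllib.error
import urllib.request

# Magic-byte table. The SQL Server entry is the MTF block header ("TAPE") that
# native .bak files start with (assumption stated in the lead-in); the rest are from the post.
SIGNATURES = [
    (b"TAPE", "sqlserver-backup (MTF)"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x7fELF", "elf"),
]


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes; the extension is never consulted."""
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    return "unknown"


def human_size(n: float) -> str:
    """Render a Content-Length in the unit an analyst actually reads."""
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if n < 1024 or unit == "TB":
            return f"{n:.2f} {unit}"
        n /= 1024


def summarize_head(status: int, headers: dict) -> dict:
    """Reduce a HEAD response to what matters: anonymously readable, how big, what type."""
    length = int(headers.get("Content-Length", 0))
    return {
        "anonymous_read": status == 200,
        "size": human_size(length),
        "content_type": headers.get("Content-Type", "?"),
        "last_modified": headers.get("Last-Modified", "?"),
    }


def probe(url: str) -> tuple[dict, str]:
    """HEAD, then a 1000-byte ranged GET: enough to classify, never the whole file."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD")) as head:
            summary = summarize_head(head.status, dict(head.headers))
    except urllib.error.HTTPError as e:  # 403/404: nothing anonymous to see
        return summarize_head(e.code, dict(e.headers)), "n/a"
    req = urllib.request.Request(url, headers={"Range": "bytes=0-999"})
    with urllib.request.urlopen(req) as resp:
        return summary, sniff(resp.read(1000))
```

`probe` performs live requests and is left out of the offline test; the classification and header logic it relies on are exercised on constructed inputs.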
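One way to catch the "temporary ACL flip" and the mistyped-bucket export before a scanner does is to audit every storage account and container for anonymous access and flag anything backup-shaped. This is an added example, not Neo Security's tooling: it runs over a constructed inventory shaped like the JSON that `az storage account list`, `az storage container list` and `az storage blob list` emit (it reads only the fields `allowBlobPublicAccess` and `properties.publicAccess`), so it works offline.

```python
import json

BACKUP_SUFFIXES = (".bak", ".bacpac", ".sql", ".dump", ".trn")

# Constructed sample inventory in the shape of `az ... -o json` output, one account
# locked down at the account level and one "migration" account left open.
SAMPLE = json.loads("""{
 "accounts": [
  {"name": "stcorpbackups",  "allowBlobPublicAccess": false},
  {"name": "stmigrationtmp", "allowBlobPublicAccess": true}
 ],
 "containers": {
  "stcorpbackups":  [{"name": "db",     "properties": {"publicAccess": null}}],
  "stmigrationtmp": [{"name": "export", "properties": {"publicAccess": "blob"}},
                     {"name": "site-assets", "properties": {"publicAccess": "container"}}]
 },
 "blobs": {
  "stmigrationtmp/export":      [{"name": "prod-customers-2025.bak"}, {"name": "notes.txt"}],
  "stmigrationtmp/site-assets": [{"name": "logo.png"}]
 }
}""")


def audit(inv: dict) -> list[dict]:
    """Return one finding per container reachable anonymously, rated by what it holds."""
    findings = []
    for acct in inv["accounts"]:
        # Account-level switch explicitly off: container ACLs cannot make anything public.
        if acct.get("allowBlobPublicAccess") is False:
            continue
        for c in inv["containers"].get(acct["name"], []):
            level = c["properties"].get("publicAccess")   # null, "blob" or "container"
            if level is None:
                continue
            blobs = inv["blobs"].get(f"{acct['name']}/{c['name']}", [])
            backups = [b["name"] for b in blobs
                       if b["name"].lower().endswith(BACKUP_SUFFIXES)]
            findings.append({
                "account": acct["name"], "container": c["name"],
                "public_access": level,
                "listable": level == "container",  # "container" also allows enumeration
                "backups": backups,
                "severity": "critical" if backups else "high",
            })
    return findings
```

Feed it the real CLI output (or a scheduled export of it) and alert on any non-empty result; the "critical" rows are the ones that deserve a page at 3 a.m.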