Subdomain hack associated with a removed S3 bucket

14 points by holdenc 5 years ago · 3 comments · 1 min read


tldr; If you delete an S3 bucket with a subdomain name, you need to delete the DNS record that points to it, or the missing bucket may be recreated by someone else, and used to host bad content at your subdomain.

Timeline:

- Received a message from Google Search Console that a new user has been verified for to-be-hacked.my-company.com.

- Looked in Google Search Console, but no new users exist. However, a new sitemap was submitted for to-be-hacked.my-company.com/sitemap.xml. This is filled with spam pages. The hacker apparently recreated the missing S3 bucket in their own account, used this to verify the domain ownership with Google Search Console, and then hosted the sitemap.xml filled with spam content. The spam content is also hosted in the bucket at to-be-hacked.my-company.com.
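
The check the post implies, as an added example that is not part of the original post: walk a zone's CNAME records, pull out every target that is an S3 bucket endpoint, and flag any whose bucket no longer exists. The sample zone and the set of "still existing" buckets below are constructed for illustration (only to-be-hacked.my-company.com and my-company.com come from the post; the assets, legacy and www names and the CloudFront target are made up), and the bucket-existence check is injected so the sample run works offline. The `bucket_exists_http` function is the live equivalent and is not exercised by the sample run.

```python
"""Find CNAME records that point at S3 buckets which no longer exist.

Added example, not code from the original post. The zone below is a
constructed sample; real use would feed it records exported from your
DNS provider and a live bucket-existence check.
"""
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Virtual-hosted S3 endpoints: the bucket name is everything before ".s3".
# Covers bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# bucket.s3-website-<region>.amazonaws.com and bucket.s3-website.<region>.amazonaws.com.
_S3_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)

# Bare endpoint form (CNAME -> s3.amazonaws.com or a regional website endpoint).
# S3 then selects the bucket from the Host header, so the bucket must be
# named exactly like the DNS record.
_BARE_S3_ENDPOINT = re.compile(
    r"^s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)


def s3_bucket_for(record_name: str, target: str) -> Optional[str]:
    """Return the bucket an S3 CNAME target refers to, or None if not S3."""
    target = target.rstrip(".").lower()
    m = _S3_HOST.match(target)
    if m:
        return m.group("bucket")
    if _BARE_S3_ENDPOINT.match(target):
        return record_name.rstrip(".").lower()
    return None


def find_dangling(
    records: Iterable[Tuple[str, str, str]],
    bucket_exists: Callable[[str], bool],
) -> List[Tuple[str, str]]:
    """records: (name, type, target) triples. Returns (name, bucket) pairs
    for CNAMEs whose S3 bucket does not exist, i.e. names anyone could claim."""
    dangling = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        bucket = s3_bucket_for(name, target)
        if bucket is not None and not bucket_exists(bucket):
            dangling.append((name.rstrip(".").lower(), bucket))
    return dangling


def bucket_exists_http(bucket: str, timeout: float = 5.0) -> bool:
    """Live check (not used by the offline sample): HEAD the bucket endpoint.
    Only a 404 means the name is free for anyone to create; 200 or 403 means
    a bucket of that name exists in some account. Plain http is used because
    dotted bucket names do not match the *.s3.amazonaws.com certificate."""
    import urllib.error
    import urllib.request

    req = urllib.request.Request(f"http://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=timeout)
        return True
    except urllib.error.HTTPError as err:
        return err.code != 404


# Constructed sample zone: the first record mirrors the post's scenario.
SAMPLE_ZONE = [
    ("to-be-hacked.my-company.com.", "CNAME",
     "to-be-hacked.my-company.com.s3-website-us-east-1.amazonaws.com."),
    ("assets.my-company.com.", "CNAME", "my-company-assets.s3.amazonaws.com."),
    ("legacy.my-company.com.", "CNAME", "s3.amazonaws.com."),
    ("www.my-company.com.", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("my-company.com.", "MX", "mail.my-company.com."),
]

# Constructed stand-in for the live check: buckets that still exist.
EXISTING_BUCKETS = {"my-company-assets", "legacy.my-company.com"}


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the sample zone with the offline existence check."""
    return find_dangling(SAMPLE_ZONE, lambda b: b in EXISTING_BUCKETS)


if __name__ == "__main__":
    for name, bucket in audit_sample():
        print(f"DANGLING: {name} -> missing bucket {bucket}")
```

In the sample, only the deleted to-be-hacked bucket is reported; the bare `s3.amazonaws.com` CNAME resolves to a bucket named after the record, which is exactly why a deleted bucket of that name is claimable. For a live run, swap the lambda for `bucket_exists_http` (or boto3's `head_bucket`, treating a 404 `ClientError` as missing), and remember that a 403 means the name is already taken, possibly by someone else's account, so the record should be removed either way if the bucket is not yours.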

gtsteve 5 years ago

Interesting, thanks. I guess I didn't consider it because I've never deleted an S3 bucket. We've got a few S3 buckets used in that way, I'll make sure our guys know never to delete them.

k4ch0w 5 years ago

Very common attack. It's called a subdomain takeover.
