BSides London 2021

Saturday, November 13, 2021

Big data lake, big data leak

AWS has a service for data scientists called Elastic MapReduce (EMR), which runs a Hadoop cluster. A company I used to work at received an email from AWS saying our account was performing DDoS. From there we discovered that our data scientists had opened ports to certain EMR services which, besides showing information, also allow RCE as a service. I decided to look for other victims. Shodan isn't great for this, so I built a scanner over a few iterations to exploit YARN, Livy and Zeppelin. I get RCE on some random cluster, but so what... I'm not into cryptomining or DDoSing. I need to figure out who owns this AWS account I now have access to so I can report it.