Abandoned Amazon S3 buckets help attackers on their way

Deleted or disused Amazon S3 buckets are proving to be a significant attack vector for cybercriminals. Security firm watchTowr Labs showed in its recent research findings how attackers can easily re-register these forgotten storage buckets and use them to spread malware, for example, or even to mount large-scale supply chain attacks.

The attacks this weakness enables could be similar to the infamous SolarWinds attack. The watchTowr Labs researchers scanned the Internet for abandoned or otherwise inactive Amazon S3 buckets that had been used in the past for code or software updates, and checked whether these buckets were still receiving unsecured and unverified requests.

In the end, they discovered 150 forgotten S3 buckets previously owned by government agencies, large enterprises, and IT and security companies. These buckets had once been used for open source projects, software deployment, updates and configurations, among other things, and were later abandoned.

8 million requests

For just $400, the researchers re-registered these 150 S3 buckets and analyzed which files were being requested. In two months, the re-registered buckets received as many as 8 million requests from, among others, governments (US, UK and Australia), a major credit card provider, international banks and cybersecurity companies. Frequently requested files included unsigned Windows, Linux and macOS binaries, VM images, JavaScript files, SSL VPN configurations and CloudFormation templates.

According to the researchers, malicious actors could easily have answered these requests with malicious files, which could potentially have led to large-scale cyberattacks.

Easy to abuse

watchTowr Labs' experts emphasize how simple it is to carry out a supply chain attack through this forgotten infrastructure. Moreover, this vulnerability applies not only to Amazon S3 buckets but to any abandoned cloud environment. All criminals need to do is re-register the original name of the bucket and then abuse it to spread malware.

Response from AWS

AWS has since removed the S3 buckets that watchTowr Labs detected and re-registered. The hyperscaler advises customers to adhere to best practices, including using unique bucket names to prevent re-registration. In addition, extensive documentation is available to ensure that applications are properly configured and use only valid buckets that they own.
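The advice above boils down to one check that deployment pipelines rarely perform: does every bucket my scripts and templates pull from still exist, and is it still mine? The following Python script is an added example, not code from the article or from watchTowr Labs. It extracts bucket names from the common S3 URL forms found in install scripts and CloudFormation templates, then classifies each bucket as owned, missing (the name is free for anyone to re-register) or owned by someone else. The sample deployment script, bucket names and account IDs are constructed; the `boto3` helper at the end uses the real `head_bucket(..., ExpectedBucketOwner=...)` call but is not exercised by the offline sample.

```python
"""Audit S3 bucket references in deployment files for abandoned or foreign buckets.

Added example; the sample script, bucket names and account IDs below are constructed.
"""
import re
from typing import Callable, Dict, List

# Status values returned for each bucket found in a file.
OK = "ok"                    # exists and is owned by the expected account
MISSING = "missing"          # bucket no longer exists: its name can be re-registered by anyone
WRONG_OWNER = "wrong-owner"  # exists but belongs to another account (or we cannot access it)
UNKNOWN = "unknown"          # check failed (network error, throttling, ...)

_BUCKET = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"

# The three S3 URL forms seen in the wild: s3://, virtual-hosted style and path style.
S3_URL_PATTERNS = [
    re.compile(r"s3://" + _BUCKET + r"(?![a-z0-9.-])", re.IGNORECASE),
    re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com(?![a-z0-9.-])", re.IGNORECASE),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET + r"(?![a-z0-9.-])", re.IGNORECASE),
]


def extract_bucket_references(text: str) -> List[str]:
    """Return the distinct bucket names referenced in a script, config or template."""
    found: List[str] = []
    for pattern in S3_URL_PATTERNS:
        for match in pattern.finditer(text):
            name = match.group("bucket").lower()
            if name not in found:
                found.append(name)
    return found


# A bucket check maps a bucket name to one of the status values above.
BucketCheck = Callable[[str], str]


def audit_bucket_references(text: str, check: BucketCheck) -> Dict[str, str]:
    """Classify every bucket referenced in `text`; a failing check never aborts the audit."""
    results: Dict[str, str] = {}
    for bucket in extract_bucket_references(text):
        try:
            results[bucket] = check(bucket)
        except Exception:
            results[bucket] = UNKNOWN
    return results


def untrusted_buckets(results: Dict[str, str]) -> List[str]:
    """Buckets a pipeline must not download from until someone has looked at them."""
    return sorted(bucket for bucket, status in results.items() if status != OK)


def boto3_bucket_check(expected_owner: str) -> BucketCheck:
    """Real check against AWS: HeadBucket with the x-amz-expected-bucket-owner header.

    404 means the bucket is gone (re-registrable); 403 means it exists but is not ours
    or not readable by us. Requires boto3 and credentials; not run by the offline sample.
    """
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")

    def check(bucket: str) -> str:
        try:
            s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=expected_owner)
            return OK
        except ClientError as err:
            code = err.response["Error"]["Code"]
            if code in ("404", "NoSuchBucket"):
                return MISSING
            if code in ("403", "AccessDenied"):
                return WRONG_OWNER
            return UNKNOWN

    return check


# Constructed sample deployment script (not from the article or the research).
SAMPLE_DEPLOY_SCRIPT = """
curl -O https://builds-live.s3.us-east-1.amazonaws.com/agent/latest/agent-linux.bin
aws s3 cp s3://legacy-installer-bucket/setup.msi ./setup.msi
TEMPLATE_URL=https://s3.amazonaws.com/legacy-installer-bucket/stack.template
wget https://vendor-tools.s3.amazonaws.com/cli.tar.gz
"""

# Constructed stand-in for AWS: bucket name -> owning account ID.
# "legacy-installer-bucket" is absent on purpose: it was deleted and its name is free.
FAKE_BUCKET_OWNERS = {
    "builds-live": "111111111111",
    "vendor-tools": "222222222222",
}


def make_fake_bucket_check(expected_owner: str) -> BucketCheck:
    """Offline check that answers from FAKE_BUCKET_OWNERS instead of calling AWS."""
    def check(bucket: str) -> str:
        owner = FAKE_BUCKET_OWNERS.get(bucket)
        if owner is None:
            return MISSING
        return OK if owner == expected_owner else WRONG_OWNER
    return check


if __name__ == "__main__":
    report = audit_bucket_references(SAMPLE_DEPLOY_SCRIPT, make_fake_bucket_check("111111111111"))
    for bucket, status in report.items():
        print(f"{status:12} {bucket}")
    print("do not deploy from:", untrusted_buckets(report))
```

Run this as a CI lint over Dockerfiles, install scripts and CloudFormation templates with `boto3_bucket_check("<your account id>")` in place of the fake check; a `missing` result is exactly the situation the researchers exploited, and `wrong-owner` means the name has already been taken over or was never yours. The same intent can be enforced at request time in IAM with the `s3:ResourceAccount` condition key, so that a role can only read from buckets in accounts you list, regardless of what a script references.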
