SecurityWeek

Application Security

Abandoned Amazon S3 Buckets Could Have Enabled Attacks Against Governments, Big Firms

Roughly 150 abandoned Amazon S3 buckets could have been leveraged to deliver malware or backdoors to governments and Fortune 100 and Fortune 500 companies.

Cybersecurity company WatchTowr has identified many abandoned Amazon S3 buckets that could have been leveraged by threat actors to deliver malware or backdoors to governments and big firms.

WatchTowr’s researchers discovered roughly 150 instances of abandoned S3 buckets that were at one point used for storage by various commercial and open source software products. 

The researchers registered the abandoned S3 buckets and monitored them over a period of two months to see who requested files from them and what type of files were requested. 

The abandoned S3 buckets received over eight million HTTP requests, including for software updates, VM images, JavaScript files, SSLVPN server configurations, CloudFormation templates, and pre-compiled binaries for Windows, Linux and macOS.

Had the 150 bucket names been registered by a malicious actor instead of the security firm, they could have been abused to deliver malicious software updates, VM images with backdoors, malware droppers, or CloudFormation templates that would give the attackers access to AWS environments.

An analysis of the source of requests showed that they came from government networks in the United States, the UK, Australia, South Korea and other countries. 

They also came from military networks, Fortune 100 companies, Fortune 500 companies, a major payment card network, an industrial solutions provider, banks and other financial organizations, universities, messaging software companies, casinos, and even cybersecurity firms.

“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far – or put more clearly, we would’ve embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant,” WatchTowr said in a blog post.

The security firm worked with AWS, which took control of the abandoned S3 buckets, as well as government agencies in the US and UK to prevent abuse. 

Previously, WatchTowr researchers hijacked more than 4,000 backdoors deployed by threat actors by registering abandoned and expired infrastructure that the backdoors had been designed to use.

The company’s researchers also managed to become the administrator of the .mobi TLD by spending $20 to acquire a legacy Whois server.

UPDATE: an AWS spokesperson provided the following statement to SecurityWeek:

AWS services and infrastructure are operating as expected. The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications. After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created.

To support our customers’ security needs, we provide guidance on best practices, including using unique identifiers when creating bucket names to prevent unintended reuse, and ensuring applications are properly configured to reference only customer-owned buckets. In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names. AWS requests that researchers engage with our security research program before conducting research involving AWS services. Learn more at aws.amazon.com/security/vulnerability-reporting/.
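An added example (not code from the article, AWS or watchTowr) of the bucket ownership condition the statement refers to: every S3 read carries boto3's real ExpectedBucketOwner parameter, so a request fails closed if an abandoned bucket name has since been re-registered under another account. The bucket names, account IDs and the FakeS3Client stand-in are constructed placeholders so the module runs offline.

```python
import io

# Constructed allowlist: bucket name -> 12-digit account ID that must own it.
# Both values are placeholders, not real buckets or accounts.
TRUSTED_BUCKETS = {
    "example-app-updates": "111111111111",
    "example-app-templates": "111111111111",
}


class UntrustedBucket(Exception):
    """Raised before any network call when a bucket has no pinned owner."""


def get_object_params(bucket: str, key: str) -> dict:
    """Build get_object kwargs that carry the bucket owner condition.

    ExpectedBucketOwner is the real S3/boto3 parameter: S3 answers
    HTTP 403 if the bucket is now owned by a different account, which is
    what happens after an abandoned bucket name is re-registered.
    """
    owner = TRUSTED_BUCKETS.get(bucket)
    if owner is None:
        raise UntrustedBucket(f"no pinned owner for bucket {bucket!r}")
    return {"Bucket": bucket, "Key": key, "ExpectedBucketOwner": owner}


def fetch_object(client, bucket: str, key: str) -> bytes:
    """Fetch an object via any client with boto3's get_object signature.

    With a real boto3 client an owner mismatch surfaces as
    botocore.exceptions.ClientError (HTTP 403); the fake below raises
    PermissionError so the module runs offline.
    """
    response = client.get_object(**get_object_params(bucket, key))
    return response["Body"].read()


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client (offline only)."""

    def __init__(self, owners: dict, objects: dict):
        self.owners = owners      # bucket -> current owner account ID
        self.objects = objects    # (bucket, key) -> object bytes

    def get_object(self, Bucket, Key, ExpectedBucketOwner=None):
        if ExpectedBucketOwner and self.owners.get(Bucket) != ExpectedBucketOwner:
            raise PermissionError("403 AccessDenied: bucket owner mismatch")
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}
```

In production, swap FakeS3Client for `boto3.client("s3")`; the call shape is identical.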

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
