Cybersecurity company WatchTowr has identified many abandoned Amazon S3 buckets that could have been leveraged by threat actors to deliver malware or backdoors to governments and big firms.
WatchTowr’s researchers discovered roughly 150 instances of abandoned S3 buckets that were at one point used for storage by various commercial and open source software products.
S3 bucket names are global, and a deleted bucket's name can be re-created by any other AWS account. The researchers re-created the abandoned bucket names under their own account and monitored them over a period of two months to see who still requested files from them and what type of files were requested.
The abandoned S3 buckets received over eight million HTTP requests, including for software updates, VM images, JavaScript files, SSLVPN server configurations, CloudFormation templates, and pre-compiled binaries for Windows, Linux and macOS.
Had the roughly 150 bucket names been re-created by a malicious actor instead of the security firm, they could have been abused to deliver malicious software updates, VM images with backdoors, malware droppers, or CloudFormation templates that would give the attackers access to the victims' AWS environments.
An analysis of the source of requests showed that they came from government networks in the United States, the UK, Australia, South Korea and other countries.
They also came from military networks, Fortune 100 companies, Fortune 500 companies, a major payment card network, an industrial solutions provider, banks and other financial organizations, universities, messaging software companies, casinos, and even cybersecurity firms.
“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far – or put more clearly, we would’ve embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant,” WatchTowr said in a blog post.
The security firm worked with AWS, which took control of the abandoned S3 buckets, as well as government agencies in the US and UK to prevent abuse.
Previously, WatchTowr researchers hijacked more than 4,000 backdoors deployed by threat actors by registering abandoned and expired infrastructure that the backdoors had been designed to use.
The company’s researchers also managed to become the administrator of the .mobi TLD by spending $20 to acquire a legacy Whois server.
UPDATE: An AWS spokesperson provided the following statement to SecurityWeek:
AWS services and infrastructure are operating as expected. The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications. After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created.
To support our customers’ security needs, we provide guidance on best practices, including using unique identifiers when creating bucket names to prevent unintended reuse, and ensuring applications are properly configured to reference only customer-owned buckets. In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names. AWS requests that researchers engage with our security research program before conducting research involving AWS services. Learn more at aws.amazon.com/security/vulnerability-reporting/.
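The two checks a practitioner would want after reading the above are (1) whether any of their own build scripts, installers or templates still point at a bucket that no longer exists and could be re-created by anyone, and (2) how to pin the bucket owner on requests so a re-created bucket in a foreign account is refused. The following is an added example, not code from watchTowr or AWS; the bucket names, sample installer text and HEAD responses are constructed so it runs offline. The only AWS-specific facts it relies on are that an anonymous HEAD on a nonexistent bucket returns 404 and that the x-amz-expected-bucket-owner header (boto3's ExpectedBucketOwner parameter) is the bucket ownership condition AWS refers to.

```python
"""Added example (not code from watchTowr or AWS): audit a build script,
installer or CloudFormation template for S3 bucket references, find the ones
whose bucket no longer exists (a name anyone can re-create), and pin the
bucket owner on requests so a re-created bucket under a foreign account is
refused. Bucket names, URLs and HTTP responses below are constructed."""
import re
import urllib.error
import urllib.request

# S3 bucket names: 3-63 characters of lowercase letters, digits, dots, hyphens.
_NAME = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
_REGION = r"(?:[.-][a-z0-9-]+)?"  # optional ".us-east-1" / "-eu-west-1" segment
_PATTERNS = [
    re.compile(r"s3://(" + _NAME + r")"),                                          # s3://bucket/key
    re.compile(r"https?://(" + _NAME + r")\.s3" + _REGION + r"\.amazonaws\.com"),  # virtual-hosted
    re.compile(r"https?://s3" + _REGION + r"\.amazonaws\.com/(" + _NAME + r")"),   # path-style
]


def extract_buckets(text):
    """Return the sorted, de-duplicated bucket names referenced in text."""
    found = set()
    for pat in _PATTERNS:
        found.update(pat.findall(text))
    return sorted(found)


def _http_head(url):
    """Unauthenticated HEAD; returns the status code instead of raising on 3xx/4xx."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify_bucket(name, head=_http_head):
    """Map an anonymous HEAD on the bucket endpoint to a verdict.
    404 NoSuchBucket means the name is unclaimed: whoever creates it next
    answers every request still pointed at it (the scenario in the article).
    200/403/301 mean the bucket exists (public, private, or another region)."""
    status = head("https://%s.s3.amazonaws.com/" % name)
    if status == 404:
        return "dangling"
    if status in (200, 301, 403):
        return "exists"
    return "unknown"


def audit(text, head=_http_head):
    """Verdict per referenced bucket; 'head' is injectable for offline tests."""
    return {name: classify_bucket(name, head) for name in extract_buckets(text)}


def owner_pinned_headers(account_id):
    """Header for a signed S3 request that makes S3 answer 403 unless the bucket
    is owned by account_id, so a re-created bucket in a foreign account is
    refused. boto3 exposes the same guard as the ExpectedBucketOwner parameter
    on calls such as get_object and head_bucket."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("an AWS account ID is exactly 12 digits")
    return {"x-amz-expected-bucket-owner": account_id}


# Constructed sample input: an installer script plus a CloudFormation line.
SAMPLE = """
curl -o agent.bin https://example-updates-2017.s3.amazonaws.com/agent/latest.bin
aws s3 cp s3://example-vpn-configs/ssl.conf /etc/vpn/
TemplateURL: https://s3.us-east-1.amazonaws.com/example-cfn-templates/stack.yaml
"""

# Constructed HEAD responses standing in for live S3: the first bucket was
# deleted by its original owner, the second is private, the third is public.
_FAKE_STATUS = {
    "example-updates-2017": 404,
    "example-vpn-configs": 403,
    "example-cfn-templates": 200,
}


def fake_head(url):
    """Offline stand-in for _http_head keyed on the bucket name in the URL."""
    name = url.split("://", 1)[1].split(".s3.", 1)[0]
    return _FAKE_STATUS[name]


if __name__ == "__main__":
    for bucket, verdict in audit(SAMPLE, fake_head).items():
        print("%-25s %s" % (bucket, verdict))
    print(owner_pinned_headers("123456789012"))
```

Running audit() with the default _http_head against real artifacts flags every "dangling" name as one to re-create under your own account or remove from the artifact before someone else claims it; adding the expected-owner header (or ExpectedBucketOwner in the SDK) to the client side closes the window even where a stale reference is missed, because S3 refuses to serve a bucket whose owner does not match.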
