Recent research has shed light on the significant threat posed by abandoned cloud storage buckets to Internet security, highlighting a danger that has been largely overlooked until now. According to a study by researchers from watchTowr, bad actors can exploit these neglected digital repositories by re-registering them under their original names and then using them to distribute malware or carry out other malicious activities against unsuspecting users.
The vulnerability of abandoned cloud storage buckets was recently brought to attention by the team at watchTowr, who conducted an investigation following their previous research on expired and abandoned Internet domain names. In their latest study, the researchers identified around 150 Amazon AWS S3 buckets that had been used by various government organizations, Fortune 500 companies, technology firms, cybersecurity vendors, and major open-source projects for software deployment, updates, configurations, and similar purposes, before being abandoned.
To test the potential risks associated with these abandoned S3 buckets, watchTowr decided to register them using their original names and enable logging to monitor the requests made to these resources. Over a two-month period, the researchers were stunned to observe a staggering 8 million file requests coming from a variety of entities, including government agencies, Fortune 100 companies, financial institutions, cybersecurity firms, and more. These requests ranged from software updates to SSL VPN configurations, creating a ripe opportunity for malicious actors to infiltrate these organizations.
The simplicity with which these abandoned S3 buckets were exploited highlights a “terrifyingly simple” cloud cyberattack vector, as pointed out by Benjamin Harris, the CEO of watchTowr. While the study focused on AWS buckets, the underlying risks extend to any abandoned cloud storage resource that can be re-registered under its original name. Harris emphasized the need for cloud service providers like AWS to implement measures preventing the re-registration of such resources using previously used names, thus addressing the vulnerability associated with abandoned infrastructure.
AWS took swift action in response to the identified threat, sinkholing the S3 buckets highlighted by watchTowr to prevent further exploitation. However, the broader issue of abandoned cloud storage resources remains a persistent concern. The company reiterated its commitment to providing guidance to customers on best practices for securing cloud buckets and using unique identifiers to prevent unintended reuse of bucket names. AWS also emphasized the importance of researchers engaging with their security team before conducting any research involving the company’s services.
In conclusion, the research conducted by watchTowr has underscored the critical need for heightened vigilance when it comes to managing cloud resources, particularly those that have been abandoned or neglected. The ease with which malicious actors can exploit these overlooked assets highlights the importance of proactive measures to secure and monitor cloud storage buckets to prevent potential cyber threats. As technology continues to evolve, staying ahead of emerging risks and vulnerabilities will be key in safeguarding the integrity of cloud-based infrastructure and maintaining robust cybersecurity defenses.