CyberSecurity SEE

WatchTowr cautions that abandoned S3 buckets present a risk to the supply chain

Newly released research from WatchTowr has shed light on the ongoing supply chain security risks that abandoned cloud infrastructure, specifically Amazon S3 buckets, continues to present for organizations. The researchers at WatchTowr have cautioned that attackers could exploit abandoned S3 buckets to deploy malicious software updates, deploy remote access tools, or potentially gain access to an entire AWS environment. In their analysis, WatchTowr looked at assets previously owned by a variety of entities, including government organizations, Fortune 500 companies, technology firms, cybersecurity companies, and major open-source projects.

While the focus of the research was on Amazon S3 buckets, the experts at WatchTowr expressed concerns that similar risks could exist with other cloud storage services if assets are left abandoned. The root cause of this issue, as identified by WatchTowr, lies in the ease with which Internet infrastructure can be acquired in today’s digital landscape. With the low cost and minimal effort required to obtain resources like S3 buckets, domain names, or IP addresses, many organizations inadvertently commit to maintaining these assets without fully considering the long-term implications.

The project undertaken by WatchTowr was triggered by the discovery of a dead Amazon S3 link to an advanced persistent threat report published by an unnamed company referred to as “Antivirus and MDR Vendor #1.” Despite the original PDF file being unavailable, the researchers found they could register the S3 bucket and potentially serve malicious content from the domain. During their latest research efforts, WatchTowr uncovered approximately 150 abandoned Amazon S3 buckets that had previously been utilized by a range of entities but had been left dormant for varying periods, some for months and others for years.

Of particular concern, the researchers were still able to register these abandoned S3 buckets, and they were surprised to find that the re-registered buckets received over 8 million HTTP requests in just a two-month period. These requests sought a wide range of resources, including software updates, binary files for various operating systems, virtual machine images, CloudFormation templates, and SSL VPN server configurations. The WatchTowr team warned that bad actors could exploit these requests for malicious purposes, such as deploying ransomware.

WatchTowr stressed that the security risk arises when organizations allow their S3 buckets to decay and eventually abandon them, enabling malicious actors to re-register and exploit these assets. This type of vulnerability, known as “S3 bucket takeover,” is a well-known issue within the cybersecurity community. Other security vendors and researchers have also highlighted the dangers associated with abandoned S3 buckets, with instances of threat actors taking control of dormant buckets to launch supply chain attacks.
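An organization can look for this exposure in its own code and configuration by extracting every S3 bucket reference and comparing it with the buckets it still owns. The sketch below is an added example, not code from WatchTowr or AWS; the sample file contents, the bucket names and the `OWNED` inventory are constructed for illustration.

```python
import re

# Bucket name as it appears in URLs: 3-63 chars, lowercase, digits, dots, hyphens.
_NAME = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
# Global, regional and website-style S3 hostnames.
_ENDPOINT = r"s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com"
_PATTERNS = [
    re.compile(rf"s3://({_NAME})"),                    # s3://bucket/key
    re.compile(rf"https?://({_NAME})\.{_ENDPOINT}"),   # virtual-hosted style
    re.compile(rf"https?://{_ENDPOINT}/({_NAME})"),    # path style
]

def find_bucket_refs(text):
    """Return {bucket: [line numbers]} for every S3 reference in text."""
    refs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in _PATTERNS:
            for m in pat.finditer(line):
                refs.setdefault(m.group(1), []).append(lineno)
    return refs

def audit(text, owned):
    """Return references to buckets that are not in the owned inventory."""
    return {b: lines for b, lines in find_bucket_refs(text).items()
            if b not in owned}

# Constructed sample: an update script and a template fragment in one blob.
SAMPLE = """\
UPDATE_URL="https://acme-updates.s3.us-east-1.amazonaws.com/agent/latest.pkg"
curl -O https://s3.amazonaws.com/acme-legacy-installers/setup.sh
TemplateURL: https://acme-cfn-templates.s3.amazonaws.com/vpc.yaml
aws s3 cp s3://acme-vm-images/base.ova .
"""
# Constructed inventory; assumed to come from the account's own bucket listing.
OWNED = {"acme-updates", "acme-cfn-templates"}

if __name__ == "__main__":
    for bucket, lines in audit(SAMPLE, OWNED).items():
        print(f"review: {bucket} referenced on line(s) {lines}, not in inventory")
```

A flagged bucket is either one the organization deleted while something still points at it, or one owned by a third party whose lifecycle the organization does not control; both call for removing or re-pointing the reference.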

In response to their findings, WatchTowr took the proactive step of contacting affected organizations, including CISA and an unnamed SSL VPN appliance vendor, to address the issues identified. AWS, the cloud provider associated with Amazon S3 buckets, agreed to sinkhole the 150 identified abandoned buckets to mitigate the risk. WatchTowr CEO Benjamin Harris commended AWS and the affected organizations for their swift responses to the research findings, emphasizing the need for collaborative efforts to address supply chain security risks in cloud infrastructure.

Harris also urged AWS to play a more active role in reducing these risks, suggesting that preventing the registration of S3 buckets using names that had been previously used could help eliminate this vulnerability class. While certain mitigations exist within AWS S3 to prevent attacks, Harris believes that additional measures need to be taken to safeguard against abandoned infrastructure exploitation. To further empower AWS customers in reducing their attack surface, Harris outlined key considerations to keep in mind when creating and referencing cloud resources.

In light of the persistent threats posed by abandoned cloud infrastructure, it is essential for organizations to remain vigilant and proactive in managing their assets to prevent malicious exploitation. The research conducted by WatchTowr serves as a stark reminder of the importance of secure cloud practices and the potential risks associated with neglecting abandoned resources. As the digital landscape continues to evolve, collaborative efforts between security researchers, vendors, and cloud providers will be crucial in safeguarding against supply chain vulnerabilities and ensuring a more secure online environment for all users.
