
The researchers discovered some 150 Amazon S3 buckets that were previously used for data storage by commercial and open-source software products. The team spent $420 to register abandoned buckets with the same names and monitored them for two months, logging requests for files.

In total, more than 8 million HTTP requests were received over a two-month period, including requests for software updates, Virtual Machine images, JavaScript files, SSLVPN server configurations, CloudFormation templates, pre-compiled Windows, Linux and macOS binaries, etc.
If these 150 buckets had been registered by malicious actors rather than by an IT security company, they could have been used to deliver malicious content, including nefarious software updates, backdoored Virtual Machine images, malware, and CloudFormation templates giving attackers access to AWS environments.
Request sources included government networks of the United States, United Kingdom, Australia, South Korea, and other countries. To make matters worse, some requests originated from military networks, NASA, unnamed Fortune 100 and Fortune 500 companies, a major payment card network, an industrial company, banks, other financial institutions, universities, instant messenger developers, casinos, and even cybersecurity companies.
“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far – or put more clearly, we would’ve embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant,” – watchTowr.
To prevent further abuse, the researchers notified AWS, Inc. of the problem, and the company took control of the abandoned buckets. In addition, watchTowr contacted government agencies in the US and UK.
However, Amazon representatives didn’t explain why the company hasn’t yet prohibited the reuse of S3 bucket names; experts believe that this would be the easiest way to solve the problem.
“The best solution is to prevent the registration of S3 buckets using names that had been used previously. This approach would entirely kill this vulnerability class (abandoned infrastructure) in the context of AWS S3,” – watchTowr.
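On the consumer side, the same risk can be audited by listing every S3 bucket that your own scripts, templates and pages still reference and comparing it with the buckets you actually hold. The following is an added example, not code from watchTowr or AWS; the sample config lines, bucket names and inventory are constructed, and the inventory is assumed to come from something like `aws s3api list-buckets`.

```python
import re

# Constructed sample: lines as they might appear in deployment scripts or configs.
SAMPLE_CONFIG = """\
UPDATE_URL=https://example-updates.s3.amazonaws.com/agent/latest.msi
TemplateURL: https://s3.us-west-2.amazonaws.com/example-cfn-templates/vpc.yaml
aws s3 cp s3://example-vm-images/base.ova .
<script src="https://example-static.s3.eu-west-1.amazonaws.com/app.js"></script>
"""

# Constructed inventory (assumption: exported from `aws s3api list-buckets`).
OWNED_BUCKETS = {"example-updates", "example-static"}

# S3 bucket names: 3-63 chars, lowercase letters, digits, dots and hyphens.
BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
PATTERNS = [
    # s3://bucket/key URIs
    re.compile(rf"s3://({BUCKET})"),
    # virtual-hosted style: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com
    re.compile(rf"https?://({BUCKET})\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com"),
    # path style: s3.amazonaws.com/bucket, s3.<region>.amazonaws.com/bucket
    re.compile(rf"https?://s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com/({BUCKET})"),
]


def referenced_buckets(text):
    """Return {bucket: [line numbers]} for every S3 reference found in text."""
    found = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in PATTERNS:
            for match in pattern.finditer(line):
                found.setdefault(match.group(1), []).append(lineno)
    return found


def unowned_references(text, owned):
    """References to buckets missing from the inventory: deleted, renamed or third-party."""
    return {b: lines for b, lines in referenced_buckets(text).items() if b not in owned}


if __name__ == "__main__":
    flagged = unowned_references(SAMPLE_CONFIG, OWNED_BUCKETS)
    for bucket, lines in sorted(flagged.items()):
        print(f"review: {bucket} (line {lines}) is referenced but not in the inventory")
```

A flagged name is not necessarily abandoned (it may belong to a vendor), but each one is a reference whose content you do not control and should be reviewed, pinned by checksum, or removed.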
