Abandoned AWS S3 buckets could be used in attacks targeting supply chains

📟 News

Date: 09/02/2025

watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations.

The researchers discovered some 150 Amazon S3 buckets that were previously used for data storage by commercial and open source-software products. The team spent $420 to register abandoned buckets with the same names and monitored them for two months logging requests for files.

In total, more than 8 million HTTP requests were received over a two-month period, including requests for software updates, Virtual Machine images, JavaScript files, SSLVPN server configurations, CloudFormation templates, pre-compiled Windows, Linux and macOS binaries, etc., etc.

If these 150 buckets were registered not by an IT security company, but by malefactors, they could be used to deliver malicious stuff, including nefarious software updates, backdoored Virtual Machine images, malware, and CloudFormation templates giving attackers access to AWS environments.

Request sources included government networks of the United States, United Kingdom, Australia, South Korea, and other countries. Make things worse, some requests originated from military networks, NASA, unnamed Fortune 100 and Fortune 500 companies, a major payment card network, an industrial company, banks, other financial institutions, universities, instant messenger developers, casinos, and even cybersecurity companies.

“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far – or put more clearly, we would’ve embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant,” – watchTowr.

To prevent further abuse, the researchers notified AWS, Inc. of the problem, and it took control of the abandoned buckets. In addition, watchTowr contacted government agencies in the US and UK.

However, Amazon representatives didn’t explain why the company hasn’t yet prohibited the reuse of S3 bucket names: experts believe that this would be the easiest way to solve the problem.

“The best solution is to prevent the registration of S3 buckets using names that had been used previously. This approach would entirely kill this vulnerability class (abandoned infrastructure) in the context of AWS S3,” – watchTowr.

Related posts:
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains

watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…

Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello

Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…

Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin

Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…

Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks

Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…

Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…

Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members

The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…

Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched

Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…

Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts

Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…

Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals

Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…

Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign

According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…

Full article →