
The researchers discovered some 150 Amazon S3 buckets that had previously been used for data storage by commercial and open-source software products. The team spent $420 to register abandoned buckets under the same names and monitored them for two months, logging requests for files.

In total, more than 8 million HTTP requests were received over a two-month period, including requests for software updates, Virtual Machine images, JavaScript files, SSLVPN server configurations, CloudFormation templates, pre-compiled Windows, Linux and macOS binaries, and more.
If these 150 buckets had been registered not by an IT security company but by malicious actors, they could have been used to deliver malicious content, including nefarious software updates, backdoored Virtual Machine images, malware, and CloudFormation templates giving attackers access to AWS environments.
Request sources included government networks of the United States, United Kingdom, Australia, South Korea, and other countries. To make things worse, some requests originated from military networks, NASA, unnamed Fortune 100 and Fortune 500 companies, a major payment card network, an industrial company, banks, other financial institutions, universities, instant messenger developers, casinos, and even cybersecurity companies.
“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far – or put more clearly, we would’ve embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant,” – watchTowr.
To prevent further abuse, the researchers notified AWS, Inc. of the problem, and it took control of the abandoned buckets. In addition, watchTowr contacted government agencies in the US and UK.
However, Amazon representatives didn’t explain why the company hasn’t yet prohibited the reuse of S3 bucket names: experts believe that this would be the easiest way to solve the problem.
“The best solution is to prevent the registration of S3 buckets using names that had been used previously. This approach would entirely kill this vulnerability class (abandoned infrastructure) in the context of AWS S3,” – watchTowr.
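
A defender-side audit for this bug class, as an added example (not code from watchTowr or the original article): it extracts S3 bucket names from configuration and source text in the three common reference forms and flags those missing from an inventory of buckets the organization still owns. The sample text, bucket names and inventory are constructed; in practice the inventory would come from listing the buckets in every account you control.

```python
import re

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots, hyphens.
NAME = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
PATTERNS = [
    # s3://bucket/key URIs (CLI commands, SDK configuration)
    re.compile(rf"s3://({NAME})"),
    # virtual-hosted style: bucket.s3.amazonaws.com, bucket.s3.<region>..., bucket.s3-<region>...
    re.compile(rf"https?://({NAME})\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com"),
    # path style: s3.amazonaws.com/bucket, s3.<region>.amazonaws.com/bucket
    re.compile(rf"https?://s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com/({NAME})"),
]

def bucket_references(text):
    """Return {bucket_name: [line numbers]} for every S3 reference in text."""
    found = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in PATTERNS:
            for match in pattern.finditer(line):
                found.setdefault(match.group(1), []).append(lineno)
    return found

def dangling(text, owned_buckets):
    """Buckets referenced in text that are absent from the owned inventory.

    These are the references that would resolve to whoever registers the
    name next, so each one needs to be removed or the bucket re-claimed.
    """
    refs = bucket_references(text)
    return {b: lines for b, lines in refs.items() if b not in owned_buckets}

# Constructed sample: an update URL, a CloudFormation template URL,
# an installer download and a VM image copy, as in the request types above.
SAMPLE = """\
update_url = "https://acme-updates.s3.amazonaws.com/agent/latest.json"
TemplateURL: https://s3.us-east-1.amazonaws.com/acme-cfn-templates/vpc.yaml
curl -O https://acme-old-installers.s3-eu-west-1.amazonaws.com/setup.exe
aws s3 cp s3://acme-vm-images/base.ova .
"""
OWNED = {"acme-updates", "acme-vm-images"}  # constructed inventory

if __name__ == "__main__":
    for bucket, lines in sorted(dangling(SAMPLE, OWNED).items()):
        print(f"{bucket}: referenced on line(s) {lines}, not in inventory")
```
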
