Abandoned AWS S3 buckets could be used in attacks targeting supply chains

📟 News

Date: 09/02/2025

watchTowr researchers discovered numerous abandoned Amazon S3 buckets that attackers could have used to deliver malware and backdoors to government agencies and large corporations.

The researchers identified some 150 Amazon S3 buckets that had previously been used for data storage by commercial and open-source software products. The team spent $420 to register abandoned buckets under the same names and monitored them for two months, logging requests for files.

In total, more than 8 million HTTP requests were received over the two-month period, including requests for software updates, virtual machine images, JavaScript files, SSL VPN server configurations, CloudFormation templates, and pre-compiled Windows, Linux, and macOS binaries, among other things.

Had these 150 buckets been registered not by an IT security company but by malefactors, they could have been used to deliver malicious content, including nefarious software updates, backdoored virtual machine images, malware, and CloudFormation templates giving attackers access to AWS environments.

Request sources included government networks of the United States, United Kingdom, Australia, South Korea, and other countries. To make things worse, some requests originated from military networks, NASA, unnamed Fortune 100 and Fortune 500 companies, a major payment card network, an industrial company, banks, other financial institutions, universities, instant messenger developers, casinos, and even cybersecurity companies.

“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far – or put more clearly, we would’ve embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant,” – watchTowr.

To prevent further abuse, the researchers notified AWS of the problem, and the company took control of the abandoned buckets. In addition, watchTowr contacted government agencies in the US and UK.

However, Amazon representatives did not explain why the company has not yet prohibited the reuse of S3 bucket names, which experts believe would be the easiest way to solve the problem.

“The best solution is to prevent the registration of S3 buckets using names that had been used previously. This approach would entirely kill this vulnerability class (abandoned infrastructure) in the context of AWS S3,” – watchTowr.
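Until name reuse is blocked on the provider side, the defender's counterpart to this research is knowing which bucket names your own update manifests, templates and install scripts still fetch from. The Python script below is an added example (not watchTowr's tooling or AWS code) that extracts S3 bucket names from the common virtual-hosted-style, path-style and `s3://` URL forms and groups the references per bucket; the sample text and every bucket name in it are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hostnames Amazon S3 uses: "<bucket>.s3.amazonaws.com",
# "<bucket>.s3.<region>.amazonaws.com", legacy "<bucket>.s3-<region>.amazonaws.com"
# and the path-style "s3.amazonaws.com" / "s3.<region>.amazonaws.com".
_S3_HOST = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?"
    r"s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$"
)

def extract_bucket(url: str) -> Optional[str]:
    """Return the S3 bucket name an artifact URL depends on, or None."""
    p = urlparse(url.strip())
    if p.scheme == "s3":
        return p.netloc or None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    m = _S3_HOST.match(p.hostname.lower())
    if not m:
        return None  # not an S3 endpoint (CDN, vendor host, ...)
    if m.group("bucket"):
        return m.group("bucket")
    # Path-style: the bucket is the first path segment.
    parts = [s for s in p.path.split("/") if s]
    return parts[0] if parts else None

def inventory(text: str) -> Dict[str, List[str]]:
    """Map each referenced bucket name to the URLs that fetch from it."""
    found: Dict[str, List[str]] = {}
    for url in re.findall(r"(?:https?|s3)://[^\s\"'<>]+", text):
        bucket = extract_bucket(url)
        if bucket:
            found.setdefault(bucket, []).append(url)
    return found

# Constructed sample: fragments of an update manifest, a CloudFormation
# template, an HTML page and an install script (hypothetical names).
SAMPLE = """
update_url = https://example-vendor-updates.s3.amazonaws.com/agent/latest.msi
TemplateURL: https://s3.us-east-1.amazonaws.com/example-cfn-artifacts/stack.yaml
<script src="https://static.example.com/app.js"></script>
curl -O https://example-vendor-updates.s3.eu-west-1.amazonaws.com/agent/latest.deb
aws s3 cp s3://example-vm-images/base.qcow2 .
"""

if __name__ == "__main__":
    for bucket, urls in sorted(inventory(SAMPLE).items()):
        print(f"{bucket}: {len(urls)} reference(s) - verify it exists and who owns it")
```

Each listed bucket is one to confirm still exists and is held by the account you expect; for buckets you own, S3 requests can additionally pass `ExpectedBucketOwner` so the call fails if the bucket belongs to another account.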
