The researchers discovered some 150 Amazon S3 buckets that were previously used for data storage by commercial and open source-software products. The team spent $420 to register abandoned buckets with the same names and monitored them for two months logging requests for files.
In total, more than 8 million HTTP requests were received over a two-month period, including requests for software updates, Virtual Machine images, JavaScript files, SSLVPN server configurations, CloudFormation templates, pre-compiled Windows, Linux and macOS binaries, etc., etc.
If these 150 buckets were registered not by an IT security company, but by malefactors, they could be used to deliver malicious stuff, including nefarious software updates, backdoored Virtual Machine images, malware, and CloudFormation templates giving attackers access to AWS environments.
Request sources included government networks of the United States, United Kingdom, Australia, South Korea, and other countries. Make things worse, some requests originated from military networks, NASA, unnamed Fortune 100 and Fortune 500 companies, a major payment card network, an industrial company, banks, other financial institutions, universities, instant messenger developers, casinos, and even cybersecurity companies.
“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far – or put more clearly, we would’ve embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant,” – watchTowr.
To prevent further abuse, the researchers notified AWS, Inc. of the problem, and it took control of the abandoned buckets. In addition, watchTowr contacted government agencies in the US and UK.
However, Amazon representatives didn’t explain why the company hasn’t yet prohibited the reuse of S3 bucket names: experts believe that this would be the easiest way to solve the problem.
“The best solution is to prevent the registration of S3 buckets using names that had been used previously. This approach would entirely kill this vulnerability class (abandoned infrastructure) in the context of AWS S3,” – watchTowr.
