Security researchers at WatchTowr have uncovered a widespread security risk arising from abandoned Amazon S3 storage buckets, demonstrating how attackers could have leveraged them to distribute malicious software updates, manipulate infrastructure deployments, and compromise networks across government, military, financial, and cybersecurity sectors. The scale of the issue, the researchers argue, could have made past supply chain attacks — such as the infamous SolarWinds compromise — seem minuscule in comparison.
In November 2024, WatchTowr researchers set out to examine the security risks of abandoned cloud infrastructure. While their previous work had focused on expired domains, this time they turned their attention to cloud storage, specifically Amazon S3 buckets. The researchers identified 150 abandoned S3 buckets that had previously been used by major organizations for software distribution, infrastructure deployment, and update pipelines. S3 bucket names are global, and once a bucket is deleted its name is free for anyone to take; the researchers simply created new buckets under the abandoned names and logged the requests that still arrived.
Over a two-month period, these S3 buckets received more than 8 million HTTP requests from high-profile networks, including government agencies (NASA, CISA, state governments across the U.S., U.K., Poland, Australia, and more), military networks, Fortune 100 and Fortune 500 corporations, major financial institutions, cybersecurity vendors, universities, and research institutions.
The nature of these requests revealed an alarming truth — numerous organizations were still relying on long-abandoned cloud storage locations to download software updates, deployment configurations, and critical binaries. By simply responding to these requests with malicious versions of the expected files, attackers could have compromised thousands of machines and networks without requiring advanced nation-state-level resources.
The implications of this vulnerability extended across multiple attack vectors, including:
- Poisoned software updates: Security and productivity software — including macOS apps using the Sparkle update framework — were still pulling updates from abandoned S3 buckets. Attackers could replace these with malicious versions, leading to silent malware infections.
- CloudFormation template hijacking: Major SSLVPN appliance vendors stored deployment scripts in abandoned S3 buckets. By replacing them with altered configurations, attackers could have gained privileged access to AWS environments.
- Backdoored virtual machine images: Several organizations fetched pre-built virtual machine images from now-uncontrolled storage. Attackers could have injected persistent malware at the OS level.
- CI/CD pipeline compromise: Build tools such as Gradle and Maven resolved dependencies from abandoned buckets, exposing entire software development pipelines to supply chain compromise.
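The common root of every vector above is a client that trusts a bucket name as if it were an identity. The script below, added here as an example and not WatchTowr's own tooling, does the check a defender would run on their own side: harvest S3 bucket names from update manifests, templates, repository settings or proxy logs, then ask S3 whether each name still exists. A HEAD request to `https://<bucket>.s3.amazonaws.com/` answers 404 (NoSuchBucket) when the name is free to claim, and 403, 200 or a redirect when it belongs to someone. The inventory lines and bucket names are constructed for the demo; `--live` reads real text from stdin and probes S3 over the network.

```python
"""Find S3 bucket names referenced by your own configs that no longer exist.

Added example (not WatchTowr code). SAMPLE and FAKE_STATUS are constructed
test data; probe_bucket() talks to S3 and is only used with --live.
"""
import re
import sys
import urllib.error
import urllib.request

# Bucket name as used in URLs: 3-63 chars of lowercase letters, digits, dots, hyphens.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# Virtual-hosted style: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# bucket.s3-<region>.amazonaws.com
VHOST_RE = re.compile(
    r"https?://" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com(?:/|$)", re.I
)
# Path style: s3.amazonaws.com/bucket/..., s3.<region>.amazonaws.com/bucket/...
PATH_RE = re.compile(
    r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _NAME + r"(?:/|$)", re.I
)

SAMPLE = """
# constructed inventory, not observed traffic
https://acme-updates.s3.amazonaws.com/appcast.xml             # Sparkle appcast
https://s3.us-east-1.amazonaws.com/acme-vpn-deploy/cfn.yaml   # CloudFormation template
https://acme-images.s3.eu-west-1.amazonaws.com/base.ova       # VM image
https://acme-maven.s3-ap-southeast-2.amazonaws.com/releases/  # Maven repository
"""

# Constructed HEAD results standing in for S3 during the offline demo.
FAKE_STATUS = {"acme-updates": 404, "acme-vpn-deploy": 403,
               "acme-images": 200, "acme-maven": 404}


def extract_buckets(text):
    """Return bucket names referenced in text, de-duplicated, in order found."""
    found = []
    for regex in (VHOST_RE, PATH_RE):
        for m in regex.finditer(text):
            name = m.group(1).lower()
            if name not in found:
                found.append(name)
    return found


def classify(status):
    """Map the HTTP status of HEAD https://<bucket>.s3.amazonaws.com/ to a verdict.

    404 = NoSuchBucket: the name is unowned and anyone can create it.
    403/200 = bucket exists (private / listable); 301/307 = exists in another region.
    400 = S3 rejected the name itself (e.g. legacy uppercase names).
    """
    if status == 404:
        return "CLAIMABLE"
    if status in (200, 301, 307, 403):
        return "exists"
    if status == 400:
        return "invalid-name"
    return "unknown"


def probe_bucket(name, timeout=10):
    """Live check: HEAD the bucket's global endpoint, return the HTTP status."""
    req = urllib.request.Request(f"https://{name}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status          # urllib follows redirects; any 2xx means it exists
    except urllib.error.HTTPError as err:
        return err.code                 # 403/404/400 arrive here


def audit(text, prober):
    """Return {bucket: verdict} for every bucket referenced in text."""
    return {name: classify(prober(name)) for name in extract_buckets(text)}


def demo():
    """Offline run over the constructed SAMPLE using FAKE_STATUS as the prober."""
    return audit(SAMPLE, lambda name: FAKE_STATUS.get(name, 404))


if __name__ == "__main__":
    if "--live" in sys.argv:
        results = audit(sys.stdin.read(), probe_bucket)   # real S3 lookups
    else:
        results = demo()
    for bucket, verdict in results.items():
        print(f"{verdict:12} {bucket}")
```

Run it as `python audit_s3_refs.py --live < harvested_urls.txt` against anything you ship or deploy that names a bucket. Finding a claimable name is only half the job: a hijacked bucket can still serve nothing useful if the client verifies what it fetches rather than where it came from, for example Sparkle's EdDSA-signed appcasts, Gradle's dependency verification metadata, or checksummed VM images.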
The breadth of the issue suggests that many organizations fail to properly decommission cloud-based storage, leaving critical infrastructure exposed long after they have moved on to new systems.
Once WatchTowr realized the extent of the issue, they engaged with cybersecurity authorities and affected vendors to mitigate the risk. Organizations such as AWS, CISA, and the U.K.'s NCSC collaborated with WatchTowr to sinkhole the affected S3 buckets, preventing further exploitation. Major vendors, including a global SSLVPN provider, worked swiftly to regain control of the abandoned infrastructure.
AWS has since taken ownership of the affected bucket names so that they cannot be re-created by a third party. However, the underlying issue, widespread reliance on abandoned infrastructure, remains an industry-wide problem.