Abandoned S3 buckets could have caused a catastrophic supply chain attack – and all at a cost of just $400
Researchers think they just uncovered what could’ve caused the mother of all supply chain attacks
Abandoned cloud storage buckets were ripe to be taken over by cyber criminals and used to conduct a supply chain attack that would have dwarfed the 2020 SolarWinds incident, according to new research.
A report from watchTowr Labs demonstrated how attackers could potentially exploit unused cloud storage buckets to gain access to sensitive networks of national governments, militaries, and major enterprises.
One researcher at watchTowr Labs noticed that a number of organizations around the world had deleted Amazon S3 buckets without realizing that the buckets in question were still being referenced by third-party applications.
Looking into this, watchTowr found that by re-registering the same bucket names, it was able to receive any requests still being sent to them.
“Naturally, we registered them, just to see what would happen – ‘how many people are really trying to request software updates from S3 buckets that appear to have been abandoned months or even years ago?’, we naively thought to ourselves,” the report detailed.
The report noted that it was certain this type of attack is applicable to a range of cloud-hosted storage services, but that Amazon’s S3 option happened to be “the first storage solution we thought of”.
The team spent just over $400 registering around 150 Amazon S3 buckets and enabled logging so they could track who was requesting files from each, as well as what they were requesting – and the results were very surprising.
WatchTowr found these buckets, long forgotten by the entities that originally set them up, were still receiving thousands of requests.
The report stated that over a two month period, the S3 buckets received more than 8 million HTTP requests for a number of things including software updates, unsigned pre-compiled OS binaries, VM images, JavaScript files, CloudFormation templates, SSLVPN server configurations, and more.
A potential attacker who controlled the buckets could have answered these requests with malicious content: serving VM images that backdoor the network with remote access tools (RATs), delivering ransomware in place of the requested binaries, or supplying a CloudFormation template that grants access to the victim’s AWS environment.
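The report's method of enabling logging and looking at who requested which files is also the check a bucket owner should run before deleting a bucket, or after discovering an old name is still referenced. The following is an added example, not watchTowr's or AWS's code: it parses S3 server access log records (the space-delimited format with bracketed timestamps and quoted request/user-agent fields), maps each requested key to the clients still asking for it, and flags keys whose suffix suggests the consumer executes or deploys the content, the artifact types the report lists. The sample log lines, bucket name, owner id and addresses are constructed.

```python
"""Summarise S3 server access logs to see what still depends on a bucket.

Added example, not watchTowr's or AWS's code. Defender's use: before deleting a
bucket (or after discovering one still referenced), enable server access logging
and look at who is fetching which keys. The log lines below are constructed.
"""
import re
from dataclasses import dataclass

# One token is a bracketed timestamp, a double-quoted string, or a run of non-space.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Leading fields of the space-delimited S3 server access log format; newer
# records append more fields (host id, TLS version, ...) which are ignored here.
_FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
           "operation", "key", "request_uri", "status", "error_code", "bytes_sent",
           "object_size", "total_time", "turnaround", "referer", "user_agent",
           "version_id")

# Suffixes of content a consumer typically executes or deploys as-is: the kinds
# of artifacts the report saw requested (binaries, VM images, JS, templates).
RISKY_SUFFIXES = (".exe", ".msi", ".dll", ".sh", ".bin", ".ova", ".vmdk",
                  ".js", ".yaml", ".yml", ".json")


@dataclass(frozen=True)
class AccessRecord:
    remote_ip: str
    requester: str   # "-" means an anonymous (unsigned) request
    operation: str   # e.g. REST.GET.OBJECT, REST.HEAD.BUCKET
    key: str         # "-" for bucket-level operations
    status: int
    user_agent: str


def parse_line(line: str) -> AccessRecord:
    toks = _TOKEN.findall(line)
    if len(toks) < len(_FIELDS):
        raise ValueError(f"short access log record: {line!r}")
    rec = dict(zip(_FIELDS, toks))
    return AccessRecord(
        remote_ip=rec["remote_ip"],
        requester=rec["requester"],
        operation=rec["operation"],
        key=rec["key"],
        status=int(rec["status"]),
        user_agent=rec["user_agent"].strip('"'),
    )


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def dependents_by_key(records) -> dict:
    """Map each requested object key to the set of client IPs asking for it.
    404s count too: a client asking for a missing key still proves a dependency
    that a bucket under someone else's control could satisfy."""
    deps = {}
    for r in records:
        if r.operation == "REST.GET.OBJECT":
            deps.setdefault(r.key, set()).add(r.remote_ip)
    return deps


def risky_keys(deps: dict) -> list:
    """Keys whose suffix suggests the consumer will execute or deploy the content."""
    return sorted(k for k in deps if k.lower().endswith(RISKY_SUFFIXES))


# Constructed sample records (RFC 5737 test addresses, fictitious bucket and owner id).
SAMPLE_LOG = """\
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-updates-bucket [03/Feb/2025:10:15:01 +0000] 203.0.113.7 - 3E57427F3EXAMPLE REST.GET.OBJECT updates/agent-2.4.1.exe "GET /updates/agent-2.4.1.exe HTTP/1.1" 200 - 1048576 1048576 45 12 "-" "AgentUpdater/2.4.0" -
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-updates-bucket [03/Feb/2025:10:15:09 +0000] 198.51.100.22 - 7A1B2C3D4EXAMPLE REST.GET.OBJECT updates/agent-2.4.1.exe "GET /updates/agent-2.4.1.exe HTTP/1.1" 200 - 1048576 1048576 51 10 "-" "AgentUpdater/2.4.0" -
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-updates-bucket [03/Feb/2025:10:16:30 +0000] 203.0.113.7 - 9F8E7D6C5EXAMPLE REST.GET.OBJECT templates/vpc-stack.yaml "GET /templates/vpc-stack.yaml HTTP/1.1" 404 NoSuchKey - - 9 - "-" "aws-cli/2.15.0" -
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-updates-bucket [03/Feb/2025:10:17:00 +0000] 192.0.2.44 - 1C2D3E4F5EXAMPLE REST.GET.OBJECT static/app.js "GET /static/app.js HTTP/1.1" 200 - 20480 20480 8 3 "https://portal.example/" "Mozilla/5.0" -
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-updates-bucket [03/Feb/2025:10:18:00 +0000] 203.0.113.7 - 5A6B7C8D9EXAMPLE REST.HEAD.BUCKET - "HEAD / HTTP/1.1" 200 - - - 4 - "-" "S3Console/0.4" -
"""

if __name__ == "__main__":
    deps = dependents_by_key(parse_log(SAMPLE_LOG))
    for key in risky_keys(deps):
        print(f"{key}: still requested by {len(deps[key])} client(s)")
```

A bucket whose logs show any such traffic is not safe to delete: the consumers must be repointed or the name retained, since once the name is released whoever registers it next answers those requests.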
Critical blind spot in cloud security could have been “devastating”
WatchTowr noted that many of these requests came from important organizations, including government networks in the US, UK, Poland, Australia, South Korea, Turkey, Taiwan, and Chile, as well as military networks, Fortune 500 companies, a “major payment card network”, and a number of global and regional banks.
The report stated the fallout from an attack leveraging this technique could have been potentially catastrophic, comparing it to the 2020 SolarWinds attack, which compromised a number of significant entities including the US Department of Homeland Security (DHS).
“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far - or put more clearly, we would've embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant.”
Speaking to ITPro, Dray Agha, senior manager of security operations at Huntress, described the issue covered in the report as a ‘critical blind spot in cloud security’, stating that it could have underpinned a ‘massive’ supply chain attack if exploited by threat actors.
“The research highlights a critical blind spot in cloud security—abandoned object storage can become a silent yet devastating supply chain attack vector,” Agha said.
“If threat actors had discovered and exploited these buckets first and compromised these upstream sources to deliver malice, the downstream consequences could have been catastrophic, affecting governments, financial institutions, and critical infrastructure.”
“This research proves that a single, forgotten cloud bucket can become a ticking time bomb. If attackers had seized this opportunity first, we’d be talking about a massive supply chain attack(s).”
WatchTowr added that before publishing the report it informed AWS, who sinkholed the buckets used in the demonstration to ensure this type of attack could not be replicated.
A spokesperson for AWS told ITPro the cloud computing giant acted swiftly after being informed of the issue.
“AWS services and infrastructure are operating as expected. The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications,” the spokesperson said.
“After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created.”
The spokesperson noted that AWS provides best-practice guidance to help customers keep their storage secure. This includes using unique identifiers when creating bucket names to prevent “unintended reuse”.
“In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names,” they added.
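The two controls the spokesperson describes can both be put into code on the consuming side. The following is an added example, not AWS's or watchTowr's code. `ExpectedBucketOwner` is the real boto3 parameter for the S3 bucket owner condition (the `x-amz-expected-bucket-owner` header), under which S3 refuses the request with a 403 when the bucket belongs to any account other than the one given, so a name that was released and re-registered elsewhere cannot serve you its contents. The function names `fetch_pinned` and `unique_bucket_name`, the account id and the bucket names are this example's own; a live call needs boto3 and credentials, while an injected client lets the logic run offline.

```python
"""Two consumer-side controls against bucket-name reuse (added example, not AWS code).

- fetch_pinned: download only if the bucket is owned by the expected account,
  using the S3 bucket owner condition (boto3 parameter ExpectedBucketOwner).
- unique_bucket_name: create names nobody else is likely to have used or guess.
"""
import re
import secrets

_ACCOUNT_ID = re.compile(r"^\d{12}$")
# S3 general-purpose bucket naming rules: 3-63 chars, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
_BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


class BucketOwnerMismatch(Exception):
    """S3 refused the request because the bucket owner is not the expected account."""


def validate_account_id(account_id: str) -> str:
    """Refuse anything but a 12-digit account id so an empty or malformed
    owner never silently weakens the check."""
    if not isinstance(account_id, str) or not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return account_id


def is_owner_mismatch(response: dict) -> bool:
    """True for the 403/AccessDenied the owner condition produces. An ordinary
    permission error looks the same, so either means 'do not trust this bucket'."""
    status = response.get("ResponseMetadata", {}).get("HTTPStatusCode")
    code = response.get("Error", {}).get("Code")
    return status == 403 or code == "AccessDenied"


def fetch_pinned(bucket: str, key: str, expected_owner: str, client=None) -> bytes:
    """GET an object only if `bucket` is owned by `expected_owner`.
    `client` is any object with boto3's get_object signature; when None a real
    boto3 S3 client is created (assumes boto3 is installed and credentials exist)."""
    owner = validate_account_id(expected_owner)
    if client is None:
        import boto3
        client = boto3.client("s3")
    try:
        resp = client.get_object(Bucket=bucket, Key=key, ExpectedBucketOwner=owner)
    except Exception as exc:  # botocore's ClientError carries the parsed response
        details = getattr(exc, "response", None)
        if isinstance(details, dict) and is_owner_mismatch(details):
            raise BucketOwnerMismatch(
                f"{bucket!r} is not owned by account {owner} (or not readable)") from exc
        raise
    return resp["Body"].read()


def unique_bucket_name(prefix: str, random_bytes: int = 8) -> str:
    """A readable prefix plus a random hex suffix, checked against S3 naming
    rules, so the name is neither guessable nor already taken by someone else."""
    name = f"{prefix.lower()}-{secrets.token_hex(random_bytes)}"
    if not _BUCKET_NAME.match(name):
        raise ValueError(f"invalid S3 bucket name: {name!r}")
    return name


if __name__ == "__main__":
    print(unique_bucket_name("example-updates"))
    # A live download pinned to an owner would look like (constructed values):
    # data = fetch_pinned("example-updates-bucket", "updates/agent.exe", "123456789012")
```

Pinning the owner protects the consumer even when the bucket name itself cannot be changed; the random suffix protects the owner by making the name unattractive to reuse. Neither replaces signing and verifying the artifacts that are downloaded, which the report notes many of the requested binaries lacked.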

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.