Recent research has uncovered a significant yet often unnoticed security risk associated with abandoned cloud storage buckets, which could have severe implications for Internet security.
The danger arises when cybercriminals manage to find these neglected digital assets, re-register them under their original names, and exploit them to disseminate malware or execute other nefarious actions targeted at users attempting to access files from these buckets.
A Far From Theoretical Threat
Researchers from watchTowr have highlighted that this threat is far more than just a theoretical concern; it is notably simple to exploit. Their latest findings are a continuation of previous investigations into vulnerabilities linked to expired and abandoned Internet domain names.
In their new study, the team searched online for Amazon AWS S3 buckets that had been mentioned in deployment code or as part of a software update process. They aimed to determine whether these mechanisms were accessing unsigned or unverified software from the archived S3 buckets. This analysis led them to uncover roughly 150 S3 buckets previously utilized by government agencies, Fortune 500 companies, technology firms, and other major projects, all of which had been abandoned.
To explore this further, watchTowr registered these unused buckets under their original names for a modest fee and implemented logging to track file requests. Over a two-month observation period, they were astonished to document around 8 million requests made by users seeking access to these abandoned resources, many of which could have been maliciously fulfilled.
Among those attempting to access files were several government entities from the US, UK, Australia, and other nations, Fortune 100 companies, a prominent payment card corporation, a manufacturing entity, various banks, and cybersecurity firms.
WatchTowr researchers stated, “We were not ‘sniping’ S3 buckets as they were deleted, nor employing any ‘advanced’ technique to register these S3 buckets. We just typed the name into the input box and clicked register with ease.”
The analysis highlighted that the requests to the S3 buckets involved various file types, including software updates, unsigned executable binaries for Windows, Linux, and macOS, virtual machine images, JavaScript files, configurations for SSL VPNs, and CloudFormation templates used for managing AWS cloud services via code.
Had the researchers been inclined, they could have easily responded to these requests with a malicious update or other harmful scripts, potentially compromising the requesting organizations.
A ‘Terrifyingly Simple’ Cloud Cyberattack Vector?
Benjamin Harris, CEO of watchTowr, emphasized a critical takeaway: “The vulnerability presents a disturbingly straightforward method for attackers to conduct major supply chain assaults akin to the SolarWinds incident by exploiting this largely overlooked class of vulnerabilities linked to abandoned infrastructure.”
While their findings were centered on AWS buckets, the researchers suggested that this threat could extend to any abandoned cloud storage whose names can be re-registered, revealing a broader concern for cloud security.
Harris elaborated, “This is not specifically an AWS issue. However, it is crucial for AWS clients to recognize that once a cloud resource is created and referenced in any manner—such as in software updates or deployment instructions—that reference remains indefinitely.”
The watchTowr team has attempted to urge AWS to address this issue by disallowing the re-registration of S3 buckets that had been previously utilized.
“We have consistently expressed our belief to the AWS teams that the most logical remedy for this vulnerability is to prohibit the registration of S3 buckets with names that were previously in use,” he noted. Eliminating the possibility of reusing old names could effectively neutralize this class of vulnerability related to abandoned resources.
“There are certainly debates regarding usability, including factors related to transferring S3 buckets across accounts. Nevertheless, we question whether these concerns outweigh the serious risks we have uncovered through our research.”
AWS Responds to Abandoned S3 Bucket Threat
In response, AWS took immediate action by sinkholing the S3 buckets identified by watchTowr, rendering the highlighted attack scenarios ineffective for those specific resources, although the underlying issue persists.
An AWS spokesperson commented, “The situations discussed occurred when customers deleted S3 buckets still referenced by third-party applications.” After learning about the research conducted without prior notice to them, AWS blocked the identified buckets from being re-created to safeguard its clients.
The spokesperson highlighted AWS’s commitment to educating users on proper practices regarding cloud bucket management and suggested using unique identifiers when creating bucket names to prevent their unintended reuse. Furthermore, AWS has introduced features like the bucket ownership condition to help mitigate such risks.
Lastly, AWS encouraged researchers to engage with their security team prior to undertaking studies involving their services.
Source: www.darkreading.com