Abandoned AWS S3 buckets can be abused for supply-chain attacks.
In a report, researchers from British security start-up watchTowr Labs say that about 150 former S3 buckets, once used by governments and large companies, had been left accessible without anyone noticing. Meanwhile, applications and websites were still trying to fetch software updates and files from these locations.
Bucket reuse soon to be banned?
The researchers re-registered these abandoned buckets for just $420 and saw over eight million requests in two months, from government networks (such as NASA), military networks and Fortune 500 companies, among others. The requests were for critical files such as Windows and Linux executables, JavaScript code and VPN configurations.
According to watchTowr, it is “frighteningly simple” to carry out such an attack: an attacker need only re-register an abandoned bucket and place their own malware in it. Verifying updates before installing them would defeat this, but such verification often appears to be poorly implemented or missing.
Amazon tells The Register that its services are functioning correctly and points to the use of unique IDs in bucket names to mitigate this type of risk. watchTowr, however, continues to advocate a blanket ban on reusing old bucket names to permanently close this vulnerability.
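The mitigation the report alludes to, verifying a downloaded update against a digest pinned in the client rather than trusting whatever the bucket currently serves, is illustrated below. This is an added example, not code from watchTowr or from any affected updater; the bucket URL, the update payloads and the pinned digest are all constructed for the demonstration, and `fetch` is a stand-in for whatever HTTP client the real updater uses.

```python
import hashlib
import hmac
from typing import Callable, Optional, Tuple

# Constructed sample data. In a real updater the pinned digest (or a signing
# key) ships with the installed software and is never fetched from the same
# location as the update itself; otherwise whoever controls the bucket also
# controls the "expected" value.
UPDATE_URL = "https://example-bucket.s3.amazonaws.com/agent/update-v2.sh"  # hypothetical
GENUINE_UPDATE = b"#!/bin/sh\necho 'legitimate update v2.0'\n"             # constructed
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()

# Constructed payload standing in for content served after the bucket name
# has been re-registered by a third party.
REPLACED_UPDATE = b"#!/bin/sh\necho 'served by the new bucket owner'\n"  # constructed

Fetcher = Callable[[str], bytes]


class UpdateVerificationError(Exception):
    """Raised when a downloaded update does not match the pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_and_verify(fetch: Fetcher, url: str, expected_sha256: str) -> bytes:
    """Download an update and return its bytes only if the SHA-256 matches.

    The comparison is constant-time and happens before the payload is handed
    to anything that could execute or unpack it. Note that the URL itself
    (including the bucket name) is not treated as evidence of authenticity:
    the point of the report is that the name can change hands.
    """
    data = fetch(url)
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256):
        raise UpdateVerificationError(
            f"digest mismatch for {url}: expected {expected_sha256}, got {actual}"
        )
    return data


def try_update(fetch: Fetcher, url: str, expected_sha256: str) -> Tuple[bool, Optional[bytes]]:
    """Wrapper returning (accepted, payload) so callers can log and alert on rejects."""
    try:
        return True, fetch_and_verify(fetch, url, expected_sha256)
    except UpdateVerificationError:
        # A rejected update from a URL the client has used before is exactly the
        # signal a defender wants: either the publisher changed the file without
        # updating the pin, or the storage location is no longer under their control.
        return False, None


def fake_s3_fetch(served: dict) -> Fetcher:
    """Build an offline fetcher that serves constructed bucket contents."""
    def fetch(url: str) -> bytes:
        if url not in served:
            raise KeyError(f"no object at {url}")
        return served[url]
    return fetch


# Scenario 1: the bucket is still owned by the publisher and serves the genuine file.
publisher_fetch = fake_s3_fetch({UPDATE_URL: GENUINE_UPDATE})

# Scenario 2: same URL, but the bucket name has been re-registered and now serves
# different content. The digest check rejects it regardless of who owns the name.
reregistered_fetch = fake_s3_fetch({UPDATE_URL: REPLACED_UPDATE})


if __name__ == "__main__":
    ok, payload = try_update(publisher_fetch, UPDATE_URL, PINNED_SHA256)
    print("genuine bucket:", "accepted" if ok else "rejected")
    ok, payload = try_update(reregistered_fetch, UPDATE_URL, PINNED_SHA256)
    print("re-registered bucket:", "accepted" if ok else "rejected")
```

A pinned hash only protects a single known release; a production updater would instead pin a publisher signing key and verify a signed manifest of per-file digests, which is the same check generalised to releases the client has not seen yet. Either way the property that matters is the one the example shows: the decision to install never depends on the bucket name still belonging to the publisher.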