Abandoned AWS S3 Buckets Pose Major Cybersecurity Risk

Need some FUD to illustrate the hidden dangers of abandoned cloud resources and the potential for supply chain attacks? This article is for you!

 

Recent research reveals that abandoned AWS S3 buckets pose a significant cybersecurity risk, as malicious actors can re-register these unused storage resources under their original names to execute attacks, such as delivering malware through software updates. The study identified 150 neglected S3 buckets previously used by major organizations for software deployment and other purposes. When researchers registered these buckets, they received 8 million file requests in two months from various high-profile entities, indicating the potential for malicious exploitation. Although AWS intervened to mitigate the specific risks, the underlying issue persists, emphasizing the need for organizations to manage cloud resources diligently and understand the permanence of references in deployment code.

 

Key Facts

Risks: Shadow IT/Exposed Assets, Supply Chain, Malware

Keywords: AWS S3, cloud storage, supply chain attack, abandoned buckets, malware delivery

CVE: N/A

Affected: AWS S3, US government agencies, UK government agencies, Australian government agencies, Fortune 100 companies, a major payment card network, an industrial product company, global banks, regional banks, cybersecurity companies

Article Body

Abandoned AWS S3 Buckets: A Hidden Cybersecurity Threat

Recent research has uncovered a significant cybersecurity risk associated with abandoned AWS S3 buckets. These storage resources, when left unused and unmonitored, can become attractive targets for malicious actors. By re-registering these abandoned S3 buckets under their original names, attackers can exploit them to deliver malware or conduct other harmful activities.

How the Exploit Works

The risk primarily arises when organizations fail to properly manage their cloud storage assets. Bad actors can search for references to AWS S3 buckets in deployment code or software update mechanisms. If they find that these references point to unverified or unsigned executables, they can re-register the abandoned buckets and use them to distribute malicious files. This technique can lead to severe consequences, similar to the infamous SolarWinds supply chain attack.

Findings from the Study

In the study, researchers identified approximately 150 S3 buckets that had been previously utilized by various organizations, including government agencies, Fortune 500 companies, and open source projects, for software deployment and updates. Once these buckets were abandoned, researchers re-registered them for a nominal cost of around $400. They enabled logging to track file requests and discovered an astonishing volume of 8 million requests over two months.

Who Is Affected?

The requests originated from a wide array of high-profile entities, such as government agencies in the US, UK, and Australia, Fortune 100 companies, a major payment card network, banks, and cybersecurity firms. The files requested ranged from software updates to virtual machine images and SSL VPN configurations.

Potential Risks and Impact

If exploited, these abandoned buckets could be used to send backdoored software updates or compromised virtual machine images. The attackers could potentially gain unauthorized access to the AWS environments of the organizations requesting files, leading to data breaches or further attacks.

Broader Implications

While the focus of this study was on AWS S3 buckets, the risk extends to any cloud storage resources that are abandoned and can be re-registered. It highlights the importance of proper cloud resource management and the need for organizations to be aware of persistent references in their deployment code.

AWS has since acted to mitigate the specific risks identified by the researchers by sinkholing the re-registered buckets, but the broader issue remains. Organizations must be vigilant in managing their cloud assets to prevent such vulnerabilities from being exploited.
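
One way to audit for the persistent references described above, as an added example that is not from the article or the underlying research: the Python below extracts S3 bucket names from deployment text (s3:// URIs, virtual-hosted and path-style URLs) and flags any that are missing from an inventory of buckets the organization still owns. The sample script, the bucket names and the `OWNED` inventory are constructed for illustration.

```python
import re

# Bucket-name shape (3-63 chars, lowercase letters, digits, dots, hyphens).
_BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
_PATTERNS = [
    # s3://bucket/key
    re.compile(rf"s3://({_BUCKET})"),
    # virtual-hosted: bucket.s3.amazonaws.com, bucket.s3.<region>..., bucket.s3-<region>...
    re.compile(rf"https?://({_BUCKET})\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com"),
    # path-style: s3.amazonaws.com/bucket/key, s3.<region>.amazonaws.com/bucket/key
    re.compile(rf"https?://s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com/({_BUCKET})"),
]

def find_bucket_refs(text):
    """Return {bucket_name: [line numbers]} for every S3 reference in text."""
    refs = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in _PATTERNS:
            for match in pattern.finditer(line):
                refs.setdefault(match.group(1), []).append(lineno)
    return refs

def dangling_refs(text, owned_buckets):
    """References to buckets that are NOT in the organization's own inventory.

    Each hit is a name someone else could hold: fix or remove the reference,
    or verify the download (signature or pinned hash) before it is used.
    """
    owned = set(owned_buckets)
    return {b: lines for b, lines in find_bucket_refs(text).items() if b not in owned}

# Constructed sample deployment script (not taken from the article).
SAMPLE_DEPLOY_SCRIPT = """\
#!/bin/sh
# install agent and helpers
curl -fsSL https://acme-agent-releases.s3.amazonaws.com/agent-latest.tar.gz | tar xz
aws s3 cp s3://acme-build-artifacts/installer.pkg /tmp/installer.pkg
wget https://s3.us-west-2.amazonaws.com/acme-legacy-tools/bootstrap.sh
curl -O https://acme-agent-releases.s3-eu-west-1.amazonaws.com/agent.sig
"""

# Assumed inventory: the buckets the organization currently owns.
OWNED = {"acme-build-artifacts"}

if __name__ == "__main__":
    for bucket, lines in sorted(dangling_refs(SAMPLE_DEPLOY_SCRIPT, OWNED).items()):
        print(f"{bucket}: referenced on line(s) {lines}, not in inventory")
```

In practice the inventory would come from the organization's own account listing, and the scan would run over repositories, installers and infrastructure templates before any bucket is deleted.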

 

Read More

https://www.darkreading.com/remote-workforce/abandoned-aws-cloud-storage-cyberattack-vector