Researchers at WatchTowr Labs recently uncovered a critical security vulnerability in abandoned Amazon Web Services (AWS) S3 buckets that could lead to large-scale cyberattacks, potentially surpassing the impact of the SolarWinds breach. The vulnerability arises from the unique nature of AWS S3 bucket names, which become available for reuse once a bucket is deleted. WatchTowr discovered approximately 150 abandoned S3 buckets, once used by governments, Fortune 500 companies, cybersecurity firms, and open-source projects, that were still being queried for software updates, binaries, and other critical resources. By re-registering these buckets under the same names, attackers could distribute malicious payloads to any system attempting to access these outdated resources.
The vulnerability was demonstrated when WatchTowr researchers re-registered abandoned buckets for just $420.85 and observed over eight million HTTP requests originating from sensitive networks, including U.S. government agencies like NASA, military organizations, universities, and financial institutions. These requests involved various critical resources, such as software binaries, virtual machine images, JavaScript files, and CloudFormation templates. The attackers could exploit this flaw to inject malicious code, deploy ransomware, or gain unauthorized access to sensitive systems by distributing backdoored software updates or compromised virtual machine images.
WatchTowr’s findings reveal that many of the abandoned buckets were integral to critical infrastructure, including military and government systems, which highlights the risk posed by neglected cloud resources. The researchers suggest that the reuse of bucket names should be prevented by AWS to mitigate the risk of these supply chain attacks. This oversight allows attackers to distribute harmful content without detection, especially when the original content is no longer maintained or updated.
The experiment underscores the importance of securing cloud-hosted resources, both active and retired, to avoid exploitation by malicious actors.
As the threat of supply chain attacks grows, with Gartner predicting a threefold increase by 2025, organizations must take proactive steps to secure their cloud assets. WatchTowr advises conducting regular audits of cloud resources, implementing strict access controls, and utilizing digital signature verification for software updates to ensure authenticity. The report stresses that the security of abandoned digital infrastructure should be a top priority, as it can be just as vulnerable as active resources, and its compromise could lead to devastating consequences for both public and private organizations.