CyberSecurity news
Jessica Lyons@theregister.com
Researchers at watchTowr Labs have uncovered a significant security flaw involving abandoned Amazon Web Services (AWS) S3 buckets, potentially allowing attackers to compromise the software supply chain. The analysis revealed that nearly 150 S3 buckets previously used by various organizations, including cybersecurity firms, governments, Fortune 500 companies, and open source projects, could be re-registered. This re-registration could enable attackers to inject malicious code or executables into deployment processes and software update mechanisms.
Over a two-month period, these abandoned buckets received over eight million HTTPS requests for various files, including software updates and other binary artifacts. The requests originated from a wide range of sources, including government networks in multiple countries, military networks, Fortune 100 and 500 companies, and even cybersecurity companies. This vulnerability could allow threat actors to deliver malware or backdoors to these organizations, leading to widespread security breaches. AWS has since blocked the specific buckets identified by watchTowr to prevent their re-creation and potential misuse.
Classification:
- HashTags: #SupplyChainSecurity #AWS #S3
- Company: AWS
- Target: Global Software Supply Chain
- Product: S3 Buckets
- Type: HighRisk
- Severity: Major