
In groundbreaking cybersecurity research conducted in late 2024, security researchers at watchTowr uncovered a supply chain weakness affecting organizations worldwide, including government agencies, military networks, and Fortune 500 companies: software, build pipelines and deployment tooling that still fetched code and configuration from abandoned Amazon S3 buckets.
The research, which analyzed more than 8 million HTTP requests received over a two-month period, demonstrated how abandoned cloud storage could be exploited for large-scale supply chain attacks.
The researchers identified approximately 150 abandoned Amazon S3 buckets previously used by commercial and open-source software products, governments, and infrastructure deployment pipelines. S3 bucket names are globally unique, and once the original owner deletes a bucket its name is free for anyone to claim, so every client still hard-coded to fetch from that name trusts whoever claims it next.
Once the researchers re-registered these buckets, the buckets received millions of requests for software updates, unsigned Windows, Linux and macOS binaries, virtual machine images, JavaScript files, and other critical infrastructure components.
The range of affected organizations was particularly concerning: government networks in the USA (including NASA and state governments), the UK, Poland, Australia, South Korea, and other countries. Military networks, Fortune 500 companies, major payment card networks, global financial institutions, and even cybersecurity companies were among those making requests to these abandoned buckets.
"We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far," the researchers stated in their report, adding that it would have made "their SolarWinds adventures look amateurish and insignificant."
That's Not Finished
One of the most concerning discoveries involved major SSLVPN appliance vendors. The researchers found multiple instances where VPN configurations and deployment templates were being requested from abandoned S3 buckets.
An attacker who controlled those buckets could have served malicious configurations or templates to every appliance that fetched them, compromising the networks behind those appliances.
The research also revealed concerning practices in software distribution. For instance, numerous macOS applications using the Sparkle update framework were requesting updates from abandoned buckets. While Sparkle's update signing prevented direct code execution in those cases, the researchers noted that an attacker controlling the update feed could still mount effective social engineering attacks against users of those applications.
A particularly alarming finding involved build systems downloading unsigned executables and dependencies from abandoned S3 buckets; a build server that executes whatever the bucket returns hands code execution to whoever owns the bucket. As the researchers put it, "Instant RCE on hundreds of sensitive build servers." From there, malicious code could be injected into software during the build process and shipped to every downstream user of that software.
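As an added example (not code from watchTowr or from the original article), the following Python script shows the check a build or platform team would run against its own repositories: it extracts every S3 bucket name referenced in build, deployment and update files in the three common URL forms (s3://bucket/key, virtual-hosted https://bucket.s3.<region>.amazonaws.com/key, and path-style https://s3.<region>.amazonaws.com/bucket/key), and can optionally ask S3, without credentials, whether each name still exists. A 404 whose body carries NoSuchBucket means the name is unclaimed and anyone could register it, which is exactly the condition the researchers exploited. The sample input lines and the bucket names in them are constructed for this example and do not refer to real deployments.

```python
import re
import sys
import urllib.error
import urllib.request

# S3 bucket names: 3-63 characters, lowercase letters, digits, dots and hyphens.
BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"

# The three ways a bucket reference usually appears in build, deploy and update files.
BUCKET_PATTERNS = [
    # s3://bucket/key (aws cli, terraform, hadoop s3a://)
    re.compile(r"s3a?://(" + BUCKET + r")(?![a-z0-9.-])"),
    # https://bucket.s3.amazonaws.com/key, https://bucket.s3.us-east-1.amazonaws.com/key
    re.compile(r"https?://(" + BUCKET + r")\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com(?![a-z0-9.-])"),
    # https://s3.amazonaws.com/bucket/key, https://s3.eu-west-1.amazonaws.com/bucket/key
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com/(" + BUCKET + r")(?![a-z0-9.-])"),
]

# Constructed sample of the kind of lines found in CI, build and deployment files (not real buckets).
SAMPLE_BUILD_CONFIG = """\
curl -o tools/helper.exe https://example-build-tools.s3.amazonaws.com/helper.exe
aws s3 cp s3://example-deploy-templates/vpn/config.xml ./config.xml
wget https://s3.eu-west-1.amazonaws.com/example-legacy-installer/setup.sh
pip install https://example-build-tools.s3.us-east-1.amazonaws.com/wheel.whl
"""


def extract_bucket_refs(text):
    """Map each bucket name found in `text` to the (line number, reference) pairs that mention it."""
    refs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in BUCKET_PATTERNS:
            for match in pattern.finditer(line):
                refs.setdefault(match.group(1), []).append((lineno, match.group(0)))
    return refs


def classify_probe(status, body):
    """Interpret an unauthenticated GET on a bucket root.

    404 with NoSuchBucket: the name is unclaimed, so anyone can create a bucket with it.
    200 / 403 / 301 / 307: a bucket with that name exists (owned by someone, not necessarily you).
    Anything else, including a 404 for some other reason, is inconclusive.
    """
    if status == 404:
        return "unclaimed" if "NoSuchBucket" in body else "unknown"
    if status in (200, 301, 307, 403):
        return "exists"
    return "unknown"


def probe_bucket(bucket, timeout=10):
    """Ask S3, with no credentials, whether `bucket` currently exists (network request)."""
    # Names containing dots break the wildcard TLS certificate on virtual-hosted URLs, so use path style for them.
    url = f"https://s3.amazonaws.com/{bucket}/" if "." in bucket else f"https://{bucket}.s3.amazonaws.com/"
    req = urllib.request.Request(url, headers={"User-Agent": "dangling-bucket-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read(4096).decode("utf-8", "replace"))
    except OSError:  # DNS failure, timeout, TLS error: say nothing rather than guess
        return "unknown"


def report(text, probe=False, out=sys.stdout):
    """Print every bucket referenced in `text`, optionally probing each; returns the reference map."""
    refs = extract_bucket_refs(text)
    for bucket, hits in sorted(refs.items()):
        state = probe_bucket(bucket) if probe else "not probed"
        print(f"{bucket}: {len(hits)} reference(s), {state}", file=out)
        for lineno, ref in hits:
            print(f"    line {lineno}: {ref}", file=out)
    return refs


if __name__ == "__main__":
    args = sys.argv[1:]
    do_probe = "--probe" in args
    files = [a for a in args if a != "--probe"]
    if not files:
        report(SAMPLE_BUILD_CONFIG, do_probe)  # no arguments: scan the constructed sample
    for path in files:
        print(f"== {path}")
        with open(path, encoding="utf-8", errors="replace") as fh:
            report(fh.read(), do_probe)
```

Run it with the files to check (for example a Makefile and a CI pipeline definition) and add `--probe` to query S3; with no arguments it scans the embedded sample. Two caveats apply. "exists" only says that some AWS account owns the name today, not that it is the account you expect, so a bucket that was abandoned and then re-registered by a stranger looks identical to a healthy one; only an inventory of which buckets your own accounts hold can tell the two apart. And the probe is a live request to S3, so run it from a host where that is acceptable. The durable fix is to stop depending on the name at all: sign what you publish, pin digests for what build pipelines fetch, and remove every reference to a bucket before deleting it.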
The age of some of these references was particularly troubling. In one case, the researchers traced an abandoned bucket's history back to 2015, meaning clients had been fetching from an unowned name for nearly a decade without anyone noticing. This highlights the long-term risk of abandoned cloud infrastructure: a reference left behind does not expire.
To address the immediate risk, Amazon Web Services (AWS) agreed to "sinkhole" the identified S3 buckets, taking those names out of general circulation so they cannot be re-registered. The researchers disclosed their findings responsibly to several organizations, including:
- NCSC UK
- AWS
- CISA
- Major SSLVPN appliance vendors
watchTowr emphasizes that this issue isn't specific to Amazon S3 or cloud services in general, but rather reflects a broader problem with how organizations handle infrastructure resources.
The findings underscore a critical challenge in modern cybersecurity: the casual approach to cloud infrastructure management.
As the researchers noted, while registering cloud resources is increasingly simple and inexpensive, organizations often overlook the long-term obligation that comes with them: a name that other systems have been told to trust must either be kept or be retired only after every reference to it is gone.
The research is a prompt for organizations to inventory the cloud resources their software, build pipelines and deployment tooling depend on, to sign what they distribute and verify what they consume rather than trusting a hostname, and to decommission cloud resources only after removing every reference to them, so that an abandoned name cannot become a supply chain attack.
As the researchers conclude, "The fact that an attacker could theoretically register a resource abandoned such a long time ago, and instantly serve malware to trusting hosts should alarm us all - and especially those who use the Internet in a non-paranoid way, not checking the integrity of every binary they download (i.e. 99.9999% of us)."
This research underscores the critical importance of maintaining proper security hygiene in cloud infrastructure and the potential consequences of abandoning digital resources without proper decommissioning procedures. It serves as a reminder that in an interconnected digital world, seemingly minor oversights can have far-reaching security implications.