Security researchers have uncovered a dangerous vulnerability involving abandoned Amazon Web Services (AWS) cloud storage buckets that could enable large-scale cyberattacks. The research team at watchTowr found that threat actors can easily take control of deserted storage buckets and potentially use them to distribute malware or launch other malicious campaigns.
During a two-month study, researchers identified approximately 150 abandoned AWS S3 storage buckets previously used by government organizations, Fortune 500 companies, technology firms, and cybersecurity vendors. After registering these buckets under their original names for around $400, the team recorded over 8 million file requests from various high-profile organizations.
The requesting entities included government agencies from the US, UK, and Australia, Fortune 100 companies, major banks, and cybersecurity firms. These organizations sought various files including software updates, executable files, virtual machine images, and infrastructure configuration templates.
"We just typed the name into the input box and used the power of one finger to click register," noted the watchTowr research team, highlighting the simplicity of exploiting this vulnerability.
Benjamin Harris, CEO of watchTowr, emphasized that malicious actors could potentially create "SolarWinds-scale supply chain attacks" by exploiting these abandoned resources. While the study focused on AWS buckets, the risk extends to any abandoned cloud storage that can be re-registered under its original name.
In response to these findings, AWS quickly blocked the specific buckets identified in the research from being re-created. The company highlighted its existing security features, including the bucket ownership condition feature launched in 2020, designed to prevent unintended bucket name reuse.
As a fix, the researchers recommend preventing S3 buckets from being registered under previously used names. However, this approach may face challenges due to requirements around bucket transfers between accounts and other operational considerations.
This discovery underscores the need for organizations to carefully manage their cloud resources and maintain proper security controls, particularly when decommissioning storage buckets that may still be referenced in existing applications or deployment processes.
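One way to act on that before decommissioning a bucket is to audit configuration and source text for S3 references that fall outside the account's bucket inventory. The following is an added example, not code from the article or from watchTowr; the bucket names, the inventory and the sample text are constructed, and the function names are hypothetical.

```python
import re

# Constructed inventory of buckets the organization currently owns (assumption).
OWNED_BUCKETS = {"acme-prod-artifacts", "acme-logs"}

# Constructed sample of deployment config text to audit.
SAMPLE = """\
installer_url: https://acme-legacy-updates.s3.amazonaws.com/agent/setup.exe
template: https://s3.us-west-2.amazonaws.com/acme-cfn-templates/vpc.yaml
artifact: s3://acme-prod-artifacts/build/app.tar.gz
image: https://acme-vm-images.s3.eu-west-1.amazonaws.com/base.ova
logs: https://acme-logs.s3.amazonaws.com/2024/
docs: https://example.com/s3-guide
"""

# Bucket names: 3-63 chars, lowercase letters, digits, dots and hyphens.
BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
# Global, regional (dot or legacy dash form) and dualstack S3 endpoints.
S3_HOST = r"s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com"

PATTERNS = [
    re.compile(rf"https?://({BUCKET})\.{S3_HOST}"),  # virtual-hosted style
    re.compile(rf"https?://{S3_HOST}/({BUCKET})"),   # path style
    re.compile(rf"s3://({BUCKET})"),                 # s3:// URI
]


def find_bucket_refs(text):
    """Return {bucket_name: [line numbers]} for every S3 reference in text."""
    refs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in PATTERNS:
            for match in pattern.finditer(line.lower()):
                refs.setdefault(match.group(1), []).append(lineno)
    return refs


def unowned_refs(text, owned):
    """References to buckets missing from the inventory: each one is a name
    that may be abandoned and open to re-registration by someone else."""
    return {b: lines for b, lines in find_bucket_refs(text).items()
            if b not in owned}


if __name__ == "__main__":
    for bucket, lines in sorted(unowned_refs(SAMPLE, OWNED_BUCKETS).items()):
        print(f"{bucket}: referenced on line(s) {lines}, not in inventory")
```

Each flagged name needs either the reference removed or the bucket's ownership confirmed before the bucket is deleted.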