
WatchTowr warns abandoned S3 buckets pose supply chain risk

WatchTowr researchers found that they could reregister abandoned Amazon S3 buckets and detail alarming ways that threat actors could exploit the attack surface.

New research from WatchTowr highlighted supply chain security risks that abandoned cloud infrastructure like Amazon S3 buckets continues to pose for organizations.

In a blog post published Tuesday, WatchTowr researchers warned that attackers could take over abandoned Amazon S3 buckets and exploit them to deploy malicious software updates and remote access tooling, or even gain access to an AWS environment. WatchTowr analyzed assets previously owned by government organizations, Fortune 500 companies, technology companies, cybersecurity companies and major open source projects.

While the researchers examined instances that involved S3 buckets, they expressed concern that abandoned assets could pose similar supply chain risks to other cloud storage services.

"The reality is that there is a 'simple' root cause of all this strife. It's not Amazon, S3, or even 'the cloud'. The root cause stems from a mindset that has grown as friction to acquiring Internet infrastructure -- be it S3 buckets, domain names, IP addresses, or whatever -- has lessened," WatchTowr wrote in the research. "... In a world where registering a domain name costs a mere few dollars, and registering an Internet resource like an S3 bucket takes even less, it takes very little to inadvertently commit to maintaining a finite resource."

WatchTowr said the project began after researchers found a dead S3 link to an advanced persistent threat report published by an unnamed company that they referred to as "Antivirus and MDR Vendor #1." While the PDF file was no longer available, the researchers found that they could register the S3 bucket and serve malicious content from the domain instead.

While conducting Tuesday's research, they discovered "[about] 150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines -- and then abandoned." Some had been abandoned for months and even years.

However, WatchTowr researchers found that they could still register them. The reregistered buckets "received more than 8 million HTTP requests over a 2 month period" for a variety of actions including software updates; precompiled Windows, Linux and macOS binaries; virtual machine images; CloudFormation templates; and SSL VPN server configuration. Researchers warned that attackers could leverage those requests for a myriad of malicious actions including ransomware deployment.

"The problem, from a security standpoint, manifests when these S3 buckets are allowed to decay and subsequently abandoned, allowing bad actors to re-register them for themselves. This is a known bug class, known by many names, including 'S3 bucket takeover' (we know this is not new -- bear with us). Second-order Amazon S3 bucket takeovers via broken links are also not new, before you tell us this also," the researchers said.

Other security vendors and researchers have warned about the risks posed by abandoned S3 buckets. In 2023, Checkmarx discovered that a threat actor had obtained control of a recently abandoned S3 bucket and used it to poison the NPM package "bignum."

WatchTowr researchers found one abandoned S3 bucket involving a CISA advisory from 2012, which could pose a significant risk if an attacker gained control. Additionally, they discovered a Mozilla-games example where the S3 bucket was removed from Emscripten project documentation in 2015.

"The fact that an attacker could theoretically register a resource abandoned such a long time ago, and instantly serve malware to trusting hosts should alarm us all -- and especially those who use the Internet in a non-paranoid way, not checking the integrity of every binary they download (i.e. 99.9999% of us)," the researchers said.

Call to action

WatchTowr contacted affected organizations including CISA and an unnamed SSL VPN appliance vendor, and the issues were remediated. Additionally, researchers said AWS agreed to sinkhole the identified 150 S3 buckets.

WatchTowr CEO Benjamin Harris told Informa TechTarget that AWS and affected organizations were responsive to the researchers' findings. He added that WatchTowr returned previously abandoned S3 buckets directly to the original owners where the vendor held existing relationships. "All entities that we reached out to directly were appreciative and incredibly swift to take action," Harris said.

Harris told Informa TechTarget that the issue is not specific to AWS, but urged the cloud giant to play a role in reducing risk. While Harris said AWS S3 supports certain mitigations -- such as enforcing a check on the account that owns a bucket when interacting with it -- that can be applied to prevent attacks, he does not believe those mitigations are relevant in the context of this research.

"We have repeatedly (like a broken record) shared our belief with the AWS teams that engaged with us that the most logical solution to the challenge here (in our clearly naive opinions) is to prevent the registration of S3 buckets using names that had been used previously," Harris said in an email. "This approach would entirely kill this vulnerability class (abandoned infrastructure) in the context of AWS S3. As always, there is likely an argument about the usability tradeoff, the ability to transfer S3 buckets between accounts, etc. -- but we do wonder if these requirements outweigh the impact we have demonstrated through our research."

He also outlined ways that AWS customers can help in reducing the attack surface as well.

"However, what is vital is that AWS customers understand that once a cloud resource is created, leveraged and referenced in code (for example, in a software update process), documentation (for example, in a deployment manual) or otherwise -- that reference will exist forever and the implications of that reference will survive in perpetuity (as our research has shown)," Harris wrote.
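The two defensive measures mentioned above, auditing code and documentation for lingering bucket references and using the bucket ownership condition on requests, can be illustrated in a few lines. The following is an added example written for this article, not code from WatchTowr or AWS. The bucket names, the "owned inventory" and the sample deployment snippet are constructed; the `x-amz-expected-bucket-owner` header is the real S3 header behind the ownership condition (boto3 exposes it as the `ExpectedBucketOwner` parameter), and the example only builds it, it sends no requests.

```python
import re

# S3 reference forms this parser recognises (no network access needed):
#   s3://bucket/key
#   https://bucket.s3.amazonaws.com/key, https://bucket.s3.<region>.amazonaws.com/key,
#   https://bucket.s3-<region>.amazonaws.com/key          (virtual-hosted style)
#   https://s3.amazonaws.com/bucket/key, https://s3.<region>.amazonaws.com/bucket/key (path style)
_BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"          # S3 bucket naming rules, 3-63 chars
_S3_HOST = r"s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"      # s3, s3.<region> or legacy s3-<region>
_PATTERNS = [
    re.compile(rf"s3://({_BUCKET})(?![a-z0-9.-])", re.IGNORECASE),
    re.compile(rf"https?://({_BUCKET})\.{_S3_HOST}(?![a-z0-9.-])", re.IGNORECASE),
    re.compile(rf"https?://{_S3_HOST}/({_BUCKET})(?![a-z0-9.-])", re.IGNORECASE),
]

# Constructed sample: the kind of lines a deployment script or manual might carry.
SAMPLE_REFERENCES = "\n".join([
    "# constructed sample of references a deployment script or manual might carry",
    "curl -o agent.bin https://example-corp-updates.s3.amazonaws.com/agent/latest/agent.bin",
    "aws s3 cp s3://example-corp-cfn-templates/prod/stack.yaml ./stack.yaml",
    "wget https://s3.us-east-1.amazonaws.com/example-corp-old-docs/report-2012.pdf",
    "Download the VM image from https://example-corp-vm-images.s3-us-west-2.amazonaws.com/appliance.ova",
])
# Constructed inventory of buckets the organisation still owns.
OWNED_BUCKETS = {"example-corp-updates", "example-corp-cfn-templates"}


def extract_bucket_refs(text: str) -> set[str]:
    """Return every bucket name referenced in text, in any of the URL forms above."""
    found = set()
    for pattern in _PATTERNS:
        for match in pattern.finditer(text):
            found.add(match.group(1).lower())
    return found


def audit_references(text: str, owned_buckets: set[str]) -> dict[str, list[int]]:
    """Map each referenced bucket that is NOT in the owned inventory to the line
    numbers where it appears. Those references are the ones that keep resolving
    after a bucket is deleted, so they are the ones to remove or re-own."""
    unknown: dict[str, list[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for bucket in extract_bucket_refs(line):
            if bucket not in owned_buckets:
                unknown.setdefault(bucket, []).append(lineno)
    return unknown


def expected_owner_headers(account_id: str) -> dict[str, str]:
    """Build the bucket ownership condition header. S3 rejects a request carrying it
    unless the bucket belongs to account_id, so a re-registered bucket under someone
    else's account returns an error instead of serving their content."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    return {"x-amz-expected-bucket-owner": account_id}


if __name__ == "__main__":
    for bucket, lines in sorted(audit_references(SAMPLE_REFERENCES, OWNED_BUCKETS).items()):
        print(f"unowned bucket referenced: {bucket} (lines {lines})")
    print(expected_owner_headers("123456789012"))  # constructed account ID
```

Run against the constructed sample, the audit flags `example-corp-old-docs` and `example-corp-vm-images` as references to buckets outside the inventory; in practice the inventory would come from the account's own bucket listing. The ownership header is only a safeguard for the requests an organisation itself makes with a known account ID; it does nothing for third parties who fetch from a hard-coded URL, which is why the stale references themselves have to be found and removed.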

An AWS spokesperson sent the following statement to Informa TechTarget:

"AWS services and infrastructure are operating as expected. The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications. After conducting their research without notifying AWS, WatchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created.

To support our customers' security needs, we provide guidance on best practices, including using unique identifiers when creating bucket names to prevent unintended reuse, and ensuring applications are properly configured to reference only customer-owned buckets. In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names. AWS requests that researchers engage with our security research program before conducting research involving AWS services. Learn more at aws.amazon.com/security/vulnerability-reporting/."

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.
