In a world increasingly reliant on cloud infrastructure, the consequences of neglecting digital assets such as AWS (Amazon Web Services) S3 (Simple Storage Service) buckets are hard to overstate: abandoned buckets present security concerns that could lead to supply-chain attacks on a global scale. Research by watchTowr Labs has shown that derelict S3 buckets, if improperly managed, can become conduits for distributing malicious software. The problem centres on once-active S3 buckets that their owners have deleted or abandoned while applications, scripts and websites continue to request software updates or other essential code from them. Because a deleted bucket's name is released, anyone can create a new bucket under that name and decide what those requesters download next.
The security implications of such neglected infrastructure are far-reaching and severe. WatchTowr's study identified around 150 Amazon-hosted storage buckets that had been used by high-profile entities, including governments, Fortune 500 companies, technology firms, cybersecurity organisations and major open-source projects. Alarmingly, these abandoned bucket names were free for anyone to register while still receiving legitimate resource requests, providing a ready gateway for attackers.
The Scale of the Problem
To gauge the full extent of the issue, watchTowr's security team spent $420.85 registering the abandoned bucket names under their own AWS account and enabled request logging to record incoming traffic over a two-month observation period. The results were alarming: the re-registered buckets received more than eight million requests for resources including Windows, Linux and macOS executables, virtual machine images, JavaScript files, CloudFormation templates and SSL VPN server configurations. Each of those requests came from a system prepared to run or load whatever the bucket returned under that key. The requests originated from NASA, other US government networks, UK government organisations and military networks, as well as Fortune 500 and Fortune 100 companies, financial services firms, universities, casinos and instant-messaging providers.
The findings echo earlier research on expired internet domains that can be resurrected for malicious purposes. A notable example involves expired domains tied to single-sign-on (SSO) services: if repurchased, they could allow unauthorized access to numerous business accounts. This raises the stakes and shows how dangerous neglected digital infrastructure becomes if left unattended.
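As an added illustration (not watchTowr's tooling) of the triage a defender can do after reclaiming, or while still holding, a bucket name that other systems call: parse S3 server access log lines and list which keys clients still expect to download. Every GET that ends in NoSuchKey is a requester whose next download is decided by whoever owns the bucket. The log lines, bucket name, IP addresses and user agents below are constructed; the field layout follows the documented S3 server access log format.

```python
"""Added example: triage S3 server access logs from a reclaimed bucket to see
which keys requesters still expect to find there.  Not watchTowr's tooling;
the log lines below are constructed in the S3 access-log field layout."""
import re
from collections import Counter

# One log field is a [bracketed time], a "quoted string" or a bare token.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
# Leading fields of the S3 server access log format, in order.  Trailing
# fields (host_id, signature version, TLS version, ...) are ignored here.
_FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester",
           "request_id", "operation", "key", "request_uri", "http_status",
           "error_code", "bytes_sent", "object_size", "total_time",
           "turnaround_time", "referer", "user_agent", "version_id")

# Key suffixes that the requester would execute, load or evaluate.
_EXECUTABLE_SUFFIXES = (".exe", ".msi", ".sh", ".pkg", ".dmg", ".deb", ".rpm",
                        ".js", ".json", ".yaml", ".yml", ".ovpn", ".ova", ".qcow2")

# Constructed sample: four GETs for objects that no longer exist, one bucket listing.
SAMPLE_LOG = """\
OWNERID examplebucket [12/Jan/2025:08:14:02 +0000] 198.51.100.7 - 7C3EXAMPLE REST.GET.OBJECT updates/install.sh "GET /updates/install.sh HTTP/1.1" 404 NoSuchKey 303 - 9 - "-" "curl/8.4.0" -
OWNERID examplebucket [12/Jan/2025:08:14:05 +0000] 203.0.113.20 - 7C4EXAMPLE REST.GET.OBJECT agent/agent-setup.exe "GET /agent/agent-setup.exe HTTP/1.1" 404 NoSuchKey 303 - 11 - "-" "ACME-Updater/3.2" -
OWNERID examplebucket [12/Jan/2025:08:15:41 +0000] 203.0.113.21 - 7C5EXAMPLE REST.GET.OBJECT agent/agent-setup.exe "GET /agent/agent-setup.exe HTTP/1.1" 404 NoSuchKey 303 - 8 - "-" "ACME-Updater/3.2" -
OWNERID examplebucket [12/Jan/2025:08:16:00 +0000] 192.0.2.9 - 7C6EXAMPLE REST.GET.OBJECT README.txt "GET /README.txt HTTP/1.1" 404 NoSuchKey 303 - 7 - "-" "Mozilla/5.0" -
OWNERID examplebucket [12/Jan/2025:08:16:30 +0000] 192.0.2.9 - 7C7EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 412 - 15 - "-" "aws-cli/2.15" -
"""


def parse_line(line: str):
    """Split one access-log line into a dict of the leading fields (None if malformed)."""
    tokens = [t.strip('"[]') for t in _TOKEN.findall(line)]
    if len(tokens) < len(_FIELDS):
        return None
    return dict(zip(_FIELDS, tokens))


def triage(log_text: str) -> dict:
    """Per requested object key: request count, distinct source IPs, user agents,
    and how many requests hit a missing object (NoSuchKey)."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["operation"] != "REST.GET.OBJECT":
            continue
        entry = hits.setdefault(rec["key"], {"requests": 0, "ips": set(),
                                             "agents": Counter(), "missing": 0})
        entry["requests"] += 1
        entry["ips"].add(rec["remote_ip"])
        entry["agents"][rec["user_agent"]] += 1
        if rec["error_code"] == "NoSuchKey":
            entry["missing"] += 1
    return hits


def risky_keys(hits: dict) -> list:
    """Missing keys whose names suggest the client will execute or load the result."""
    return sorted(k for k, v in hits.items()
                  if v["missing"] and k.lower().endswith(_EXECUTABLE_SUFFIXES))


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key in risky_keys(summary):
        v = summary[key]
        print(f"{key}: {v['requests']} requests from {len(v['ips'])} IPs, agents={dict(v['agents'])}")
```

On a real reclaimed bucket the interesting rows are exactly these 404s: an attacker would upload objects under those keys and every request in the list would start succeeding.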
Potential for High-Impact Cyberattacks
The study suggests several mitigation strategies. Security specialists emphasise retiring accounts, domains and storage buckets deliberately rather than letting them lapse, removing every reference to them from software, scripts and documentation first, and authenticating any downloads or updates, for example by checking a digital signature or a pinned hash before the file is used. However, watchTowr's research found that such signature checks and verification steps are not consistently applied, which leaves significant gaps for an attacker who controls the download location.
During the investigation, watchTowr found an advisory dated 2012 still hosted on CISA.gov that directed readers to an S3 bucket for a patch file. The bucket had since been abandoned, yet the link remained on an official government page until watchTowr notified CISA, which removed the unsafe reference. The study thus underscores the latent risk of neglected cloud infrastructure: by reviving and observing defunct buckets, watchTowr showed how easily malicious actors could exploit them, and that any defunct storage location or service can serve as a vector for high-impact attacks against critical networks and institutions.
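One way a consumer of such downloads can protect itself, shown here as an added example rather than the study's own code: pin the SHA-256 digest of the artifact in the client and compare it before use, and, for S3 requests, send the header AWS documents as the bucket owner condition so S3 refuses to serve the object if the bucket now belongs to a different account. The URL, the account ID and the artifact bytes are constructed for illustration; the `fetch` parameter exists only so the check can be exercised offline.

```python
"""Added example (not the study's code): accept a downloaded artifact only if it
matches a digest pinned in the client, and ask S3 to refuse the object if the
bucket has changed hands.  URL, account ID and artifact bytes are constructed."""
import hashlib
import hmac
import urllib.request

# Hypothetical values a client would ship with its own code or a signed manifest.
UPDATE_URL = "https://acme-installer.s3.amazonaws.com/updates/install.sh"  # constructed
EXPECTED_OWNER = "111122223333"  # AWS account ID that legitimately owns the bucket (constructed)


class ArtifactVerificationError(Exception):
    """Raised when a download does not match what the client expects."""


def build_request(url: str, expected_owner: str) -> urllib.request.Request:
    # AWS bucket owner condition: S3 compares this header with the bucket's
    # owning account and answers 403 instead of serving a stranger's object.
    return urllib.request.Request(url, headers={"x-amz-expected-bucket-owner": expected_owner})


def verify_digest(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the artifact's SHA-256 against the pinned value."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256.lower())


def fetch_and_verify(url: str, expected_sha256: str, expected_owner: str, fetch=None) -> bytes:
    """Download url and return its bytes only if the digest matches.
    fetch(request) -> bytes is injectable so the logic can run without network."""
    if fetch is None:
        def fetch(req):
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.read()
    data = fetch(build_request(url, expected_owner))
    if not verify_digest(data, expected_sha256):
        raise ArtifactVerificationError(f"SHA-256 mismatch for {url}: refusing to use it")
    return data


# Constructed sample artifacts: the one the vendor published, and what a
# re-registered bucket might serve under the same key.
GOOD_ARTIFACT = b"#!/bin/sh\necho 'legitimate installer'\n"
EVIL_ARTIFACT = b"#!/bin/sh\necho 'content chosen by whoever now owns the bucket'\n"
PINNED_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()  # computed once by the vendor, shipped with the client


def demo():
    """Returns (legitimate_accepted, substituted_rejected)."""
    accepted = fetch_and_verify(UPDATE_URL, PINNED_SHA256, EXPECTED_OWNER, fetch=lambda r: GOOD_ARTIFACT)
    try:
        fetch_and_verify(UPDATE_URL, PINNED_SHA256, EXPECTED_OWNER, fetch=lambda r: EVIL_ARTIFACT)
        rejected = False
    except ArtifactVerificationError:
        rejected = True
    return accepted == GOOD_ARTIFACT, rejected


if __name__ == "__main__":
    print(demo())
```

The pinned digest has to come from somewhere the bucket owner cannot also control (compiled into the client, or a manifest verified with a signing key), not from a sibling file in the same bucket. The owner header only helps if the client knows the legitimate account ID, and it addresses the re-registered-bucket case, not a compromise of the legitimate owner's account.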
The Need for Stricter Management Practices
The watchTowr study's findings emphasise an urgent need for stricter management and decommissioning practices for cloud storage. More than eight million resource requests logged to re-registered S3 buckets show how heavily running systems still depend on them. Despite this ongoing dependency, security measures are often inconsistently applied, leaving significant vulnerabilities exposed.
A further observation is that cloud providers such as Amazon could enforce stricter controls on the reuse of bucket names. S3 bucket names are globally unique, and a name becomes available to any account as soon as the bucket that held it is deleted; although AWS recommends unique identifiers in bucket names, resurrecting a former name remains easy. Preventing the re-registration of previously used bucket names would be a straightforward and effective mitigation. Amazon has not adopted such a policy, favouring flexibility and usability instead: releasing names allows buckets to be moved between accounts, but it also leaves a loophole open if a bucket is neglected or mishandled.
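For an organisation auditing its own exposure to this loophole, as an added example (not the study's tooling): extract every S3 bucket name referenced in scripts, templates and web pages, then issue an unauthenticated HEAD against each bucket. S3's HeadBucket semantics make the result easy to read: 200 or 403 mean the name is held by some account, 404 means the name is free and could be registered by anyone. The sample deployment text and the fake HTTP statuses used in the demo are constructed; drop the `head=` argument to query S3 for real.

```python
"""Added example (not watchTowr's tooling): inventory the S3 bucket names a
code base still references and check whether each name is currently held."""
import re
import urllib.error
import urllib.request

_BUCKET = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# The three URL shapes that embed a bucket name: s3://, virtual-hosted and path-style.
_PATTERNS = [
    re.compile(r"s3://" + _BUCKET, re.I),
    re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", re.I),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET, re.I),
]

# Constructed sample of deployment material that still pins S3 locations.
SAMPLE_CONFIG = """\
TemplateURL: https://s3.amazonaws.com/acme-cfn-templates/prod/stack.yaml
curl -fsSL https://acme-installer.s3.us-east-1.amazonaws.com/v2/install.sh | sh
aws s3 cp s3://acme-vm-images/ubuntu-22.04.qcow2 .
<script src="https://cdn.example.com/app.js"></script>
"""


def extract_bucket_names(text: str) -> set:
    """Every bucket name that appears in an S3 URL anywhere in text."""
    found = set()
    for pattern in _PATTERNS:
        for match in pattern.finditer(text):
            found.add(match.group("bucket").lower())
    return found


def _head_bucket(name: str) -> int:
    """Unauthenticated HeadBucket against the global endpoint; returns the HTTP status."""
    req = urllib.request.Request(f"https://{name}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Map a HeadBucket status to what it means for name takeover."""
    if status == 404:
        return "UNCLAIMED: name is free; anyone can create this bucket"
    if status == 403:
        return "held: bucket exists, anonymous access denied"
    if status in (200, 301, 307):  # listable, or redirected to the bucket's own region
        return "held: bucket exists"
    return f"unexpected HTTP {status}"


def audit_references(text: str, head=_head_bucket) -> dict:
    """Bucket name -> verdict, for every bucket the text references."""
    return {name: classify(head(name)) for name in sorted(extract_bucket_names(text))}


if __name__ == "__main__":
    # Constructed statuses so the demo runs offline.
    fake_status = {"acme-cfn-templates": 403, "acme-installer": 404, "acme-vm-images": 200}
    for name, verdict in audit_references(SAMPLE_CONFIG, head=fake_status.__getitem__).items():
        print(f"{name:22s} {verdict}")
```

Any name that comes back UNCLAIMED is a reference that should be removed or re-pointed before someone else registers it; a 404 right after a deliberate deletion is the same window an attacker would use.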
Addressing the Risks
Summarising the key outcomes, watchTowr's research highlights the urgent need to tackle the risks posed by abandoned cloud storage. The findings emphasise stringent decommissioning processes, robust validation of downloaded artifacts, and more restrictive measures by cloud providers to prevent the re-registration of previously used resources. Adhering to these guidelines would significantly reduce the risk of a supply-chain attack matching or even surpassing the scale of the SolarWinds incident.
As more organisations shift towards cloud-based infrastructure, the responsibility to secure these assets becomes increasingly important. WatchTowr's findings paint an unequivocal picture: negligence in managing digital infrastructure is not merely a matter of dormant data but a latent threat capable of widespread disruption. Proactive measures, industry standards and rigorous security practices are necessary to safeguard an increasingly interconnected digital world against these threats.