Hijacked AWS Storage Buckets Expose Major Organizations to Supply Chain Attacks

Security researchers have uncovered a serious vulnerability in abandoned Amazon Web Services (AWS) cloud storage that could enable devastating cyberattacks. The discovery reveals how attackers could potentially hijack deleted AWS S3 storage buckets to distribute malware and launch supply chain attacks.

Research firm watchTowr identified approximately 150 abandoned S3 buckets previously used by major organizations including government agencies, Fortune 500 companies, and cybersecurity vendors. By simply re-registering these buckets under their original names for around $400 total, the researchers gained control over storage locations that continued receiving millions of file requests.

Over a two-month period, the repossessed buckets received 8 million requests from high-profile organizations including US, UK and Australian government agencies, global banks, and major corporations. The requests sought various files like software updates, executable programs, and infrastructure configuration templates.

"We just typed the name into the input box and used the power of one finger to click register," explained watchTowr researchers, highlighting the simplicity of exploiting this weakness. A malicious actor could have responded to these requests with malware or backdoored files.

Benjamin Harris, CEO of watchTowr, emphasized that while their study focused on AWS, similar risks exist with any abandoned cloud storage that can be re-registered under its original name. The company has urged AWS to prevent the reuse of previously registered bucket names.

In response, AWS has blocked the specific buckets identified in the research from being recreated. The company pointed to existing features like bucket ownership conditions designed to prevent unintended reuse, and emphasized the importance of proper bucket naming and configuration practices.

The findings underscore the need for organizations to carefully manage their cloud resources and ensure deprecated storage locations cannot be repurposed for attacks. As cloud services continue expanding, addressing abandoned infrastructure vulnerabilities becomes increasingly critical for cybersecurity.
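One way to find deprecated storage locations before someone else re-registers them is to scan your own scripts and templates for S3 bucket references and compare them with the buckets you still own. The sketch below is an added example, not code from watchTowr or AWS. The file contents, the bucket names and the `OWNED` inventory are constructed, and it assumes the inventory is exported separately from your accounts.

```python
import re

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
_NAME = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
# Global, regional (s3.<region>) and legacy dash (s3-<region>) endpoints only.
_HOST = r"s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
_PATTERNS = (
    re.compile(rf"(?<![\w.-])({_NAME})\.{_HOST}"),           # virtual-hosted style
    re.compile(rf"(?<![\w.-]){_HOST}/({_NAME})(?![\w.-])"),  # path style
    re.compile(rf"(?<![\w.-])s3://({_NAME})(?![\w.-])"),     # s3:// URI
)


def find_bucket_refs(files):
    """Map bucket name -> sorted list of (file, line_no) that reference it."""
    refs = {}
    for fname, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for pattern in _PATTERNS:
                for bucket in pattern.findall(line.lower()):
                    refs.setdefault(bucket, set()).add((fname, line_no))
    return {bucket: sorted(locs) for bucket, locs in refs.items()}


def dangling_refs(files, owned_buckets):
    """Return references to buckets that are absent from the owned inventory."""
    owned = {b.lower() for b in owned_buckets}
    return {b: locs for b, locs in find_bucket_refs(files).items() if b not in owned}


# Constructed sample input: file path -> file content.
SAMPLE_FILES = {
    "deploy/install.sh":
        "curl -fsSL https://example-agent-releases.s3.amazonaws.com/latest/agent.tar.gz | tar xz\n",
    "infra/stack.yaml":
        "TemplateURL: https://s3.us-east-1.amazonaws.com/example-cfn-templates/vpc.yaml\n"
        "Artifacts: s3://example-build-artifacts/app/\n",
    "docs/README.md":
        "Old mirror: https://example-old-mirror.s3-eu-west-1.amazonaws.com/pkg.zip\n",
}
# Constructed inventory of buckets the organization still owns (assumption).
OWNED = {"example-agent-releases", "example-build-artifacts"}

if __name__ == "__main__":
    for bucket, locations in sorted(dangling_refs(SAMPLE_FILES, OWNED).items()):
        for fname, line_no in locations:
            print(f"{fname}:{line_no}: references unowned bucket '{bucket}'")
```

Each hit is a reference to remove or repoint, or a bucket name to keep registered until nothing requests it any more.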