Full Report
Cloud storage tools used by military, government and even cybersecurity organizations around the world have been left abandoned by their users, exposing them to a wide variety of security risks.
Analysis Summary
# Vulnerability: Takeover of Abandoned AWS S3 Buckets
## CVE Details
- CVE ID: None assigned in the source material. This is a configuration and process flaw in how deleted bucket names are handled, not a software vulnerability in the S3 service itself (for example, a code injection flaw).
- CVSS Score: Not provided. (Severity is considered High due to impact potential).
- CWE: CWE-404 (Improper Resource Shutdown or Release) or potentially CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) if sensitive data was previously stored.
## Affected Systems
- Products: Amazon Web Services (AWS) S3 buckets.
- Versions: Applicable to any environment utilizing AWS S3 where buckets are deleted but still referenced by active systems (websites, software update mechanisms, etc.).
- Configurations: S3 buckets that have been deleted by the original owner but whose names are still referenced by active endpoints (e.g., in configuration files, deployment scripts, software update manifests).
## Vulnerability Description
The vulnerability stems from the ability for anyone to re-register an AWS S3 bucket using the exact name of a previously deleted bucket. Researchers discovered approximately 150 previously used S3 buckets (used by government, military, and private sector entities) that were abandoned but continued to receive millions of HTTP requests over a two-month period. An attacker taking control of such a bucket could respond to legitimate requests (such as software update checks) with malicious payloads, including backdoored binaries, ransomware, or infrastructure-as-code templates designed to compromise the requesting entity's network.
## Exploitation
- Status: Exploitation demonstrated in a proof-of-concept scenario by WatchTowr researchers, who registered abandoned bucket names and observed the traffic still arriving at them.
- Complexity: Low (requires only knowledge of a previously used bucket name).
- Attack Vector: Network (Malicious response payload delivered over the network to unsuspecting clients).
## Impact
- Confidentiality: High (Potential to gain access to requesting network, allowing data exfiltration).
- Integrity: High (Ability to inject malicious code/backdoors into software updates or deployments).
- Availability: Medium/High (Potential to deploy ransomware or disrupt services).
## Remediation
### Patches
- No traditional software patch applies, because the issue lies in how AWS handles the names of deleted buckets: a deleted name becomes available for anyone to re-create.
- AWS responded by **blocking the re-creation of the specific buckets identified by WatchTowr.**
### Workarounds
1. **Inventory and Update References:** Organizations must audit all internal and third-party documentation, deployment scripts, configuration files, and software update manifests to remove references to any decommissioned S3 buckets.
2. **Secure Decommissioning Process:** Implement strict procedures ensuring that when an S3 bucket is decommissioned, all external or internal references pointing to that specific bucket name are immediately and concurrently retired or updated.
## Detection
- **Indicators of Compromise (IOCs):** Unexpected network connections or downloaded files originating from an S3 endpoint that should be dormant or deleted. Unusual traffic volumes directed at historically inactive S3 bucket names.
- **Detection Methods and Tools:** Monitoring outgoing connections from critical infrastructure (e.g., update servers) to AWS S3 endpoints to verify that the target bucket content/origin is legitimate and expected. Cloud configuration monitoring tools can help identify hardcoded S3 references.
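The two workarounds above (auditing references to decommissioned buckets) and the detection guidance (checking where infrastructure actually connects) share one core task: pull S3 bucket names out of text and compare them against the buckets the organization still owns. The following script is an added example, not part of the original report or WatchTowr's tooling. It recognizes the three common reference shapes (`s3://` URIs, virtual-hosted-style hostnames, and path-style URLs), scans both configuration files and egress log lines, and flags any referenced bucket that is absent from the owned inventory. All file contents, bucket names, and log lines are constructed for illustration.

```python
"""Scan configs/scripts and egress logs for S3 bucket references that point
outside the buckets an organization still owns (constructed example)."""
import re
from dataclasses import dataclass

# Bucket name: 3-63 chars of lowercase letters, digits, dots and hyphens.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# Reference shapes handled:
#   s3://bucket/key
#   bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
#   legacy bucket.s3-<region>.amazonaws.com (virtual-hosted style)
#   s3.amazonaws.com/bucket, s3.<region>.amazonaws.com/bucket (path style)
_PATTERNS = (
    re.compile(r"s3://" + _NAME, re.I),
    re.compile(r"\b" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b", re.I),
    # Negative lookbehind keeps this from matching the first path segment of a
    # virtual-hosted URL (".s3.amazonaws.com/manifest.json").
    re.compile(r"(?<![a-z0-9.-])s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _NAME, re.I),
)


def extract_bucket_names(text: str) -> set[str]:
    """Return every bucket name referenced in text, lowercased."""
    names = set()
    for pattern in _PATTERNS:
        for match in pattern.finditer(text):
            names.add(match.group(1).lower())
    return names


@dataclass(frozen=True)
class Finding:
    source: str   # file or log name the reference came from
    line_no: int  # 1-based line number within that source
    bucket: str   # referenced bucket name
    snippet: str  # the offending line, stripped


def find_dangling_references(sources: dict[str, str], owned: set[str]) -> list[Finding]:
    """Flag references to buckets that are not in the owned inventory.

    A name missing from the inventory is either a bucket that was deleted
    (and may now be registrable by anyone) or a third party's bucket; both
    deserve review before the reference stays in production.
    """
    owned_lower = {name.lower() for name in owned}
    findings = []
    for source, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for bucket in sorted(extract_bucket_names(line)):
                if bucket not in owned_lower:
                    findings.append(Finding(source, line_no, bucket, line.strip()))
    return findings


# --- Constructed sample data (hypothetical names, not from any real deployment) ---
OWNED_BUCKETS = {"acme-prod-releases", "acme-static-assets"}

SAMPLE_SOURCES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "aws s3 cp ./build s3://acme-prod-releases/ --recursive\n"
        "# TODO: old updater endpoint, bucket decommissioned in 2023\n"
        "curl -fsSL https://acme-legacy-updates.s3.amazonaws.com/manifest.json\n"
    ),
    "installer.cfg": (
        "update_url = https://s3.us-east-1.amazonaws.com/acme-installer-2019/setup.msi\n"
        "assets_url = https://acme-static-assets.s3.eu-west-1.amazonaws.com/\n"
    ),
    "proxy-egress.log": (
        "2024-05-01T10:00:01Z src=10.1.2.3 dst=acme-prod-releases.s3.amazonaws.com status=200\n"
        "2024-05-01T10:00:07Z src=10.1.2.9 dst=acme-legacy-updates.s3.amazonaws.com status=200\n"
    ),
}


def dangling_bucket_names(sources=SAMPLE_SOURCES, owned=OWNED_BUCKETS) -> set[str]:
    """The distinct unowned bucket names found across all sources."""
    return {f.bucket for f in find_dangling_references(sources, owned)}


if __name__ == "__main__":
    for f in find_dangling_references(SAMPLE_SOURCES, OWNED_BUCKETS):
        print(f"{f.source}:{f.line_no}: unowned bucket '{f.bucket}' in: {f.snippet}")
```

In real use the owned inventory would be populated from each account (for example `aws s3api list-buckets --query 'Buckets[].Name'`) and the sources from a repository checkout plus proxy or VPC flow logs. A hit against the log source is the detection signal the report describes: a host still fetching from a bucket name the organization no longer controls.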
## References
- Vendor Advisory: AWS provided guidance on S3 security best practices (link provided in the article: https://aws.amazon.com/blogs/aws/amazon-s3-update-three-new-security-access-control-features/)
- Research Report: labs dot watchtowr dot com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
- CISA Advisory Reference: cisa dot gov/news-events/ics-advisories/icsa-12-025-02a