By Staff Writer at LMG Security   /   Feb 26th, 2025

Abandoned S3 Buckets: A Goldmine for Hackers

In the world of cybersecurity, digital trash can be more dangerous than you think. Today’s businesses rely on cloud storage for everything from software updates to crucial patches. But what happens when these storage containers are forgotten? Enter the world of abandoned S3 buckets, a seemingly innocuous issue that could lead to supply chain compromises, data leaks, and even remote code execution.

Recent research by Watchtowr revealed a chilling reality: abandoned S3 buckets are not just forgotten storage; they are ticking time bombs waiting for the right hacker to exploit them. The research team spent a mere $400 to re-register about 150 abandoned S3 buckets and found thousands of requests pouring in, revealing sensitive data dependencies and posing significant security threats. What are the implications? “Think along the lines of Log4j or SolarWinds—major supply chain attacks that rattled the cybersecurity landscape,” shared Sherri Davidoff, founder of LMG Security. “This new research shows that abandoned S3 buckets can present a major risk to your organization and your connected clients and vendors.” Let’s dive deeper into this issue and explore how to defend against this threat.

The Discovery: How It All Began

The story begins with a simple error message: “No Such Bucket.” A Watchtowr researcher encountered this when trying to access a report published by a security vendor. This moment sparked a realization—if one bucket was abandoned, how many more were out there?

Amazon S3 buckets are widely used for hosting everything from PDFs to software updates. Companies often store files in S3 buckets and reference them in public links, even after they stop using those buckets. The problem? When the buckets are abandoned, the references remain live on the Internet, effectively pointing to nothing—or worse, to a bucket that a malicious actor could take over.

Watchtowr’s researchers decided to test this theory by looking for abandoned S3 buckets related to governments, Fortune 500 companies, tech companies, security vendors, and open-source projects. They wanted to see if these abandoned buckets posed a real threat. Spoiler alert: They did.

The Shocking Results

What they found was alarming: thousands of requests from users and systems still trying to access files from these abandoned buckets. The investigation exposed dependencies that highlighted serious security risks, including:

  • CISA Issue: An official government website (CISA, in fact!) pointed to a “patch” stored in an abandoned S3 bucket. This opened the door for potential supply chain attacks if a malicious actor took control of that bucket.
  • Open-Source Code Vulnerabilities: Some open-source projects directed users to download and execute files from abandoned buckets. This creates an avenue for remote code execution and malware distribution.
  • SSL VPN Deployment Template: An SSL VPN requested a deployment template from an abandoned S3 bucket. If a hacker had taken control, they could have distributed malicious configurations, compromising entire networks.

“These research findings exposed the broad implications of abandoned S3 buckets,” stated Matt Durrin, director of research and training at LMG Security. “In two months, the researchers received 8 MILLION file requests from only 150 abandoned S3 buckets. Since Amazon now lets you request up to 1 million buckets per AWS account, the security implications for this level of exposure are deeply concerning. Many of the security teams I have chatted with have not even considered the security implications of abandoned S3 buckets until now.”

Parallels with Abandoned Domains

The issue of abandoned S3 buckets is not new in concept—it has parallels with abandoned domains. When companies let domain registrations lapse, threat actors can take over those domains and use them maliciously.

A prime example involves Matt’s experience with Windows XP. “Back when I was using Windows XP, I found that when older versions of the OS were initially installed, it was programmed to automatically pull a file from a specific website,” Matt shared. “However, the company that originally registered the domain let it lapse, and a malicious actor took it over, leading to a pop-up of a malicious webpage the first time it was booted.” This example is one reason it is important to conduct continuous vulnerability scanning and cloud configuration reviews, so that security issues in workstations and servers are identified before they lead to compromise.

Just as with abandoned domains, abandoned S3 buckets leave organizations vulnerable to cyber threats.

The Discovery of Software Supply Chain Risks

Watchtowr’s research culminated with a startling discovery involving Sparkle, an open-source software update framework for Mac OS X applications. Sparkle is widely used—think Log4j-level widespread—and facilitates the update process for many applications.

The framework fetches metadata from an S3 bucket to determine if an update is available. While the update packages are signed, the metadata file itself is not. This allows a malicious actor to manipulate the metadata if they control the abandoned bucket. Even more concerning, some apps using Sparkle allow users to download the .dmg (disk image) file directly from the bucket, bypassing the signature check entirely. This creates a golden opportunity for attackers to distribute malware.

Similarly, Watchtowr discovered security implications linked to the Gradle Suite, another software component dependent on abandoned S3 buckets.

How can your organization reduce its risk?

“If your organization is using Gradle Suite or another software that connects to an S3 bucket, an attacker could upload malicious files or dependencies, potentially compromising software builds that use Gradle,” Matt cautioned. “This could lead to supply chain attacks, where developers unknowingly integrate compromised software into their, or your, applications.”

“One of the most effective ways to protect against attacks leveraging abandoned S3 buckets is cryptographic signing,” Sherri shared. “Cryptographic signing ensures that a file is authentic and hasn’t been tampered with. It provides a backup plan.” Here’s how it works:

  • The file creator uses a private key to sign their work.
  • They publish or distribute the corresponding public key, which anyone can use to verify the signature.
  • This process confirms that the file hasn’t been modified and really was created by the author.

While cryptographic signing is a powerful defense, it must be implemented consistently across all updates, configurations, and files to be effective.
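The Sparkle finding above and the three-step description of signing both come down to one rule: the signature must cover the metadata the client acts on, not only the package. The following Go program is an added example written for this article; it is not code from Watchtowr, Sparkle, or LMG Security. It assumes a hypothetical update manifest with three fields (version, download URL, package digest), signs it with an Ed25519 key from the Go standard library, and shows a client rejecting a manifest that was rewritten by whoever re-registered the bucket, because the old signature no longer matches.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update-metadata record of the kind an update
// framework fetches before downloading a package. The fields are an
// assumption made for this example, not a real Sparkle appcast format.
type Manifest struct {
	Version     string
	DownloadURL string
	SHA256      string // hex digest of the package the client should expect
}

// canonical returns the exact bytes that get signed. Fixing one canonical
// encoding matters: every field the client will act on must be covered.
func (m Manifest) canonical() []byte {
	return []byte(m.Version + "\n" + m.DownloadURL + "\n" + m.SHA256 + "\n")
}

// SignManifest is the publisher side. The private key never leaves the
// publisher; the base64 signature is shipped next to the manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) string {
	sig := ed25519.Sign(priv, m.canonical())
	return base64.StdEncoding.EncodeToString(sig)
}

// VerifyManifest is the client side. The public key is pinned in the client
// (shipped with the installer), so whoever controls the bucket cannot produce
// a valid signature for altered metadata.
func VerifyManifest(pub ed25519.PublicKey, m Manifest, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has wrong length")
	}
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return errors.New("signature does not match manifest; refusing update")
	}
	return nil
}

// Demo runs the honest flow and the bucket-takeover flow and reports whether
// the genuine manifest verified and the tampered one was rejected.
func Demo() (honestOK bool, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample manifest; the URL is a placeholder, not a real bucket.
	genuine := Manifest{
		Version:     "2.4.1",
		DownloadURL: "https://example-updates.s3.amazonaws.com/app-2.4.1.dmg",
		SHA256:      "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
	}
	sig := SignManifest(priv, genuine)
	honestOK = VerifyManifest(pub, genuine, sig) == nil

	// Someone who re-registers the abandoned bucket can rewrite the metadata
	// but cannot re-sign it, so the client must reject it under the old signature.
	tampered := genuine
	tampered.DownloadURL = "https://example-updates.s3.amazonaws.com/app-2.4.2.dmg"
	tampered.SHA256 = "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
	tamperedRejected = VerifyManifest(pub, tampered, sig) != nil
	return honestOK, tamperedRejected, nil
}

func main() {
	honest, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine manifest verifies: %v\n", honest)
	fmt.Printf("tampered manifest rejected: %v\n", tampered)
}
```

The design choice worth noting is that the client checks the signature before it trusts the download URL or the digest, so a bucket that now serves attacker-controlled metadata produces a verification failure rather than a download. That only holds if every path the client can take (including a "download directly" link of the kind the article describes) goes through the same check.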

Abandoned S3 Bucket Defense Strategies and Best Practices

To protect against the risks associated with abandoned S3 buckets, organizations should implement the following defense strategies:

  1. Require Cryptographic Signing: Mandate cryptographic signing for all software updates and configuration files to verify integrity and authenticity. Ensure vendors consistently use cryptographic signatures and perform checks during installation.
  2. Map and Track All Data Repositories: Include S3 buckets, domains, and other data repositories in your asset management strategy. Confirm that third-party vendors maintain comprehensive asset management practices. Watch our video on the importance of asset inventory and management for more details.
  3. Conduct Cloud Configuration Reviews Regularly: Conduct regular cloud configuration reviews to identify and manage abandoned S3 buckets and data repositories. Audit permissions, confirm data accessibility, and apply asset management protocols consistently. Review our checklist of AWS security best practices for more advice.
  4. Continuously Monitor Legacy Dependencies: Implement monitoring systems to identify and mitigate risks associated with legacy dependencies linked to abandoned resources. This proactive approach prevents exploitation before it occurs.
  5. Integrate Compromised Repositories into Incident Response: Include compromised repositories in your tabletop exercises and incident response processes. Update incident response plans to account for abandoned S3 bucket exploitation and ensure rapid recovery and remediation procedures are in place.
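Steps 2 and 4 above (map all data repositories, monitor legacy dependencies) start with a concrete question: which bucket names do our scripts, configs and documentation still reference, and are all of them in our inventory? The Go program below is an added example written for this article, not a tool from LMG Security or Watchtowr. It extracts bucket names from the three common S3 URL styles (the s3:// scheme, virtual-hosted hostnames, and path-style URLs) in a constructed sample of install-script and config lines, then reports the referenced buckets missing from a constructed inventory of owned buckets. Those are the dependencies to investigate first.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Three ways a bucket appears in a URL: the s3:// scheme, the virtual-hosted
// style (bucket is the first host label before ".s3"), and the path style
// (bucket is the first path segment after the S3 endpoint). The patterns
// cover the common forms and are an assumption for this example.
var bucketPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)\bs3://([a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])`),
	regexp.MustCompile(`(?i)https?://([a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com`),
	regexp.MustCompile(`(?i)https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])`),
}

// Constructed sample: lines of the kind found in install scripts, CI configs
// and documentation. None of these bucket names are real.
const sampleConfig = `
# installer bootstrap
curl -fsSL https://acme-installer-assets.s3.amazonaws.com/install.sh | sh
BACKUP_URI=s3://acme-backups-prod/daily/
PATCH_URL=https://s3.us-east-1.amazonaws.com/legacy-cdn-2017/patch-1.2.zip
APPCAST=https://acme-updates.s3-us-west-2.amazonaws.com/appcast.xml
DOCS=https://docs.example.com/not-a-bucket
`

// Constructed inventory of the buckets the organization currently owns.
var ownedBuckets = map[string]bool{
	"acme-installer-assets": true,
	"acme-backups-prod":     true,
	"acme-updates":          true,
}

// FindBucketReferences returns every bucket name referenced in text, sorted
// and de-duplicated. Names are lower-cased; S3 bucket names are lowercase.
func FindBucketReferences(text string) []string {
	seen := map[string]bool{}
	for _, re := range bucketPatterns {
		for _, m := range re.FindAllStringSubmatch(text, -1) {
			seen[strings.ToLower(m[1])] = true
		}
	}
	out := make([]string, 0, len(seen))
	for b := range seen {
		out = append(out, b)
	}
	sort.Strings(out)
	return out
}

// Unowned returns the referenced buckets missing from the inventory: the
// candidates for a dependency on an abandoned (or never-owned) bucket.
func Unowned(refs []string, inventory map[string]bool) []string {
	var out []string
	for _, b := range refs {
		if !inventory[b] {
			out = append(out, b)
		}
	}
	return out
}

func main() {
	refs := FindBucketReferences(sampleConfig)
	fmt.Println("referenced buckets:", refs)
	fmt.Println("not in inventory:  ", Unowned(refs, ownedBuckets))
}
```

Run against a real code base, the input would be the concatenated contents of scripts, pipeline definitions and docs rather than the constructed sample, and the inventory would come from the organization's own account listing. A name that is absent from the inventory is not yet proof of a takeover risk; the follow-up a practitioner would add is confirming whether the bucket still exists and who owns it (for example with `aws s3api head-bucket --bucket <name>` from an account that should own it), then removing or re-pointing the reference.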

Don’t Let Your Trash Become a Treasure for Hackers

Abandoned S3 buckets may seem like digital trash, but they are a goldmine for hackers looking to exploit supply chain dependencies and inject malicious code into trusted systems. The findings from Watchtowr’s research underscore the importance of taking abandoned S3 buckets seriously and implementing robust defenses to safeguard your organization.

As a leader in cybersecurity, LMG Security is here to help you assess your cloud storage security posture, review your cloud configurations, conduct penetration tests, and implement best practices for protecting your data repositories. Don’t wait for a breach—contact us today to learn how we can help secure your infrastructure.

Stay vigilant and stay secure. And remember, even digital trash can be dangerous.

About the Author

LMG Security Staff Writer
