Friday, February 7, 2025

The hidden threat of neglected cloud infrastructure



An unguarded access point

During the four-month investigation, watchTowr researchers managed to assume control of roughly 150 neglected AWS S3 buckets belonging to a range of users, including Fortune 500 corporations, government agencies, academic institutions, and cybersecurity firms. These abandoned cloud assets were still being queried via millions of HTTP requests. Legitimate organizations and systems sought critical resources such as software updates, unsigned virtual machines, JavaScript files, and server configurations. Over two months, more than 8 million such requests were recorded.

The implications are staggering: These requests could have easily been manipulated by bad actors to deliver malware, collect sensitive information, or even orchestrate large-scale supply chain attacks. WatchTowr warned that breaches of this magnitude could surpass the infamous 2020 SolarWinds attack in scale and impact. Among the incidents uncovered by watchTowr are several alarming examples:

  • Abandoned S3 buckets tied to SSL VPN appliance vendors were discovered to be still serving deployment templates and configurations.
  • An older GitHub commit from 2015 exposed an S3 bucket linked to a popular open source WebAssembly compiler.
  • Researchers uncovered systems pulling virtual machine images from abandoned resources.

A minor oversight with major consequences

Entities attempting to communicate with these abandoned assets include government organizations (such as NASA and state agencies in the United States), military networks, Fortune 100 companies, major banks, and universities. The fact that these large organizations were still relying on mismanaged or forgotten resources is a testament to the pervasive nature of this oversight.
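One way to find such stale references in your own code and configuration before a bucket is retired is sketched below. It is an added example, not code from watchTowr or this article. It extracts S3 bucket names from text and reports those missing from an inventory of buckets you still own; the sample text, bucket names, and inventory are constructed for illustration.

```python
import re

# S3 bucket names are 3-63 chars: lowercase letters, digits, dots, hyphens.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# Global or regional endpoint (dualstack and other variants are not covered).
_HOST = r"s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com"
_PATTERNS = [
    re.compile(r"https?://" + _NAME + r"\." + _HOST, re.I),  # virtual-hosted style
    re.compile(r"https?://" + _HOST + r"/" + _NAME, re.I),   # path style
    re.compile(r"s3://" + _NAME, re.I),                      # s3:// URI
]

def find_bucket_refs(text):
    """Map each referenced bucket name to the line numbers that mention it."""
    refs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in _PATTERNS:
            for m in pat.finditer(line):
                refs.setdefault(m.group(1).lower(), []).append(lineno)
    return refs

def unowned_refs(text, owned):
    """Return references to buckets that are not in the owned inventory."""
    return {b: ln for b, ln in find_bucket_refs(text).items() if b not in owned}

# Constructed sample: fragments of a deploy script, a web page and a config file.
SAMPLE = """\
# constructed sample input
curl -O https://acme-prod-assets.s3.amazonaws.com/agent/install.sh
<script src="https://s3.us-east-1.amazonaws.com/acme-legacy-cdn/js/widget.js"></script>
image_source = "s3://acme-vm-images-2015/base.ova"
backup_target = "s3://acme-prod-assets/backups/"
"""
# Assumption: the inventory comes from the bucket listing of your own accounts.
OWNED = {"acme-prod-assets"}

if __name__ == "__main__":
    for bucket, lines in sorted(unowned_refs(SAMPLE, OWNED).items()):
        print(f"{bucket}: referenced on line(s) {lines}, not in inventory")
```

Any reference it reports should be removed or repointed before the bucket name is released, since anyone can register a deleted bucket name.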
