Abandoned AWS S3 Buckets

Researchers at WatchTowr Labs have uncovered a critical security vulnerability in abandoned Amazon Web Services (AWS) S3 buckets that could enable attackers to hijack the global software supply chain.

The research highlights how these neglected cloud storage resources could facilitate large-scale cyberattacks, potentially eclipsing the infamous SolarWinds breach in scope and impact.

Over a two-month investigation, WatchTowr identified approximately 150 abandoned S3 buckets previously used by governments, Fortune 500 companies, cybersecurity firms, and major open-source projects.

Despite their abandonment, these buckets were still being queried for software updates, binaries, and other critical resources. By re-registering these buckets under the same names for just $420.85, the researchers demonstrated how attackers could exploit this oversight to distribute malicious payloads.

The vulnerability stems from the fact that AWS S3 bucket names are globally unique. Once a bucket is deleted, its name becomes available for anyone to register again.

If an application or system continues to reference an abandoned bucket for updates or resources, attackers can seize control by re-registering it and hosting malicious content.

WatchTowr enabled logging on the re-registered buckets during their experiment and observed over eight million HTTP requests originating from sensitive networks.

These included U.S. government agencies like NASA, military organizations, Fortune 100 companies, financial institutions, and universities worldwide. Requested resources ranged from unsigned software binaries and virtual machine images to JavaScript files and CloudFormation templates.

The implications are alarming. An attacker could use these requests to distribute backdoored software updates, deploy ransomware, or gain unauthorized access to sensitive networks. For example:

  • Malicious binaries could install remote access tools or ransomware.
  • Compromised CloudFormation templates might grant attackers access to AWS environments.
  • Backdoored virtual machine images could infiltrate enterprise systems.

WatchTowr’s findings underscore the widespread reliance on cloud-hosted resources in modern software development and deployment pipelines. The researchers noted that many of these abandoned buckets were integral to critical infrastructure, including government and military systems.

“Neglected cloud infrastructure leaves sensitive networks vulnerable to unauthorized access,” WatchTowr stated in their report. “In the wrong hands, this vulnerability could lead to supply chain attacks far more devastating than anything we’ve seen before.”

Supply chain attacks have become a growing concern in recent years. Gartner predicts that by 2025, nearly 45% of organizations will experience such attacks—a threefold increase since 2021. These incidents exploit weak links in software supply chains to distribute malware or steal sensitive data.

Examples include the poisoning of open-source packages like “bignum,” where attackers hijacked an abandoned S3 bucket to serve malicious binaries. Such vulnerabilities highlight the importance of securing not just active infrastructure but also retired or abandoned resources.

AWS has acknowledged the issue but insists that its services are functioning as designed. While it has implemented measures like bucket ownership conditions and encouraged best practices for naming conventions, WatchTowr argues that AWS should prevent the reuse of previously registered bucket names altogether.

Organizations can take proactive steps to mitigate risks:

  • Conduct regular audits of cloud resources to identify and decommission unused assets.
  • Implement strict access controls and logging for all active buckets.
  • Use digital signature verification for software updates to ensure authenticity.
  • Educate developers on secure coding practices and dependency management.
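As an added illustration of the audit step (not code from WatchTowr or from this article), the sketch below scans configuration or source text for S3 bucket references and reports any bucket that is missing from the organization's own inventory, which is where a deleted but still referenced bucket would show up. The function names, the sample config and the `OWNED` set are constructed for this example; in practice the inventory would come from listing the account's buckets, for instance with `aws s3api list-buckets`.

```python
import re

# Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
_NAME = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
_PATTERNS = [
    # s3://bucket/key
    re.compile(rf"\bs3://({_NAME})(?![a-z0-9-])"),
    # Virtual-hosted style: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com
    re.compile(rf"\b({_NAME})\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com"),
    # Path style: s3.amazonaws.com/bucket/key. The lookbehind stops this from
    # treating the first path segment of a virtual-hosted URL as a bucket.
    re.compile(rf"(?<![a-z0-9.-])s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com/({_NAME})(?![a-z0-9-])"),
]


def extract_bucket_refs(text):
    """Return {bucket_name: [line numbers]} for every S3 reference in text."""
    refs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in _PATTERNS:
            for match in pattern.finditer(line):
                refs.setdefault(match.group(1), []).append(lineno)
    return refs


def find_unowned_refs(text, owned_buckets):
    """Return references to buckets that are absent from the owned inventory."""
    owned = set(owned_buckets)
    return {name: lines for name, lines in extract_bucket_refs(text).items()
            if name not in owned}


# Constructed sample input: a config file that still points at three buckets.
SAMPLE_CONFIG = """\
update_url = "https://acme-updates.s3.amazonaws.com/agent/latest.msi"
template   = "https://s3.us-east-1.amazonaws.com/acme-cfn-templates/vpc.yaml"
vm_image   = "s3://acme-old-vm-images/base.ova"
docs       = "https://example.com/docs/index.html"
"""
# Constructed inventory of buckets the organization currently owns.
OWNED = {"acme-updates", "acme-cfn-templates"}

if __name__ == "__main__":
    for bucket, lines in find_unowned_refs(SAMPLE_CONFIG, OWNED).items():
        print(f"referenced but not owned: {bucket} (lines {lines})")
```

Any bucket this reports should either be removed from the referencing code or re-created and held by the organization before the old name is released.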

The WatchTowr report is a reminder of the risks posed by abandoned digital infrastructure in an increasingly interconnected world. As organizations continue to migrate operations to the cloud, vigilance is essential to secure not only active resources but also those left behind.

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.