
Researchers warn of risks tied to abandoned cloud storage buckets

Cloud storage tools used by military, government and even cybersecurity organizations around the world have been left abandoned by their users, exposing them to a wide variety of security risks. 

Cybersecurity researchers at watchTowr published a lengthy report on Tuesday outlining the findings from a study of abandoned Amazon Web Services (AWS) S3 buckets — tools used by a variety of organizations to store code, files, templates and more. 

The company tracked about 150 AWS S3 buckets that had previously been used across commercial and open source software products, governments and infrastructure before being abandoned.

These abandoned S3 buckets still received more than 8 million HTTP requests over a two-month period, for content ranging from software updates to other files, requests that a malicious actor who had taken over the buckets could have answered with content of their choosing.

WatchTowr CEO Benjamin Harris explained the report’s findings using a recently purchased house as an analogy for the issues they discovered.

“We bought a house, and we keep receiving mail for the previous owners. Based on the return addresses, there are letters addressed to the previous owners from governments, militaries and other important entities,” he told Recorded Future News, adding that their research could apply to any of the widely-used storage tools on the market. 

“While we haven’t read the letters or responded to them — based on the letters, how they look, and who they are addressed to at our recently bought house, we believe that if we responded we could trigger a fairly significant incident.”

Harris said there is an “inherent issue surrounding the world’s approach, usage of and abandonment of infrastructure.” Many of the abandoned S3 buckets are still connected to websites currently in use. 

The blog outlines several examples illustrating how a malicious actor could take over an abandoned S3 bucket and take any number of actions. Someone could put their own code in a software update mechanism and “watch significant numbers of systems, and sensitive networks, pull down the payload.”

The blog jokingly notes that their research began with the idea of simply putting their logo on other websites but quickly morphed into serious concern about buckets connected to .mil websites — which are run by the United States Department of Defense. 

“Put extraordinarily simply – if we were villainously inclined, we could’ve responded to each of these requests with something malicious like: A nefarious software update, a CloudFormation template that gave us access to an AWS environment, virtual machine images backdoored with ‘remote access tooling’, binaries that deployed ‘remote access tooling’ or scary ransomware, or such, etc., to give us access to the requesting system, or network that the requesting system was sat within,” the researchers said.

The millions of requests watchTowr witnessed came from government organizations in the U.S., U.K., Poland, Australia, South Korea, Turkey, Taiwan, Chile and more. 

They also saw requests come from Fortune 500 companies, a major payment card company, banks, universities, software firms, casinos and even other cybersecurity firms. 

The researchers thanked organizations like Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre as well as other companies for responding quickly and remediating the issues found. 

One of the S3 buckets the researchers found was connected to a 2012 security advisory posted to CISA’s own website — illustrating how the most security-conscious organizations are impacted by the issue. 

A major antivirus provider and a VPN appliance vendor both had abandoned S3 buckets, according to the researchers. The VPN case was particularly concerning because the researchers believe that, by controlling the bucket, they could have silently connected to a victim’s network as if they were a legitimate user, or attacked specific endpoints.

Although the research could apply to a wide variety of cloud storage tools, watchTowr focused on S3 buckets because they are the most widely used example of the kind of infrastructure the team wanted to examine. Harris noted that they have done previous research into other versions of this same abandoned infrastructure issue.

AWS response

An AWS spokesperson said that their tools are “operating as expected” but said the issues described in the blog “occurred when customers deleted S3 buckets that were still being referenced by third-party applications.” 

“After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created,” the spokesperson said, providing links to guidance on best practices. 

Officials from watchTowr confirmed that AWS worked with them to take down the buckets they found. 

Harris said he and other watchTowr experts told AWS that the best solution is to prevent the registration of S3 buckets using names that had been used previously — which is how he and his team were able to take over the abandoned buckets.

“This approach would entirely kill this vulnerability class (abandoned infrastructure) in the context of AWS S3. As always, there is likely an argument about the usability trade off, the ability to transfer S3 buckets between accounts, etc — but we do wonder if these requirements outweigh the impact we have demonstrated through our research,” he said. 

“We recognize that we are not AWS S3 experts and would defer to AWS for the reasoning behind why preventing the registration of S3 buckets using names that had been used previously, an on-the-face-of-it-relatively-logical-change, has not been deemed appropriate or implemented yet.”

Harris reiterated that AWS was not the only provider with this issue, but warned AWS customers that once a cloud resource is created, used and referenced in documentation or code — for example in a software update process — that reference will exist forever, and the implications of that reference will survive in perpetuity.
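The defensive counterpart to that warning is to inventory the references that outlive the resource. The following is an added example, not code from watchTowr, AWS or any vendor named in the article: it extracts S3 bucket names from the URL forms S3 accepts (virtual-hosted style, path-style and `s3://` URIs) in code or configuration text and flags any bucket that is not in the organization’s current inventory as a dangling reference to be removed or re-pointed. The sample configuration and the inventory are constructed for the example and do not refer to real buckets.

```python
"""Audit code and configuration for references to S3 buckets that the
organization no longer owns.

Added example (not watchTowr's or AWS's code). Bucket names are pulled out of
the three common reference styles and compared against a constructed list of
currently owned buckets; anything missing from that list is a dangling
reference. All sample values below are constructed."""
import re

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens.
_BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
# A reference ends at a path separator, whitespace, quote, bracket or end of line.
_END = r"""(?=[/\s"'<>)\]]|$)"""
_PATTERNS = [
    # virtual-hosted style: https://<bucket>.s3.amazonaws.com/... or
    #                       https://<bucket>.s3.<region>.amazonaws.com/...
    re.compile(rf"https?://({_BUCKET})\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com{_END}"),
    # path style: https://s3.amazonaws.com/<bucket>/... or
    #             https://s3.<region>.amazonaws.com/<bucket>/...
    re.compile(rf"https?://s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com/({_BUCKET}){_END}"),
    # URI style used by CLIs and SDKs: s3://<bucket>/...
    re.compile(rf"s3://({_BUCKET}){_END}"),
]


def find_bucket_references(text: str) -> dict[str, list[int]]:
    """Map every referenced bucket name to the 1-based line numbers where it appears."""
    refs: dict[str, list[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in _PATTERNS:
            for match in pattern.finditer(line):
                refs.setdefault(match.group(1), []).append(lineno)
    return refs


def audit_references(text: str, owned_buckets: set[str]) -> list[tuple[str, list[int]]]:
    """Return (bucket, lines) for each referenced bucket absent from the inventory.

    A bucket that is referenced but no longer owned is exactly the condition the
    research describes: the name is free for someone else to register while the
    reference keeps sending traffic to it."""
    refs = find_bucket_references(text)
    return sorted((bucket, lines) for bucket, lines in refs.items()
                  if bucket not in owned_buckets)


# Constructed sample: an updater configuration plus a CloudFormation fragment.
SAMPLE_CONFIG = """\
# constructed sample: an updater config and a CloudFormation snippet
update_url = https://example-corp-updates.s3.amazonaws.com/agent/latest.json
fallback   = https://s3.us-east-1.amazonaws.com/example-corp-legacy-2012/agent.bin
TemplateURL: "https://s3.amazonaws.com/example-corp-cfn-old/stack.yaml"
ARTIFACTS=s3://example-corp-updates/artifacts/
"""

# Constructed inventory of buckets the organization currently owns.
OWNED_BUCKETS = {"example-corp-updates"}

if __name__ == "__main__":
    for bucket, lines in audit_references(SAMPLE_CONFIG, OWNED_BUCKETS):
        print(f"dangling reference to bucket {bucket!r} on line(s) {lines}")
```

Run against a real repository, the inventory would come from the account's own bucket listing and the text from every file in the tree; a non-empty result is the list of references that must be fixed before the bucket name can safely be released.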

The blog notes that the other root cause of the issue “stems from a mindset that has grown as friction to acquiring Internet infrastructure — be it S3 buckets, domain names, IP addresses, or whatever — has lessened.” 

“This mindset lulls us in and persuades us that Internet infrastructure is ‘easy come, easy go’. In a world where registering a domain name costs a mere few dollars, and registering an Internet resource like an S3 bucket takes even less, it takes very little to inadvertently commit to maintaining a finite resource,” the researchers said. 

“The fact that an attacker could theoretically register a resource abandoned such a long time ago, and instantly serve malware to trusting hosts should alarm us all — and especially those who use the Internet in a non-paranoid way, not checking the integrity of every binary they download (i.e. 99.9999% of us). Even the ~150 S3 buckets we acquired to carry out this research posed some hazards regarding their disposal.”
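The integrity check the researchers allude to is the one control that holds even when the storage location itself has changed hands. The following is an added example and is not code from watchTowr or any vendor in the article: a publisher pins the SHA-256 and size of the genuine artifact at build time, and the update client refuses any download whose bytes do not match the pin. The artifacts and the manifest are constructed for the example.

```python
"""Verify a downloaded update against a digest pinned at build time.

Added example, not code from watchTowr or any vendor named in the article.
The pin must travel with the client (or in a signed manifest), never be
fetched from the same location as the artifact; otherwise whoever controls
that location controls the pin too. Sample artifacts are constructed."""
import hashlib
import hmac

# Refuse oversized downloads before hashing them, to bound work on junk input.
MAX_ARTIFACT_BYTES = 64 * 1024 * 1024


def pin_artifact(data: bytes) -> dict:
    """Publisher side: record digest and size of the genuine artifact at build time."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}


def verify_artifact(downloaded: bytes, pin: dict) -> tuple[bool, str]:
    """Client side: accept the download only if size and digest match the pin.

    Returns (accepted, reason). Anything other than (True, "ok") means the bytes
    must not be executed, unpacked or applied."""
    if len(downloaded) > MAX_ARTIFACT_BYTES:
        return False, "artifact exceeds size limit"
    if len(downloaded) != pin["size"]:
        return False, f"size mismatch: expected {pin['size']}, got {len(downloaded)}"
    digest = hashlib.sha256(downloaded).hexdigest()
    # Constant-time comparison; the digest is public, but this avoids relying
    # on the comparison's timing anywhere in the verification path.
    if not hmac.compare_digest(digest, pin["sha256"]):
        return False, "sha256 mismatch: artifact rejected"
    return True, "ok"


# Constructed stand-ins for an update binary and an altered copy of it.
GENUINE_UPDATE = b"\x7fELF constructed genuine update v2.4.1\n"
TAMPERED_UPDATE = b"\x7fELF constructed replacement payload v2.4.1\n"

# The pin is computed from the genuine bytes at release time and shipped with
# the client, so it does not depend on whatever the download URL serves later.
PINNED = pin_artifact(GENUINE_UPDATE)

if __name__ == "__main__":
    print(verify_artifact(GENUINE_UPDATE, PINNED))   # accepted
    print(verify_artifact(TAMPERED_UPDATE, PINNED))  # rejected
```

A digest pin only protects against substituted content; it does not tell the client that the location has been abandoned, so it belongs alongside, not instead of, removing dangling references from the update path.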

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.