Alt Title: How to take over the world using abandoned S3 Buckets

watchTowr has moved on from using expired domains to assume authority over entire TLDs and instead is using blind trust in S3 addresses to infiltrate governments and militaries across the world.

The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines - and then abandoned.

As for the research itself, it panned out progressively, with S3 buckets registered as they were discovered. It went rather quickly from “Haha, we could put our logo on this website” to “Uhhh, .mil, we should probably speak to someone”.

These S3 buckets received more than 8 million HTTP requests over a 2-month period for all sorts of things -

  • Software updates,
  • Pre-compiled (unsigned!) Windows, Linux and macOS binaries,
  • Virtual machine images (?!),
  • JavaScript files…
seang96@spgrn.com · 1 day ago

I always thought it was a bad idea for AWS to make the buckets unique globally. Attach the AWS account ID so it would always be unique, you can name a bucket whatever you want, and this attack vector wouldn’t be possible (unless you are AWS, I guess).
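As an added example (not watchTowr's tooling and not code from the post or the comment above), here is a Python audit a defender can run over a build or deploy config to find the kind of references the post lists: it extracts every S3 bucket name from the three common URL spellings, probes whether each bucket still exists (an unauthenticated HEAD on the bucket's endpoint answers 404 for a name nobody owns, 403 or 200 for one that does), and pins any artifact a pipeline downloads to a SHA-256 recorded at release time, which is the consumer-side answer to the ownership problem the comment raises when you cannot change how S3 names buckets. The config lines, bucket names and canned status codes are constructed; the `probe` parameter of `audit_references` is there so the audit can run offline against those canned results.

```python
"""Audit S3 bucket references in build/deploy configs for abandoned buckets.

Added example, not watchTowr's tooling or code from the post above. The
sample config, bucket names and canned status codes are constructed.
"""
import hashlib
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# A bucket name: 3-63 chars of lowercase letters, digits, dots and hyphens.
_BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"

# The three spellings of an S3 reference that show up in configs and code.
_PATTERNS = [
    re.compile(r"s3://(" + _BUCKET + r")"),                                       # s3://bucket/key
    re.compile(r"https?://(" + _BUCKET + r")\.s3[.-][a-z0-9.-]*amazonaws\.com"),  # bucket.s3.amazonaws.com
    re.compile(r"https?://s3[.-][a-z0-9.-]*amazonaws\.com/(" + _BUCKET + r")"),   # s3.amazonaws.com/bucket
]

# Constructed sample of a deployment pipeline config; these buckets are made up.
SAMPLE_CONFIG = """\
UPDATE_URL=https://updates-example-app.s3.amazonaws.com/latest/app-setup.exe
AMI_SOURCE=s3://vm-images-example-corp/base/ubuntu-22.04.qcow2
SCRIPT_SRC=https://s3.us-east-2.amazonaws.com/cdn-example-assets/app.min.js
MIRROR=s3://vm-images-example-corp/base/ubuntu-22.04.qcow2
"""


def extract_bucket_refs(text: str) -> List[str]:
    """Return every distinct bucket name referenced in text, in first-seen order."""
    seen: List[str] = []
    for line in text.splitlines():
        for pattern in _PATTERNS:
            for name in pattern.findall(line):
                if name not in seen:
                    seen.append(name)
    return seen


def classify_status(status: int) -> str:
    """Map the status of an unauthenticated HEAD on https://<bucket>.s3.amazonaws.com/."""
    if status == 404:
        return "MISSING"   # NoSuchBucket: the name is free, so whoever registers it serves your clients
    if status in (200, 301, 307, 403):
        return "EXISTS"    # public listing, redirect to its home region, or AccessDenied (private)
    return "UNKNOWN"       # throttling, outage, etc.: re-check rather than assume either way


def probe_bucket(name: str, timeout: float = 5.0) -> str:
    """Live check (uses the network). Only existence is tested; nothing is downloaded."""
    req = urllib.request.Request(f"https://{name}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_status(err.code)
    except (urllib.error.URLError, OSError):
        return "UNKNOWN"


def audit_references(text: str, probe: Callable[[str], str] = probe_bucket) -> Dict[str, str]:
    """Verdict per referenced bucket. Inject probe to run offline against canned results."""
    return {name: probe(name) for name in extract_bucket_refs(text)}


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Pin what a pipeline pulls from a bucket to a hash recorded when the release was cut."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    # Constructed responses standing in for the live probe so the demo runs offline.
    canned = {"updates-example-app": 404, "vm-images-example-corp": 403, "cdn-example-assets": 200}
    for bucket, verdict in audit_references(SAMPLE_CONFIG, lambda n: classify_status(canned[n])).items():
        print(f"{verdict:8} {bucket}")
```

A MISSING verdict is the finding to act on: either the reference is dead code and should be removed, or the pipeline is still fetching from it and the name should be re-registered by its rightful owner before anyone else does. EXISTS only says a bucket with that name is there, not that it is still yours, which is why the hash pin belongs in the pipeline regardless of the probe result.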