Alt Title: How to take over the world using abandoned S3 Buckets
watchTowr has moved on from using expired domains to assume authority over entire TLDs and is instead using blind trust in S3 addresses to infiltrate governments and militaries across the world.
The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines - and then abandoned.
As for the research itself, it panned out progressively, with S3 buckets registered as they were discovered. It went rather quickly from “Haha, we could put our logo on this website” to “Uhhh, .mil, we should probably speak to someone”.
These S3 buckets received more than 8 million HTTP requests over a 2-month period for all sorts of things -
- Software updates,
- Pre-compiled (unsigned!) Windows, Linux and macOS binaries,
- Virtual machine images (?!),
- JavaScript files…
I always thought it was a bad idea for AWS to make the buckets unique globally. Attach the AWS account ID so it would always be unique; you can name a bucket whatever you want, and this attack vector wouldn't be possible (unless you are AWS, I guess).
Good reminder to remove old DNS records that point to IPs or hostnames you no longer control or service providers you no longer use.
That’s the main attack vector here - you delete an S3 bucket but still have a subdomain CNAME’d to it, so anyone could create a new bucket with the same name and serve arbitrary files from your domain.
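An added audit check for the dangling-CNAME scenario described in these comments (example code written for this page, not from watchTowr or the commenters; the zone records and the set of still-owned buckets are constructed): it pulls the bucket name out of S3-style CNAME targets and flags any record whose bucket no longer exists.

```python
import re
from typing import Callable, List, Optional, Tuple

# S3 virtual-hosted and static-website hostnames: bucket.s3.amazonaws.com,
# bucket.s3.<region>.amazonaws.com, bucket.s3-website-<region>.amazonaws.com.
S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\."
    r"s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)

def s3_bucket_from_target(target: str) -> Optional[str]:
    """Return the bucket name if a CNAME target is an S3 endpoint, else None."""
    m = S3_HOST_RE.match(target.strip().lower())
    return m.group("bucket") if m else None

def parse_cname_records(zone_text: str) -> List[Tuple[str, str]]:
    """Extract (owner, target) from 'name [ttl] [IN] CNAME target' zone lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if "CNAME" in fields:
            i = fields.index("CNAME")
            records.append((fields[0].rstrip("."), fields[i + 1].rstrip(".")))
    return records

def head_status_means_exists(status: int) -> bool:
    """HEAD https://<bucket>.s3.amazonaws.com/ returns 404 only when the name is
    unclaimed; 200, 301 and 403 all mean some account already owns it."""
    return status != 404

def find_dangling_s3_cnames(zone_text: str, bucket_exists: Callable[[str], bool]
                            ) -> List[Tuple[str, str]]:
    """Return (hostname, bucket) for every CNAME whose S3 bucket no longer exists."""
    dangling = []
    for name, target in parse_cname_records(zone_text):
        bucket = s3_bucket_from_target(target)
        if bucket is not None and not bucket_exists(bucket):
            dangling.append((name, bucket))
    return dangling

# Constructed sample zone and a constructed oracle of which buckets we still own.
SAMPLE_ZONE = """\
; constructed example, not a real domain's records
downloads.example.com. 300 IN CNAME downloads-example.s3.amazonaws.com.
updates.example.com.   300 IN CNAME updates-example.s3.us-west-2.amazonaws.com.
www.example.com.       300 IN CNAME www.example.com.s3-website-us-east-1.amazonaws.com.
cdn.example.com.       300 IN CNAME d111111abcdef8.cloudfront.net.
"""
STILL_OWNED = {"downloads-example"}
```

Calling `find_dangling_s3_cnames(SAMPLE_ZONE, lambda b: b in STILL_OWNED)` reports the `updates` and `www` records as dangling; in a real audit, replace the lambda with a HEAD request against `https://<bucket>.s3.amazonaws.com/` interpreted by `head_status_means_exists`, and remove each flagged CNAME or re-create the bucket under your own account.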