Researchers have shown how abandoned Amazon S3 storage buckets can be taken over by outsiders, a weakness whose knock-on effect could potentially enable the biggest supply-chain attack in the internet’s history.
In November 2024, watchTowr Labs set out to show how a significant Internet-wide supply-chain attack could be caused by abandoned infrastructure left unattended and forgotten on the internet. The researchers chose to focus on Amazon’s S3 object storage service, in which data is kept in named containers called ‘buckets’.
WatchTowr discovered 150 Amazon S3 buckets that had previously been used by governments, Fortune 500 firms, technology companies, and major open-source projects. Bucket names are globally unique, but nothing stops a deleted bucket’s name from being created again by someone else. The security problem arises when an organization lets a bucket decay and eventually deletes it while its software, scripts and documentation still point at the old URL: bad actors can re-register the same name for themselves and receive every request that was meant for the original owner.
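The practical check that follows from this is to inventory every S3 bucket name your own software, installers and configs reference and ask S3 whether each name still exists. The script below is an added example written for this article, not watchTowr’s tooling: it pulls bucket names out of `s3://`, virtual-hosted and path-style URLs, classifies the bucket-root response (a 404 carrying `NoSuchBucket` means the name is unclaimed and therefore claimable), and optionally performs the live lookup. The manifest text is constructed sample input, the bucket names in it are hypothetical, and the live probe assumes the global path-style endpoint `https://s3.amazonaws.com/<bucket>/` still answers for the name (a bucket in another region returns a redirect rather than 404, which the classifier treats as ‘exists’).

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# S3 bucket-name charset: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit.
_NAME = r"[a-z0-9](?:[a-z0-9.-]{1,61}[a-z0-9])"

# Three URL shapes that carry a bucket name. The trailing lookahead rejects
# over-long labels instead of silently truncating them.
_PATTERNS = [
    # s3://bucket/key
    re.compile(r"s3://(" + _NAME + r")(?![a-z0-9.-])"),
    # https://bucket.s3.amazonaws.com/key  or  https://bucket.s3.<region>.amazonaws.com/key
    re.compile(r"https?://(" + _NAME + r")\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com(?![a-z0-9.-])"),
    # https://s3.amazonaws.com/bucket/key  or  https://s3.<region>.amazonaws.com/bucket/key
    re.compile(r"https?://s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com/(" + _NAME + r")(?![a-z0-9.-])"),
]

# Constructed sample input (hypothetical bucket names): the kind of references an
# installer or build script might still carry years after the bucket was deleted.
SAMPLE_MANIFEST = """\
UPDATE_URL=https://updates-prod-2019.s3.amazonaws.com/latest/agent.tar.gz
CDN_JS=https://s3.us-east-1.amazonaws.com/widget-assets-legacy/lib.min.js
VM_IMAGE=s3://build-artifacts-archive/images/base.qcow2
MIRROR=https://updates-prod-2019.s3.eu-west-1.amazonaws.com/latest/agent.tar.gz
NOT_S3=https://example.com/s3.amazonaws.com/not-a-bucket
"""


def extract_bucket_names(text: str) -> List[str]:
    """Return the distinct bucket names referenced in text, in order of first appearance."""
    hits = []
    for pat in _PATTERNS:
        for m in pat.finditer(text):
            hits.append((m.start(1), m.group(1)))
    seen, ordered = set(), []
    for _, name in sorted(hits):
        if name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


def classify_response(status: int, body: str) -> str:
    """Map the response to GET https://s3.amazonaws.com/<bucket>/ onto a bucket state.

    DANGLING: 404 with <Code>NoSuchBucket</Code>; the name is unclaimed, so any AWS
              account can create it and serve whatever the stale URLs ask for.
    EXISTS:   200 (listable), 403 (exists but private), 301/307 (exists in another
              region), or 404 for a missing object inside an existing bucket.
    """
    if status == 404 and "NoSuchBucket" in body:
        return "DANGLING"
    if status in (200, 301, 307, 403, 404):
        return "EXISTS"
    return "UNKNOWN"


def check_bucket(name: str, timeout: float = 10.0) -> str:
    """Live probe (needs network): fetch the bucket root and classify the answer."""
    url = f"https://s3.amazonaws.com/{name}/"
    req = urllib.request.Request(url, headers={"User-Agent": "dangling-s3-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 301/403/404 arrive here; the body is still readable
        return classify_response(err.code, err.read(4096).decode("utf-8", "replace"))


def find_dangling(text: str, probe: Callable[[str], str] = check_bucket) -> Dict[str, str]:
    """Extract every referenced bucket and probe it; probe is injectable for offline use."""
    return {name: probe(name) for name in extract_bucket_names(text)}


if __name__ == "__main__":
    # Offline demonstration with a stub probe; replace it with check_bucket for a real scan.
    stub = lambda n: "DANGLING" if n == "updates-prod-2019" else "EXISTS"
    for bucket, state in find_dangling(SAMPLE_MANIFEST, probe=stub).items():
        print(f"{state:9} {bucket}")
```

Run it against a checkout of your own code and config (concatenate the files and pass the text to `find_dangling` with the real `check_bucket`). Any name reported as DANGLING is a bucket you can, and should, re-create under your own account before someone else does; a stale reference to a bucket that still exists but is owned by someone you do not recognize deserves the same attention.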
“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far,” reports watchTowr Labs.
The researchers needed to spend only a little over $400 to register the 150 bucket names for themselves. They then sat back and watched the buckets receive over eight million HTTP requests in a two-month period, asking for software updates, JavaScript files, virtual machine images, and numerous other resources.
Incoming requests from NASA and others
The incoming requests came from the US National Aeronautics and Space Administration (NASA) and other US government networks, plus government organizations in the UK and other countries. WatchTowr also said requests were made by a “major payment card network,” a “major industrial product company”, Fortune 100 and Fortune 500 companies, universities around the world, casinos, global and regional banks, and even cybersecurity companies.
WatchTowr’s researchers believe that it would be a simple matter for any threat actor who had taken over the S3 buckets to respond in ways that would instantly compromise the organization that made the request, for example by replying with “a nefarious software update.” Because the requesting systems trust whatever the bucket returns, a response carrying hidden malware could, in theory, serve as a “Trojan horse” for infiltrating the organization’s IT systems, causing virtually incalculable damage.
But, according to watchTowr, this is not merely a problem concerning Amazon data storage services, but one which may be far more widespread, potentially impacting many more organizations in the US and elsewhere.
“Amazon’s S3 just happened to be the first storage solution we thought of, and we’re certain this same challenge would apply to any customer/organization usage of any storage solution provided by any cloud provider,” says watchTowr.