
Here’s all the ways an abandoned cloud instance can cause security issues

Research released Tuesday by watchTowr shows how easily an old storage bucket can be repurposed by malicious attackers.

There is a line of thought among the public that “the internet is forever.” A security company published research Tuesday that showed why “forever” can be a security nightmare. 

Over the course of four months, cybersecurity researchers at watchTowr monitored and ultimately took control of what they referred to as “abandoned” digital infrastructure, focusing on Amazon Web Services S3 buckets previously used by various entities ranging from governments and Fortune 500 companies to universities and cybersecurity firms.

Once the researchers found a rudimentary way to take ownership of the roughly 150 neglected buckets, they discovered that government entities and businesses of all kinds were still requesting data from them. Over a two-month period, the S3 buckets received more than 8 million HTTP requests for all sorts of files, including software updates, pre-compiled (unsigned) Windows, Linux, and macOS binaries, virtual machine images, JavaScript files, CloudFormation templates, and SSLVPN server configurations.

The findings emphasize that neglected cloud infrastructure, particularly when outdated configurations still point at it, leaves sensitive networks vulnerable to unauthorized access and sets the stage for highly damaging supply chain attacks.


“We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far — or put more clearly, we would’ve embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant,” the blog reads. 

Supply chain attacks, though not new, remain a formidable challenge. Real-world examples like the SolarWinds incident or the MOVEit breach have demonstrated the extensive impact that such attacks can have. The watchTowr investigation reveals that even unsophisticated attackers have the potential to inflict similar disruptions by hijacking neglected resources, including unverified software update links embedded in official government and corporate materials. 

WatchTowr researchers listed a slew of entities that communicated with the neglected assets: government networks in the United States (including NASA, numerous laboratories, and state governments), the United Kingdom, Poland, Australia, South Korea, Turkey, Taiwan, Chile, and other countries; military networks; Fortune 500 and Fortune 100 companies; a major payment card network; a major industrial product company; global and regional banks and financial services organizations; universities around the world; instant messenger software companies; cybersecurity technology companies; casinos; and many others.

WatchTowr’s researchers went to lengths to make clear that the research was not intended to single out Amazon Web Services or the original owners of the cloud infrastructure, but to highlight systemic weaknesses rooted in the mass adoption and subsequent abandonment of these resources. WatchTowr contacted AWS over the course of the research, and AWS ended up sinkholing the buckets after watchTowr turned them over.

“We will not entertain any conversation or speculation that we targeted any organization,” the company wrote. “It is clear that, like expired and abandoned domain names, this issue is prolific and not representative of any one organization’s approach to infrastructure or cybersecurity in isolation. Any conclusion that you come to around any individual organization’s security posture as a result of this research would be incorrect, misguided, and likely due to your own bias.”


An Amazon Web Services spokesperson told CyberScoop “the issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications,” and directed users to its guidance “on best practices, including using unique identifiers when creating bucket names to prevent unintended reuse, and ensuring applications are properly configured to reference only customer-owned buckets.”
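That guidance has two halves a practitioner can act on: find every bucket your code and configuration still point at, and confirm each one exists in your own account, so that none of them is a name a third party could re-create. The script below is an added example, not code from the watchTowr report or from AWS. It pulls bucket names out of the kinds of references the report describes (a Vagrant box URL, a CloudFormation TemplateURL, a download script, an `aws s3` command), flags any bucket that a pluggable ownership check does not vouch for, and includes a live checker built on S3 HeadBucket with `ExpectedBucketOwner`. The file contents, bucket names and the "owned" allowlist are constructed for illustration.

```python
"""Find S3 bucket references in code and config, and flag any that nobody in your account owns.

Added example, not code from the watchTowr report or from AWS.  File names,
bucket names and the allowlist below are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Callable

# Constructed sample files covering the reference styles the report describes.
SAMPLE_FILES = {
    "Vagrantfile": 'config.vm.box_url = "https://example-vm-images.s3.amazonaws.com/box/ubuntu-22.04.box"\n',
    "stack.yaml": "TemplateURL: https://s3.amazonaws.com/example-templates-2015/vpn/appliance.template\n",
    "deploy.sh": "curl -sSL https://s3.us-east-1.amazonaws.com/example-legacy-updates/agent.run | sh\n",
    "sync.sh": "aws s3 cp s3://example-internal-artifacts/build.tgz .\n",
    "README.md": "See https://docs.aws.amazon.com/s3/ for the service documentation.\n",
}

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit.
NAME = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
REGION = r"(?:[.-][a-z0-9-]+)?"  # optional ".us-east-1" / "-eu-west-1" endpoint segment
PATTERNS = [
    re.compile(r"s3://(" + NAME + r")(?=/|\s|$)"),                               # s3:// URI
    re.compile(r"https?://(" + NAME + r")\.s3" + REGION + r"\.amazonaws\.com"),  # virtual-hosted style
    re.compile(r"https?://s3" + REGION + r"\.amazonaws\.com/(" + NAME + r")"),   # path style
]


def extract_bucket_refs(text: str) -> list[tuple[str, str]]:
    """Return (bucket, matched_reference) pairs found in text, without duplicates."""
    found: list[tuple[str, str]] = []
    for pat in PATTERNS:
        for m in pat.finditer(text):
            pair = (m.group(1), m.group(0))
            if pair not in found:
                found.append(pair)
    return found


def find_claimable(files: dict[str, str], is_owned: Callable[[str], bool]) -> dict[str, list[str]]:
    """Map each file to the buckets it references that `is_owned` does not vouch for.

    `is_owned` decides whether a bucket exists in, and belongs to, your account.
    A bucket that fails that check is exactly the kind a third party could
    re-create under the same name and start serving content from.
    """
    report: dict[str, list[str]] = {}
    for path, text in files.items():
        unowned = sorted({bucket for bucket, _ in extract_bucket_refs(text) if not is_owned(bucket)})
        if unowned:
            report[path] = unowned
    return report


def aws_bucket_owned(bucket: str, account_id: str, s3_client=None) -> bool:
    """Live check (needs boto3 and credentials; not exercised offline).

    HeadBucket with ExpectedBucketOwner succeeds only if the bucket exists AND
    belongs to account_id.  A 403 means it exists but is someone else's; a 404
    means it is gone, i.e. anyone can claim the name.
    """
    import boto3  # imported lazily so the rest of the file runs without AWS
    from botocore.exceptions import ClientError

    client = s3_client or boto3.client("s3")
    try:
        client.head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
        return True
    except ClientError:
        return False


def unique_bucket_name(purpose: str, account_id: str, region: str) -> str:
    """Bake a unique identifier into the name, as AWS advises: 'updates' is easy to
    lose to someone else later; 'updates-123456789012-us-east-1' is not."""
    name = f"{purpose}-{account_id}-{region}".lower()
    if not re.fullmatch(NAME, name):
        raise ValueError(f"not a valid bucket name: {name!r}")
    return name


if __name__ == "__main__":
    owned = {"example-vm-images", "example-internal-artifacts"}  # constructed allowlist
    for path, buckets in find_claimable(SAMPLE_FILES, owned.__contains__).items():
        print(f"{path}: references bucket(s) this account does not own: {', '.join(buckets)}")
```

Run against a real tree, replace the allowlist with `lambda b: aws_bucket_owned(b, "<your account id>")` and walk the repository instead of `SAMPLE_FILES`; every bucket the report lists is one that should either be re-claimed by its rightful owner or have its reference removed.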

Among the individual security issues the research uncovered:

  • An abandoned S3 bucket linked from a 2012 CISA advisory that informed the public of a patch for software used to monitor and control heating and cooling systems in large buildings or communities. A malicious actor could have re-created the bucket under the same name to distribute malware or perform some other nefarious activity. CISA removed the link after being contacted by watchTowr.

“It is an incredible example of how this challenge is ubiquitous and not limited to only the unenlightened — even security professionals inside governments trip up here,” the researchers wrote. 

  • A dataset analysis revealed multiple abandoned S3 buckets tied to unnamed SSL VPN appliance vendors, from which deployments were still fetching templates and configurations. A malicious actor who took over the source of those configurations could impersonate legitimate users, access internal resources, conduct man-in-the-middle attacks, redirect communications, and manipulate the network with full control.
  • Researchers found systems using Vagrant, a tool for automating virtual machine setup, to source virtual machine images from abandoned S3 buckets. Because nothing stops a third party from re-creating such a bucket, an attacker could serve images with malicious code or backdoor user accounts baked in, enabling attacks such as credential theft, ransomware deployment, and unauthorized system access.

Researchers further determined that the window of opportunity for attackers to take advantage of these abandoned assets has been open for years, given how old some of the uncovered buckets are. Another S3 bucket researchers found, related to the emscripten project — a very popular open-source WebAssembly compiler — has been referenced since a GitHub commit made in 2015 that was never revisited.

“It is very scary to think that the ‘window of exploitation’ for this issue is so large — it seems reasonable to assume that at any point in (we are educated-guessing) those nine years, attackers were given the opportunity to claim this abandoned S3 bucket and start serving malware, subsequently compromising hosts,” the researchers wrote. 

Researchers at watchTowr said they had many more examples of neglected digital resources, each presenting potential avenues for exploitation. However, they believe the research points to a systemic issue with the way organizations of all sizes have embraced the broader concept of cloud computing.

“The reality is that there is a ‘simple’ root cause of all this strife. It’s not Amazon, S3, or even ‘the cloud,’” the researchers wrote. “The root cause stems from a mindset that has grown as friction to acquiring Internet infrastructure — be it S3 buckets, domain names, IP addresses, or whatever — has lessened. This mindset lulls us in and persuades us that Internet infrastructure is ‘easy come, easy go.’ In a world where registering a domain name costs a mere few dollars, and registering an Internet resource like an S3 bucket takes even less, it takes very little to inadvertently commit to maintaining a finite resource.”

You can read the full report on watchTowr’s website.


Update, 10:40 a.m.: This story has been updated with comment from Amazon Web Services.
