科技回声 (Tech Echo)
© 2025 科技回声. All rights reserved.

Delivering Malware Through Abandoned Amazon S3 Buckets

14 points by mhb, 3 months ago

4 comments

easton, 3 months ago
Original article: https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/

I suppose the lesson is to not publicize your bucket names, if possible? Or if not, leave them present but empty in AWS and don't actually delete the buckets?
Comment #43044692 not loaded
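The check a practitioner wants after reading this is "which bucket names do my own installers, update clients and docs still point at, and does anyone still own them?". The Go program below is an added example written for this page; it is not the watchTowr tooling and not code from anyone in this thread. It pulls bucket names out of a constructed sample artifact (the `acme-*` names, the `SampleConfig` text and the `PROBE_LIVE` switch are all made up for the example), and classifies the answer S3 gives to an unauthenticated HEAD on `https://<bucket>.s3.amazonaws.com/`: 404 means the name is currently unowned in the global namespace, which is exactly the situation the article exploits.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"regexp"
	"strings"
	"time"
)

// BucketStatus is what an unauthenticated request to
// https://<bucket>.s3.amazonaws.com/ tells you about a bucket name.
type BucketStatus string

const (
	StatusExists    BucketStatus = "exists (somebody owns this name)"
	StatusUnclaimed BucketStatus = "NoSuchBucket: name is currently unowned and could be re-registered"
	StatusUnknown   BucketStatus = "unknown (throttled, network error or unexpected status)"
)

// s3URL matches the two common S3 URL shapes and captures the bucket name:
// group 1 for virtual-host style (bucket.s3.amazonaws.com,
// bucket.s3.<region>.amazonaws.com, bucket.s3-<region>.amazonaws.com) and
// group 2 for path style (s3.amazonaws.com/bucket, s3.<region>.amazonaws.com/bucket).
// The trailing class rejects lookalike hosts such as foo.s3.amazonaws.com.evil.example.
// Dual-stack and access-point hostnames are deliberately not covered.
var s3URL = regexp.MustCompile(`(?i)https?://(?:` +
	`([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com` +
	`|s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com/([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])` +
	`)(?:[^a-z0-9.-]|$)`)

// SampleConfig is a constructed stand-in for the artifacts you would actually
// scan: installer scripts, update-client configs, Dockerfiles, READMEs.
const SampleConfig = `
UPDATE_URL=https://acme-agent-updates.s3.us-east-1.amazonaws.com/agent/latest.json
curl -fsSL https://s3.amazonaws.com/acme-legacy-installer/install.sh | sh
<img src="https://acme-assets-2019.s3-eu-west-1.amazonaws.com/logo.png">
# same bucket again, different URL shape: must not be reported twice
MIRROR=https://acme-agent-updates.s3.amazonaws.com/agent/latest.json
`

// ExtractBucketNames returns every distinct bucket name referenced by an S3
// URL in text, in order of first appearance.
func ExtractBucketNames(text string) []string {
	seen := map[string]bool{}
	var names []string
	for _, m := range s3URL.FindAllStringSubmatch(text, -1) {
		name := strings.ToLower(m[1] + m[2]) // exactly one of the two groups is non-empty
		if !seen[name] {
			seen[name] = true
			names = append(names, name)
		}
	}
	return names
}

// ClassifyResponse maps an S3 response to a BucketStatus. 404 means no bucket
// by that name exists anywhere in the global namespace; 200 and 403 mean it
// exists (listable or not); 301/307 mean it exists in another region. A GET
// body containing <Code>NoSuchBucket</Code> is the same signal as a 404.
func ClassifyResponse(status int, body string) BucketStatus {
	if strings.Contains(body, "<Code>NoSuchBucket</Code>") {
		return StatusUnclaimed
	}
	switch status {
	case http.StatusNotFound:
		return StatusUnclaimed
	case http.StatusOK, http.StatusForbidden, http.StatusMovedPermanently, http.StatusTemporaryRedirect:
		return StatusExists
	}
	return StatusUnknown
}

// ProbeBucket issues one unauthenticated HEAD against the global endpoint.
// Redirects are not followed so that a 301 (bucket lives elsewhere) is visible.
func ProbeBucket(name string) (BucketStatus, error) {
	client := &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Head("https://" + name + ".s3.amazonaws.com/")
	if err != nil {
		return StatusUnknown, err
	}
	resp.Body.Close()
	return ClassifyResponse(resp.StatusCode, ""), nil
}

func main() {
	for _, name := range ExtractBucketNames(SampleConfig) {
		if os.Getenv("PROBE_LIVE") == "" { // stays offline unless explicitly asked
			fmt.Printf("%-24s found in artifact (set PROBE_LIVE=1 to query S3)\n", name)
			continue
		}
		status, err := ProbeBucket(name)
		if err != nil {
			fmt.Printf("%-24s %s: %v\n", name, StatusUnknown, err)
			continue
		}
		fmt.Printf("%-24s %s\n", name, status)
	}
}
```

Two caveats on reading the result. A 404 only says that nobody owns the name right now; AWS can still refuse a create request for some names, so the definitive test is trying to create the bucket from your own account, which is also the remediation: re-claim every name your shipped software still references and keep the bucket, empty, rather than deleting it. And `StatusExists` tells you nothing about who the owner is; a name that returns 403 today may already be in someone else's account, so cross-check against the buckets your organization actually owns.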
mschuster91, 3 months ago
The fact that this is possible at all is mind-boggling.

Amazon is being a bad netizen here and has been from the start with S3 - yes, the original fault lies with careless app / appliance developers, obviously, but AWS has had sooo many security issues caused by their default settings, complex configuration, bucket takeover possibility and by having one large global namespace for all tenants instead of always adding the account ID as a suffix in the domain (like they do now with, say, ECR). Hell, if you know a juicy target bucket, you can just poll its name and wait for some poor sod to make a fat-finger mistake or not pay their bills and then immediately take over the bucket.

AWS should at the very least only allow re-registering a bucket from the original account - and if it or its super organization gets deleted, the bucket name is gone forever until someone can prove a legitimate claim by, say, providing corporate register documents.
Comment #43044708 not loaded
INTPenis, 3 months ago
Slightly related, but I noticed something interesting back when the Tor project released the Snowflake proxy. I was provisioning a VPS with Snowflake and due to some trial and error I had to re-provision a few times. One of the times I checked the web server logs and saw HTTP requests for theguardian.com.

I just kept provisioning so the IP is long lost, but it only took 3 attempts to get this IP from the cloud provider.

I still can't really explain it because the Guardian is not hosted at that cloud provider, but maybe it was a test environment? Also kinda scary that active requests were coming in.
Comment #43029334 not loaded
hypeatei, 3 months ago
> Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines—and then abandoned.

Couldn't this happen with a domain too? e.g. you stop paying and someone else takes it over but your app is still pinging it.

I don't see how AWS is really special here, to be honest. If you can't guarantee you'll always have <thing that provides updates> then you should probably add in a signing mechanism to your software to verify it's coming from the original devs.
Comment #43025680 not loaded
Comment #43025633 not loaded
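The signing mechanism hypeatei describes is what makes the download location untrusted by design: if the client only accepts payloads whose signed manifest verifies under a key pinned in the binary, re-registering the bucket (or the domain) gets an attacker a place to serve files, not the ability to get them executed. The Go program below is an added example written for this page, not code from the article, the thread or any vendor; the `Manifest` format, the `agent` product name and the payload bytes are constructed for the example. It uses Ed25519 from the standard library and binds the payload to the manifest through its SHA-256 digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the small document the vendor signs. The payload itself is not
// signed directly; it is bound to the manifest through its SHA-256 digest, so
// the client can fetch both from any untrusted location.
type Manifest struct {
	Name          string `json:"name"`
	Version       string `json:"version"`
	PayloadSHA256 string `json:"payload_sha256"`
}

// SignedManifest is what gets published next to the payload.
type SignedManifest struct {
	Manifest  []byte // the exact JSON bytes that were signed
	Signature []byte // Ed25519 signature over Manifest
}

// NewManifest builds a manifest describing payload.
func NewManifest(name, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Name: name, Version: version, PayloadSHA256: hex.EncodeToString(sum[:])}
}

// SignManifest runs on the vendor's release machine; priv never leaves it.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate runs on the client. pub is pinned in the binary at build time,
// so whoever controls the download location today cannot mint a valid
// manifest. The signature is checked before the manifest is even parsed.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA256 {
		return m, errors.New("payload digest does not match signed manifest: refusing update")
	}
	return m, nil
}

func main() {
	// Key generation happens once, at the vendor; only pub ships in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed sample update payload v1.2.3")
	sm, err := SignManifest(priv, NewManifest("agent", "1.2.3", payload))
	if err != nil {
		panic(err)
	}

	// Honest download: manifest and payload exactly as published.
	if m, err := VerifyUpdate(pub, sm, payload); err == nil {
		fmt.Printf("accepted %s %s\n", m.Name, m.Version)
	}

	// Download from a bucket someone else now controls: payload swapped,
	// the old signed manifest left in place because they cannot re-sign it.
	swapped := []byte("malicious payload dropped into the re-registered bucket")
	if _, err := VerifyUpdate(pub, sm, swapped); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Two things the example does not cover but a real updater needs: the public key must be embedded in the client (or in a trust root it already has), never fetched from the same bucket or domain as the update; and a signed manifest stays valid forever, so the client should also refuse versions older than the one it is running, otherwise whoever controls the bucket can replay an old, legitimately signed release.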