{"id":1942,"date":"2025-02-13T05:03:26","date_gmt":"2025-02-13T05:03:26","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/02\/13\/delivering-malware-through-abandoned-amazon-s3-buckets-html\/"},"modified":"2025-02-13T05:03:26","modified_gmt":"2025-02-13T05:03:26","slug":"delivering-malware-through-abandoned-amazon-s3-buckets-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/02\/13\/delivering-malware-through-abandoned-amazon-s3-buckets-html\/","title":{"rendered":"Delivering Malware Through Abandoned Amazon S3 Buckets"},"content":{"rendered":"\n<div>Delivering Malware Through Abandoned Amazon S3 Buckets<\/div>\n<div>\n<p>Here\u2019s a <a href=\"https:\/\/labs.watchtowr.com\/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur\/\">supply-chain attack<\/a> just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. 
Presumably the projects don\u2019t realize that they have been abandoned, and still ping them for patches, updates, etc.<\/p>\n<blockquote>\n<p>The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment\/update pipelines\u2014and then abandoned.<\/p>\n<p>Naturally, we registered them, just to see what would happen\u2014\u201chow many people are really trying to request software updates from S3 buckets that appear to have been abandoned months or even years ago?\u201d, we naively thought to ourselves.<\/p>\n<\/blockquote>\n<p>Turns out they got eight million requests over two months.<\/p>\n<p>Had this been an actual attack, they would have modified the code in those buckets to contain malware and watched as it was incorporated in different software builds around the internet. This is basically the SolarWinds attack, but much more extensive.<\/p>\n<p>But there\u2019s a second dimension to this attack. Because these update buckets are abandoned, the developers who are using them also no longer have the power to patch them automatically to protect them. The mechanism they would use to do so is now in the hands of adversaries. Moreover, often\u2014but not always\u2014losing the bucket that they\u2019d use for it also removes the original vendor\u2019s ability to identify the vulnerable software in the first place. That hampers their ability to communicate with vulnerable installations.<\/p>\n<p>Software supply-chain security is an absolute mess. And it\u2019s not going to be easy, or cheap, to fix. Which means that it won\u2019t be. 
Which is an even worse mess.<\/p>\n<\/div>\n<p>Bruce Schneier<br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2025\/02\/delivering-malware-through-abandoned-amazon-s3-buckets.html\">Go to bruce schneier<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Delivering Malware Through Abandoned Amazon S3 Buckets Here\u2019s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don\u2019t realize that they have been abandoned, and still ping them for [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,258,254,407,1],"tags":[87],"class_list":["post-1942","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-malware","category-software","category-supply-chain","category-uncategorized","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1942"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1942"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1942\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1942"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/
wp-json\/wp\/v2\/categories?post=1942"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1942"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}