Extensive software supply chain compromise possible with deserted AWS S3 buckets
![cyber crime assessment , security awareness , malware detection](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2024/09/091924_cybercrime.jpg)
(Adobe Stock)
Threat actors could hijack neglected AWS S3 buckets to conduct a global software supply chain attack significantly more damaging than the sweeping SolarWinds hack nearly five years ago, reports The Register.

Nearly 150 S3 buckets previously used by cybersecurity firms, governments, Fortune 500 companies, and open source projects could be re-registered with the same AWS account name to inject executables and/or code into deployment code or software update mechanisms, according to an analysis from watchTowr Labs researchers, who have already sinkholed all of the abandoned buckets to prevent potential compromise.

watchTowr founder and CEO Benjamin Harris said the issue could be easily addressed if Amazon prohibited the reuse of S3 bucket names. "This approach would entirely kill this vulnerability class (abandoned infrastructure) in the context of AWS S3," said Harris.

Meanwhile, AWS noted that it has introduced a bucket ownership condition feature that curbs inadvertent bucket name reuse. "After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created," said an AWS spokesperson.
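For teams auditing their own exposure to this class of issue, the sketch below scans a deployment script for S3 references and reports any bucket that is missing from the organization's inventory of owned buckets. It is an added example, not code from watchTowr, AWS, or The Register; the bucket names, the sample script, and the `OWNED` inventory are constructed placeholders.

```python
import re

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# Global and regional S3 endpoints (s3.amazonaws.com, s3.<region>..., s3-<region>...).
HOST = r"s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com"
PATTERNS = [
    re.compile(r"s3://" + BUCKET),                    # s3://bucket/key
    re.compile(r"https?://" + BUCKET + r"\." + HOST),  # virtual-hosted style
    re.compile(r"https?://" + HOST + r"/" + BUCKET),   # path style
]

def find_bucket_refs(text):
    """Return sorted, de-duplicated (line_number, bucket_name) pairs found in text."""
    refs = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in PATTERNS:
            for match in pattern.finditer(line.lower()):
                refs.add((line_no, match.group(1)))
    return sorted(refs)

def unowned_refs(text, owned):
    """References to buckets that are absent from the owned-bucket inventory."""
    return [(n, b) for n, b in find_bucket_refs(text) if b not in owned]

# Constructed sample: a deployment script mixing the three reference styles.
SAMPLE = """\
#!/bin/sh
# constructed sample deployment script
curl -fsSL https://example-legacy-installer.s3.amazonaws.com/install.sh -o install.sh
aws s3 cp s3://example-prod-artifacts/agent.tar.gz /tmp/
wget https://s3.us-east-1.amazonaws.com/example-old-mirror/pkg.deb
curl -O https://example-prod-artifacts.s3.us-west-2.amazonaws.com/agent.sig
"""
# Constructed inventory; in practice, export this from the accounts you control.
OWNED = {"example-prod-artifacts"}

if __name__ == "__main__":
    for line_no, bucket in unowned_refs(SAMPLE, OWNED):
        print(f"line {line_no}: '{bucket}' is referenced but not in the owned inventory")
```

Each flagged reference is a candidate for removal or for repointing to a bucket the organization still controls.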