8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur

by janrinok from SoylentNews on (#6VA09)

fliptop writes:

Surprise surprise, we've done it again. We've demonstrated an ability to compromise significantly sensitive networks, including governments, militaries, space agencies, cyber security companies, supply chains, software development systems and environments, and more:

Arguably armed still with a somewhat inhibited ability to perceive risk and seemingly no fear, in November 2024, we decided to prove out the scenario of a significant Internet-wide supply chain attack caused by abandoned infrastructure. This time however, we dropped our obsession with expired domains, and instead shifted our focus to Amazon's S3 buckets.

It's important to note that although we focused on Amazon's S3 for this endeavour, this research challenge, approach and theme is cloud-provider agnostic and applicable to any managed storage solution. Amazon's S3 just happened to be the first storage solution we thought of, and we're certain this same challenge would apply to any customer/organization usage of any storage solution provided by any cloud provider.

The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines - and then abandoned.

Naturally, we registered them, just to see what would happen - "how many people are really trying to request software updates from S3 buckets that appear to have been abandoned months or even years ago?", we naively thought to ourselves.

[...] These S3 buckets received more than 8 million HTTP requests over a 2 month period for all sorts of things -

  • Software updates,
  • Pre-compiled (unsigned!) Windows, Linux and macOS binaries,
  • Virtual machine images (?!),
  • JavaScript files,
  • CloudFormation templates,
  • SSLVPN server configurations,
  • and more.

The article goes on to describe where the requests came from and provides some details on getting the word to the right companies and what actions they took. Originally spotted on Schneier on Security.
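An added example, not code from the watchTowr write-up or from SoylentNews: a small Python inventory script that pulls Amazon S3 bucket references out of a codebase's config, script and documentation text, so a team can list which buckets its update and deployment paths still depend on and confirm each one is still owned. It handles the `s3://` URI form, virtual-hosted hostnames and path-style URLs; the file names and bucket names in the sample are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Set

# Bucket names are 3-63 characters of lowercase letters, digits, dots and hyphens.
_BUCKET = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# "s3" plus optional region / dualstack labels, e.g. s3.amazonaws.com,
# s3.us-east-1.amazonaws.com or the legacy s3-eu-west-1.amazonaws.com.
_S3_HOST = r"s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com"
# Reject matches that continue into a longer hostname such as amazonaws.com.evil.example.
_END = r"(?![a-z0-9-]|\.[a-z0-9-])"

S3_PATTERNS = [
    # s3://bucket/key
    re.compile(r"s3://" + _BUCKET, re.I),
    # virtual-hosted style: https://bucket.s3.<region>.amazonaws.com/key
    re.compile(r"(?<![a-z0-9.-])" + _BUCKET + r"\." + _S3_HOST + _END, re.I),
    # path style: https://s3.<region>.amazonaws.com/bucket/key
    re.compile(r"(?<![a-z0-9.-])" + _S3_HOST + r"/" + _BUCKET + _END, re.I),
]


def find_s3_references(sources: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each referenced bucket name to the 'path:line' locations that cite it."""
    refs: Dict[str, Set[str]] = defaultdict(set)
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern in S3_PATTERNS:
                for match in pattern.finditer(line):
                    refs[match.group("bucket").lower()].add(f"{path}:{lineno}")
    return dict(refs)


# Constructed sample inputs standing in for files pulled from a repository.
SAMPLE_SOURCES = {
    "updater/config.ini": "update_url = https://acme-updates.s3.amazonaws.com/win/latest.exe\n",
    "deploy/stack.yaml": "  TemplateURL: https://s3.us-east-1.amazonaws.com/acme-cfn-templates/vpc.yaml\n",
    "scripts/sync.sh": "aws s3 cp s3://acme-vm-images/base.ova .\n",
    "docs/README.md": "Endpoint: acme-updates.s3-eu-west-1.amazonaws.com (see notes)\n",
}

if __name__ == "__main__":
    # Each bucket listed here is one a team should confirm it still owns.
    for bucket, places in sorted(find_s3_references(SAMPLE_SOURCES).items()):
        print(f"{bucket}: {', '.join(sorted(places))}")
```

Feed it the contents of real repositories, installer configs and CI definitions; any bucket in the output that nobody in the organisation can account for is exactly the kind of dangling reference the research above describes.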
