this post was submitted on 19 Feb 2025
47 points (100.0% liked)

Technology

Alt Title: How to take over the world using abandoned S3 Buckets

watchTowr has moved on from using expired domains to assume authority over entire TLDs and instead is using blind trust in S3 addresses to infiltrate governments and militaries across the world.

The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines - and then abandoned.

As for the research itself, it panned out progressively, with S3 buckets registered as they were discovered. It went rather quickly from “Haha, we could put our logo on this website” to “Uhhh, .mil, we should probably speak to someone”.

These S3 buckets received more than 8 million HTTP requests over a 2 month period for all sorts of things -

  • Software updates,
  • Pre-compiled (unsigned!) Windows, Linux and macOS binaries,
  • Virtual machine images (?!),
  • JavaScript files...

top 2 comments
[–] seang96@spgrn.com 5 points 12 hours ago

I always thought it was a bad idea for AWS to make the buckets unique globally. Attach the AWS account ID so it would always be unique, you can name a bucket whatever you want, and this attack vector wouldn't be possible (unless you are AWS, I guess).

[–] dan@upvote.au 20 points 1 day ago* (last edited 1 day ago)

Good reminder to remove old DNS records that point to IPs or hostnames you no longer control or service providers you no longer use.

That's the main attack vector here - you delete an S3 bucket but still have a subdomain CNAME'd to it, so anyone could create a new bucket with the same name and serve arbitrary files from your domain.
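As an added example, not from the post, from either commenter, or from watchTowr's own tooling, here is the audit dan@upvote.au describes, which also covers the abandoned-bucket pattern in the post body: scan a DNS zone export for CNAME records that target S3 endpoints, extract the bucket name, and flag any record whose bucket is not in the account's own bucket inventory. The zone text, the bucket inventory and every hostname in them are constructed sample data; the inventory would normally come from `aws s3api list-buckets` in each of your accounts.

```python
import re

# Constructed BIND-style zone export (sample data, not from the page).
SAMPLE_ZONE = """\
; example.com zone export (constructed sample)
www.example.com.        300 IN CNAME  www-assets.s3.amazonaws.com.
downloads.example.com.  300 IN CNAME  example-downloads.s3-website-us-east-1.amazonaws.com.
cdn.example.com.        300 IN CNAME  d111111abcdef8.cloudfront.net.
legacy.example.com.     300 IN CNAME  old-installer-mirror.s3.eu-west-1.amazonaws.com.
mail.example.com.       300 IN MX     10 mail.example.com.
"""

# Constructed inventory of buckets the organisation still owns (hypothetical,
# e.g. collected from `aws s3api list-buckets` across all of its accounts).
OWNED_BUCKETS = {"www-assets", "example-downloads"}

# S3 hostname forms a CNAME can point at: <bucket>.s3.amazonaws.com,
# <bucket>.s3.<region>.amazonaws.com and <bucket>.s3-website-<region>.amazonaws.com.
# Bucket names may contain dots, so the engine backtracks to find the split
# where the remainder is a valid S3 endpoint suffix.
S3_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\."
    r"(?:s3|s3-website[-.][a-z0-9-]+|s3\.[a-z0-9-]+)"
    r"\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def parse_cnames(zone_text):
    """Return [(owner, target)] for every CNAME record in a BIND-style zone export."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()  # owner [ttl] [class] type rdata
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        owner, target = fields[0], fields[idx + 1]
        records.append((owner.rstrip("."), target.rstrip(".")))
    return records


def s3_bucket_from_target(target):
    """Bucket name if `target` is an S3 bucket hostname, else None."""
    m = S3_TARGET.match(target)
    return m.group("bucket").lower() if m else None


def find_dangling_s3_cnames(zone_text, owned_buckets):
    """Return [(owner, bucket)] for CNAMEs whose S3 bucket is not in owned_buckets.

    Any such record is either a bucket you deleted (a takeover candidate until the
    record is removed) or a bucket in an account missing from your inventory;
    both should be reviewed before the zone is considered clean.
    """
    owned = {b.lower() for b in owned_buckets}
    dangling = []
    for owner, target in parse_cnames(zone_text):
        bucket = s3_bucket_from_target(target)
        if bucket is not None and bucket not in owned:
            dangling.append((owner, bucket))
    return dangling


if __name__ == "__main__":
    for owner, bucket in find_dangling_s3_cnames(SAMPLE_ZONE, OWNED_BUCKETS):
        print(f"DANGLING: {owner} -> bucket '{bucket}' is not in the bucket inventory")
```

The check compares against your own inventory rather than probing S3, so it runs offline and does not depend on whether someone else has already registered the name; the CloudFront record is left alone because the regex only recognises S3 endpoint suffixes, and the `legacy.example.com` record is reported because its bucket is absent from the inventory.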