Cybersecurity firm WatchTowr has uncovered a significant security risk involving abandoned Amazon S3 buckets that could have been exploited by threat actors to distribute malware and backdoors to governments and major corporations.
The researchers identified approximately 150 abandoned S3 buckets that commercial and open-source software products had once used to host files. The root cause is that S3 bucket names live in a single global namespace: once the original owner deletes a bucket, anyone with an AWS account can create a new bucket under the same name, and any software that still hard-codes the old URL will fetch whatever the new owner puts there. Over a two-month period, WatchTowr registered and monitored these buckets, receiving over eight million HTTP requests for critical assets such as software updates, VM images, JavaScript files, SSL VPN server configurations, and CloudFormation templates. Had these bucket names fallen into the hands of malicious actors, they could have been used to deliver backdoored software updates, tampered VM images, and other malware, potentially leading to large-scale supply chain attacks.
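The practical check after reading this is to scan your own code, build scripts and templates for S3 references and then see what S3 says about each bucket name. The Python below is an added example, not WatchTowr's tooling: it extracts bucket names from the common S3 URL forms (virtual-hosted and path-style, with or without a region label) and classifies S3 responses into dangling or existing. To run offline it uses constructed snippets and constructed responses shaped like S3's real XML error documents; a live scanner would issue the GET itself. All bucket names, URLs and snippets here are invented.

```python
"""
Added example (not from the original article or from WatchTowr):
find S3 bucket references in source/config text and decide which names
are dangling, i.e. unclaimed and therefore re-creatable by anyone.
Runs offline: the snippets and S3 responses below are constructed, but
the response bodies follow the shape of S3's real XML error documents.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Virtual-hosted style (bucket.s3[.region].amazonaws.com) and path style
# (s3[.region].amazonaws.com/bucket). The trailing lookahead stops
# lookalike hosts such as s3.amazonaws.com.evil.example from matching.
S3_URL_RE = re.compile(
    r"https?://(?:"
    r"(?P<vhost>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com"
    r"|s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com/(?P<path>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r")(?![a-z0-9.-])",
    re.IGNORECASE,
)


def extract_buckets(text: str) -> list[str]:
    """Bucket names referenced in `text`, lower-cased, in first-seen order."""
    seen: list[str] = []
    for m in S3_URL_RE.finditer(text):
        name = (m.group("vhost") or m.group("path")).lower()
        if name not in seen:
            seen.append(name)
    return seen


@dataclass(frozen=True)
class Verdict:
    bucket: str
    status: str  # "dangling", "exists" or "unknown"
    reason: str


def _error_code(body: str) -> str:
    m = re.search(r"<Code>([A-Za-z]+)</Code>", body)
    return m.group(1) if m else ""


def classify_response(bucket: str, http_status: int, body: str) -> Verdict:
    """
    Interpret the response to GET https://<bucket>.s3.amazonaws.com/.
    DNS is no signal: *.s3.amazonaws.com resolves for any syntactically
    valid name, so only the HTTP response says whether the name is claimed.
    """
    code = _error_code(body)
    if http_status == 404 and code == "NoSuchBucket":
        return Verdict(bucket, "dangling",
                       "NoSuchBucket: unclaimed name, any AWS account can create it")
    if http_status == 404 and code == "NoSuchKey":
        return Verdict(bucket, "exists", "bucket exists; only the key is missing")
    if http_status == 403 and code in ("AccessDenied", "AllAccessDisabled"):
        return Verdict(bucket, "exists", f"bucket exists but is private ({code})")
    if http_status == 301 and code == "PermanentRedirect":
        return Verdict(bucket, "exists", "bucket exists in another region")
    if http_status == 200:
        return Verdict(bucket, "exists", "bucket exists and served content")
    return Verdict(bucket, "unknown", f"unexpected response: {http_status} {code}".rstrip())


def dangling_buckets(text: str, responses: dict[str, tuple[int, str]]) -> list[str]:
    """Names referenced in `text` whose recorded (status, body) show them unclaimed."""
    verdicts = [classify_response(b, *responses.get(b, (0, ""))) for b in extract_buckets(text)]
    return sorted(v.bucket for v in verdicts if v.status == "dangling")


# Constructed sample input: the kinds of lines a scan of a repository would hit.
SAMPLE_TEXT = """
UPDATE_URL = "https://updates.example-app.s3.amazonaws.com/v2/latest.json"
image_src: https://s3.eu-west-1.amazonaws.com/legacy-vm-images/ubuntu-2004.ova
<script src="https://cdn-assets-prod.s3.us-east-1.amazonaws.com/app.js"></script>
TemplateURL: https://s3.amazonaws.com/cfn-templates-2019/stack.yaml
# lookalike host, must not match: https://s3.amazonaws.com.evil.example/x
"""

# Constructed responses standing in for the GET a live scanner would send.
SAMPLE_RESPONSES: dict[str, tuple[int, str]] = {
    "updates.example-app": (404, '<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                                 '<Message>The specified bucket does not exist</Message>'
                                 '<BucketName>updates.example-app</BucketName></Error>'),
    "legacy-vm-images": (403, '<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'),
    "cdn-assets-prod": (301, '<Error><Code>PermanentRedirect</Code><Message>The bucket you are attempting '
                             'to access must be addressed using the specified endpoint.</Message></Error>'),
    "cfn-templates-2019": (404, '<Error><Code>NoSuchBucket</Code>'
                                '<Message>The specified bucket does not exist</Message></Error>'),
}

if __name__ == "__main__":
    for name in extract_buckets(SAMPLE_TEXT):
        print(classify_response(name, *SAMPLE_RESPONSES[name]))
    print("dangling:", dangling_buckets(SAMPLE_TEXT, SAMPLE_RESPONSES))
```

A dangling verdict is the finding to act on: either re-create the bucket in an account you control and keep it, or remove the reference from every shipped artefact that still points at it. A 403 or a 301 is not a finding, only evidence that someone currently holds the name, which could itself be a squatter; ownership of those should be confirmed against your own AWS accounts.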
Further analysis revealed that requests originated from a range of high-profile sources, including government and military networks in the US, UK, Australia, and South Korea, as well as Fortune 100 and Fortune 500 companies, banks, universities, and even cybersecurity firms. WatchTowr emphasized the severity of this risk, stating that in the wrong hands the attack potential could have surpassed the impact of the notorious SolarWinds breach. The firm collaborated with AWS and government agencies in the US and UK to secure the abandoned buckets before they could be misused. This discovery follows previous research by WatchTowr on the same theme of expired infrastructure: hijacking over 4,000 live backdoors by registering the expired domains they called home to, and taking control of the .mobi TLD's legacy WHOIS server by buying its expired domain for just $20.