Schneier on Security: Delivering Malware Through Abandoned Amazon S3 Buckets

Source URL: https://www.schneier.com/blog/archives/2025/02/delivering-malware-through-abandoned-amazon-s3-buckets.html
Source: Schneier on Security
Title: Delivering Malware Through Abandoned Amazon S3 Buckets

Feedly Summary: Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that they have been abandoned, and still ping them for patches, updates, etc.
The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines—and then abandoned…

AI Summary and Description: Yes

Summary: The text discusses a critical vulnerability in the software supply chain, centering on the discovery of abandoned Amazon S3 buckets that could be exploited in a malicious supply-chain attack. The issue poses significant risks to software security and highlights gaps in the ability of developers and vendors to secure and manage their projects effectively.

Detailed Description:

The content highlights a weak spot in software supply-chain security: abandoned resources that are still fetched by various software products. Key points include:

– **Abandoned Amazon S3 Buckets**: Researchers identified and registered abandoned Amazon S3 storage buckets that contained software libraries utilized in commercial and open-source software. This action raised questions about the security implications of these resources remaining unmonitored.
– **High Volume of Requests**: These buckets generated around eight million requests over a two-month period, indicating that many projects continued to rely on them despite their abandonment.
– **Potential Attack Scenario**: The researchers pointed out that an attacker could have modified the content in these buckets to introduce malware, subsequently integrating it into numerous software builds across the internet. This scenario is reminiscent of the SolarWinds attack but could have far-reaching implications due to the scale of the vulnerability.
– **Impact on Developers and Vendors**: Because these buckets are abandoned, developers cannot patch what is served from them automatically, and communication about vulnerabilities becomes harder. The original vendors may lose visibility into what has been deployed, making it exceedingly difficult to track and fix vulnerabilities across their software installations.
– **Broader Implications for Software Supply Chain Security**: The text concludes that software supply-chain security is currently in disarray. The implications of such vulnerabilities indicate a pressing need for organizations to address these weaknesses, although it may be costly and complex to implement effective solutions.

Given these insights, security and compliance professionals must prioritize the monitoring and management of software supply chains, address abandoned resources proactively, and implement robust mechanisms to detect, patch, and communicate vulnerabilities.
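One concrete mechanism of the kind described above is to inventory every S3 reference in a build or update configuration and refuse any artifact whose SHA-256 no longer matches the digest pinned at review time, so that content served from a bucket that has changed hands is rejected rather than built in. The code below is an added example, not code from the Schneier post or the researchers' work; the bucket names, config text, served bytes and pins are constructed, and the config parser is a simple whitespace tokenizer rather than a full YAML parser.

```python
import hashlib
from urllib.parse import urlparse

def _parse(url):
    """Return (bucket, key) for an s3://, virtual-hosted or path-style S3 URL, else None."""
    u = urlparse(url)
    host, path = u.netloc.lower(), u.path.lstrip("/")
    if u.scheme == "s3":
        return host, path
    if not host.endswith(".amazonaws.com"):
        return None
    labels = host[: -len(".amazonaws.com")].split(".")
    # Service label is "s3" (optionally followed by .<region>) or legacy "s3-<region>".
    idx = next((i for i, l in enumerate(labels) if l == "s3" or l.startswith("s3-")), None)
    if idx is None:
        return None
    if idx == 0:  # path-style: the bucket is the first path segment
        return path.partition("/")[::2]
    return ".".join(labels[:idx]), path  # virtual-hosted: labels before the service label

def extract_s3_refs(text):
    """(bucket, key, url) for each S3 URL in text; whitespace-split tokens, quotes stripped."""
    tokens = (t.strip("'\",") for t in text.split() if "://" in t)
    return [(*p, u) for p, u in ((_parse(t), t) for t in tokens) if p]

def audit_refs(config_text, pins, fetch):
    """Classify each S3 url as "ok", "tampered" or "unpinned" (pins: url -> SHA-256 hex)."""
    report = {}
    for _bucket, _key, url in extract_s3_refs(config_text):
        if url not in pins:
            report[url] = "unpinned"  # nothing to compare against; surface as a finding
        else:  # a bucket re-registered by a stranger can serve whatever it likes
            served = hashlib.sha256(fetch(url)).hexdigest()
            report[url] = "ok" if served == pins[url] else "tampered"
    return report

# Constructed sample config, served bytes and pins; no real buckets or artifacts.
SAMPLE_CONFIG = """
installer: https://example-pkg.s3.amazonaws.com/v1/agent.tar.gz
feed: s3://example-updates/feed.json
legacy: https://s3-us-west-2.amazonaws.com/example-legacy/tool.zip
"""
SERVED = {
    "https://example-pkg.s3.amazonaws.com/v1/agent.tar.gz": b"good agent",
    "s3://example-updates/feed.json": b"feed rewritten after bucket takeover",
    "https://s3-us-west-2.amazonaws.com/example-legacy/tool.zip": b"tool",
}
PINS = {url: hashlib.sha256(body).hexdigest() for url, body in [
    ("https://example-pkg.s3.amazonaws.com/v1/agent.tar.gz", b"good agent"),
    ("s3://example-updates/feed.json", b"original feed"),
]}
```

`audit_refs(SAMPLE_CONFIG, PINS, SERVED.__getitem__)` reports the installer as "ok", the rewritten feed as "tampered" and the legacy tool as "unpinned"; in a real pipeline `fetch` would be the download step and the "unpinned" findings are the references to fix first.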