8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur

Surprise surprise, we've done it again. We've demonstrated an ability to compromise significantly sensitive networks, including governments, militaries, space agencies, cyber security companies, supply chains, software development systems and environments, and more. “Ugh, won’t they just stick to creating poor-quality memes?” we hear you moan. Maybe we should, maybe

watchTowr Labs
@Viss This is great stuff. Two things that I don't understand -- maybe they said and I missed it...
- How did they get the list of deleted bucket names to attack?
- Why does Amazon even make it possible to re-register a deleted bucket? These URLs aren't valuable/rare real estate like domain names.

@jwz they intentionally didn't say because if they did there would immediately be copycats doing terrible things. they mentioned that they wrote a custom tool called 'kidwithafork' and basically lampshade that and move on immediately

and amazon does a ton of weird shit. last I heard how their cloudfront waf works, it's just some python glue and nabbing some random ip blocklists. my colo network landed on one somehow and I had to chase it down. swooping s3 bucket names has been a thing for a while
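As an added defender-side example (not from the thread, watchTowr, or AWS), a Python inventory check that pulls S3 bucket names out of URLs found in build scripts and manifests and flags any that are absent from the account's own bucket list, which is where a dangling, re-registrable reference would show up. The URLs and the owned-bucket set below are constructed sample data; in practice the set comes from your own account inventory.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Matches S3 endpoint hosts: "s3.amazonaws.com", "s3.<region>.amazonaws.com",
# "s3-<region>.amazonaws.com", optionally prefixed by a virtual-hosted bucket name.
_S3_HOST = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)


def bucket_from_url(url: str) -> Optional[str]:
    """Return the bucket name an S3 URL points at, or None if it is not S3."""
    p = urlparse(url)
    if p.scheme == "s3":                      # s3://bucket/key
        return p.netloc or None
    m = _S3_HOST.match(p.netloc.lower())
    if not m:
        return None
    if m.group("bucket"):                     # virtual-hosted style
        return m.group("bucket")
    first = p.path.lstrip("/").split("/", 1)[0]   # path-style: /bucket/key
    return first or None


def find_unowned(urls: Iterable[str], owned: Iterable[str]) -> Dict[str, List[str]]:
    """Map each referenced bucket not in `owned` to the URLs that reference it.

    A name that your code still fetches from but that no account you control
    holds is exactly the kind of reference an abandoned-bucket takeover abuses.
    """
    owned_set = set(owned)
    refs: Dict[str, List[str]] = {}
    for u in urls:
        b = bucket_from_url(u)
        if b:
            refs.setdefault(b, []).append(u)
    return {b: us for b, us in refs.items() if b not in owned_set}


# Constructed sample: URLs as they might appear in a build script or manifest.
SAMPLE_URLS = [
    "https://release-artifacts.s3.us-east-1.amazonaws.com/v2/installer.sh",
    "https://s3.amazonaws.com/legacy-assets/tool-1.0.tgz",
    "s3://release-artifacts/v2/checksums.txt",
    "https://s3-eu-west-1.amazonaws.com/old-ci-cache/deps.zip",
    "https://example.com/not-s3/tool.tgz",
]
# Constructed sample: bucket names the organisation actually owns.
OWNED_BUCKETS = {"release-artifacts"}
```

Anything `find_unowned` returns should be checked against AWS directly (for example with a HeadBucket call using ExpectedBucketOwner) before deciding whether the reference is dead or already claimed by someone else.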

@Viss @jwz they’ve added namespaces for buckets, which I’d hoped would cover it - https://aws.amazon.com/blogs/aws/introducing-account-regional-namespaces-for-amazon-s3-general-purpose-buckets/ - but I think that only handles internal use so far, or from now on
Introducing account regional namespaces for Amazon S3 general purpose buckets | Amazon Web Services

AWS launches a new feature of Amazon S3 that lets you create general purpose buckets in your own account regional namespace simplifying bucket creation and management as your data storage needs grow in size and scope.

Amazon Web Services