Edge of Tomorrow: Foiling Large Supply Chain Attacks By Taking 5k Abandoned S3 Buckets from Malware and Benign Software

Presented at DEF CON 33 (2025), Aug. 8, 2025, 12:30 p.m. (45 minutes).

Imagine one sunny morning you read the news: a crypto worm is targeting 100+ organizations around the world. The authorities estimate that during the first days of the attack ~28,000 hosts in 158 countries were affected, including 24 nation-state and European Union assets, major banks, and tech companies. Since then, the worm has spread and is now everywhere. The industry doesn't know the main source of the attack. There are many backdoored artifacts reportedly used by the victims, with no obvious connections between them. Eventually, a security researcher connects all the dots and finds the source: compromised, abandoned AWS S3 buckets. The risk that researchers warned about in the past has materialized on a truly gigantic scale: 5155 buckets were affected. Luckily, this incident has never happened. The buckets used in that hypothetical scenario were claimed by a security researcher and taken down by the cloud provider. In this talk, we will dissect the anatomy of such an attack. We will show that adversaries equipped with big data analysis instruments and custom LLM agents can take these scenarios to the next level by automating and scaling them. We will share statistical insights and 9 concrete stories illustrating potential victim profiles and attack vectors. Finally, we will discuss remediation actions that would eliminate the risk once and for all.

References:

1. [link](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)
2. [link](https://www.f5.com/labs/articles/threat-intelligence/the-dangers-of-dns-hijacking)
3. [link](https://www.theregister.com/2022/05/24/pypi_ctx_package_compromised/)
4. [link](https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers/)
5. [link](https://www.darkreading.com/cyber-risk/why-you-should-track-down-expired-domain-names)
6. [link](https://thehackerblog.com/zero-days-without-incident-compromising-angular-via-expired-npm-publisher-email-domains-7kZplW4x/)
7. [link](https://labs.detectify.com/writeups/how-i-hijacked-the-top-level-domain-of-a-sovereign-state/)
8. [link](https://www.theregister.com/2022/05/10/security_npm_email/)
9. [link](https://www.theregister.com/2022/05/23/npm_dependencies_vulnerable/)
10. [link](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Jesse-Michael-and-Mickey-Shkatov-Driving-Down-the-Rabbit-Hole.pdf)
11. [link](https://blog.talosintelligence.com/domain-dumpster-diving/)
12. [link](https://www.youtube.com/watch?v=uwsykPWa5Lc)
13. [link](https://www.researchgate.net/publication/325480896_Don%27t_throw_me_away_Threats_Caused_by_the_Abandoned_Internet_Resources_Used_by_Android_Apps)
14. [link](https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/)
15. [link](https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/)
16. [link](https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/)
17. [link](https://archive.softwareheritage.org/)
18. [link](https://github.com/Zenexer/lnkr/tree/ac6b8c0a81f18631103515e934b86fa3a6c72d0c/recon/extensions/fanagokoaogopceablgmpndejhedkjjb)
19. [link](https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/)
20. [link](https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr)

Presenters:

  • Maksim Shudrak
    Maksim is an offensive security researcher and engineer with more than a decade of experience in red teaming, malware analysis, and exploit development complemented by a PhD in machine code vulnerability detection. He loves searching for complex large-scale issues in modern technologies and outlining their impact. Maksim is an author of open-source tools for scanning cloud infrastructure, fuzzing, and dynamic malware analysis which he presented at various conferences such as DEF CON, VirusBulletin, and BlackHat Arsenal.