AWS Bucket Leaks Viacom Critical Data
20.9.2017 securityweek Cyber
An Amazon Web Services S3 cloud storage bucket containing a great deal of Viacom internal access credentials and other critical data was left publicly accessible, UpGuard security researchers have discovered.
Viacom is an $18 billion multinational corporation that owns Paramount Pictures and various cable channels, including MTV, BET, Comedy Central, and Nickelodeon. According to the company, it has “the largest portfolio of ad-supported cable networks in the United States, in terms of audience share.”
Chris Vickery, UpGuard Director of Cyber Risk Research, was the one to discover the exposed Amazon Web Services (AWS) bucket. In it, he found seventy-two .tgz files representing irregular backups of technical data, created starting with June 2017 and containing a host of sensitive data.
The backups, which the security researcher determined to be incremental, were located at the subdomain “mcs-puppet.” MCS likely refers to Multiplatform Compute Services, the group that supports the infrastructure for hundreds of Viacom’s online properties, including MTV, Nickelodeon, Comedy Central, Paramount, and BET.
MCS appears to be currently in the process of migrating its infrastructure to AWS and getting ready to launch production workloads on containers (Amazon ECS), which explains the presence of said backup data on AWS.
After having a look at the exposed data, the security researcher determined that it included a master provisioning server running Puppet, left accessible to the public Internet, along with “the credentials needed to build and maintain Viacom servers across the media empire’s many subsidiaries and dozens of brands,” UpGuard’s Dan O'Sullivan notes in a blog post.
Viacom’s secret cloud keys were also exposed in the leak, which could have put the media company’s cloud-based servers in the hands of hackers. Thus, attackers could have been able to launch a variety of attacks while leveraging “the IT infrastructure of one of the world’s largest broadcast and media companies.”
UpGuard also explains that in addition to the passwords and manifests for Viacom’s servers, the access key and secret key for the corporation’s AWS account were also stored in the repository. Thus, an attacker accessing the bucket could have compromised Viacom’s servers, storage, and databases under the AWS account, leveraging the leaked data for phishing schemes or abusing Viacom’s IT systems for a botnet.
“Analysis reveals that a number of cloud instances used within Viacom’s IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could’ve thus been compromised in this manner,” O'Sullivan says.
When decompressed, each of the seventy-two .tgz files in the bucket revealed a number of folders, such as “manifests,” “configs,” “keys,” and “modules,” along with various files that indicated the use of server provisioning and automation suite Puppet, which is frequently used by IT admins for configuration management.
The suite allows enterprises to easily create new servers and streamline operations at scale, and an admin using it would need to know all of the relevant credentials to have access to all required systems, and this type of access was leaked via said repository.
“Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket,” O'Sullivan explains.
Other data in the bucket included GPG decryption keys, as Viacom utilizes GPG encryption on many regular backups, thus allowing an attacker to decrypt data. Ruby scripts were also exposed in the leak, allowing malicious actors to know what applications are being run.
UpGuard discovered the exposed bucket on August 30 and alerted Viacom the next day. The multinational corporation closed the gap within hours.
“This incident highlights the potentially enormous cost such data leaks can evince upon even the largest and most sophisticated organizations. Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims,” O'Sullivan points out.
We’ve contacted Viacom for a comment on this and will update the article as soon as a response arrives.