AWS Bucket Leaks Viacom Critical Data

An Amazon Web Services S3 cloud storage bucket containing a great deal of Viacom internal access credentials and other critical data was left publicly accessible, UpGuard security researchers have discovered.

Viacom is an $18 billion multinational corporation that owns Paramount Pictures and various cable channels, including MTV, BET, Comedy Central, and Nickelodeon. According to the company, it has “the largest portfolio of ad-supported cable networks in the United States, in terms of audience share.”

Chris Vickery, UpGuard's Director of Cyber Risk Research, discovered the exposed Amazon Web Services (AWS) bucket. In it, he found seventy-two .tgz files representing irregular backups of technical data, created from June 2017 onward and containing a host of sensitive data.

The backups, which the security researcher determined to be incremental, were located at the subdomain “mcs-puppet.” MCS likely refers to Multiplatform Compute Services, the group that supports the infrastructure for hundreds of Viacom’s online properties, including MTV, Nickelodeon, Comedy Central, Paramount, and BET.

MCS appears to be currently in the process of migrating its infrastructure to AWS and getting ready to launch production workloads on containers (Amazon ECS), which explains the presence of said backup data on AWS.

After having a look at the exposed data, the security researcher determined that it included a master provisioning server running Puppet, left accessible to the public Internet, along with “the credentials needed to build and maintain Viacom servers across the media empire’s many subsidiaries and dozens of brands,” UpGuard’s Dan O’Sullivan notes in a blog post.

Viacom’s secret cloud keys were also exposed in the leak, which could have put the media company’s cloud-based servers in the hands of hackers. Attackers could thus have launched a variety of attacks while leveraging “the IT infrastructure of one of the world’s largest broadcast and media companies.”

UpGuard also explains that in addition to the passwords and manifests for Viacom’s servers, the access key and secret key for the corporation’s AWS account were also stored in the repository. Thus, an attacker accessing the bucket could have compromised Viacom’s servers, storage, and databases under the AWS account, leveraging the leaked data for phishing schemes or abusing Viacom’s IT systems for a botnet.

“Analysis reveals that a number of cloud instances used within Viacom’s IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could’ve thus been compromised in this manner,” O’Sullivan says.

When decompressed, each of the seventy-two .tgz files in the bucket revealed a number of folders, such as “manifests,” “configs,” “keys,” and “modules,” along with various files that indicated the use of server provisioning and automation suite Puppet, which is frequently used by IT admins for configuration management.

The suite allows enterprises to easily create new servers and streamline operations at scale. An admin using it needs all of the relevant credentials to access the required systems, and this is the type of access that was leaked via the repository.

“Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket,” O’Sullivan explains.

Other data in the bucket included GPG decryption keys. Viacom uses GPG encryption on many regular backups, so the keys would have allowed an attacker to decrypt that data. Ruby scripts were also exposed in the leak, allowing malicious actors to know what applications are being run.
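As an added illustration (not from the article or from UpGuard), a pre-upload check that scans a .tgz backup in memory for the kinds of secrets described above: AWS access key IDs, secret access keys and PGP private key blocks. The file names, size limit and regexes are assumptions, and the sample archive is constructed using AWS's documented example key values.

```python
import io
import re
import tarfile

MAX_BYTES = 5 * 1024 * 1024  # read at most 5 MiB per file (assumed limit)

# Assumed patterns for the secret types the article lists.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        rb"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "pgp_private_key": re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
}

def scan_backup(fileobj):
    """Scan a .tgz in memory; return sorted (member, finding) pairs."""
    findings = set()
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, links and devices
            data = tar.extractfile(member).read(MAX_BYTES)
            for label, pattern in PATTERNS.items():
                if pattern.search(data):
                    findings.add((member.name, label))
    return sorted(findings)

def build_sample_backup():
    """Constructed sample .tgz using the folder names the article mentions."""
    files = {
        "manifests/site.pp": b"class base { package { 'ntp': ensure => installed } }\n",
        "configs/aws.conf": (
            b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
        "keys/backup.asc": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n(placeholder)\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, label in scan_backup(build_sample_backup()):
        print(f"BLOCK UPLOAD: {name} contains {label}")
```

Members are read from the archive stream rather than extracted to disk, so an untrusted archive cannot write files outside a working directory during the scan.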

UpGuard discovered the exposed bucket on August 30 and alerted Viacom the next day. The multinational corporation closed the gap within hours.

“This incident highlights the potentially enormous cost such data leaks can evince upon even the largest and most sophisticated organizations. Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims,” O’Sullivan points out.

“Once Viacom became aware that information on a server — including technical information, but no employee or customer information — was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact,” a Viacom spokesperson told SecurityWeek in an emailed statement.

*Updated with response from Viacom

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
