A mishandling of Viacom's master AWS key has left the credentials of hundreds of digital properties, including Comedy Central, Paramount, MTV and other entertainment companies, exposed.
On Aug. 30, 2017, UpGuard Director of Cyber Risk Research Chris Vickery spotted a publicly downloadable Amazon Web Services S3 cloud storage bucket containing what appeared to be nothing less than either the primary or backup configuration of Viacom's IT infrastructure.
The servers contained the passwords and manifest for Viacom's servers as well as data needed to maintain and expand the IT infrastructure in addition to the access key and secret key for the corporations AWS account.
Researchers described the exposed information as the digital road map and blueprint equivalent of the layout of a bank vault, details on the type of safe a bank uses, and what keys they might need to crack it, for threat actors looking to take advantage of Viacom IT systems.
The exposure of this information could have enabled threat actors to essentially harness the power of the media empire to do anything from executing massive phishing campaigns, use trusted brand recognition to trick customers into furnishing personal data, or even spin off additional servers to use Viacom IT systems as a botnet.
“By exposing these credentials, control of Viacom's servers, storage, or databases under the AWS account could have been compromised,” the post said. “Analysis reveals that a number of cloud instances used within Viacom's IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could've thus been compromised in this manner.”
UpGuard reported the incident to Viacom and the issue has since been patched but this isn't the first time-sensitive information has been exposed like this. Viacom told SC Media it has analyzed the data in question and determined no employee or customer information was compromised.
"We've seen this movie before – pun intended. TimeWarner Cable, DeepRoot (Republican Party data vendor), Nice Systems, TalentPen, and now Viacom,” Prevalent, Inc. Product Management Director Jeff Hill told SC Media. “Cloud server misconfigurations and inadvertent credentials exposure seem to be all the rage, removing even the most rudimentary obstacles to penetration for bad actors.”
Hill said organizations must assure that their data is protected against pro-active external attacks from the carelessness of those charged with basic configuration and other seemingly pedestrian and taken-for-granted functions as more and more enterprise data moves to cloud-based environments.
The incident could have been prevented by following basic security measures and by including an assessment of security operational procedures as a critical component of their vendor assessment programs to confirm that proper security procedures are in place to protect their assets, Prevalent Inc. Sr. Director 3rd Party Strategy Brad Keller told SC Media.
“Viacom fails to employ basic security protocols on servers that essentially contained the “keys to the kingdoms” of their customers,” Keller said. “The fact that there have been no confirmed (at least publicly) instances of the information being used doesn't negate the potential damage that will be caused if the access and secret key information to corporate server accounts have fallen into the wrong hands.”
Furthermore, Keller added a company's obligation to ensure that their data is protected doesn't stop when the data is outsourced and that companies need to carefully consider the data they need to protect, and then take the appropriate steps to make sure data is protected.
The breach also sheds light on the devastating effect that a lack of visibility in the cloud paired with manual error can produce.
“IT teams need to consistently ingrain security policies within their DevOps project deployments,” Tufin Chief Technology Officer Reuven Harrison told SC Media said. “Using automation and orchestration to enable adherence to security policy during initial configuration and to ensure visibility across the cloud eliminates the risk of manual error while maintaining business agility.”