Massive Viacom Data Exposed Through Amazon Web Services

Amazon Web Services S3 is in the news for all the wrong reasons as its Cloud storage has been accused of leaking massive amounts of data. A few days back we informed our readers about the findings of Kromtech Security Research Center in which it was revealed that the AWS S3 server was responsible for leaking a database containing sensitive private data of about 3 million WWE fans (World Wrestling Entertainment).

This time the victim is the $18 billion multinational corp. Viacom that owns a number of cable channels, for instance, MTV, Comedy Central, BET and Nickelodeon and the mighty Paramount Pictures. Viacom is believed to have the largest ad-supported cable networks portfolio in the US as per the audience share.

UpGuard security researchers have reported that AWS S3 Cloud storage bucket that contains a large number of Viacom internal access credentials and sensitive data is publicly accessible. The leaked database contains a gigabyte worth of data and configuration files. The files are available online and are insecure as well, which means anyone can exploit them for personal benefit. California based security firm UpGuard has noted that the data present in the leaked database might have compromised various company properties so far.

Cyber Risk Research director at UpGuard Chris Vickery, who discovered the leaked database, identified 72 .tgz files demonstrating irregular backups of technical files while folders are bearing the names manifests,” “configs,” “keys,” and “modules.” The database was created in June 2017, as per UpGuard researchers. The backups have been identified as incremental and were located in a subdomain called ‘mcs-puppet.’

Here, the term MCS refers to the group Multiplatform Compute Services that support the infrastructure of not one or two but hundreds of online properties owned by Viacom such as MTV and Nickelodeon, etc. It seems like MCS was in the process of transferring its infrastructure to AWS to launch production workloads on Amazon ECS or other containers that’s why it uploaded backup data on AWS, which has been leaked now.

Analysis of the leaked data reveals that it contains a master provisioning server running Puppet, which is also available publicly. The leaked database also contains secret cloud keys of Viacom, which can help attackers in launching all sorts of attacks. According to Dan O’Sullivan from UpGuard:

“The credentials needed to build and maintain Viacom servers across the media empire’s many subsidiaries and dozens of brands.”

Along with passwords and Viacom, servers manifests, the presence of access key and secret key for AWS account is quite worrisome because accessing the bucket would compromise the Viacom servers, storage, and other databases so attackers can easily launch phishing scams or abuse the IT systems of the multinational corporation for a botnet.

“Analysis reveals that a number of cloud instances used within Viacom’s IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could’ve thus been compromised in this manner,” said O’Sullivan.

The leaked database was discovered on August 30, and UpGuard immediately notified Viacom; the company responded quickly and closed the gaps within merely a few hours. In its statement, Viacom claimed to be trying to diminish the risk posed by the leaking of its database. According to Viacom spokesperson:

“Once Viacom became aware that information on a server—including technical information, but no employee or customer information—was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact.”

While O’Sullivan points out that this incident is a clear reminder of the “potentially enormous” cost of this sort of massive data leaks from worlds leading organizations.

“Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims,” noted O’Sullivan.

Source: Hackread

Add new comment

Text format

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
CAPTCHA

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

logo_inverse

is loading the page...