Viacom AWS Misconfig Exposes Entire IT Infrastructure
Viacom is the latest big-name firm to have misconfigured its cloud databases, in a security incident which could theoretically have allowed hackers to remotely control its entire IT infrastructure.
Security firm UpGuard made the discovery, when noted director of cyber risk research, Chris Vickery, found a “publicly downloadable” Amazon Web Services S3 cloud storage bucket containing 72 .tgz files.
Frequently mentioned in the files is “MCS” – thought to refer to Viacom’s Multiplatform Compute Services group, which supports the IT infrastructure for hundreds of the media giant’s brands, including MTV, Nickelodeon, Comedy Central, Paramount and BET.
“While Viacom has not confirmed to UpGuard the purpose of this bucket, the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” explained UpGuard cyber resilience analyst, Dan O’Sullivan, in a blog post.
“Exposed within this repository are not only passwords and manifests for Viacom’s servers, data needed to maintain and expand the IT infrastructure of an $18 billion multinational corporation, but perhaps more significantly, Viacom’s access key and secret key for the corporation’s AWS account. By exposing these credentials, control of Viacom’s servers, storage, or databases under the AWS account could have been compromised.”
The accidental leak could have allowed attackers to launch faultless phishing campaigns using Viacom brands and infrastructure, while AWS access keys could have been used to spin off new servers to create a botnet, he warned.
UpGuard has been leading from the front in its discovery of countless misconfigured AWS installations, exposing poor security practices at the likes of Dow Jones, the US Department of Defense and Verizon.
A Viacom statement played down the seriousness of the leak:
“Once Viacom became aware that information on a server – including technical information, but no employee or customer information – was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact.”
Source: Information Security Magazine