~ 8 mins read | February 16, 2022
A misconfiguration in SEGA Europe's AWS S3 bucket exposed credentials and confidential data between October 18 and October 28, 2021. A thorough scan of cloud assets and risk assessment can help organizations identify such exposures that could result in data misuse or even tarnish brand image.
SEGA Corporation is a Japanese multinational video game entertainment company, with SEGA of America and SEGA Europe being its international wings. On January 3, 2022, it came to light that several sensitive files of the European branch had been put at risk, owing to a misconfiguration in its AWS S3 bucket. Being a multi-million-selling gaming franchise catering directly to over twenty million customers, SEGA Corporation acted in time to fix the security hole before malicious actors could carry out a costly attack.
The incident highlights two types of cloud misconfigurations:
- The AWS S3 bucket was set to public access permissions.
- Hard-coded credentials were stored in the cloud.
In this blog, we will look into the details of AWS S3 misconfigurations and understand how organizations can avoid issues arising from such lapses.
Cloud misconfigurations are one of the most common and most easily overlooked exposures introduced into organizational assets, often by mistake. They can be any error, glitch or gap in the setup or configuration of an application. According to Gartner's Hype Cycle for Cloud Security report, through 2025 more than 99% of cloud breaches will trace back to misconfigurations or human error.
Simple Storage Service (S3) buckets are cloud repositories for Amazon Web Services, providing object storage through a web service interface. Most often, the data in these repositories needs to be shared across multiple users, and this is when S3 bucket misconfigurations arise.
- Buckets that host support pages are made public in order to allow all users to access the page.
- When documents in S3 storage are shared with users, they are given more permissions than required. For example, a user who only needs to view a document is given write access to the folder.
- When resources are re-used for other purposes, the old permission settings are carried over without validation.
- S3 buckets are used as a file share for text files or documents containing plain-text details such as credentials, stored in an easily accessible location.
Each of the above scenarios, while seemingly a minor issue on its own, is the No. 1 cause of S3 misconfigurations that can lead to data breaches. Notably, S3 buckets default to private settings, so it is the owner/user of the S3 bucket who is responsible for the misconfiguration.
What are the exposures these misconfigurations can cause? How severe an impact can they have? To understand this, let us look into the implications of the SEGA S3 misconfiguration incident.
Insufficient privacy/control settings for SEGA's AWS S3 bucket led to the following services being compromised, besides the potential compromise of data that included API keys, internal messaging systems, cloud systems, user data and more.
The cloud is in constant flux, and what is secure today may not hold tomorrow. A large part of this security comes from managing the exposures caused by misconfigured assets. The impact of human error is huge, not only in missing critical configuration aspects but also in remediating those misconfigurations. While the SEGA issue stands as an example of the former, the various vulnerabilities identified in newer fixes for Apache Log4j exemplify the latter.
Here are four steps that can help organizations prevent misconfigurations in their cloud assets. Broadly, these fall into two categories: discovering the assets and configuring each one correctly.
As a rule of thumb, all assets must be set to private. If an asset needs to be publicly accessible, its settings should default to read-only.
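As an added example (not code from the original post or from Securin's product), the following pure-Python audit checks a bucket policy and its public-access-block settings for the scenarios listed above (public buckets, write access granted where read was needed) and scans plain-text objects for hard-coded AWS access key IDs. The bucket name, policies and sample text are constructed; `audit_bucket` treats public read as acceptable and public write as a high-severity finding, matching the private-by-default, read-only-if-public rule.

```python
import re

# Actions that let a principal alter data or settings; handing these to
# everyone is the "write access where read was needed" scenario above.
WRITE_PREFIXES = ("s3:put", "s3:delete", "s3:*", "*")
# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
AKID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_is_anyone(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(policy, public_access_block):
    """Return (level, message) findings for a bucket policy dict and the four
    PublicAccessBlockConfiguration booleans. Public read is "info" (the
    acceptable public mode described above); public write is "high"."""
    findings = []
    if not all(public_access_block.get(k) for k in PAB_KEYS):
        findings.append(("warn", "public access block not fully enabled"))
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        actions = _as_list(st.get("Action", []))
        write = any(a.lower().startswith(WRITE_PREFIXES) for a in actions)
        findings.append(("high" if write else "info",
                         f"{st.get('Sid', '?')}: public {'write' if write else 'read'} via {actions}"))
    return findings

def find_hardcoded_keys(text):
    """Flag AWS access key IDs left in a plain-text object such as a config
    file dropped into a shared bucket."""
    return AKID_RE.findall(text)

# Constructed samples: a support-page bucket opened to everyone with s3:*,
# and the corrected read-only form.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SupportPages", "Effect": "Allow", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-support/*"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SupportPages", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-support/*"}]}
OPEN_PAB = dict.fromkeys(PAB_KEYS, False)
```

Running `audit_bucket(WEAK_POLICY, OPEN_PAB)` yields a "high" finding for the `s3:*` grant, while the read-only `FIXED_POLICY` yields only "warn" and "info".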
Recent S3 misconfiguration incidents
Disclosed Timeframe | Organization | Region & Sector | Impact | Reference Link
---|---|---|---|---
February 2022 | Securitas | Sweden-based multinational security company | 3 TB of data exposed; Colombia and Peru airport employee data leaked | https://www.zdnet.com/article/unsecured-aws-server-exposed-airport-employee-records-3tb-in-data/?&web_view=true
January 2022 | SEGA Europe | European wing of the gaming giant | Multiple related domains affected | https://securityaffairs.co/wordpress/126258/data-breach/sega-europe-aws-s3-bucket-data-leak.html?web_view=true
December 2021 | ONUS | Vietnamese crypto trading platform | Data of 2 million customers put up for sale | https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/
December 2021 | National Service Secretariat | Ghana government agency | 55Gb of data on 700,000 citizens exposed | https://www.hackread.com/ghana-govt-agency-citizens-data-leak/?web_view=true
November 2021 | WSpot | Brazil-based WiFi management software firm | 10 GB of visitor data exposed; 5% of customer base impacted | https://www.hackread.com/wifi-software-firm-exposed-users-data/?web_view=true
October 2021 | Thingiverse | Website dedicated to sharing user-created digital design files | More than 255 million lines of data leaked; 228,000 subscribers affected | https://www.inforisktoday.com/thingiverse-data-leak-affects-25-million-subscribers-a-17729?&web_view=true
Securin's Attack Surface Management (ASM) platform can help you address misconfigurations all the way from discovery to remediation. Securin performs two types of scans to identify exposures in your assets, including misconfigurations.
Specifically, Securin lets you add AWS S3 buckets as assets in the ASM platform and monitor them 24x7. You can also add other AWS resources by adding an AWS connector via the "Integrations" pane and choosing the services to scan for exposures. The Securin rules engine automatically checks for all exposures, including those covered by paid AWS services such as Inspector and Security Hub.
Below, we list the major S3 bucket exposures that Securin ASM can help you identify. These help you check whether your asset conforms to basic security, performance and cost-optimization rules.
- Access settings
- Authenticated user permissions
- Cross-account access
- Encryption
- Data transport and logging
- Enabled feature checks
- Compliance checks
- Checks for hard-coded credentials
An Extensive Asset Discovery & Exposure Scan is what organizations need
A single misconfiguration left unaddressed can give attackers enough to get started on a major attack. Such misconfigurations can also serve as the initial access vector in attacks that chain multiple exposures to enter and move deeper into organizational networks. Organizations need to be aware of all exposures in their attack surface and address them before adversaries can exploit them to launch a cyber attack. Ensure you scan your assets for all possible exposures and fix them in time!