Lessons Learned from SEGA Europe's recent security blunder


Priya Ravindran

~ 8 mins read | February 16, 2022


A misconfiguration in SEGA Europe's AWS S3 bucket exposed credentials and confidential data between October 18 and October 28, 2021. A thorough scan of cloud assets and risk assessment can help organizations identify such exposures that could result in data misuse or even tarnish brand image.

AWS S3 misconfiguration: Security incident at SEGA Europe

SEGA Corporation is a Japanese multinational video game entertainment company, with SEGA of America and SEGA Europe as its international arms. On January 3, 2022, it came to light that several sensitive files of the European branch had been put at risk by a misconfiguration in its AWS S3 bucket. Being a multi-million-selling gaming franchise that serves over twenty million customers directly, SEGA Corporation acted in time to close the security hole before malicious actors could mount a costly attack.

The incident highlights two types of cloud misconfigurations:

  1. The AWS S3 bucket was set to public access permissions.
  2. Hard-coded credentials were stored in the cloud.

In this blog, we will look into the details of AWS S3 misconfigurations and understand how organizations can avoid issues arising from such lapses.

Security Risks from Cloud Misconfigurations

Cloud misconfigurations are among the most common and most easily overlooked exposures introduced into organizational assets, often by mistake. They can be any error, glitch or gap in the setup or configuration of an application. According to Gartner's Hype Cycle for Cloud Security report, through 2025 more than 99% of cloud breaches will be traceable to misconfigurations or human error.

How are AWS S3 misconfigurations introduced? 

Amazon Simple Storage Service (S3) buckets are cloud repositories in Amazon Web Services that provide object storage through a web service interface. Most often, the data in these repositories needs to be shared across multiple users, and this is when S3 bucket misconfigurations arise.

  • Buckets that host support pages are made public so that all users can access the page.

  • When documents in S3 storage are shared with users, the users are given more permissions than they need. For example, a user who only needs to view a document is given write access to the folder.

  • When resources are reused for other purposes, the old permission settings are carried over without validation.

  • Sometimes S3 buckets are used as a file share for text files or documents containing plain-text details such as credentials, stored in an easily accessible location.

Each of the above scenarios, though seemingly minor, is the No. 1 cause of S3 misconfigurations that can lead to data breaches. Interestingly, S3 buckets default to private settings, so it is the owner or user of the S3 bucket who is responsible for the misconfiguration.

Exposures from AWS S3 Misconfigurations

What are the exposures these misconfigurations can cause? How severe an impact can they have? To understand this, let us look into the implications of the SEGA S3 misconfiguration incident.

Insufficient privacy and access-control settings on SEGA's AWS S3 bucket led to the services shown below being compromised, in addition to the potential compromise of data including API keys, internal messaging systems, cloud systems, user data and more.

[Figure: SEGA Europe misconfigurations]

Tips to prevent Cloud Misconfigurations

The cloud is in constant flux, and what is secure today may not hold tomorrow. A large part of cloud security comes from managing the exposures created by misconfigured assets. The impact of human error is huge, not only in missing critical configuration aspects but also in remediating those misconfigurations. While the SEGA issue is an example of the former, the various vulnerabilities identified in newer fixes for Apache Log4j exemplify the latter.

Here are four steps that can help organizations prevent misconfigurations in their cloud assets. Broadly, they fall into two categories: discovering the assets and configuring each one correctly.

  1. Discover all the assets (resources) in the cloud
  2. Catalogue the services running on every asset (resource)
  3. Identify configuration rules for each of the assets (resources)
  4. Perform rule checks for every asset (resource)

As a rule of thumb, all assets must be set to private. If an asset needs to be offered public access, the settings should default to read-only.
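The four steps above, reduced to rule checks that run over bucket metadata shaped like the responses of boto3's get_bucket_acl, get_bucket_policy (parsed) and get_public_access_block, as an added example that is not from the original post or from Securin's product: it evaluates the scenarios listed earlier (public ACLs, over-broad permissions, missing Block Public Access, credentials in plain text) against constructed sample buckets. The bucket names, object contents and the access key ID are made up.

```python
import re
# Grantee URIs meaning "everyone" and "any AWS account holder", respectively.
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# The four S3 Block Public Access flags; the recommended baseline is all four on.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Rough pattern for an AWS access key ID left in a plain-text object.
AKID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

def acl_findings(acl):
    """Rule: no ACL grant to AllUsers/AuthenticatedUsers; anything beyond READ is HIGH."""
    return [("MEDIUM" if g["Permission"] == "READ" else "HIGH",
             f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[1]}")
            for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

def policy_findings(policy):
    """Rule: no Allow statement with a wildcard Principal (policy is a parsed dict or None)."""
    return [("HIGH", f"bucket policy allows {st.get('Action')} to everyone")
            for st in (policy or {}).get("Statement", [])
            if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"})]

def pab_findings(pab):
    """Rule: every Block Public Access flag is on (None means none configured)."""
    return [("MEDIUM", f"{k} is off") for k in PAB_FLAGS if not (pab or {}).get(k)]

def audit_bucket(bucket):
    """Run all rules for one bucket, then scan sampled text objects for hard-coded keys."""
    findings = acl_findings(bucket.get("acl", {})) + policy_findings(bucket.get("policy"))
    findings += pab_findings(bucket.get("public_access_block"))
    for key, text in bucket.get("sample_objects", {}).items():
        if AKID_RE.search(text):
            findings.append(("CRITICAL", f"possible hard-coded AWS access key in {key}"))
    return findings

# Constructed sample data (not real buckets; the access key ID below is made up).
SAMPLE_BUCKETS = {
    "support-pages-legacy": {  # mirrors the post's scenarios
        "acl": {"Grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"}]},
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"}]},
        "public_access_block": None,
        "sample_objects": {"deploy/notes.txt": "aws_access_key_id = AKIAEXAMPLEKEY000000"}},
    "build-artifacts": {  # private by default, as the rule of thumb recommends
        "acl": {"Grants": [{"Grantee": {"ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
        "policy": None, "public_access_block": dict.fromkeys(PAB_FLAGS, True),
        "sample_objects": {"README.txt": "build outputs only"}},
}

def audit_all(buckets=SAMPLE_BUCKETS):
    # Map bucket name -> list of (severity, message); an empty list means every rule passed.
    return {name: audit_bucket(b) for name, b in buckets.items()}
```

Against real buckets, the same functions can be fed the dictionaries boto3 returns; a missing public access block configuration (boto3 raises NoSuchPublicAccessBlockConfiguration) should be passed in as None.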


Recent S3 misconfiguration incidents

Disclosed Timeframe | Organization | Region & Sector | Impact | Reference Link
February 2022 | Securitas | Sweden-based multinational security company | 3 TB of data exposed; Colombia and Peru airport employee data leaked | https://www.zdnet.com/article/unsecured-aws-server-exposed-airport-employee-records-3tb-in-data/?&web_view=true
January 2022 | SEGA Europe | European wing of the gaming giant | Multiple related domains affected | https://securityaffairs.co/wordpress/126258/data-breach/sega-europe-aws-s3-bucket-data-leak.html
December 2021 | ONUS | Vietnamese crypto trading platform | 2 million customers' data put up for sale | https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/
December 2021 | National Service Secretariat | Ghana government agency | 55Gb worth of 700,000 citizens' data exposed | https://www.hackread.com/ghana-govt-agency-citizens-data-leak/?web_view=true
November 2021 | WSpot | Brazil-based WiFi management software firm | 10 GB worth of visitor data exposed; 5% of customer base impacted | https://www.hackread.com/wifi-software-firm-exposed-users-data/?web_view=true
October 2021 | Thingiverse | Website dedicated to sharing user-created digital design files | More than 255 million lines of data leaked; 228,000 subscribers affected | https://www.inforisktoday.com/thingiverse-data-leak-affects-25-million-subscribers-a-17729?&web_view=true

How Securin can help with preventing cloud and S3 misconfigurations

Securin's Attack Surface Management (ASM) platform can help you address all misconfigurations, right from the discovery to the remediation stage. Securin can perform two types of scans and identify the exposures in your assets, including misconfigurations.

  1. Authenticated Scan - The user specifies the resources and assets to be scanned for exposures. Securin can also scan asset integrations like cloud, scanners and ticketing systems.
  2. Unauthenticated Scan - All assets are discovered based on domain or company name and scanned for exposures. Depending on access permissions provided, Securin can also scan for all existing S3 buckets including those left unattended or forgotten about.

Specifically, Securin lets you add AWS S3 buckets as assets in the ASM platform and monitor them 24x7. You can also add other AWS resources by adding an AWS connector via the "Integrations" pane and choosing the services to scan for exposures. The Securin rules engine automatically checks for all exposures, including those covered by paid AWS services such as Inspector and Security Hub.

Below, we list the major S3 bucket exposures that Securin ASM can help you identify. These help you understand whether your asset conforms to basic security, performance and cost-optimization rules.

  • Access Settings

  • Authenticated User Permissions

  • Cross Account Access

  • Encryption

  • Data transport and Logging

  • Enabled Feature checks

  • Compliance Checks

  • Checks for hard-coded credentials

An Extensive Asset Discovery & Exposure Scan is what organizations need

A single misconfiguration left unaddressed can give attackers enough to get started on a major attack. Such misconfigurations can also serve as the initial access vector in attacks that combine multiple exposures to enter and move deeper into organizational networks. Organizations need to be wary of all exposures in their attack surfaces and address them before cyber adversaries can exploit them to launch an attack. Ensure you scan your assets for all possible exposures and fix them in time!