Accenture suffers significant data leak
Thursday, October 12, 2017
Default cloud settings claim another high-profile victim...
An enormous cache of highly sensitive corporate and customer data was allegedly left exposed to the public internet by Accenture, according to researchers at UpGuard. The consultancy had apparently left four Amazon Web Services S3 storage buckets configured for public access (an issue highlighted by High-Tech Bridge in November 16). The buckets contained secret API data, authentication credentials, certificates, decryption keys and customer information.
According to a blog post from UpGuard: “On September 17th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered four Amazon Web Services S3 storage buckets configured for public access, downloadable to anyone who entered the buckets’ web addresses into their internet browser. A cursory analysis on September 18th of the four buckets - titled with the AWS subdomains “acp-deployment,” “acpcollector,” “acp-software,” and “acp-ssl” - revealed significant internal Accenture data, including cloud platform credentials and configurations, prompting Vickery to notify the corporation; the four AWS servers were secured the next day.”
It is not known how long the servers were exposed before they were found. However, the researchers were astonished by the data involved, which included a collection of nearly 40,000 plaintext passwords in one of the database backups, access keys for Enstratus, a cloud infrastructure management platform, and a plaintext document containing the master access key for Accenture’s account with Amazon Web Services’ Key Management Service. This sat among gigabytes of other data potentially useful to attackers, such as log files providing an overview of Accenture’s cloud infrastructure, and VPN details.
“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage”, the researchers summarised.
The incident is far from the first example of misconfigured AWS S3 storage buckets. Just weeks before, researchers from Kromtech Security found an accessible bucket used by Verizon that contained data used by the US telco's billing system and the Distributed Vision Service (DVS) software that powers it. A few weeks prior, the same group of researchers found the records of four million Time Warner Cable customers in the US exposed after a contractor responsible for web application management failed to secure an AWS S3 storage bin.
Ilia Kolochenko, web and mobile security expert and CEO of High-Tech Bridge, said: “Cybersecurity is not rocket science and is mainly based on common sense. First, one needs to locate all digital assets of a company including hardware, software, users, data and licenses. It’s a challenging task in the era of cloud, outsourcing and mobile, however it’s a quintessential and unavoidable step to take before spending on cybersecurity. Without it, you pour money down the drain. Once you have a comprehensive and up-to-date inventory of your digital assets, it’s the right time to perform a holistic risk assessment and prioritization. Try to involve as many relevant people from your organization, your partners and customers, special interest groups, law enforcement agencies and even from competitors. All these people may bring great value when identifying and assessing appropriate risks for your organization.
“Further, you need to prepare an actionable risk-based mitigation plan with clear deadlines and responsibilities assigned to the right people with necessary authority and budgets. Continuous monitoring and measurement of threat and risk mitigation is vitally important, as well as continuous monitoring of new assets and vulnerabilities. Cybersecurity is a 24/7 process of continuous improvement, not a set of yearly actions to address on an ad hoc basis.”
It seems fairly certain that until AWS S3 defaults are secure there will be plenty more of these unintentional data leaks, and until enterprises can be certain that their systems and data are secure, even at scale, then this type of incident remains a significant risk.