An Amazon server containing roughly a gigabyte's worth of credentials and configuration files belonging to behemoth media conglomerate Viacom were discovered online and unsecured, according to UpGuard, a California-based "cyber resiliency" firm. A security researcher working for the company discovered the server flapping in the wind last month — without so much as a password between it and the public web.
Viacom is one of the most powerful entertainment and media companies in the US. It owns household names like Paramount Pictures, Comedy Central, MTV, and others known the world over. It also owns hundreds of digital properties, in addition to cable channels and a film studio. The data found in the leak could have potentially compromised many of the company's properties, according to UpGuard.
The server didn't contain any customer or employee information, per se, but had these sensitive credentials fallen into the wrong hands, the researchers said, the devastation at Viacom would have been ostensibly immeasurable. Among the files exposed, for example, are the access key and the secret key to its corporate Amazon Web Services (AWS) account. With that alone, an intruder may have gained further access to an untold number of servers hosted by the AWS account, which is where Viacom has said it plans to host nearly its entire infrastructure. The unprotected server further contained GPG decryption keys, typically used to access the most delicate types of records and communications.
On Aug. 31, Viacom was notified about its exposure when UpGuard researcher Chris Vickery, of its cyber risk department, contacted a Viacom executive by phone. He later spoke by email to the company's chief information security officer and again explained the situation.
Hours later, the vulnerable server was quietly secured.
In a report compiled by UpGuard, Viacom's exposure is painted as potentially "unprecedented." Unlike most of the unsecured corporate servers UpGuard has has uncovered — major defence contractors, GOP data firms, and a private contractors among them — that lowly 1GB of Viacom data offered nothing less than the "keys to a media kingdom," the company said:
"While the overall size of this exposed repository is far less than that of other data-heavy cloud leaks in recent memory, the leaked Viacom data is remarkably potent and of great significance — an important reminder that cloud leaks need not be large to be devastating."
The Viacom server was first discovered by Vickery on Aug. 30. It was distinguished by the AWS subdomain "mcs-puppet." Seventy-two files were found compressed on the server, the first of which was created in June. The last of the files were created the day before Viacom was notified. It's unclear for exactly how long the files were exposed or if any external actors other than Vickery gained access — only Viacom and Amazon would have access to those logs.
The mentioning of "mcs" in the subdomain is believed to be a reference to Viacom's "Multiplatform Compute Services," a group that, according to one job listing, "supports the infrastructure of hundreds of Viacom's online properties, including MTV, Nickelodeon, Comedy Central, Paramount, and BET." The team is also described as being responsible for "provisioning, configuring, and monitoring thousands of systems."
The subdomain's reference to "puppet" refers to a specific piece of software used by Viacom. UpGuard explains its pertinence and the risks involved in its compromise:
Puppet, commonly used in IT environments for configuration management, allows for enterprises to spin up new servers, enabling streamlined operations at scale. In order to ensure these servers fit any necessary internal specifications, a Puppet manifest is created, providing instructions for provisioning a server of the type and are able to access all other relevant systems — which means the "puppetmaster" usually needs to know all of the relevant access credentials. Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket.
In a statement to Gizmodo on Tuesday, Viacom sought to diminish the potential risks posed by the exposure of its server: "Once Viacom became aware that information on a server — including technical information, but no employee or customer information — was publicly accessible, we rectified the issue," a company spokesperson said. "We have analysed the data in question and determined there was no material impact."
UpGuard declined to comment further on Viacom's response. "Our report should speak for itself," Vickery said.
The devastating hacks at HBO and Sony illustrate just how bad a media company can suffer from a malicious intrusion. Sony's proprietary data and corporate communications became the fodder of daily news outlets for weeks. The HBO hack was in some ways worse, exposing roughly 1.5 terabytes of data, including employee information and scripts from its highest grossing show, Game of Thrones.
Viacom did not mention having detected any intrusion, nor have we seen any evidence so far of that happening. There is no way for UpGuard to know, however; only Amazon and Viacom would have access to those types of logs.