Viacom, one of the world’s premier entertainment brands with a network presence in over 160 countries, misconfigured its cloud databases, raising security concerns because the error might have allowed hackers to remotely control its entire IT infrastructure. The security firm UpGuard made the discovery when Chris Vickery, a noted director of cyber risk research, found a “publicly downloadable” Amazon Web Services S3 cloud storage bucket containing 72 .tgz files.
The files frequently contained references to “MCS”, which was thought to refer to Viacom’s Multiplatform Compute Services group, which supports the IT infrastructure for hundreds of the media giant’s brands, including MTV, Nickelodeon, Comedy Central, Paramount, and BET.
Explaining the incident in a blog post, UpGuard cyber resilience analyst Dan O’Sullivan said: “While Viacom has not confirmed to UpGuard the purpose of this bucket, the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure.”
He notes in the blog post that this cloud storage bucket exposed not only passwords and manifests of Viacom’s servers, data needed to maintain and expand the IT infrastructure of an $18 billion multinational corporation, but also Viacom’s access key and secret key for the corporation’s AWS account. With these credentials disclosed, Viacom’s servers, storage or databases under the AWS account could have been compromised.
Because of this accidental leak, attackers could have devastated Viacom’s network with convincing phishing campaigns using Viacom’s brands and infrastructure. He further warned that the AWS access keys could have been used to spin up new servers to create a botnet.
UpGuard has become a known name for discovering numerous misconfigured AWS installations, exposing poor security practices at organizations such as Dow Jones, the US Department of Defense and Verizon.
Viacom tried to play down the seriousness of the leak, saying:
“Once Viacom became aware that information on a server – including technical information, but no employee or customer information – was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact.”