Jan 4, 2022

SEGA’s Sloppy Security Confession: Exposed AWS S3 Bucket Offers Up Steam API Access & More

SEGA’s disclosure underscores a common, potentially catastrophic, flub — misconfigured Amazon Web Services (AWS) S3 buckets.
Gaming giant SEGA Europe recently discovered during a cloud-security audit that its sensitive data was being stored in an unsecured Amazon Web Services (AWS) S3 bucket, and it’s sharing the story to inspire other organizations to double-check their own systems.
Researcher Aaron Phillips with VPN Overview worked with SEGA Europe to secure the exposed data. Phillips explained that SEGA’s disclosure is intended to help the wider cybersecurity community improve their own defenses.
“When vulnerabilities are discovered, information and knowledge sharing is of crucial importance,” Phillips wrote. “Organizations can learn from each other’s case studies and experiences, which enables them to better protect themselves and their users.”

Why give the attackers the benefit of keeping this very common cloud security mistake a secret?
“In addition, it is much more desirable that a vulnerability is discovered and shared responsibly by a security researcher than by a hacker with criminal intention,” Phillips added.
The laundry list of SEGA’s potentially exposed data is nauseating — API keys, internal messaging systems, cloud systems, user data and more.
The VPN Overview report provided a detailed disclosure that the exposed bucket held “multiple” sets of AWS keys, which could have provided malicious access to all of SEGA Europe’s cloud services.
In addition, SEGA Europe’s MailChimp and Steam API keys were left unprotected, meaning attackers could have sent out communications through SEGA Europe’s account, the report said.
The exposed S3 bucket could have also allowed access to both the simple notification service (SNS) used by the company’s IT team to communicate and 531 of SEGA Europe’s content delivery networks (CDNs), the team found.
“Often, third-party websites will link to a company’s CDN for an official version of an image or file,” the report added. “That creates the potential for a large secondary impact.”
The unsecured bucket also contained sensitive data on “hundreds of thousands” of members of the Football Manager forums, Phillips added.
So far, “there are no indications malicious third parties accessed the sensitive data or exploited any of the mentioned vulnerabilities prior to the security researchers restricting access to the bucket,” Phillips emphasized.
Researchers found 26 vulnerable, public-facing SEGA domains that would have allowed attackers to upload malicious files and alter content, the report said. The analysts were also able to access files on three SEGA CDNs.
That amount of sensitive data falling into the hands of a malicious actor could easily prove catastrophic for any organization, but Hank Schless with Lookout explained to Threatpost that gaming companies continue to be of particular interest to attackers.
“Gaming companies possess a treasure trove of personal data, development information, proprietary code, and payment information that is highly valuable to threat actors,” Schless added. “With data privacy laws like CCPA and GDPR, gaming companies need to be sure their data is protected as people from all over the world play their games.”
Indeed, leading companies like Steam, Among Us, Riot Games and others have been hijacked and used to lure unsuspecting gamers into all sorts of scams. Phillips wrote he hopes this report demonstrates how something as simple as a misconfigured S3 bucket can cause catastrophic harm to an organization.
“This cybersecurity report should serve as a wake-up call for businesses to assess their cloud security practices,” Phillips added. “We hope other organizations follow SEGA’s lead by examining and closing apparent vulnerabilities before they are exploited by cybercriminals.”
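For teams acting on that advice, the following is an added example (not from the article or the VPN Overview report) of auditing a local export of your own bucket for the credential types named above: AWS keys, MailChimp API keys and Steam API keys. The key shapes in the patterns are heuristic assumptions, the function names are hypothetical, and the sample objects and all credential values are constructed.

```python
import re

# Constructed sample: object keys and text bodies from a local export of
# your own bucket. Every credential value below is fake.
SAMPLE_OBJECTS = {
    "deploy/config.env": (
        "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n"
        "AWS_SECRET_ACCESS_KEY=" + "a" * 40 + "\n"
    ),
    "marketing/mail.json":
        '{"mailchimp_api_key": "0123456789abcdef0123456789abcdef-us12"}',
    "store/steam.ini":
        "steam_web_api_key = 0123456789ABCDEF0123456789ABCDEF\n",
    "public/readme.txt": "Official logo pack. No credentials here.\n",
}

# Heuristic patterns (assumed typical key shapes, not vendor specifications).
# Where a pattern has a capture group, the group is the secret itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    # A bare 32-hex string is too common, so require a nearby "steam...key" label.
    "steam_web_api_key": re.compile(
        r"(?i)steam[\w ]*key\W{1,4}([0-9A-F]{32})\b"),
}


def redact(value):
    """Keep a short prefix so a finding is traceable but not reusable."""
    return value[:4] + "*" * (len(value) - 4)


def scan_objects(objects):
    """Return sorted (object_key, kind, redacted_value) findings."""
    findings = []
    for key, body in objects.items():
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(body):
                secret = match.group(match.lastindex or 0)
                findings.append((key, kind, redact(secret)))
    return sorted(findings)


if __name__ == "__main__":
    for key, kind, value in scan_objects(SAMPLE_OBJECTS):
        print(f"{key}: {kind} {value}")
```

Any hit should be treated as a credential to rotate, not only a file to delete, since the value may already have been copied.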
Cover image source: Valve and SEGA.