Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket

A potentially devastating Amazon S3 bucket exposure left internal Accenture private keys, secret API data and other information publicly available to anyone who could then leverage it to attack the global consulting firm and its clients.

The exposure was privately reported to Accenture on Sept. 17 by researchers at UpGuard; Accenture secured the publicly available S3 buckets a day later.

“Taken together, the significance of these exposed buckets is hard to overstate,” UpGuard said in a report published today. “In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”

Researcher Chris Vickery found four unsecured, publicly downloadable servers, each accessible without authentication and simply by knowing the right URL. The data contained inside the bucket is a laundry list of company secrets that would certainly make Accenture’s 94 Fortune Global 100 clients wince in agony.

Vickery said the downloadable data included authentication credentials, digital certificates, decryption keys and logs of customer data. The leak also exposed software used by Accenture’s Cloud Platform enterprise-level management service.

Vickery and UpGuard have been among the firms looking for and disclosing similar leaks. In the past six months, numerous organizations across industries—from Verizon to Groupize to the Chicago voter roll—have sloppily left these S3 instances publicly accessible. The most damning aspect of these data leaks is that S3 is configured by default as private, requiring some kind of authentication to access the data stored therein. In each case, someone at the respective organization has reconfigured the bucket to be public.

“There is a lot of low-hanging fruit,” Vickery said in a recent Threatpost Podcast. Vickery said that Amazon dwarfs Microsoft and Google right now in terms of cloud storage market share, which may skew the numbers of leaks in that direction. “If these buckets are set to public access, that means somebody at some point did something to make it that way. It’s not that Amazon did something wrong. Somebody who had administrative control over this data either made a decision to make it public, or didn’t realize what they were doing was going to make it public.”

Vickery added during the interview that many of these decisions are made for convenience’s sake, for example removing the need for authentication so that multiple parties can share access to the data in question.

“I see a lot of people cutting corners, plenty of people who say ‘I didn’t know that setting did that,’” Vickery said, adding that third-party utilities are also sometimes to blame and some organizations may not be aware of what exposure is left behind by those relationships. “It’s a really complicated new technology this cloud storage and computing, and there’s a whole lot of pressure on IT development people to do things on time, under budget and right.”

The four buckets each contained varied levels of sensitive information. One, called acp-deployment, stored internal access keys and credentials used by Accenture’s identity API, which is used to authenticate credentials. There were also plaintext documents containing a master access key for Accenture’s account with Amazon Web Services’ Key Management Service. Private signing keys were also found in that bucket.

Another called acpcollector contained data related to the maintenance of Accenture’s cloud stores, including VPN keys for the company’s private network and a master view of its cloud ecosystem.

A third bucket, called acp-software, was the largest, and included database dumps featuring Accenture client credentials, hashed passwords and 40,000 plaintext passwords in a separate backup. It also included access keys for Accenture’s Enstratus cloud management platform and data from its Zenoss event tracker system, including JSession IDs that could be plugged into cookies in order to bypass authentication.

The remaining bucket, acp-ssl, contained encryption key stores that provide access to a number of Accenture environments. The bucket also includes private keys and certificates that could be used to decrypt traffic between the company and its clients.

Enterprises must be able to secure their data against exposures of this type, which could have been prevented with a simple password requirement added to each bucket.

Source: ThreatPost
