While this blog post provides a description of a data exposure discovery involving Viacom, this is no longer an active data breach. As soon as the UpGuard Cyber Risk Team notified Viacom of this publicly exposed information, immediate action was taken, securing the open buckets and preventing further access.
The UpGuard Cyber Risk Team can now disclose that Viacom Inc, the Fortune 500 corporation that owns Paramount Pictures, as well as cable channels like MTV, Comedy Central, and Nickelodeon, exposed a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation’s business operations. Exposed in the leak are a master provisioning server running Puppet, left accessible to the public internet, as well as the credentials needed to build and maintain Viacom servers across the media empire’s many subsidiaries and dozens of brands. Perhaps most damaging among the exposed data are Viacom’s secret cloud keys, an exposure that, in the most damaging circumstances, could put the international media conglomerate’s cloud-based servers in the hands of hackers. Such a scenario could enable malicious actors to launch a host of damaging attacks, using the IT infrastructure of one of the world’s largest broadcast and media companies.
This cloud leak exposed the master controls of the world’s sixth-largest media corporation, potentially enabling the takeover of Viacom’s internal IT infrastructure and internet presence by any malicious actors. With a low CSTAR cyber risk score of 428, out of a maximum of 950, Viacom is not unique in suffering a data exposure, but stands apart leaving such critical internal data so publicly accessible. The potential nefarious acts made possible by this cloud leak could have resulted in grave reputational and business damages for Viacom, on a scale rarely seen.
On August 30th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered a publicly downloadable Amazon Web Services S3 cloud storage bucket, located at the subdomain “mcs-puppet” and containing seventy-two .tgz files. Vickery noted that each of the .tgz files, an extension often used for compressing backup data, had been created since June 2017 at irregular intervals; on some days, no such files had been created, while on others, five or six had been generated throughout the day. The last of these files would be created on August 30th, shortly before Vickery’s notification to Viacom of the leak on the morning of August 31st; the exposure was secured within hours.
Recurring throughout the contents of each decompressed file are mentions of Viacom, as well as its associated brands, including MTV, VH1, and Comedy Central - a clear indication of the data’s purpose and use. Also frequently mentioned is the acronym “MCS,” including in the “mcs-puppet” name of the subdomain - a further clue as to the bucket’s origin. As revealed in a number of descriptions posted within Viacom job listings, MCS likely refers to Viacom’s Multiplatform Compute Services:
The Multiplatform Compute Services (MCS) group supports the infrastructure for hundreds of Viacom’s online properties, including MTV, Nickelodeon, Comedy Central, Paramount, and BET. We are responsible for provisioning, configuring, and monitoring thousands of systems (mostly CentOS) and the applications which run on them, as well as troubleshooting problems within the environment. Currently we are engaged in a year-long project to move the majority of our infrastructure to Amazon Web Services (AWS), and are preparing to launch production workloads on containers (Amazon ECS).
While Viacom has not confirmed to UpGuard the purpose of this bucket, the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure. The presence of this data in an S3 bucket bearing MCS’s name appears to further corroborate the Viacom group’s mission of moving its infrastructure onto Amazon Web Services’ cloud.
Exposed within this repository are not only passwords and manifests for Viacom’s servers, data needed to maintain and expand the IT infrastructure of an $18 billion multinational corporation, but perhaps more significantly, Viacom’s access key and secret key for the corporation’s AWS account. By exposing these credentials, control of Viacom’s servers, storage, or databases under the AWS account could have been compromised. Analysis reveals that a number of cloud instances used within Viacom’s IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could’ve thus been compromised in this manner.
The secret access key for Viacom’s Amazon Web Services account
This data contained in seventy-two .tgz files in the bucket appears to be an incremental backup scheme. When decompressed, each .tgz file is revealed to contain a number of folders, such as “manifests,” “configs,” “keys,” and “modules,” as well as a number of files indicating the use of Puppet, a a server provisioning and automation suite.
Puppet, commonly used in IT environments for configuration management, allows for enterprises to spin up new servers, enabling streamlined operations at scale. In order to ensure these servers fit any necessary internal specifications, a Puppet manifest is created, providing instructions for provisioning a server of the type and are able to access all other relevant systems - which means the “puppetmaster” usually needs to know all of the relevant access credentials. Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket.
Example configuration files for Viacom's wide array of server instances
Besides these damaging access exposures, other data included in the repository is sensitive and would aid malicious actors. Some of the scripts present suggest that Viacom utilizes GPG encryption on many regular backups; unfortunately, also revealed in the leak are GPG decryption keys which may unlock that data.
Finally, Ruby scripts exposed in the leak provide a clear roadmap for any malicious actor to know what applications are being run, as do YAML configuration files. Picture how, in a heist movie, the bad guys need information in order to pull off the robbery. They need to know the layout of the bank vault, what type of safe they need to crack, and what keys they might need. Such scripts are the digital equivalent of this blueprint.
While the exposure has since been closed, following UpGuard’s notification to Viacom, this incident highlights the potentially enormous cost such data leaks can evince upon even the largest and most sophisticated organizations. Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims.
What could malicious actors have done with the data exposed in this leak? Several threat vectors immediately present themselves. The control of Viacom digital properties could have enabled the execution of phishing schemes, using the corporation’s brand recognition to trick consumers into furnishing their personal details. The exposure of secret access keys to Viacom’s AWS account, as well as the control of the company’s server configurations and manifests, could also have allowed malicious actors to spin off additional servers to use Viacom IT systems as a botnet.
Media and entertainment organizations are increasingly struggling with digital security, as cyber risk exacts increasingly high costs against the industry. Recent breaches and exposures have wrought significant damages against targets like Sony, which saw data including emails and unreleased movies stolen in an infamous 2014 incident, and HBO, which suffered similar losses this summer of scripts, emails, and unreleased television episodes. Clearly, this is not a problem of one corporation, but a growing threat to any business relying upon information technology in any way.
There are indications that this pervasive level of cyber risk has not yet been met with commensurate cyber resilience across the board. While Viacom’s main website scored a low 428 on the CSTAR cyber risk scanner, other Viacom properties affected by the cloud leak mark similarly poor scores, Out of a maximum score of 950, film studio and Viacom property Paramount Pictures scores a low 475:
Viacom’s cable flagship MTV scores 472:
Fellow Viacom cable property Comedy Central scores 430:
Kid’s cable channel Nickelodeon scores the poorest, at 386:
With such widespread mediocrity in digital security postures, it is vital that this incident serve as an example of just why enterprises in every industry must begin fostering better processes for ensuring such gaps are quickly identified and remediated.
The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity. Analysis of the Viacom leak reveals nothing less than this: the keys to a media kingdom were left publicly accessible on the internet, completely compromising the integrity of Viacom’s digital infrastructure.