  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] How Misconfigured AWS S3 Exposed Accenture's Business

    A collection of nearly 40,000 plaintext passwords is present in one of the database backups

    Dan O'Sullivan
    October 10, 2017

    The UpGuard Cyber Risk Team can now reveal that Accenture, one of the world’s largest corporate consulting and management firms, left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients. The servers’ contents appear to be the software for the corporation’s enterprise cloud offering, Accenture Cloud Platform, a “multi-cloud management platform” used by Accenture’s customers, which “include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500” - raising the possibility that, if valid, exposed Accenture data could have been used for critical secondary attacks against these clients. With a CSTAR cyber risk score of 790 out of a possible 950, this cloud leak shows that even the most advanced and secure enterprises can expose crucial data and risk serious consequences.

    The Discovery

    On September 17th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered four Amazon Web Services S3 storage buckets configured for public access, downloadable to anyone who entered the buckets’ web addresses into their internet browser. A cursory analysis on September 18th of the four buckets - titled with the AWS subdomains “acp-deployment,” “acpcollector,” “acp-software,” and “acp-ssl” - revealed significant internal Accenture data, including cloud platform credentials and configurations, prompting Vickery to notify the corporation; the four AWS servers were secured the next day.

    All four S3 buckets contain highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform. All were maintained by an account named “awsacp0175,” a possible indication of the buckets’ origin.

    The bucket “acp-deployment” appears to be largely devoted to storing internal access keys and credentials for use by the Identity API, which is apparently used to authenticate credentials. A folder in the bucket titled “Secure Store” contains not only configuration files for the Identity API, but also a plaintext document containing the master access key for Accenture’s account with Amazon Web Service’s Key Management Service, exposing an unknown number of credentials to malicious use.

    Also contained in the bucket is a number of “client.jks” files - stored in some cases alongside what is believed to be the plaintext password necessary to decrypt the file. It is unknown precisely what the keys in “clients.jks” could be used to access. Private signing keys were also exposed within these files - placing a critical tool in the hands of anyone who encountered them.

    The bucket “acpcollector” appears to contain data necessary for visibility into and maintenance of Accenture’s cloud stores. The bucket contains VPN keys used in production for Accenture’s private network, potentially exposing a master view of Accenture’s cloud ecosystem. Also contained in the bucket are logs listing events occurring in each cloud instance, enabling malicious actors to gain far-reaching insight into Accenture’s operations.

    At a size of 137 GB, the bucket “acp-software” is much larger, giving some indication of its contents: large database dumps that include credentials, some of which appear to be for some Accenture clients. While many of the passwords contained here are hashed - passwords mathematically transformed into an alphanumeric string - a collection of nearly 40,000 plaintext passwords is present in one of the database backups. Access keys for Enstratus, a cloud infrastructure management platform, are also exposed here, potentially leaking the data of other tools coordinated by Enstratus. Information about Accenture’s ASGARD database, as well as internal Accenture email info, are also contained here.

    Also in this bucket are data dumps from the Zenoss event tracker used by Accenture, revealing such incidents as the adding of new users, recording of IP addresses, and JSession IDs which, if not expired, could be plugged into cookies to gain entry past authentication portals. An examination reveals a number of Accenture clients recorded in this manner.

    Finally, credentials for what appear to be Accenture’s Google and Azure accounts are also present in this folder - another critical revelation which could be used to gain further access to and control of Accenture assets.

    The final bucket, “acp-ssl,” contains more key stores in a folder called “” The keys appear to provide access to various Accenture environments, such as one titled “Cloud File Store Key,” among a number of private keys, as well as certificates that, in theory, could be used to decrypt traffic between Accenture and clients, potentially gathering any sensitive information as it is sent across the wire.

    The Significance

    Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.

    It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients.

    Enterprises must be able to secure their data against exposures of this type, which could have been prevented with a simple password requirement added to each bucket. Accenture’s relatively middle-of-the-road CSTAR score of 790 is a testament to the difficulty modern IT departments must face: how can we ensure all of our systems are configured as they need to be, even at scale? Until such enterprises can trust that their systems are only accessible as needed, hugely damaging exposures of this type will persist, exposing us all to the brunt of cyber risk.
    Last edited by 5ms; 15-10-2017 at 18:04.

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010


    PR: Accenture and Amazon Web Services Create New Business Group to Help Enterprises Migrate to and Run Their Business in the AWS Cloud

    LAS VEGAS; Oct. 7, 2015 – Accenture (NYSE: ACN) and Amazon Web Services, Inc. (AWS), an Amazon company (NASDAQ: AMZN), today announced the formation of a business group to help clients more quickly move their business to the cloud. The Accenture AWS Business Group brings together dedicated professionals from each company with expertise in cloud solutions architecture and development, marketing, sales, and business development. The business group will offer integrated consulting and technology solutions designed to help enterprise clients take greater advantage of the flexibility and economics of an “as-a-service” operating model where IT and business services are delivered on-demand, via the AWS Cloud.

    Large enterprises are under pressure to innovate faster than ever, drive down costs, and deliver increased value to their organizations through more responsive and flexible IT. The Accenture AWS Business Group was established to help organizations evolve long-established internal processes, reorganize internal IT teams, re-tool legacy solutions, and effectively extract value from the data their businesses are collecting. The business group will develop and deliver a suite of services and solutions that unify business process re-engineering, application migration services, architecture design and application development for the AWS Cloud so enterprise clients can accelerate innovation, enter new markets, and ultimately achieve improved business results.

    Accenture and AWS plan to invest significant resources over multiple years in the development of new services and technology solutions including application migration and development, cloud-based enterprise applications, and analytics and Big Data solutions. The companies are committed to train an additional 1,000 Accenture professionals and certify 500 Accenture professionals on the AWS Cloud in the first year, and support go-to-market activities. Employees dedicated to the Accenture AWS Business Group will be equipped with the latest AWS technologies, best-in-class methodologies, highly automated tools for application migration, and software-as-a-service applications for big data management and analytics.

    “Accenture is already a market leader in cloud and the formation of the Accenture AWS Business Group is a key part of our Accenture Cloud First agenda. Cloud is increasingly becoming a starting point with our clients for their enterprise solutions,” said Omar Abbosh, Chief Strategy Officer, Accenture. “Whether our clients need to innovate faster, create new services, or maximize value from their investments, the Accenture AWS Business Group will help them get there faster, with lower risk and with solutions optimized for AWS.”

    “We are working with more organizations than ever before who have made the decision to transform their business by moving to the AWS Cloud,” said Adam Selipsky, Vice President of Sales, Marketing, and Support, Amazon Web Services. “The Accenture AWS Business Group has been created to empower these organizations to rapidly achieve the agility benefits of moving to AWS so they can eliminate the undifferentiated heavy lifting of managing their IT infrastructure and instead focus on adopting new IT operating models, addressing new market opportunities, and growing their business, at the same time they reduce their overall IT costs.”

    Initially, the Accenture AWS Business Group will focus on two main business areas, with plans to introduce additional solutions in the future:

    • Transformation Services Optimized for AWS: The business group will provide services to clients to move their existing applications to and develop new applications on AWS quickly, economically, and securely. The services include cloud strategy, organizational and architecture design, application migration, refactoring, and new application development services. A dedicated AWS application development and migration ‘factory’ will automate processes to help businesses run more efficiently.
    • Analytics and Big Data Services, powered by AWS: Enterprise clients, especially those in regulated industries such as healthcare and financial services, are increasingly looking for more effective analytics-driven solutions. The Accenture Insights Platform will be expanded to integrate AWS data and analytics capabilities. This will allow customers with compliance and regulatory requirements to better manage the end-to-end data lifecycle from data migration, curation, normalization, and analytics.

    The business group will also explore the creation of new services in high growth areas such as Internet of Things (IoT) and Security on the AWS Cloud.

    The formation of the Accenture AWS Business Group represents a continued expansion of the relationship between Accenture and AWS, who have been working together to support their clients in their move to the cloud for nearly 10 years. In 2014, the two companies collaborated on end-to-end cloud migration and management services designed to help enterprise clients move from cloud pilots to enterprise-wide deployments in the AWS Cloud. Notable clients who have successfully migrated to AWS leveraging these services include global broadcasting and content company Discovery Networks International and Japanese public WiFi service provider Wire and Wireless Co.

  3. #3
    WHT-BR Top Member
    Join Date
    Dec 2010

    Data on 150,000 patients exposed in another misconfigured AWS bucket

    Patient Home Monitoring failed to lock down public access to its online server, exposing personal data of 150,000 patients.

    Jessica Davis
    October 12, 2017

    Kromtech Security researchers have discovered yet another unsecured Amazon S3 bucket. This time, the cloud server in question was linked to HIPAA-covered entity, Patient Home Monitoring, a vendor that provides U.S. patients with disease management services and in-home monitoring.

    The misconfigured server contained the lab results and other patient files of about 150,000 patients. The files were stored on a publicly accessible bucket that was left unprotected by a password, according to researchers.

    In total, the breach contained 47.5 GBs of data comprised of about 316,000 PDF files, which contained patient names, addresses, phone numbers, diagnoses and test results. The files also contained physician names, case management notes and other patient information.

    “Anyone with an internet connection could access these confidential records,” said Alex Kernishniuk, vice president of Strategic Alliances for Kromtech, in a statement.

    Kromtech researchers first discovered the breach on Sept. 29, and PHM was notified on Oct. 5. The company secured the server on the same day. However, the company did not respond to Kromtech’s inquiries.

    “It is unclear how they will notify their clients and inform them that their confidential data has been leaked online,” the researchers wrote. “Dealing with any form of medical data is risky and it is required by law to notify affected patients of a data breach.”

    “This is yet another wake-up call for companies who try to bridge the gap between healthcare and technology to make sure cybersecurity is also a part of their business model,” said Kernishniuk. “Even the most basic security measures would have prevented this data breach.”

    Kernishniuk said he believes this won’t be the last AWS breach. In fact, this latest breach is the second major AWS server breach announced this week. Accenture left four of its AWS buckets unprotected due to a misconfiguration error, exposing hundreds of gigabytes of data.

  4. #4
    WHT-BR Top Member
    Join Date
    Dec 2010
    Lydia Leong @cloudpundit 2 hours ago

    ACP creds in S3 exposed … - Dear @Upguard, public S3 bucket != server w/o password. Plz write w/ technical accuracy.
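
What "configured for public access" means in S3 terms, as an added example that is not part of any post or article in this thread: a bucket is readable without credentials when its ACL grants access to a predefined public group or its bucket policy allows every principal. The Python below checks both conditions offline; the function names, bucket names and the sample ACL and policy are constructed for illustration.

```python
import json

# Predefined S3 groups; an ACL grant to either reaches outside the owning account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTH_USERS: "any AWS account"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Return (permission, audience) for every ACL grant to a public group.
    `acl` follows the shape of the S3 GetBucketAcl response."""
    found = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            found.append((grant["Permission"], PUBLIC_GROUPS[uri]))
    return found

def public_policy_statements(policy_json):
    """Return labels of Allow statements open to every principal.
    Statements carrying a Condition are skipped here and need manual review."""
    found = []
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for i, st in enumerate(_as_list(statements)):
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        wildcard = "*" in _as_list(principal)
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            found.append(st.get("Sid", f"statement[{i}]"))
    return found

def audit(bucket, acl, policy_json=None):
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json)
    return {"bucket": bucket, "public": bool(acl_hits or policy_hits),
            "acl": acl_hits, "policy": policy_hits}

# Constructed sample data (hypothetical bucket, not taken from the incidents).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(audit("example-open-acl", OPEN_ACL))
    print(audit("example-open-policy", {"Grants": [OWNER]}, OPEN_POLICY))
```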
