SEGA Europe Thoroughly Analyzes Cloud Security After Vulnerability

Security researcher Aaron Phillips worked with cybersecurity professionals at SEGA Europe to secure sensitive files that had been mistakenly stored in a publicly accessible Amazon Web Services (AWS) S3 bucket. On closer inspection, SEGA Europe's internal cloud security settings were found to be inadequate, which could have exposed visitors and employees of SEGA domains to digital threats such as malware and ransomware.

The joint efforts of the researchers and SEGA's security team ensured that no harm was done and that SEGA was able to take its security measures to the next level. The vulnerabilities have since been fixed, and visitors to the websites and forums of their favourite SEGA games are no longer at increased risk.

In cases like this, sharing information and knowledge is crucial. Organizations can learn from each other's case studies and experiences, which helps them protect themselves and their users better. It is also far preferable for a vulnerability to be discovered and disclosed responsibly by a security researcher than found by a hacker with criminal intentions.

Key findings

Several sets of AWS keys were found in the exposed S3 bucket. With them it was possible to run scripts and upload files to SEGA Europe domains, which left the websites of several popular games and SEGA's CDN (Content Delivery Network) services open to abuse for malware distribution.

The researchers also got hold of several API keys, which allowed further privilege escalation. With these extended rights, the team had direct access to several SEGA Europe cloud services. They also found valid API keys for Mailchimp and Steam, allowing them to use those services on behalf of SEGA.

SEGA also stores the user data of some 250,000 members of the community forum for its Football Manager game in S3 buckets. It is crucial that this data is kept carefully and securely. There is no indication that malicious parties accessed the sensitive data or exploited any of the vulnerabilities.

SEGA Europe cloud security vulnerabilities

During the investigation, the researchers were able to gain access to the following parts of SEGA Europe:

ACCESS                              IMPACT
Steam developer key                 Moderate
Database password and RSA keys      Serious
Personal data and forum passwords   Serious
MailChimp API key                   Critical
Amazon Web Services credentials     Critical

The keys, credentials and passwords that were found could easily have been abused by malicious parties. Access to SEGA's cloud services also put the entire platform of CDNs, partners, forums and popular games at risk. The researchers handed all the information, passwords and access keys they found over to SEGA, after which SEGA closed the leak and repaired and improved the security of its cloud platform.

Takeover of well-known SEGA domains

The core of the vulnerabilities lies in the fact that AWS credentials were inadvertently accessible to everyone. The discovered AWS keys provided read and write access to SEGA Europe's cloud storage. Many of the affected SEGA sites are hosted from AWS S3 buckets.

S3 buckets are used to store data in the cloud. Each bucket is like a folder on your computer. It can contain files and subfolders used for hosting websites, keeping logs, preserving data for mobile apps, and more. Buckets are thus a kind of Swiss army knife for cloud storage.

Via these buckets the researchers were able to upload files and run scripts on official SEGA websites, which let them modify existing web pages and change the configuration of various SEGA Europe domains.
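Credentials like the ones described above are found by reading object contents, not bucket listings. The sweep below is an added example, not code from the researchers or from SEGA: it shows how a defender (or a researcher triaging a bucket like this one) can scan every object for the kinds of secrets this report describes. The object keys and contents are constructed, the patterns are heuristics, and the AWS key and secret are the placeholder values from AWS's own documentation, not real credentials.

```python
"""Scan S3 object contents for leaked credentials.

Added example: the patterns are heuristics and the sample objects below are
constructed; the AWS key/secret are the placeholder values from AWS's own
documentation, not real credentials.
"""
import re
from dataclasses import dataclass

# Every pattern captures the secret itself in group 1.
PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"),
    # 40-char secret, only when it sits next to its variable name, so that
    # every base64 blob in a bucket is not flagged.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # PEM private keys (RSA, OpenSSH, EC, DSA, or unlabelled PKCS#8).
    "private_key_pem": re.compile(
        r"(-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----)"),
    # Mailchimp keys: 32 hex chars, a dash, then the data centre (e.g. us20).
    "mailchimp_api_key": re.compile(
        r"(?<![0-9a-f])([0-9a-f]{32}-us[0-9]{1,2})(?![0-9])"),
}


@dataclass(frozen=True)
class Finding:
    key: str       # object key within the bucket
    kind: str      # which pattern fired
    line: int      # 1-based line number inside the object
    evidence: str  # redacted match, safe to paste into a report


def redact(secret: str) -> str:
    """Keep the first and last four characters so the owner can identify it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_object(key: str, body: bytes) -> list:
    """Run every pattern over every line of one object."""
    text = body.decode("utf-8", errors="replace")
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                # A PEM header is not itself secret; report it verbatim.
                evidence = secret if kind == "private_key_pem" else redact(secret)
                findings.append(Finding(key, kind, lineno, evidence))
    return findings


def scan_bucket(objects: dict) -> list:
    """Scan a bucket given as {object_key: body}.

    In a live sweep, fill this mapping by paging through
    s3.list_objects_v2() and calling s3.get_object() on each key.
    """
    findings = []
    for key in sorted(objects):
        findings.extend(scan_object(key, objects[key]))
    return findings


# Constructed sample bucket: a clean server config, a .env with credentials,
# a private key and a PDF.
SAMPLE_OBJECTS = {
    "images/nginx.img.cfg": b"server_name example.internal;\n",
    "deploy/.env": (
        b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        b"MAILCHIMP_KEY=0123456789abcdef0123456789abcdef-us20\n"
    ),
    "backup/id_rsa": (
        b"-----BEGIN RSA PRIVATE KEY-----\n"
        b"MIIEowIBAAKCAQEA...(constructed, truncated)...\n"
        b"-----END RSA PRIVATE KEY-----\n"
    ),
    "invoices/2021-10.pdf": b"%PDF-1.4\n% no secrets here\n",
}

if __name__ == "__main__":
    for f in scan_bucket(SAMPLE_OBJECTS):
        print(f"{f.key}:{f.line} {f.kind} {f.evidence}")
```

The point of the context requirement on the secret-key pattern is precision: a 40-character base64 string on its own matches far too much (hashes, signatures, image data), so it is only reported when it sits beside its variable name. Run on the constructed bucket, the sweep reports the PEM header in backup/id_rsa and the three credentials in deploy/.env, redacted, and nothing for the config or the PDF.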

Below is an overview of the affected domains including their Moz.com Domain Authority score:

SEGA DOMAIN                  MOZ DOMAIN AUTHORITY   IMPACT
downloads.sega.com           83                     Critical
cdn.sega.com                 83                     Critical
careers.sega.co.uk           65                     Critical
influencer.sega.co.uk        65                     Critical
cdn.sega.co.uk               65                     Critical
bayonetta.com                52                     Critical
whatif.humankind.game        49                     Critical
makewarnotlove.com           51                     Critical
vanquishgame.com             46                     Critical
sega.com                     83                     Serious
forever.sega.com             83                     Serious
totalwar.com                 77                     Serious
footballmanager.com          71                     Serious
sonicthehedgehog.com         61                     Serious
companyofheroes.com          61                     Serious

In total, 26 public domains managed by SEGA Europe were found to be vulnerable. On the websites labelled 'critical', attackers could have uploaded files and modified content. On the domains labelled 'serious', it was possible to change the CloudFront distributions.

Access to important and strong SEGA domains

Many of the affected domains are well known among gamers and have a high Domain Authority. Such websites tend to rank higher in Google search results because they are treated as reliable sources, and users are more likely to interact with websites they trust.

For example, the researchers were able to modify the content of a trusted domain such as careers.sega.co.uk.

SEGA Europe has regained control of the affected domains and it is no longer possible to upload arbitrary files on the sites.

Access to the content delivery networks

The researchers also had access to three SEGA production content delivery networks (CDNs). A CDN serves files and images that are then embedded by many different domains. Access to it made it possible to upload new files and replace existing ones.

It is common for external sites to link directly to files on the CDN to display official images. Exploiting such a vulnerability therefore puts far more users at risk than the CDN's own domain suggests: 531 domains with links to the affected CDNs were found.

CDN                   EXTERNAL DOMAINS WITH LINKS   IMPACT
downloads.sega.com    88                            Critical
cdn.sega.com          438                           Critical
cdn.sega.co.uk        5                             Critical

Some of the domains linking to files on the vulnerable CDNs also have a high Domain Authority. Had attackers spread malicious files through SEGA Europe's CDNs, visitors to the following domains would also have been exposed:

EXTERNAL DOMAIN                    MOZ DOMAIN AUTHORITY
eveonline.com (third party)        80
somethingawful.com (third party)   74
sega.co.uk                         65
sonicstadium.org (third party)     64
sigames.com                        63
companyofheroes.com                61
twcenter.net (third party)         61
games2gether.com                   57

The vulnerability of the downloads.sega.com CDN in particular could have caused major problems. Malicious files distributed there would not have stood out, because the service exists precisely to host downloads such as *.pdf and *.exe files.

SEGA has also fixed the vulnerabilities in the CDN systems, so methods of attack targeting the CDNs are no longer possible.

Access to the SEGA cloud

The researchers were able to access the following parts of the SEGA cloud infrastructure:

AWS SERVICE                NUMBER OF CLOUD COMPONENTS AFFECTED
S3 storage buckets         147
CloudFront distributions   24
EC2 servers                27
SNS notification topics    20

With the obtained AWS credentials, it was possible to scan SEGA's cloud environment for further access. The researchers compiled a list of every cloud element they had access to and handed it over to the SEGA Europe cybersecurity team.

Access to SNS notification topics

In addition to the parts of the cloud already mentioned, the researchers also had access to SEGA's Amazon Simple Notification Service (SNS) topics and to their subscriber lists. SEGA Europe uses SNS to send email alerts to the relevant IT staff, for example server alerts to the administrator responsible for that server.

Access to these topics could allow an attacker to publish fake SNS alerts, for example to lure administrators into acting on a bogus server alert. The team identified one high-impact SNS topic in particular that an attacker could target.


The subscriber lists also exposed the email addresses of eight SEGA engineers and two internal mail relays. An attacker could have used this information, for instance through targeted phishing, to pry open even wider access to the SEGA cloud.

SEGA has acted on the report and is securing the SNS topics.

Access to the Steam API

Some of the S3 buckets also contained API keys, including a Steam developer key that gave access to SEGA's Steam Partner API.


SEGA has since revoked the leaked API key.

Leaked RSA keys

In addition to the Steam key, the researchers found two sets of SEGA Europe private RSA keys. Private RSA keys are used, among other things, for SSH authentication: whoever holds the private key can log in as the corresponding account. The keys were found in server image files available through the cloud. A further set contained expired RSA keys. SEGA has revoked the keys that were still active.

Access to the SEGA MailChimp email service

Finally, the researchers found a Mailchimp API key with which they could send emails from the address donotreply@footballmanager.com, which SEGA uses to send official emails to Football Manager players and users.

The researchers were able to modify official mail templates and to create new ones. A fraudulent email sent from this account would be very difficult for a recipient to recognize, since everything about it would point to a legitimate, official message.

Apart from donotreply@footballmanager.com, there were no other sender addresses the researchers could impersonate. SEGA also detected the use of this key during the investigation and blocked access.

Timeline

Here is a timeline of the vulnerability analysis at SEGA Europe:

DATE                  EVENT
October 18, 2021      Exploration of a publicly accessible S3 bucket containing invoices in the name of SEGA Amusements Intl.
October 18, 2021      Discovery of the SQL backup and nginx.img
October 18, 2021      Security researchers communicated their initial findings to SEGA
October 19, 2021      AWS credentials and RSA keys found
October 19, 2021      Gained access to AWS S3 buckets
October 21, 2021      http://www.bayonetta.com could be modified and taken over
October 22-24, 2021   sgaas-service.img, a database password and additional AWS credentials found
October 25-26, 2021   Accessed AWS CloudFront distributions and AWS EC2 instances
October 26, 2021      Steam developer key and MailChimp key found
October 27, 2021      Accessed the email account donotreply@footballmanager.com
October 28, 2021      Second notice and update to SEGA
October 28, 2021      SEGA Europe cybersecurity team confirmed the vulnerabilities have been fixed

SEGA also pointed us to its HackerOne page, where researchers who find a leak at SEGA Group get a quick response.

Conclusion

This leak at SEGA Europe underlines the importance of isolation in cloud storage. First, private storage and publicly readable storage must be kept strictly separate. In this case, credentials ended up in a public bucket by mistake, where anyone who found them could abuse them.

Secondly, storage within the private part of the cloud should itself be segmented, with separate buckets, roles and credentials per application, so that one leaked key does not open everything. In this case, the SEGA cloud could easily be searched and mapped with a single set of credentials. Finally, there should be no universal bucket key with which an attacker can access every bucket.
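The "universal bucket key" is an IAM problem before it is a storage problem: a credential is only as dangerous as the policy attached to it. As an added example (not SEGA's policy or code), the check below flags Allow statements that grant every S3 action, that cover every bucket in the account, or that grant write access across more than one bucket, which is the segmentation failure described above. Both policies are constructed for illustration.

```python
"""Flag IAM policy statements that amount to a 'universal bucket key'.

Added example, not SEGA's or AWS's code. The two policies at the bottom are
constructed for illustration; the checks are a minimum, not a full linter.
"""
import fnmatch
import json

# Object- and bucket-level write actions; granted broadly, these let an
# attacker replace site content or CDN files anywhere in the account.
S3_WRITE_ACTIONS = (
    "s3:putobject",
    "s3:deleteobject",
    "s3:putobjectacl",
    "s3:putbucketpolicy",
    "s3:putbucketacl",
)


def _as_list(value):
    """IAM lets Action/Resource/Statement be a single item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _bucket_of(arn: str):
    """Bucket name from arn:aws:s3:::bucket or arn:aws:s3:::bucket/key, else None."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return None
    name = arn[len(prefix):].split("/", 1)[0]
    return name or None


def _grants(actions, wanted: str) -> bool:
    """True if any lower-cased action pattern (e.g. 's3:*') covers `wanted`."""
    return any(fnmatch.fnmatchcase(wanted, a) for a in actions)


def find_overbroad_statements(policy: dict) -> list:
    """Return one human-readable problem per offending clause of an Allow statement."""
    problems = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append(f"{sid}: NotAction/NotResource grants everything not listed; review by hand")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))

        if any(a in ("*", "s3:*") for a in actions):
            problems.append(f"{sid}: wildcard action grants every S3 operation")
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            problems.append(f"{sid}: wildcard resource covers every bucket in the account")

        # Segmentation check: a role that can write should write to one bucket.
        buckets = {b for b in map(_bucket_of, resources) if b and "*" not in b}
        writes = [w for w in S3_WRITE_ACTIONS if _grants(actions, w)]
        if writes and len(buckets) > 1:
            problems.append(
                f"{sid}: {writes[0]} granted across buckets {sorted(buckets)}; split per application")
    return problems


# Constructed: the shape of key that lets one leaked credential map and
# rewrite the whole account.
UNIVERSAL_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UniversalBucketKey", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed: one site's deploy role, read and write limited to its own bucket.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOwnBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-site-assets", "arn:aws:s3:::example-site-assets/*"],
        },
        {
            "Sid": "PublishOwnBucket",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-site-assets/*",
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("universal", UNIVERSAL_KEY_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_overbroad_statements(policy), indent=2))
```

Run against the constructed policies, the universal key produces two findings (wildcard action and wildcard resource) and the scoped deploy policy produces none. A statement that grants s3:PutObject over two different buckets is reported as a segmentation problem even though neither its action nor its resource is a wildcard; that is the case a simple "no asterisks" rule misses.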

There is no indication that any malicious parties knew about this vulnerability before the researchers identified it. As far as is known, the leak has not been actively exploited. After contact was made, SEGA's cybersecurity team closed it quickly and professionally.

The research shows how a single misconfiguration can jeopardize the digital infrastructure of even the largest companies. Other organizations should therefore view the findings as a wake-up call and continuously monitor and improve their digital infrastructure and security measures. We hope others take SEGA as an example when it comes to tackling reported vulnerabilities before they can be exploited by cybercriminals.

Organizations using Amazon’s cloud services can refer to Amazon’s own guides for good practices.
