Security researcher Aaron Phillips worked with cybersecurity professionals at SEGA Europe to protect sensitive files that were mistakenly stored in a publicly accessible Amazon Web Services (AWS) S3 bucket. On closer inspection, internal cloud security settings were found to be inadequate, which could have exposed visitors and employees of SEGA domains to digital threats such as malware and ransomware.
The joint efforts of the security researchers ensured that no harm was done and that SEGA was able to take its security measures to the next level. Potential vulnerabilities have now been patched and people are no longer at increased risk when visiting the websites and forums of their favourite SEGA games.
In the case of such vulnerabilities, information and knowledge sharing is crucial. Organizations can learn from each other’s case studies and experiences, which enables them to better protect themselves and their users. In addition, it is much more desirable for a vulnerability to be discovered and shared responsibly by a security researcher than by a hacker with criminal intentions.
Several sets of AWS keys were found in the affected Amazon bucket, with which it was possible to run scripts and upload files to domains of SEGA Europe. This made the websites of several popular games and SEGA’s CDN (Content Delivery Network) services susceptible to malware distribution.
The researchers also managed to get hold of several API keys, which allowed further privilege escalation. With these extended rights, the team had direct access to several SEGA Europe cloud services. The researchers also found valid API keys for Mailchimp and Steam, allowing them to use these services on behalf of SEGA.
SEGA also stores user data of some 250,000 users of the community forum of SEGA’s Football Manager game in Amazon buckets. It is crucial that this data is kept carefully and securely. There is no indication that malicious parties have accessed the sensitive data or exploited any of the vulnerabilities.
SEGA Europe cloud security vulnerabilities
During the investigation, the researchers were able to gain access to the following parts of SEGA Europe:
|Access gained|Impact|
|---|---|
|Steam developer key|Medium|
|Database password and RSA keys|Serious|
|Personal data and forum passwords|Serious|
|MailChimp API key|Critical|
|Amazon Web Services credentials|Critical|
The found keys, credentials and passwords could easily have been used by malicious parties for malicious purposes. Access to SEGA’s cloud services also put the entire platform of the various CDNs, partners, forums and popular games at risk. The researchers transferred all found information, passwords and access keys to SEGA, after which they closed the leak and repaired and improved the security of their cloud platform.
Acquisition of well-known SEGA domains
The core of the vulnerabilities lies in the fact that key AWS credentials were inadvertently accessible to everyone. The AWS keys discovered provided read and write access to SEGA Europe’s cloud storage. Many of the affected SEGA sites are hosted on so-called AWS S3 buckets.
S3 buckets are used to store data in the cloud. Each bucket is like a folder on your computer. It can contain files and subfolders used for hosting websites, keeping logs, preserving data for mobile apps, and more. Buckets are thus a kind of Swiss army knife for cloud storage.
It was possible for the researchers to upload files and run scripts on official SEGA websites via these buckets. This allowed them to modify existing web pages or modify the configuration of various SEGA Europe domains.
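The keys and RSA material described above were lying in files that had been uploaded to a public bucket. The following is an added example (not code from the report or from SEGA) of a pre-publication check that scans file contents for AWS access key IDs, labelled secret keys and PEM private-key headers; the sample inputs are constructed, and the key ID and secret are the documented AWS placeholder values.

```python
"""Scan file contents for leaked credentials before they reach a public bucket.

Added example, not part of the original report: the patterns and sample
inputs below are constructed for illustration.
"""
import re

# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) and
# are followed by 16 upper-case alphanumeric characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A secret access key is 40 characters of base64-like text; only report it
# when it sits next to a label, otherwise the pattern is too noisy on binary data.
AWS_SECRET = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})")
# PEM headers that indicate a private key was stored in the clear.
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")


def scan_text(text: str) -> list[tuple[str, int]]:
    """Return (finding_type, line_number) for each credential-like hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append(("aws_access_key_id", lineno))
        if AWS_SECRET.search(line):
            findings.append(("aws_secret_access_key", lineno))
        if PRIVATE_KEY_HEADER.search(line):
            findings.append(("private_key", lineno))
    return findings


def is_safe_to_publish(text: str) -> bool:
    """True only when no credential-like content was found."""
    return not scan_text(text)


# Constructed samples: a credentials file of the kind that ends up inside a
# server image, a private key, and a harmless web server config.
SAMPLE_CONFIG = """\
[default]
region = eu-west-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CLEAN = "server_name www.example.com;\nlisten 443 ssl;\n"

if __name__ == "__main__":
    for name, blob in [("config", SAMPLE_CONFIG), ("key", SAMPLE_KEY), ("nginx", SAMPLE_CLEAN)]:
        print(name, scan_text(blob) or "clean")
```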
Below is an overview of the affected domains including their Moz.com Domain Authority score:
|SEGA DOMAINS|MOZ DOMAIN AUTHORITY|IMPACT|
|---|---|---|
In total, 26 public domains managed by SEGA Europe were found to be vulnerable. At the websites where we label the vulnerabilities as ‘critical’, it was possible for attackers to upload files and modify content. In the domains with ‘serious vulnerabilities,’ it was possible to change the CloudFront Distributions.
Access to important and strong SEGA domains
Many of the affected domains have a high Domain Authority in addition to being known among gamers. These websites often rank higher in Google search results because they are known as reliable sources. In addition, users are also more likely to interact with websites they trust.
For example, the researchers were able to modify the content of a trusted domain such as careers.sega.co.uk.
SEGA Europe has regained control of the affected domains and it is no longer possible to upload arbitrary files on the sites.
Access to content distribution system
The researchers also had access to three SEGA production content distribution networks (CDNs). A CDN is used to store files and images that can then be shown by different domains. This made it possible to upload new files and replace existing files.
It is common for external sites to link to the CDN location of files to display official images. This puts far more users at risk when such a vulnerability is exploited. For example, 531 domains with links to the affected CDNs were found.
|CDN|NUMBER OF EXTERNAL DOMAINS WITH LINKS|IMPACT|
|---|---|---|
Some of the domains linking to files from the vulnerable CDN also had high Domain Authority. Had hypothetical hackers spread malicious files through SEGA Europe’s CDN, visitors to the following domains would also have been vulnerable:
|EXTERNAL DOMAINS|MOZ DOMAIN AUTHORITY|
|---|---|
|eveonline.com (third party)|80|
|somethingawful.com (third party)|74|
|sonicstadium.org (third party)|64|
|twcenter.net (third party)|61|
The vulnerability of the CDN downloads.sega.com, in particular, could have caused major problems. Malicious files distributed there would not simply have been noticed, because this service is by definition intended to also host *.pdf or *.exe files.
SEGA has also fixed the vulnerabilities in the CDN systems, so methods of attack targeting the CDNs are no longer possible.
Access to the SEGA cloud
The researchers were able to access the following parts of the SEGA cloud infrastructure:
|SERVICE|NUMBER OF CLOUD COMPONENTS AFFECTED|
|---|---|
|S3 storage buckets|147|
|SNS Notification Topics|20|
With the obtained AWS credentials, it was possible to scan SEGA’s cloud environment for further access. As a result, the researchers compiled a list of all the cloud elements they had access to. The compiled list has been handed over to the SEGA Europe cybersecurity team.
Access to SNS notification queues
In addition to the parts of the cloud already mentioned, they also had access to the Amazon Simple Notification Service (SNS) queues and their subscribers. Amazon SNS sends email alerts to the relevant IT staff of SEGA Europe, for example, server alerts to the administrator responsible for that server.
Accessing this queue could allow an attacker to create malicious SNS alerts. The team found the following high-impact SNS queue that an attacker could target:
In addition, this data breach also gave access to the email addresses of eight SEGA engineers and two internal mail relays. A hacker could use this information to pry open even wider access to the SEGA cloud.
SEGA has picked up our report and is now securing the SNS queues.
Access to the Steam API
Some of the S3 buckets also contained API keys, including a key for the Steam Partner API. This turned out to be a useful Steam developer key that allowed access to the SEGA Steam Partner API.
SEGA has since withdrawn the leaked API key.
Leaked RSA keys
In addition to the Steam key, the researchers also found two sets of private RSA keys from SEGA Europe. Private RSA keys are used to authenticate SSH connections. The keys were found among the server image files available through the cloud. A further set contained expired RSA keys. SEGA has revoked the keys that were still active.
Access the SEGA MailChimp email service
Finally, the researchers managed to find a Mailchimp API key with which they could send emails from the email address firstname.lastname@example.org. SEGA uses this address to send official emails to Football Manager players and users.
It was possible for the researchers to modify official mail templates and to create new templates themselves. Should someone want to cause harm, a fraudulent email from this account would be very difficult for the recipient to recognize, since everything about it would point to an official, legitimate email.
Apart from email@example.com, there were no other email addresses that the researchers could send from. In addition, SEGA had already detected the use of this key during the investigation and blocked access.
Here is a timeline of the vulnerability analysis at SEGA Europe:
|Event|Date|
|---|---|
|Exploration of a publicly accessible S3 bucket containing invoices in the name of SEGA Amusements Intl.|October 18, 2021|
|Discovery of the SQL backup and nginx.img|October 18, 2021|
|Security researchers communicated their initial findings to SEGA|October 18, 2021|
|AWS credentials and RSA keys found|October 19, 2021|
|Gained access to AWS S3 buckets|October 19, 2021|
|http://www.bayonetta.com could be modified and taken over|October 21, 2021|
|sgaas-service.img, a database password and additional AWS credentials found|October 22-24, 2021|
|Accessed: AWS CloudFront distributions and AWS EC2 instances|October 25-26, 2021|
|Steam developer key and MailChimp key found|October 26, 2021|
|Accessed the email account firstname.lastname@example.org|October 27, 2021|
|Second notice and update to SEGA|October 28, 2021|
|SEGA Europe cybersecurity team confirmed the vulnerabilities have been fixed|October 28, 2021|
SEGA also pointed us to their HackerOne page, where researchers get a quick response when they find a leak at SEGA Group.
This leak at SEGA Europe underlines the importance of sandboxing in cloud storage. First, the private cloud and the public cloud must be kept strictly separate from each other. In this case, the credentials ended up in the public cloud by mistake, where unauthorized persons could theoretically find and abuse them.
Secondly, the storage within the private cloud should also be segmented via sandboxing. In this case, the SEGA cloud could easily be searched and mapped. Finally, it should not be the case that there is a universal bucket key, with which an attacker can easily access all buckets.
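As an added example illustrating the last two recommendations (segmented storage and no universal bucket key), the following Python script audits policy documents for the statement shapes that produce exactly those problems: a public `Principal`, and write actions granted on every bucket. It is not SEGA's or AWS's code; the three policy documents are constructed, and the checks follow standard IAM policy semantics.

```python
"""Audit S3-related policy statements for over-broad Allow grants.

Added example, not code from SEGA or the researchers. The policy documents
below are constructed; the checks implement standard IAM policy semantics.
"""
from fnmatch import fnmatchcase

S3_WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    # '*' or {"AWS": "*"} means anyone on the internet, authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _covers_all_buckets(resource: str) -> bool:
    # 'arn:aws:s3:::*' and a bare '*' match every bucket in the account.
    return resource in ("*", "arn:aws:s3:::*")


def _grants_write(action: str) -> bool:
    # Action values may carry wildcards ('s3:*', 's3:Put*'), so pattern-match them.
    return any(fnmatchcase(write_action, action) for write_action in S3_WRITE_ACTIONS)


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per over-broad Allow statement (empty list means clean)."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if _is_public_principal(st.get("Principal")):
            findings.append(f"statement {idx}: Principal '*' exposes the resource publicly")
        if any(_grants_write(a) for a in actions) and any(_covers_all_buckets(r) for r in resources):
            findings.append(f"statement {idx}: write access to every bucket (universal bucket key)")
    return findings


# Constructed policies: a universal key, a scoped key, and a public-read bucket policy.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::forum-uploads/*"}]}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::www-assets/*"}]}

if __name__ == "__main__":
    for name, pol in [("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY), ("public-read", PUBLIC_READ_POLICY)]:
        print(name, audit_policy(pol) or ["ok"])
```

The scoped policy passes because its write grant is limited to one bucket prefix; the public-read policy is flagged so that intentional static hosting buckets are reviewed deliberately rather than by accident.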
There is no indication that any other malicious parties knew about this vulnerability before the security team identified it. As far as is known, this leak has not been actively exploited. After contact was made, SEGA’s cybersecurity team quickly and professionally closed the leak.
The research shows how a single misconfiguration can jeopardize the digital infrastructure of even the largest companies. Other organizations should therefore view the findings as a wake-up call and continuously monitor and improve their digital infrastructure and security measures. We hope others take SEGA as an example when it comes to tackling reported vulnerabilities before they can be exploited by cybercriminals.