Home Security Accenture's crown jewels found exposed in unsecured AWS buckets

Accenture's crown jewels found exposed in unsecured AWS buckets

Global corporate consulting and management firm Accenture left at least four cloud-based storage servers unsecured and open to the public, the security company UpGuard has found.

Exposed to the world were secret API data, authentication credentials, certificates, decryption keys, customer information and other data that could have been used to attack both the company and its clients.

Accenture’s customers “include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500”.

The exposed data was found on 17 September by UpGuard director of Cyber Risk Research, Chris Vickery, who has made a large number of similar discoveries. Four Amazon Web Services S3 storage buckets were found set up for public access and with their contents downloadable by anyone who accessed the sites using their Web address.

"A cursory analysis on 18 September of the four buckets — titled with the AWS subdomains 'acp-deployment', 'acpcollector', 'acp-software', and 'acp-ssl' — revealed significant internal Accenture data, including cloud platform credentials and configurations, [and this] prompted Vickery to notify the corporation; the four AWS servers were secured the next day," UpGuard's Dan O'Sullivan wrote in a detailed description of the find.

All four of the S3 buckets contained sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform. "All were maintained by an account named 'awsacp0175', a possible indication of the buckets’ origin."

One bucket, “acpcollector”, was used to store data that was needed to have visibility into, and maintenance of, Accenture’s cloud stores. There were VPN keys used in production for Accenture’s private network which meant that a master view of Accenture’s cloud ecosystem could be exposed.

"Also contained in the bucket are logs listing events occurring in each cloud instance, enabling malicious actors to gain far-reaching insight into Accenture’s operations," O'Sullivan wrote.

The bucket “acp-deployment” included configuration files for Accenture's Identity API and a document listing the master access key for Accenture’s account with Amazon Web Service’s Key Management Service. This meant an an unknown number of credentials were exposed to possible malicious use.

The "acp-software" bucket contained huge database dumps that included credentials, some being of Accenture clients. "While many of the passwords contained here are hashed, nearly 40,000 plaintext passwords are present in one of the database back-ups," O'Sullivan said.

"Access keys for Enstratus, a cloud infrastructure management platform, are also exposed, potentially leaking the data of other tools co-ordinated by Enstratus. Information about Accenture’s ASGARD database, as well as internal Accenture email info, are also contained here."

UpGuard said the exposed buckets could have left both Accenture and its thousands of top-flight corporate customers open to malicious attacks that could have done untold financial damage.

"It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The spectre of password re-use attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients."

Contacted for comment, an Accenture spokesperson told iTWire: "There was no risk to any of our clients – no active credentials, PII (personally identifiable information) or other sensitive information was compromised.

"We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications."

LEARN HOW TO BE A SUCCESSFUL MVNO

Did you know: 1 in 10 mobile services in Australia use an MVNO, as more consumers are turning away from the big 3 providers?

The Australian mobile landscape is changing, and you can take advantage of it.

Any business can grow its brand (and revenue) by adding mobile services to their product range.

From telcos to supermarkets, see who’s found success and learn how they did it in the free report ‘Rise of the MVNOs’.

This free report shows you how to become a successful MVNO:

· Track recent MVNO market trends
· See who’s found success with mobile
· Find out the secret to how they did it
· Learn how to launch your own MVNO service

DOWNLOAD NOW!

Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.