This report summarizes the coordinated security effort undertaken by the researchers. Cybercrime is rampant, and every company is exposed to some vulnerabilities, so companies are encouraged to scrutinize their security measures and protocols continuously and to work with professionals to improve their cybersecurity strategy before an incident occurs. When vulnerabilities are discovered, sharing the information and the lessons learned is crucial: organizations can learn from each other's case studies and experiences, which enables them to better protect themselves and their users. It is also far preferable that a vulnerability be discovered and disclosed responsibly by a security researcher than found first by an attacker with criminal intentions.
Main findings
Researchers found SNS notification queues that could be abused with the leaked credentials, and were able to run scripts and upload files on domains owned by SEGA Europe. Several popular SEGA websites and CDNs were affected.
The compromised bucket, in which the credentials were found, could potentially also have granted access to user data, including information on hundreds of thousands of users of the Football Manager forums at community.sigames.com. It is crucial that such information is stored properly and securely. There are no indications that malicious third parties accessed the sensitive data or exploited any of the vulnerabilities mentioned before the security researchers restricted access to the bucket.
SEGA Europe Cloud Security Vulnerabilities
The keys, credentials and passwords that were recovered could, in theory, have been used for malicious purposes: they granted access to many SEGA cloud services. The researchers handed over every access key, password and certificate they found, and SEGA Europe made sure the security of its cloud was updated accordingly.
SEGA Europe domains vulnerabilities
The AWS keys discovered allowed read and write access to SEGA Europe's cloud storage. All of the critically affected domains were hosted in AWS S3 buckets. S3 is Amazon's general-purpose object storage: each bucket is a flat namespace of objects whose key prefixes behave much like the folders and subdirectories of a filesystem. Buckets are used to host static websites, store logs, hold data for mobile apps, and more. With write access, the security researchers were able to upload files (including scripts that would execute in visitors' browsers), alter existing web pages and modify the configuration of critically vulnerable SEGA domains. Listed below are some of the affected domains, including their Moz.com domain authority score: 26 public-facing domains controlled by SEGA Europe were affected. On domains rated 'critically vulnerable', the researchers would have been able to upload files and modify content; on domains rated 'seriously vulnerable', it would have been possible to modify the CloudFront distributions that serve them.
High authority domains affected
Many of the impacted domains have high domain authority scores. Sites with high domain authority rank higher in Google search results and are more likely to be trusted, and users are more likely to interact with websites they trust, which makes a defaced or backdoored page on such a domain all the more effective for phishing or malware delivery. For instance, the researchers could have altered content on careers.sega.co.uk had they wanted to. SEGA Europe further secured the domains based on the research findings, and it is no longer possible to upload arbitrary files.
Major SEGA CDNs analyzed
The security team was also able to upload and replace files on three of SEGA's production CDNs. A CDN (content delivery network) serves static assets such as images and software downloads. Third-party websites often link directly to a company's CDN for the official version of an image or file, which creates the potential for a large secondary impact. A quick search revealed 531 domains with links to the affected CDNs: high-authority domains linking to the affected CDNs can be identified using data from Moz.com. This breach would have enabled an attacker to spread malware through these sites (although there are no indications that this happened). In particular, the CDN at downloads.sega.com hosts *.pdf and *.exe files; a malicious party able to replace an installer on a CDN could distribute malware and ransomware under SEGA's name to everyone who downloads it, including visitors of the third-party sites that link to it. SEGA Europe has since made sure that attacks involving its CDNs are no longer possible.
SEGA AWS cloud services affected
Researchers were able to access and change the following cloud services belonging to SEGA Europe: The researchers used the AWS credentials they recovered to enumerate SEGA's cloud, created a complete log of every service they could access, and shared those logs with SEGA Europe's cybersecurity team when they finished.
SNS notification queues compromised
Amazon SNS delivers every message published to a topic to all of that topic's subscribers (email addresses, HTTP endpoints, queues and so on). An attacker holding the leaked credentials could therefore have crafted and published malicious alerts that subscribers would receive as legitimate notifications. The team found the following high-impact SNS queues that could have been targeted:
Additionally, this exposure revealed the email addresses of eight SEGA engineers and two internal email relays, which attackers could have targeted (for example with phishing) to gain even more access to SEGA Europe's cloud. SEGA fixed the issue, and its SNS queues are now secure.
Steam API breached
Researchers were able to recover a confirmed Steam API key, which could be used to access the Steam Partner API:
The API key has been revoked by SEGA to prevent any possibility of abuse.
RSA keys
The research team discovered two sets of private RSA keys belonging to SEGA Europe, but they were unable to use them to access SEGA services. The keys had been left in the filesystem of server images that were uploaded to the cloud. One set consisted of expired keys; SEGA's cybersecurity team revoked the remaining keys.
MailChimp and messaging service compromised
The researchers recovered a MailChimp API key that granted the ability to send mail from donotreply@footballmanager.com. The team was able to alter existing MailChimp templates and create their own. An attacker could have used those privileges to craft a malicious email based on official SEGA templates, and because such a fraudulent email would be sent through SEGA's own MailChimp account, it would appear to be official. No additional email addresses were exposed through the MailChimp compromise. SEGA detected the use of the API key and revoked it during the investigation.
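The credentials in this case (AWS keys in a bucket, RSA keys left in server images, a Steam key and a MailChimp key) share one root cause: secrets committed to artifacts that later end up in cloud storage. The script below is an added example, not the researchers' tooling or anything SEGA runs, of a small secret scanner that a team could run over build artifacts and unpacked image filesystems before they are uploaded. The key formats it matches are assumptions based on publicly documented formats (AWS access key IDs begin with AKIA or ASIA, MailChimp keys end in a data-centre suffix such as -us6, Steam Web API keys are 32 hex characters), the sample file contents are constructed, and the AWS key pair is Amazon's own documentation placeholder, not a working credential.

```python
"""Added example: scan text artefacts for leaked credentials of the kinds
described in this report.  Key formats are assumptions based on publicly
documented formats; all sample input below is constructed."""
import math
import re
from collections import Counter

# Patterns capture the secret in group 1 when a context keyword is needed to
# avoid false positives: AWS secret keys and Steam keys are plain alphanumeric
# strings, so they are only reported next to the labels they usually sit under.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+]{40})\b"),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    "steam_web_api_key": re.compile(
        r"(?i)steam[_-]?(?:web[_-]?)?api[_-]?key\W{0,5}([0-9A-F]{32})\b"),
    "rsa_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}

# Placeholders such as "xxxx..." or "CHANGEME" have low entropy and are not
# secrets; 3.0 bits/char is a heuristic threshold chosen for this example.
MIN_ENTROPY = 3.0
ENTROPY_GATED = {"aws_secret_access_key"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for one repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never log the secret itself; keep just enough to locate it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding per matched secret, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind in ENTROPY_GATED and shannon_entropy(value) < MIN_ENTROPY:
                    continue  # placeholder, not a real secret
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "preview": redact(value)})
    return findings


def scan_files(paths) -> list[dict]:
    """Scan real files (e.g. an unpacked server image); undecodable bytes are ignored."""
    findings = []
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            findings.extend(scan_text(fh.read(), source=str(path)))
    return findings


# Constructed sample: a config file of the kind left inside a server image.
# The AWS pair is Amazon's documentation placeholder, not a working credential.
SAMPLE_IMAGE_CONFIG = """\
# deploy settings
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder below must not be reported
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MAILCHIMP_API_KEY=0123456789abcdef0123456789abcdef-us6
STEAM_WEB_API_KEY=0123456789ABCDEF0123456789ABCDEF
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_IMAGE_CONFIG, "image/etc/deploy.conf"):
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['preview']}")
```

Run it as a pre-upload gate (for example over `find image/ -type f` fed to `scan_files`) and fail the build on any finding; the entropy gate keeps obvious placeholders out of the report, while the redacted preview means the scanner's own logs do not become a second copy of the secret.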
Timeline of Events
This is the timeline of the recent SEGA Europe vulnerability analysis: SEGA also made us aware of its HackerOne page. Researchers are advised to submit new reports affecting the SEGA Sammy Group there.
Conclusion
A closer look at SEGA Europe's cloud highlights the importance of isolation in two ways. First, companies have to keep their public and private cloud storage separate: companies regularly and accidentally leave private credentials in publicly accessible storage, which is how breaches like this one start. Second, storage within the private cloud should itself be segmented. There should ideally not be a single key that unlocks an organization's complete cloud storage; access to S3 buckets should be granted per bucket, with only the privileges each workload needs. There are no indications that malicious actors actively exploited any of the vulnerabilities in SEGA's case, and SEGA's cyber security team acted quickly once the research team made them aware of the findings. It is good practice for organizations to test their security regularly. Penetration testing enables organizations to identify potential vulnerabilities and fix them adequately before threat actors have a chance to exploit them. SEGA's security measures were tested by security researchers and improved based on the findings.
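The difference between "one key unlocks everything" and segmented access, and likewise between a credential that can publish to any SNS topic and one bound to a single topic, is visible in the IAM policy attached to the credential. The checker below is an added example (not SEGA's or the researchers' code) that walks an IAM policy document and flags Allow statements whose action or resource is a wildcard, and it contrasts a constructed over-broad policy with a constructed per-bucket, per-topic one. The bucket and topic names and the account ID 123456789012 are placeholders, and the wildcard heuristics are an assumption of this example rather than an AWS rule.

```python
"""Added example: flag IAM policy statements that give one credential the run
of the whole account (the "single bucket key" anti-pattern).  The policies
below are constructed; names and the account ID are placeholders."""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild_action(action: str) -> bool:
    # "*" grants everything; "s3:*" or "sns:*" grant every API of one service.
    return action == "*" or action.endswith(":*")


def _wild_resource(resource: str) -> bool:
    # "*" or an ARN whose last component is "*" spans every bucket/topic/etc.
    # "arn:aws:s3:::one-bucket/*" is fine: it is every object in ONE bucket.
    return resource == "*" or resource.endswith(":*")


def overbroad_statements(policy: dict) -> list[str]:
    """Return a reason for every Allow statement broader than named resources."""
    problems = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        label = st.get("Sid", f"statement[{idx}]")
        for action in _as_list(st.get("Action")):
            if _wild_action(action):
                problems.append(f"{label}: wildcard action {action!r}")
        for resource in _as_list(st.get("Resource")):
            if _wild_resource(resource):
                problems.append(f"{label}: wildcard resource {resource!r}")
        if "NotAction" in st or "NotResource" in st:
            problems.append(f"{label}: NotAction/NotResource allows everything except a list")
    return problems


def check_policy_json(text: str) -> list[str]:
    """Same check over the raw JSON document as stored in IAM."""
    return overbroad_statements(json.loads(text))


# Constructed: the kind of policy behind a key that "unlocks all cloud storage"
# and can publish to any notification topic in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "sns:*"], "Resource": "*"},
    ],
}

# Constructed: the same deployment workload scoped to one site bucket and one
# SNS topic; a leak of this credential exposes one site, not the whole cloud.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ObjectsInOneSiteBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-site-assets/*"},
        {"Sid": "ListThatBucketOnly", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-site-assets"},
        {"Sid": "PublishToOneTopic", "Effect": "Allow",
         "Action": "sns:Publish",
         "Resource": "arn:aws:sns:eu-west-1:123456789012:example-deploy-alerts"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        problems = overbroad_statements(policy)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The check is deliberately conservative: it only looks at the static policy text, so it will not catch a scoped policy attached to a user who also carries a broad managed policy, and it treats `s3:ListBucket` on one bucket ARN as acceptable. Feeding it the output of an IAM policy export for every access key in the account gives a quick inventory of which keys would have been "the bucket key" had they leaked.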