Unprotected AWS Bucket Exposes 50.4 GB of Financial Giant’s Data

Another day, another AWS Bucket exposed to the public – This time the AWS Bucket belonged to Birst.

The Cyber Risk Team at Cloud security firm UpGuard have discovered a massive trove of data exposed due to an unprotected Amazon Web Services (AWS) S3 bucket. The database belonged to Birst, a Cloud Business Intelligence (BI) and Analytics firm.

The exposed database contained 50.4 GB worth of data of one of Birst’s users Capital One, a McLean, Virginia based financial services giant and eighth-largest commercial bank in the United States. The leaked data contained technical information on Birst appliance specially configured for Capital One’s cyberinfrastructure.

According to the official blog post from UpGuard, the data also contained passwords, administrative access credentials and private keys for use within Capital One systems by an on-premise Birst cloud environment. The exposed data was enough to guide an attacker on how Brist appliance used by Capital One could have been compromised and to dig deeper into the company’s IT system.

The data was discovered on January 15th, 2018 by Chris Vickery, Director of Cyber Risk Research at UpGuard and located at the subdomain “capitalone-appliance” and allowing anyone to access. 

One of the files identified by Vickery was labeled “Client.key” carrying encryption key to decrypt data. However, the key was stored with the encrypted appliance which could have allowed hackers to decrypt the encrypted appliance. This is like leaving the key and its lock in public”, explained Vickery.

Furthermore, Vickery claimed to identify usernames and their hashed password used by the company in the database for the appliance.

“Taken in full, the exposed Birst appliance provides a roadmap of where attackers would want to focus their energies in seeking to compromise Capital One’s wider systems. Of greatest interest are the locations of the ports connecting the Birst appliance with the other services that would feed its business intelligence dashboards,” said Vickery.

“The good news is that one would first need to compromise Capital One’s network to use the leaked credentials to attempt to compromise the Birst appliance. In itself, this cloud leak does not expose the private information stored in those other systems. Rather, this leak multiplies the effect of any successful attack– whether through phishing, malware, social engineering, or insider threat- to a potentially catastrophic scale, Vickery concluded.”

Remember, an exposed AWS bucket can now be used for cryptocurrency mining, for instance, a week ago Tesla, Inc.’s Amazon account was hacked to mine Monero coins. The incident also exposed company’s sensitive data in an Amazon S3 bucket.

Moreover, on 24th February a researcher identified a misconfigured Amazon AWS S3 storage bucket belonging to Los Angeles Times newspaper that was being used by hackers to mine Monero using CoinHive’s Javascript code. The code allowed hackers to mine Monero coins using the computer power of LA Time website visitors.

Update, 10:19 PM (UTC)

UpGuard has deleted their blog post about Birst’s exposed database. Originally, the post was available at this link. Also, the banking giant Capital One has denied its data was ever leaked. 

In an email to HackRead.com, spokeswoman for Capital One said that “At no time was any Capital One information exposed. This was simply an instance of a vendor’s software that was hosted in their cloud environment. The referenced passwords and credentials are generic and are used for installing this software. As a matter of standard practice, Capital One changes all default settings, including credentials, prior to deploying third-party software. Because of this, there is no impact to the security of Capital One systems and data.” 

Update 2 (10:57 PM, UTC)

UpGuard has now restored and updated its blog post according to which “Capital One has reached out to UpGuard to provide further comments on the intended use of the Birst appliance in their environment. This post will be updated as we receive more information from Capital One.” 

You can access their blog post here.

Image credit: Shutterstock

Related Posts