Table of contents
Security researcher Aaron Phillips worked with SEGA Europe to secure sensitive files that were inadvertently stored in a publicly accessible Amazon Web Services (AWS) S3 bucket. There were lapses in SEGA’s cloud security that could have potentially exposed SEGA’s users and workers to adverse effects. Luckily, the joint efforts of SEGA’s own cybersecurity team and external security researchers ensured no harm was done and all SEGA’s security measures were updated to today’s best practice standards. Users can safely access official SEGA websites and forums.
This report serves as a summary of the coordinated security efforts undertaken by the researchers. Cybercrime is rampant, unfortunately. Companies are encouraged to continuously scrutinize their security measures and protocols, and work with professionals to improve their cybersecurity strategy preemptively, as every company is exposed to certain vulnerabilities.
When vulnerabilities are discovered, information and knowledge sharing is of crucial importance. Organizations can learn from each other’s case studies and experiences, which enables them to better protect themselves and their users. In addition, it is much more desirable that a vulnerability is discovered and shared responsibly by a security researcher than by a hacker with criminal intentions.
Main findings
The affected Amazon bucket contained multiple sets of AWS keys with which it was possible to access many of SEGA Europe’s cloud services. Security researchers also recovered MailChimp and Steam keys that allowed access to those services in SEGA’s name.
Researchers found compromised SNS notification queues and were able to run scripts and upload files on domains owned by SEGA Europe. Several popular SEGA websites and CDNs were affected.
The compromised bucket could potentially also grant access to user data, including information on hundreds of thousands of users of the Football Manager forums at community.sigames.com. It’s crucial such information is stored properly and securely.
There are no indications malicious third parties accessed the sensitive data or exploited any of the mentioned vulnerabilities prior to the security researchers restricting access to the bucket.
SEGA Europe Cloud Security Vulnerabilities
Researchers found these vulnerabilities in SEGA Europe’s Amazon cloud:
| Finding | Severity |
|---|---|
| Steam developer key | Moderate |
| RSA keys | Serious |
| PII and hashed passwords | Serious |
| MailChimp API key | Critical |
| Amazon Web Services credentials | Critical |
These keys, credentials, and passwords could, in theory, be used for malicious purposes. They granted access to many SEGA cloud services. The researchers turned over any access keys, passwords, and certificates they found and SEGA Europe made sure the security of their cloud was properly updated.
SEGA Europe domains vulnerabilities
The AWS keys discovered allowed read and write access to SEGA Europe’s cloud storage. All of the critically affected domains were hosted in AWS S3 buckets.
S3 buckets are used to store data in the cloud. Each bucket is like a folder on a filesystem. It can contain files and subdirectories. Buckets can be used to host websites, store logs, hold data for mobile apps, and more. They are a general-purpose form of cloud storage.
Security researchers were able to upload files, execute scripts, alter existing web pages and modify the configuration of critically vulnerable SEGA domains.
Listed below are some of the affected domains, including their Moz.com domain authority score:
| SEGA Domains | Moz Domain Authority | Severity |
|---|---|---|
| downloads.sega.com | 83 | Critical |
| cdn.sega.com | 83 | Critical |
| careers.sega.co.uk | 65 | Critical |
| influencer.sega.co.uk | 65 | Critical |
| cdn.sega.co.uk | 65 | Critical |
| bayonetta.com | 52 | Critical |
| whatif.humankind.game | 49 | Critical |
| makewarnotlove.com | 51 | Critical |
| vanquishgame.com | 46 | Critical |
| sega.com | 83 | Serious |
| forever.sega.com | 83 | Serious |
| totalwar.com | 77 | Serious |
| footballmanager.com | 71 | Serious |
| sonicthehedgehog.com | 61 | Serious |
| companyofheroes.com | 61 | Serious |
26 public-facing domains controlled by SEGA Europe were affected. Researchers would have been able to upload files and modify content on domains considered ‘critically vulnerable’. It would have been possible to modify CloudFront distributions for the domains considered ‘seriously vulnerable’.
High authority domains affected
Many of the impacted domains have high domain authority scores. Sites with high domain authority appear higher in Google rankings, and they are more likely to be trusted. Users are more likely to interact with websites they trust.
For instance, the researchers were able to alter content on careers.sega.co.uk if they would have wanted.
SEGA Europe further secured the domains based on the research findings and it is no longer possible to upload arbitrary files.
Major SEGA CDNs analyzed
The security team was also able to upload and replace files on three of SEGA’s production CDNs. A CDN (content delivery network) stores images and software.
Often, third-party websites will link to a company’s CDN for an official version of an image or file. That creates the potential for a large secondary impact. A quick search revealed 531 domains with links to the affected CDNs:
| CDN | Number of Domains Linked | Severity |
|---|---|---|
| downloads.sega.com | 88 | Critical |
| cdn.sega.com | 438 | Critical |
| cdn.sega.co.uk | 5 | Critical |
One can identify high-authority domains linked to the CDN breach using data from Moz.com. This breach would have enabled a hacker to spread malware on these sites (although there are no indications that this happened):
| Affected Domains | Moz Domain Authority |
|---|---|
| eveonline.com (third-party site) | 80 |
| somethingawful.com (third-party site) | 74 |
| sega.co.uk | 65 |
| sonicstadium.org (third-party site) | 64 |
| sigames.com | 63 |
| companyofheroes.com | 61 |
| twcenter.net (third-party site) | 61 |
| games2gether.com | 57 |
In particular, the CDN at downloads.sega.com hosts *.pdf and *.exe files. Malicious parties would potentially use CDNs to distribute malware and ransomware. SEGA Europe made sure attacks involving their CDNs aren’t possible any longer.
SEGA AWS cloud services affected
Researchers were able to access and change these cloud services belonging to SEGA Europe:
| Service name | Number of affected instances |
|---|---|
| S3 Storage Buckets | 147 |
| Cloudfront Distributions | 24 |
| EC2 Servers | 27 |
| SNS Notification Topics | 20 |
The researchers used the AWS credentials they recovered to scan SEGA’s cloud. Then they created a complete log of the services they could access. When they finished, they shared the logs with SEGA Europe cybersecurity.
SNS notification queues compromised
The team was able to access some of SEGA Europe’s Simple Notification Service (SNS) queues and subscribers. Amazon SNS sends email alerts to members of SEGA’s IT staff. A typical SNS queue might forward server alerts to an administrator.
An attacker using the leaked credentials could craft and send malicious SNS alerts to subscribers. The team found high-impact SNS queues that could have been targeted:
Additionally, this breach exposed the email addresses of eight SEGA engineers and two internal email relays. Hackers could have targeted them to gain even more access to SEGA Europe’s cloud.
SEGA fixed the breach and their SNS queues are now secure.
Steam API breached
Researchers were able to recover a confirmed Steam API key, which could be used to access the Steam Partner API:
The API key has been revoked by SEGA to prevent any possibility of abuse.
RSA keys
The research team discovered two sets of private RSA keys belonging to SEGA Europe, but they were unable to use the RSA keys to access SEGA services. The keys were left in the filesystem of server images shared to the cloud. One set of files contained expired keys. SEGA cybersecurity revoked the rest of the keys.
MailChimp and messaging service compromised
The researchers recovered a MailChimp API key that could grant the ability to send mail from donotreply@footballmanager.com.
The team was able to alter existing MailChimp templates and create their own. A hacker could use those privileges to create a malicious email based on official SEGA templates. A fraudulent email sent through the MailChimp API would appear to be official.
No additional email addresses were exposed when MailChimp was compromised. SEGA detected the use of their API key and revoked it during the investigation.
Timeline of Events
This is the timeline of the recent SEGA Europe vulnerability analysis:
| Event | Date |
|---|---|
| Exploration of a public S3 bucket containing invoices belonging to SEGA Amusements Intl. | Oct 18th, 2021 |
| Discovery of SQL backup and nginx.img | Oct 18th, 2021 |
| Security researchers reported the first findings back to SEGA | Oct 18th, 2021 |
| AWS credentials and RSA keys discovered | Oct 19th, 2021 |
| Access gained to AWS s3 Buckets | Oct 19th, 2021 |
| www.bayonetta.com could be accessed | Oct 21st, 2021 |
| sgaas-service.img, a database password, and additional AWS credentials discovered | Oct 22-24, 2021 |
| Access gained to AWS Cloudfront distributions and EC2 instances | Oct 25-26, 2021 |
| Steam Developer key and MailChimp key discovered | Oct 26, 2021 |
| Access gained to the email account donotreply@footballmanager.com | Oct 27, 2021 |
| SEGA was again notified of any additional findings | Oct 28, 2021 |
| SEGA Europe Cybersecurity assessed and patched any discovered vulnerabilities | Oct 28, 2021 |
SEGA also made us aware of their Hacker One page. Researchers are advised to submit new reports affecting SEGA Sammy Group there.
Conclusion
A closer look at SEGA Europe’s cloud highlights the importance of sandboxing in two ways. First, companies have to keep their public and private cloud separate. Companies regularly accidentally leave private credentials in their public cloud, which causes breaches.
Second, we think storage within a private cloud should be sandboxed. There should ideally not be a single “bucket” key that unlocks an organization’s complete cloud storage. Access to S3 buckets should be segmented.
There are zero indications that malicious actors actively exploited any vulnerabilities in the case of SEGA. SEGA’s cyber security team acted quickly once they were made aware of the vulnerabilities by the research team. It is good practice for organizations to regularly test their security practices. Penetration testing enables organizations to identify potential vulnerabilities and patch them adequately before threat actors have a chance to exploit them. SEGA’s security measures were tested by security researchers and were ameliorated based on relevant findings.
Time after time, investigations show how easily misconfigured Amazon AWS Buckets can jeopardize the digital infrastructure of even the largest corporations. This cybersecurity report should serve as a wake-up call for businesses to assess their cloud security practices. We hope other organizations follow SEGA’s lead by examining and closing apparent vulnerabilities before they are exploited by cybercriminals.
For organizations that use Amazon’s cloud services, the company provides guidance on how to properly and securely configure S3 buckets.
