Accenture Accidentally Exposes Internal Data, Clients’ Private Keys, And Customer Information To The Public
Accenture, one of the largest corporate consulting and management firms, left four Amazon Web Services (AWS) S3 storage buckets open and downloadable to the public, researchers at the security firm UpGuard revealed.
The storage buckets of Accenture PLC, based in Dublin, Ireland, contained software for its “Accenture Cloud Platform enterprise” – a multi-cloud management platform – used by Accenture’s customers, which “include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500.” The unsecured cloud-based storage servers also included customer information, authentication credentials, secret API data, certificates, decryption keys, and other sensitive internal data, all left exposed for cybercriminals to exploit.
“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,” wrote Chris Vickery, director of Cyber Risk Research at UpGuard in a detailed blog post on the findings.
“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients.”
On September 17, 2017, Vickery discovered that four AWS S3 storage buckets were configured for public access and downloadable by anyone who reached them using their Web address. Vickery promptly notified Accenture regarding the four unsecured AWS servers, which were then secured the next day.
On September 18, 2017, a cursory analysis of the four exposed buckets (labelled “acp-deployment,” “acpcollector,” “acp-software,” and “acp-ssl”) revealed that they contained highly sensitive details regarding Accenture Cloud Platform, its internal workings and how clients can use it. “All were maintained by an account named ‘awsacp0175’, a possible indication of the buckets’ origin.”
Further, the “acp-deployment” bucket contained internal access keys and credentials for use by the Identity API, and most importantly it contained “a plaintext document containing the master access key for Accenture’s account with Amazon Web Service’s Key Management Service, exposing an unknown number of credentials to malicious use,” said Vickery.
One bucket, “acpcollector”, was used to store data needed for visibility into and maintenance of Accenture’s cloud stores. It held VPN keys used in production for Accenture’s private network, which meant that a master view of Accenture’s cloud ecosystem was exposed.
“Also contained in the bucket are logs listing events occurring in each cloud instance, enabling malicious actors to gain far-reaching insight into Accenture’s operations,” read the blog post.
The “acp-software” bucket contained huge database dumps that included credentials, some belonging to Accenture clients. “While many of the passwords contained here are hashed, nearly 40,000 plaintext passwords are present in one of the database back-ups,” the blog post added.
“Access keys for Enstratus, a cloud infrastructure management platform, are also exposed, potentially leaking the data of other tools co-ordinated by Enstratus. Information about Accenture’s ASGARD database, as well as internal Accenture email info, are also contained here,” Vickery said.
The final “acp-ssl” bucket contained more private keys and certificates that could have been used to decrypt the traffic between Accenture and its clients.
Also contained in the bucket were several “client.jks” files, stored in some cases beside what is believed to be the plaintext password necessary to decrypt the file. While it is not known exactly what the keys in “clients.jks” could be used to access, the private signing keys exposed within these files would be an important tool in the hands of anyone who came across them.
When Accenture was contacted to comment on the issue, a spokesperson for the company said: “There was no risk to any of our clients – no active credentials, PII (personally identifiable information) or other sensitive information was compromised.
“We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications.”