SEGA Europe Thoroughly Scrutinizes its Cloud Security

SEGA Logo

Security researcher Aaron Phillips worked with SEGA Europe to secure sensitive files that were inadvertently stored in a publicly accessible Amazon Web Services (AWS) S3 bucket. There were lapses in SEGA’s cloud security that could have potentially exposed SEGA’s users and workers to adverse effects. Luckily, the joint efforts of SEGA’s own cybersecurity team and external security researchers ensured no harm was done and all SEGA’s security measures were updated to today’s best practice standards. Users can safely access official SEGA websites and forums.

This report serves as a summary of the coordinated security efforts undertaken by the researchers. Cybercrime is rampant, unfortunately. Companies are encouraged to continuously scrutinize their security measures and protocols, and work with professionals to improve their cybersecurity strategy preemptively, as every company is exposed to certain vulnerabilities.

When vulnerabilities are discovered, information and knowledge sharing is of crucial importance. Organizations can learn from each other’s case studies and experiences, which enables them to better protect themselves and their users. In addition, it is much more desirable that a vulnerability is discovered and shared responsibly by a security researcher than by a hacker with criminal intentions.

Main findings

The affected Amazon bucket contained multiple sets of AWS keys with which it was possible to access many of SEGA Europe’s cloud services. Security researchers also recovered MailChimp and Steam keys that allowed access to those services in SEGA’s name.

Researchers found compromised SNS notification queues and were able to run scripts and upload files on domains owned by SEGA Europe. Several popular SEGA websites and CDNs were affected.

Infographic showing the security vulnerabilities in SEGA's systems

The compromised bucket could potentially also grant access to user data, including information on hundreds of thousands of users of the Football Manager forums at community.sigames.com. It’s crucial such information is stored properly and securely.

There are no indications malicious third parties accessed the sensitive data or exploited any of the mentioned vulnerabilities prior to the security researchers restricting access to the bucket.

SEGA Europe Cloud Security Vulnerabilities

Researchers found these vulnerabilities in SEGA Europe’s Amazon cloud:

FindingSeverity
Steam developer keyModerate
RSA keysSerious
PII and hashed passwordsSerious
MailChimp API keyCritical
Amazon Web Services credentialsCritical

These keys, credentials, and passwords could, in theory, be used for malicious purposes. They granted access to many SEGA cloud services. The researchers turned over any access keys, passwords, and certificates they found and SEGA Europe made sure the security of their cloud was properly updated.

SEGA Europe domains vulnerabilities

The AWS keys discovered allowed read and write access to SEGA Europe’s cloud storage. All of the critically affected domains were hosted in AWS S3 buckets.

S3 buckets are used to store data in the cloud. Each bucket is like a folder on a filesystem. It can contain files and subdirectories. Buckets can be used to host websites, store logs, hold data for mobile apps, and more. They are a general-purpose form of cloud storage.

Security researchers were able to upload files, execute scripts, alter existing web pages and modify the configuration of critically vulnerable SEGA domains.

Listed below are some of the affected domains, including their Moz.com domain authority score:

SEGA DomainsMoz Domain AuthoritySeverity
downloads.sega.com83Critical
cdn.sega.com83Critical
careers.sega.co.uk65Critical
influencer.sega.co.uk65Critical
cdn.sega.co.uk65Critical
bayonetta.com52Critical
whatif.humankind.game49Critical
makewarnotlove.com51Critical
vanquishgame.com46Critical
sega.com83Serious
forever.sega.com83Serious
totalwar.com77Serious
footballmanager.com71Serious
sonicthehedgehog.com61Serious
companyofheroes.com61Serious

26 public-facing domains controlled by SEGA Europe were affected. Researchers would have been able to upload files and modify content on domains considered ‘critically vulnerable’. It would have been possible to modify CloudFront distributions for the domains considered ‘seriously vulnerable’.

High authority domains affected

Many of the impacted domains have high domain authority scores. Sites with high domain authority appear higher in Google rankings, and they are more likely to be trusted. Users are more likely to interact with websites they trust.

For instance, the researchers were able to alter content on careers.sega.co.uk if they would have wanted.

SEGA Europe further secured the domains based on the research findings and it is no longer possible to upload arbitrary files.

Major SEGA CDNs analyzed

The security team was also able to upload and replace files on three of SEGA’s production CDNs. A CDN (content delivery network) stores images and software.

Often, third-party websites will link to a company’s CDN for an official version of an image or file. That creates the potential for a large secondary impact. A quick search revealed 531 domains with links to the affected CDNs:

CDNNumber of Domains LinkedSeverity
downloads.sega.com88Critical
cdn.sega.com438Critical
cdn.sega.co.uk5Critical

One can identify high-authority domains linked to the CDN breach using data from Moz.com. This breach would have enabled a hacker to spread malware on these sites (although there are no indications that this happened):

Affected DomainsMoz Domain Authority
eveonline.com (third-party site)80
somethingawful.com (third-party site)74
sega.co.uk65
sonicstadium.org (third-party site)64
sigames.com63
companyofheroes.com61
twcenter.net (third-party site)61
games2gether.com57

In particular, the CDN at downloads.sega.com hosts *.pdf and *.exe files. Malicious parties would potentially use CDNs to distribute malware and ransomware. SEGA Europe made sure attacks involving their CDNs aren’t possible any longer.

SEGA AWS cloud services affected

Researchers were able to access and change these cloud services belonging to SEGA Europe:

Service nameNumber of affected instances
S3 Storage Buckets147
Cloudfront Distributions24
EC2 Servers27
SNS Notification Topics20

The researchers used the AWS credentials they recovered to scan SEGA’s cloud. Then they created a complete log of the services they could access. When they finished, they shared the logs with SEGA Europe cybersecurity.

SNS notification queues compromised

The team was able to access some of SEGA Europe’s Simple Notification Service (SNS) queues and subscribers. Amazon SNS sends email alerts to members of SEGA’s IT staff. A typical SNS queue might forward server alerts to an administrator.

An attacker using the leaked credentials could craft and send malicious SNS alerts to subscribers. The team found high-impact SNS queues that could have been targeted:

Compromised SNS Notification Queues

Additionally, this breach exposed the email addresses of eight SEGA engineers and two internal email relays. Hackers could have targeted them to gain even more access to SEGA Europe’s cloud.

SEGA fixed the breach and their SNS queues are now secure.

Steam API breached

Researchers were able to recover a confirmed Steam API key, which could be used to access the Steam Partner API:

Recovered Steam Developers Key Sega

The API key has been revoked by SEGA to prevent any possibility of abuse.

RSA keys

The research team discovered two sets of private RSA keys belonging to SEGA Europe, but they were unable to use the RSA keys to access SEGA services. The keys were left in the filesystem of server images shared to the cloud. One set of files contained expired keys. SEGA cybersecurity revoked the rest of the keys.

MailChimp and messaging service compromised

The researchers recovered a MailChimp API key that could grant the ability to send mail from [email protected].

The team was able to alter existing MailChimp templates and create their own. A hacker could use those privileges to create a malicious email based on official SEGA templates. A fraudulent email sent through the MailChimp API would appear to be official.

No additional email addresses were exposed when MailChimp was compromised. SEGA detected the use of their API key and revoked it during the investigation.

Timeline of Events

This is the timeline of the recent SEGA Europe vulnerability analysis:

EventDate
Exploration of a public S3 bucket containing invoices belonging to SEGA Amusements Intl.Oct 18th, 2021
Discovery of SQL backup and nginx.imgOct 18th, 2021
Security researchers reported the first findings back to SEGAOct 18th, 2021
AWS credentials and RSA keys discoveredOct 19th, 2021
Access gained to AWS s3 BucketsOct 19th, 2021
www.bayonetta.com could be accessedOct 21st, 2021
sgaas-service.img, a database password, and additional AWS credentials discoveredOct 22-24, 2021
Access gained to AWS Cloudfront distributions and EC2 instancesOct 25-26, 2021
Steam Developer key and MailChimp key discoveredOct 26, 2021
Access gained to the email account [email protected]Oct 27, 2021
SEGA was again notified of any additional findingsOct 28, 2021
SEGA Europe Cybersecurity assessed and patched any discovered vulnerabilitiesOct 28, 2021

SEGA also made us aware of their Hacker One page. Researchers are advised to submit new reports affecting SEGA Sammy Group there.

Conclusion

A closer look at SEGA Europe’s cloud highlights the importance of sandboxing in two ways. First, companies have to keep their public and private cloud separate. Companies regularly accidentally leave private credentials in their public cloud, which causes breaches.

Second, we think storage within a private cloud should be sandboxed. There should ideally not be a single “bucket” key that unlocks an organization’s complete cloud storage. Access to S3 buckets should be segmented.

There are zero indications that malicious actors actively exploited any vulnerabilities in the case of SEGA. SEGA’s cyber security team acted quickly once they were made aware of the vulnerabilities by the research team. It is good practice for organizations to regularly test their security practices. Penetration testing enables organizations to identify potential vulnerabilities and patch them adequately before threat actors have a chance to exploit them. SEGA’s security measures were tested by security researchers and were ameliorated based on relevant findings.

Time after time, investigations show how easily misconfigured Amazon AWS Buckets can jeopardize the digital infrastructure of even the largest corporations. This cybersecurity report should serve as a wake-up call for businesses to assess their cloud security practices. We hope other organizations follow SEGA’s lead by examining and closing apparent vulnerabilities before they are exploited by cybercriminals.

For organizations that use Amazon’s cloud services, the company provides guidance on how to properly and securely configure S3 buckets.

Cyber security researcher
Aaron Phillips is a programmer and cyber security professional working out of Seattle, WA, with 20 years of experience in the tech industry.