Another Cloud Storage Leak Exposes Verizon IT Files

Security researchers have found yet another Amazon S3 storage container with sensitive data that was publicly accessible to anyone on the internet. The S3 bucket contained around 100MB of data, including internal files, usernames, passwords and email messages from U.S. telecommunications provider Verizon Wireless.

Many of the files were associated with Distributed Vision Services (DVS), an internal middleware application that Verizon uses to link front-end applications to billing data.

“Although no customers data are involved in this data leak, we were able to see files and data named ‘VZ Confidential’ and ‘Verizon Confidential,’ some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon’s internal network and infrastructure,” researchers from Kromtech Alliance, who found the exposed S3 bucket, said in a report.

There were also over 100 Outlook email messages that contained production logs, descriptions of the server architecture and more passwords and login credentials.

According to the Kromtech researchers, the storage bucket wasn’t owned or managed by Verizon itself, but by a Verizon engineer in a personal capacity. Nevertheless, this is the second time in several months that Verizon data has been found in a misconfigured Amazon Web Services (AWS) S3 container.

In July, researchers from security firm UpGuard found a similarly misconfigured storage bucket containing the names, addresses, account details and personal identification numbers (PINs) of as many as 14 million Verizon customers. That bucket actually belonged to a third-party vendor called NICE Systems that was being used by Verizon.

Other companies have experienced data leaks over the past few months due to misconfigured cloud storage services, especially on AWS S3. This is somewhat surprising because S3 buckets are private by default and can only be accessed by their owners. This means that in those cases administrators specifically modified the default configuration to allow public, unauthenticated access, and that’s never a good idea.

“Given the high number of incidents involving exposed S3 buckets that we have seen in the past few months, it is baffling that every organization is not carefully looking into the configurations and exposure levels of their storage in the cloud,” said Zohar Alon, CEO of cloud compliance firm Dome9. “Protecting data in the cloud from accidental exposure and theft is a business priority.”

Hackers Inject JavaScript-based Cryptocurrency Miners in Websites

Attackers have found a new way to monetize their access to compromised websites: They inject JavaScript code into web pages that hijacks the CPU resources of visitors’ computers in order to mine Monero, a type of cryptocurrency.

Researchers from web security firm Sucuri have investigated multiple website compromises over the past few days that had such infections. They identified two separate attack campaigns: one targeting WordPress websites and one targeting Magento e-commerce shops.

Both campaigns used a copy of the JavaScript files from Coinhive, a web-based Monero mining service, but the Magento infection was more serious because the attackers stored the code in the sites’ databases and encrypted it to hide it from website scanners.

“One thing is clear – the release of JavaScript coin miners for websites was not unnoticed by the bad guys,” said Denis Sinegubko, a senior malware researcher at Sucuri, in a blog post. “They immediately began to look for the ways to abuse it, and we expect to see mass infections switching their attention to crypto-miners instead of traditional types of malicious payloads, and not just on WordPress and Magento.”

Since cryptocurrency miners consume CPU resources, users will observe a serious performance degradation of their browsing and computing experience when visiting websites infected with such scripts. This means that such infections can lead to reputation damage and permanent loss of visitors for affected websites, something that the owners of The Pirate Bay recently experienced when they intentionally ran such a script on their site.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42