US intelligence blabs classified Linux VM to world via leaky S3 silo
Gigabytes of Army, NSA files found out in the open online
Updated A classified toolkit for potentially accessing US military intelligence networks was left exposed to the public internet, for anyone to find, according to security researchers today.
A Linux-based virtual machine designed to safely receive and handle secret material, and connect to protected Pentagon computers, was discovered, we're told, in a misconfigured cloud storage service. Anyone with an Amazon Web Services account could have found and delved into the unsecured AWS S3 silo and pulled out the US government's software files.
This does not mean the code, when run, would grant automatic access to US Department of Defense networks; merely, it's a software kit for officials and agents to log into government computers to download sensitive reports, presumably while in the field. There were hashed passwords, and private keys belonging to a US military contractor, found alongside the code. However, it is unclear how useful these would have been to miscreants.
The find comes hot on the heels of the US military accidentally spilling the guts of its global social-media spying program onto the web from a badly configured AWS S3 bucket, which we reported earlier this month.
This latest exposed file store, in a silo marked "inscom," belonged to the US Army Intelligence and Security Command (INSCOM), a joint US Army and National Security Agency (NSA) Defense Department intelligence gathering group. The documents – 47 viewable and three downloadable – were labeled a mix of classified, top secret – and NOFORN, meaning so secret that they couldn't be shared with America's foreign allies.
The virtual machine was an Oracle virtual appliance that ran on the database giant's VirtualBox hypervisor. The VM's hard drive had six partitions, varying in size from 1GB to 69GB. There was also some documentation, and custom code for training g-men on how to categorize classified materials.
Uncle Sam's privates were glimpsed by Upguard's Chris Vickery, a master at discovering misconfigured S3 buckets. He made this find on September 27, before Amazon introduced new controls to prevent people from leaving their S3 buckets open to the world, and promptly alerted the US government. The exposed silo has now vanished from public view.
Don't panic, Chicago, but an AWS S3 config blunder exposed 1.8 million voter recordsREAD MORE
The software appeared to have been collated by Invertix, a military contractor that has since merged with another biz. The bucket included the private keys of Invertix administrators and hashed passwords.
Several documents in the bucket appeared to be related to the US military's Red Disk system, a $5bn boondoggle that was sold as a way to bring real-time information to troops in the field. It never worked properly, and served only to enrich military contractors – who it seems were as good at security as they were at product development.
"Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser," Upguard's Dan O'Sullivan explained in a blog post.
"Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data."
Describing the contents of the file store, O'Sullivan said: "The largest file is an Oracle Virtual Appliance (.ova) file titled 'ssdev,' which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location.
"While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems – an intrusion that malicious actors could have attempted, had they found this bucket."
A spokesperson for INSCOM was not available for immediate comment. ®
Updated to add
A spokesperson for Uncle Sam has been in touch to say:
The US Army is aware of reports claiming data was found on a third-party data server. We are investigating the matter and are unable to provide any additional information at this time.
It is important to stress that an Army network was not breached. The Army is always actively trying to strengthen its cyberspace posture and the responsible handling of sensitive information related to military programs.