Independent record label Empire Distribution, a big name in the hip-hop music scene, has been left vulnerable to cyberattacks.
On February 4th, 2024, the Cybernews research team discovered that independent American record label Empire Distribution had left its data up for grabs via a misconfiguration of its systems.
Founded in 2010 and headquartered in San Francisco, the label boasts a diverse portfolio that includes various musical genres such as R&B, reggaeton, reggae, and primarily hip-hop. The label has worked with famous artists such as Kendrick Lamar, Tyga, Iggy Azalea, Busta Rhymes, 50 Cent, and Snoop Dogg.
The problem lies in a publicly accessible environment file containing sensitive credentials. An environment file (.env) is a plain-text file that stores an application’s configuration: database connection details, API keys, signing secrets, and other values the application needs in order to run. Because it holds secrets in the clear, the file must be kept outside the directory the web server serves, out of version control, and readable only by the application itself.
In the hands of malicious actors, the leaked credentials could have been used to gain unauthorized access to Empire Distribution’s critical systems, potentially compromising sensitive information such as customer data, financial records, or intellectual property.
Cybernews has contacted the company, and access to the credentials has been secured. An official comment from the company has yet to be received.
Leaked data included:
- JSON Web Token secret
- Mailgun API and domain
- SES key and secret
- Multiple database credentials
- Memcached server credentials
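What a check that catches this class of mistake can look like, as an added example (Python; not Cybernews’ code and not anything from Empire Distribution’s systems): it finds dotenv files under a directory tree, parses them, and reports which categories of secret they contain without printing the values, so it can run against a build artefact or web root before deployment. The sample file, key names and dummy values are constructed for the example and do not come from the leaked file.

```python
"""Find dotenv files under a deployment tree and report which classes of secret they hold.

Added example, not Cybernews' or Empire Distribution's code. Key names and the
sample file are constructed to mirror the categories listed in the article.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample .env: the kinds of entries the article lists, with dummy values.
SAMPLE_ENV = """\
APP_ENV=production
export JWT_SECRET="c8f1e2a9b4d7f0e3c6a5b8d1e4f7a0b3c6d9e2f5a8b1c4d7e0f3a6b9c2d5e8f1"
MAILGUN_API_KEY=key-00000000000000000000000000000000
MAILGUN_DOMAIN=mg.example.com
SES_KEY=AKIAEXAMPLEEXAMPLEXX
SES_SECRET=exampleSecretAccessKeyExampleExampleExampl
DB_HOST=10.0.0.12   # private address
DB_USERNAME=app
DB_PASSWORD='s3cr3t'
MEMCACHED_HOST=10.0.0.20
MEMCACHED_PASSWORD="cachepass"
"""

# Ordered so that a specific category wins before the generic catch-all.
SENSITIVE_KEY_PATTERNS = [
    ("jwt_secret", re.compile(r"(^|_)JWT_.*(SECRET|KEY)$", re.I)),
    ("mail_api",   re.compile(r"(^|_)(MAILGUN|SES|SMTP)_.*(KEY|SECRET|PASS)", re.I)),
    ("database",   re.compile(r"(^|_)(DB|DATABASE|MYSQL|POSTGRES|PG)_.*(PASS|SECRET)", re.I)),
    ("cache",      re.compile(r"(^|_)(MEMCACHED?|REDIS)_.*(PASS|SECRET)", re.I)),
    ("generic",    re.compile(r"(SECRET|PASSWORD|TOKEN|API_KEY)", re.I)),
]


def parse_dotenv(text: str) -> dict:
    """Minimal dotenv parser: KEY=VALUE per line, optional `export`, quotes, `#` comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]                       # quoted: keep verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        env[key.strip()] = value
    return env


def classify_secrets(env: dict) -> dict:
    """Map category -> [key names] for every entry whose name looks like a credential."""
    found = {}
    for key in env:
        for category, pattern in SENSITIVE_KEY_PATTERNS:
            if pattern.search(key):
                found.setdefault(category, []).append(key)
                break
    return found


def scan_tree(root) -> dict:
    """Walk `root` (a web root or build artefact) for .env, .env.local, ... and classify each file."""
    report = {}
    for path in Path(root).rglob(".env*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            report[rel] = classify_secrets(parse_dotenv(path.read_text()))
    return report


def scan_sample_tree() -> dict:
    """Drop the constructed sample into a temporary 'public' directory and scan it, as a CI job would."""
    with tempfile.TemporaryDirectory() as root:
        public = Path(root) / "public"
        public.mkdir()
        (public / ".env").write_text(SAMPLE_ENV)
        return scan_tree(root)


if __name__ == "__main__":
    for path, found in scan_sample_tree().items():
        print(path)
        for category, keys in found.items():
            print(f"  {category}: {', '.join(keys)}")
```

In practice, point `scan_tree()` at the directory the web server actually serves and fail the pipeline if the report is non-empty. Whether a file is reachable is a separate check from whether it exists: requesting `/.env` from outside the network should return 403 or 404, and the web server should be configured to refuse to serve any dotfile at all.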
Gateway to the company’s systems
The leaked environment file contained multiple database credentials that could be used to access sensitive data. Even though the databases were located on private IP addresses and so were not reachable directly from the internet, exposed credentials still pose a threat: they are immediately usable by a malicious insider, or by an outside attacker who has already gained a foothold on the internal network by some other route.
An attacker who has compromised one part of the network could use the credentials to move laterally to the database servers, exposing further sensitive data, gaining elevated privileges, or causing other breaches.
The leaked Memcached server credentials add to this insider risk. Memcached is an in-memory key-value store that speeds up dynamic web applications: frequently used data is kept in memory so that the application does not have to fetch it from the database repeatedly.
While the company’s Memcached servers were not directly reachable from the internet, they could still be abused by an attacker who had already breached the internal network. With the compromised credentials, such an attacker could read whatever the application had stored in the cache.
That data could then be used for further lateral movement within the network or other unauthorized actions. The impact would be significant if the Memcached server caches sensitive information, such as session data or database query results, or forms a crucial part of the infrastructure.
Our researchers also found a JSON Web Token (JWT) secret among the leaked data. JWTs are signed, base64url-encoded tokens that applications use to assert a user’s identity and permissions between requests, typically as session or API tokens. The payload itself is only encoded, not encrypted; what the secret protects is the token’s integrity. With the common HS256 signing algorithm, the secret is a long, randomly generated string that the application uses both to sign tokens and to verify them.
The exposure of this secret is particularly dangerous because anyone who holds it can forge tokens for any user or role that the application will accept as valid, without ever stealing a real one. Such forged tokens keep working until the secret is rotated, and rotation also invalidates every legitimately issued token, so the fix comes at the cost of logging all users out.
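To make the risk concrete, here is an added example (Python standard library only; not code from the article, from Cybernews, or from Empire Distribution) that implements HS256 signing and verification, forges an admin token with a placeholder “leaked” secret, and shows that the token is accepted until the secret is rotated. The secrets, claim names and timestamps are constructed for the example.

```python
"""Forge and verify HS256 JWTs with a leaked signing secret, using only the standard library.

Added example, not code from the article or from Empire Distribution. The two
secrets below are constructed placeholders; the claims and timestamps are made up.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a JWT exactly the way the application would: header.payload.HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims if the token is validly signed and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never trust the token's own alg field
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", float("inf")) < now:
        return None
    return claims


# Constructed placeholders: the secret an attacker obtained, and its replacement after rotation.
LEAKED_SECRET = b"leaked-from-dot-env-placeholder-secret"
ROTATED_SECRET = b"freshly-generated-replacement-secret"


def forge_admin_token(secret: bytes, now: float) -> str:
    """With the secret, an attacker can mint a token for any subject and role without logging in."""
    claims = {"sub": "1", "role": "admin", "iat": int(now), "exp": int(now) + 3600}
    return sign_hs256(claims, secret)


def demo(now: float = 1_700_000_000.0):
    """Show the forged token accepted under the leaked secret and rejected after rotation."""
    forged = forge_admin_token(LEAKED_SECRET, now)
    accepted = verify_hs256(forged, LEAKED_SECRET, now)   # application still using the leaked secret
    rejected = verify_hs256(forged, ROTATED_SECRET, now)  # after the secret has been rotated
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = demo()
    print("before rotation:", accepted)
    print("after rotation: ", rejected)
```

Two details are worth noting. The verifier pins the algorithm to HS256 rather than reading it from the header; accepting an attacker-chosen algorithm (including `alg: none`) is a separate, well-known JWT weakness. And because the payload is only base64url-encoded, anyone holding a token can read its claims; the secret guards integrity, not confidentiality.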
Hijacking the company’s communication
Another piece of sensitive information observed was a Mailgun API key and sending domain, along with Amazon SES credentials. Mailgun is an email delivery service used for the company’s official communication, and SES (Amazon Simple Email Service) likewise lets businesses send transactional, marketing, and notification emails to customers and users.
Attackers could have used these credentials to send email on the company’s behalf, from its own verified sending domain through the provider it has authorised, so the messages would typically pass sender-authentication checks such as SPF and DKIM and be indistinguishable from genuine mail. This could lead to convincing phishing attacks, spamming, or the distribution of malware, damaging the company’s reputation and potentially getting its domain blocklisted by email service providers.