“It took less than 24 hours to root BJM’s server and copy all their data to our private servers,” stated the hacker group Anonymous, regarding their break-in of law enforcement websites and theft of government agency data.
As we discussed in our last blog and reported by Cisco, root-kit enabled APTs (Advanced Persistent Threats) are becoming the weapon of choice against governments, enterprises, mom-and-pop shops as well as national infrastructures.
What we want to focus on, however, is not the break-in but the response of the website administrators. What are the lessons to be learned? What could have been done to prevent or mitigate the damage in this situation?
The website operator in this case took the breached websites offline after the initial attack and tried to fix the problem by removing malware the hackers had placed on its sites. However, the company hadn’t removed all of the malware, which resulted in a second attack.
The hackers posted 10 GB of stolen data online, which contained confidential e-mails, passwords, Social Security numbers and credit card numbers. Apparently the IT administrator closed the security hole, but neglected to perform a full audit to check for other vulnerabilities or changes the attackers made. Therefore the malware remained undiscovered and allowed the hackers to re-compromise the system.
In fact, in the second attack a backdoor into the website’s online store was created which resulted in credit card numbers being stolen.
Lessons to be learned
- It’s not enough to “fix” a problem, you have to continue to assess, remediate and report on security
- Simply monitoring database access and regularly patching software could have thwarted many of the basic attacks
- Data-centric encryption techniques should have been used to protect credit card data
- Many organizations tend to fall behind in updating website plug-ins, making it a lucrative attack vector (e.g., blog software)
- Attackers exploited an SQL-injection vulnerability on the site. In this kind of attack, database commands are entered inside a form, such as a forum post, comment box or even log-in box, and if the developers didn’t enter proper error-handling methods in the code, the form would return data from the database server. There are several penetration testing tools available that automate the process of detecting and exploiting SQL injection flaws.
- Passwords, in a similar attack, were not encrypted
- Organizations must directly protect sensitive databases and not rely on perimeter defenses such as corporate firewalls and antivirus systems
- It’s not enough to “fix” a problem, you have to continue to assess, remediate and report on security (in case you missed it the first time)