Over the weekend, nearly 50 GB of compromised data was published to the Web after an attacker completely compromised Staminus, a security firm focused on DDoS mitigation.
The Staminus breach affects a wide spectrum of websites, from domains in the Minecraft community to hate websites maintained by the Ku Klux Klan (KKK).
On Friday, the person(s) responsible for the Staminus attack (a group known as FTA) posted a lengthy message detailing the company's ransacking and mocking its security posture and practices.
The message itself served as proof positive of the attack, complete with configuration files, network routing outlines, and database schemas. In addition, the post listed examples of poorly protected customer passwords (MD5 with what appears to be a five-character salt) and the use of a single root password across multiple critical systems (St4m|nu5).
Expert examines the attack:
Kyle Stone, Principal Consultant for Security Assessment Services at Redlegg, examined the attacker's message and walked away with a few key observations. No matter how you look at it, Staminus had some serious problems when it came to network setup and security.
First, the long outage Staminus experienced on Friday is clearly explained in the attacker's message: remote power could be shut down from a public-facing portal, and the primary aggregation router was restarted.
Second, the poor password hygiene used by the company (root: St4m|nu5) likely resulted in fast lateral movement for the attackers. Once the first SSH account was exposed, all others quickly followed.
The attacker's message also smacked Staminus for storing credit card data in plain text and for dismissing PDO (PHP Data Objects) as inconvenient, which led Stone to speculate that Staminus' handcrafted database code had SQL injection flaws. Moreover, the note criticized the company for failing to patch, upgrade, and audit critical systems.
Another item in the attacker's message stands out as a serious operational flaw, Stone explained, one that likely contributed to Staminus' customers being exposed.
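The PDO point deserves a concrete illustration. PDO's prepared statements (`$pdo->prepare()` with `?` placeholders, then `execute()`) keep user input out of the SQL text; hand-built query strings put it back in. The following is an added example, not code from the article or from Staminus, using Python's sqlite3 module as a stand-in for PDO because it has the same placeholder mechanism. The table, its rows and the `lookup_*` function names are constructed for the demonstration.

```python
import sqlite3


def build_customer_db() -> sqlite3.Connection:
    """In-memory customer table with constructed sample rows (not real breach data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("carol", "carol@example.invalid"),
        ],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The 'handcrafted' pattern: the caller's string is spliced into the SQL text.

    A quote character in `username` ends the string literal and lets the rest of
    the input be parsed as SQL, which is exactly what a prepared statement prevents.
    """
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The prepared-statement pattern (PDO's ? placeholder works the same way).

    The driver sends the SQL and the value separately, so the value is always
    compared as data and can never change the shape of the query.
    """
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_customer_db()
    probe = "' OR '1'='1"  # classic test string used here only to show the difference
    print("unsafe:", lookup_unsafe(db, probe))  # every row comes back
    print("safe:  ", lookup_safe(db, probe))    # no row has that literal username
```

The test string above is the textbook one because the point is structural, not clever: the unsafe version returns the whole table for any input that closes the quote, while the parameterized version returns nothing because no username equals that literal string. A code-review grep for f-strings, `%`-formatting or concatenation feeding `execute()` (or, in PHP, `$pdo->query()` / `mysql_query()` with interpolated variables) finds this class of defect faster than any scanner.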
"It appears they programmatically send emails to new customers on setup, with the passwords that apparently got logged and never changed - ROOT password at that," he said.
"How could you operate with this kind of internal risk and security posture with the threat model in the anti-DDoS ecosphere?"
Based on the public post made by the attacker and information released, Stone has a good idea of how this attack was pulled off.
The first likely attack scenario started with website reconnaissance, where the attackers found suspicious error messages after tampering with input. If so, the website would then have been scanned with sqlmap or a similar tool to locate full SQL injection vulnerabilities stemming from the PDO-related problems mentioned above. Once the SQL injection flaws were exploited, the attackers dumped everything and started cracking the weak MD5 hashes in order to gain further access to the network.
It's also possible, Stone said, that the attackers obtained user access by pivoting through MySQL and used privilege escalation to gain root access and additional usernames and passwords. With that access, they moved laterally within the network (thanks to poor password hygiene) and exfiltrated data that way.
The question is: how does a company not notice some 50 GB of data leaving its environment within such a short time frame? After the exfiltration was complete, the aggregation router was reset and power was cut as a distraction.
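Noticing tens of gigabytes leaving in a short window is a volume-baseline problem, not a signature problem. The following added example (not from the article, and not a description of anything Staminus ran) shows the simplest useful check: per-host outbound byte totals over a sliding one-hour window against a threshold. The flow records, the `10.` internal prefix and the 5 GiB threshold are all constructed or assumed values for the demonstration; a real deployment would read NetFlow/sFlow exports and tune the threshold per host role.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

# Assumed addressing: anything under 10.0.0.0/8 is "inside", everything else is "outside".
INTERNAL_PREFIX = "10."
# Assumed tuning: more than 5 GiB from one host to the outside within one hour is worth a look.
THRESHOLD_BYTES = 5 * 1024 ** 3
WINDOW = timedelta(hours=1)

# Constructed flow records: (timestamp, src_ip, dst_ip, bytes_sent). Not real breach telemetry.
SAMPLE_FLOWS = [
    ("2016-03-11T20:30:00", "10.10.1.5", "203.0.113.7", 12_000_000_000),
    ("2016-03-11T20:00:00", "10.10.1.5", "203.0.113.7", 12_000_000_000),
    ("2016-03-11T20:20:00", "10.10.1.5", "203.0.113.7", 12_000_000_000),
    ("2016-03-11T20:10:00", "10.10.1.5", "203.0.113.7", 12_000_000_000),
    ("2016-03-11T20:00:00", "10.10.1.9", "198.51.100.4", 1_000_000_000),
    ("2016-03-11T23:30:00", "10.10.1.9", "198.51.100.4", 1_000_000_000),
    ("2016-03-11T21:00:00", "10.10.1.9", "10.10.2.3", 50_000_000_000),   # internal copy, ignored
    ("2016-03-11T21:00:00", "203.0.113.7", "10.10.1.5", 9_000_000_000),  # inbound, ignored
]

Flow = Tuple[str, str, str, int]


def flag_exfiltration(
    flows: Iterable[Flow],
    threshold: int = THRESHOLD_BYTES,
    window: timedelta = WINDOW,
) -> Dict[str, int]:
    """Return {internal_host: peak_bytes_in_any_window} for hosts exceeding the threshold.

    Only inside-to-outside flows count. For each host, flows are sorted by time and a
    two-pointer sliding window tracks the largest outbound total seen in any span of
    length `window`; that peak is what gets compared with the threshold.
    """
    by_host = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            by_host[src].append((datetime.fromisoformat(ts), nbytes))

    alerts: Dict[str, int] = {}
    for host, events in by_host.items():
        events.sort()
        total = 0
        start = 0
        peak = 0
        for ts, nbytes in events:
            total += nbytes
            # Drop events that fell out of the trailing window ending at `ts`.
            while events[start][0] < ts - window:
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


if __name__ == "__main__":
    for host, peak in flag_exfiltration(SAMPLE_FLOWS).items():
        print(f"ALERT {host}: {peak / 1024 ** 3:.1f} GiB outbound within {WINDOW}")
```

Two things the sample is built to show: the 50 GB internal-to-internal copy does not trigger, because the check is about egress, and the host that sends the same amount spread over several hours stays under the threshold. Whether an alert like this would have fired in time depends entirely on whether anyone was exporting and watching flow data from the aggregation router in the first place.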
Staminus issues an apology and statement:
Not long after the attacker's message was made public, the company's CEO confirmed the attack with a brief statement.
"...Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.
"While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password."
The "cryptographic" hashes proved to be of little challenge to those looking to crack them, particularly the hashes on the customer side.
Researchers who were trading the hashes online discovered that many of the KKK hashes were easily recovered by using selective variants of known racial slurs.
The compromised data taken from Staminus, totaling 47.7 GB across several archives distributed via torrent, was published on Saturday. Access to the compromised records is being provided by Thomas White, a researcher and activist known as Cthulhu.
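The CEO's statement leans on the word "cryptographic", but a single MD5 with a five-character salt is cryptographic in name only: it is fast enough to try billions of guesses per second and the salt is too short to add real work. The block below is an added example (not the article's or Staminus' code) covering both the weak scheme described earlier and the "hashed passwords" claim here. It shows a record format that can hold both the legacy MD5 form and a replacement (PBKDF2-HMAC-SHA256 with a random 16-byte salt and 600,000 iterations), and a login path that transparently upgrades legacy records once the user proves the password. The `md5$salt$digest` layout, the lowercase-alphanumeric salt, and the function names are assumptions; the article only says "MD5 with what appears to be a five character salt".

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed legacy layout: "md5$<5-char salt>$<md5(salt + password) hex>". The exact layout
# used by Staminus is not known; this is a stand-in that matches the article's description.
LEGACY_SALT_LEN = 5
LEGACY_SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Replacement scheme parameters (PBKDF2-HMAC-SHA256, 16-byte random salt).
PBKDF2_ITERATIONS = 600_000
PBKDF2_SALT_BYTES = 16
PBKDF2_DKLEN = 32


def legacy_md5_hash(password: str, salt: Optional[str] = None) -> str:
    """Build a record in the weak legacy format. Exists only to create test fixtures."""
    if salt is None:
        salt = "".join(secrets.choice(LEGACY_SALT_ALPHABET) for _ in range(LEGACY_SALT_LEN))
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"md5${salt}${digest}"


def modern_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Build a record in the replacement format: pbkdf2_sha256$<iters>$<salt hex>$<dk hex>."""
    salt = secrets.token_bytes(PBKDF2_SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=PBKDF2_DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Return (password_ok, needs_rehash) for either record format.

    needs_rehash is True for any legacy record, and for a PBKDF2 record whose iteration
    count is below the current setting, so cost can be raised over time.
    """
    scheme, *fields = stored.split("$")
    if scheme == "md5":
        salt, digest = fields
        candidate = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, digest), True
    if scheme == "pbkdf2_sha256":
        iters_str, salt_hex, dk_hex = fields
        iterations = int(iters_str)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), iterations, dklen=PBKDF2_DKLEN
        )
        return hmac.compare_digest(candidate.hex(), dk_hex), iterations < PBKDF2_ITERATIONS
    raise ValueError(f"unknown hash scheme: {scheme!r}")


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check a login; if it succeeds against a weak record, return the upgraded record to store."""
    ok, needs_rehash = verify_password(password, stored)
    if ok and needs_rehash:
        return True, modern_hash(password)
    return ok, stored


if __name__ == "__main__":
    record = legacy_md5_hash("correct horse battery staple", salt="ab12c")
    ok, record = login_and_upgrade("correct horse battery staple", record)
    print(ok, record.split("$")[0])  # True pbkdf2_sha256
```

The upgrade-on-login pattern matters because a database full of MD5 records cannot be re-hashed offline (the plaintext is needed), so the only moment to fix each record is when its owner next authenticates. Until that happens, the legacy records remain exactly as crackable as the article describes, which is why the CEO's advice to change passwords is the right one regardless of what the hashing looked like.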
Shortly after the download links became public, White stated on Twitter that he was experiencing DDoS issues, and mentions of the archive were removed from his account by Twitter after Staminus' lawyers filed a DMCA takedown request.
Staminus denies any connection to the DDoS attacks.
When the attack was first noticed, Staminus blamed it on a "rare event" – one that "cascaded across multiple routers" system-wide. But when the truth was revealed, customers turned to public communication channels (Facebook, Twitter) to vent their rage.
The company clearly had problems with infrastructure development and protection, as well as regulatory issues concerning cardholder data. And yet, hours after the attack started on Friday, several customers reported that services had been restored to working order.
What isn't clear, however, is how long those services will continue given the damage that has been done to customers' trust in the company.