Even during August’s holiday season, if you type ‘hacktivists’ in Google News – just for the last week you will get more than 300 news reports mentioning attacks conducted by famous hacktivists and hacking groups. However, not all of them are actually launched by the original “brand” owners.
Several weeks ago, a financial company contacted High-Tech Bridge (Disclosure: I founded High-Tech Bridge) to investigate a web security incident, allegedly committed by a famous hacktivist group. One of the company’s web portals was lightly defaced (using its admin panel functionality) with insulting slogans, criticizing the company for globalization.
A few moments later, attackers also erased all website content they had access to, including HTTP logs on the breached web server. A first internal notification about the incident came from a web administrator working at the company for 15 years. It also contained a link to zone-h defacement mirror saying that hacktivists compromised and probably backdoored the server, urging server re-installation from scratch. As the attackers were known, he recommended skipping the formal investigation process in order to reduce the downtime of the server. His management gave a green light to move forward without proper system mirroring for further forensics investigation.
The company and its internal security team had no doubts who was behind the attack, however they wanted to discover what exactly had happened and how. When we started the investigation, we found something unusual and even suspicious. Access logs from the corporate WAF, contained a recent and intensive scan by a commercial vulnerability scanner that hacktivists usually cannot afford to purchase and thus don’t use. However, as we later discovered, the customer had several licenses for this vulnerability scanner among its internal security arsenal.
Moreover, the scan was running during business hours, when the majority of hacktivists are usually at school, university or work. The IP addresses used for the scan belonged to a public Wi-Fi in a neighboring country (one hour’s drive from the company’s office), raising questions as to why Tor or an anonymous VPN were not used, typical for such attacks. Besides the scan, nothing related to this particular attack was found in WAF logs.
The compromised application allowed access to the admin panel only from a trusted range of IPs and with an additional layer of authentication, meaning that attackers could not access the admin panel directly even if they had managed to bruteforce admin credentials, steal admin cookies or extract admin’s login and hash from the database via an SQL injection. An RCE could be an option here, but it was not the case - the defacement was definitely done via existing functionality of the admin panel, without altering file content directly via a system command. Without the web server logs investigation was not trivial, but we were moving forward.
The most interesting and suspicious aspect was target selection. The victim company owned several highly visited websites that were running outdated and vulnerable CMSs, which would be easy targets for hacktivists looking to attract public attention – but none of them was hacked or even probed with a scanner. Instead, attackers selected a web application located on a low-traffic subdomain - meaning that the media effect from the attack would be small, if tangible. Moreover, as the web application contained sensitive data - it was pretty well protected in comparison to other web applications.
When we correlated all of the above-mentioned points, we checked if hacktivists had mentioned the attack on social networks, as they usually do. However, nothing was found in the public domain related to this particular incident. So far, the situation was quite clear for us, and we went directly to the web administrator who had initially reported the incident. He was about to successfully terminate his career due to his age, and was planning to move to a warm seaside town for retirement. However, his savings were not enough to buy a good house abroad. As we discovered later, a few months before the incident, he received an offer to sell corporate data [located at the breached web application] for a very attractive price. Finally, he decided to commit a perfect cybercrime, investigation of which (if ever started) would never lead to him.
He went out of the office one day, saying that he is going to a security conference, crossed the border and selected a discreet place without video surveillance to connect to a public Wi-Fi. He ran a security scanner on the web application to simulate pre-attack probing.
The next day, when everybody else has left the office, he logged-in into the web application admin interface (without passing via the public WAF gateway) and made a “deface”. Just after, he made a deface mirror and locally erased all the content of web root directory and web server logs. When he got a green light from the management to proceed with system re-installation, he reinstalled the virtual machine with the web server making further forensics almost impossible.
The remaining WAF logs didn’t contain anything pointing to him, while daily network backup was not yet run. As he was a loyal employee for years - no one has even thought to blame him, moreover he even received a bonus for his reactivity during the incident. However, small details betrayed him and he finished by confessing to the hack.
In the past, I have already written about professional Black Hats and cyber mercenaries using DDoS attacks to hide major data breaches, but cybercrime’s brand theft committed by insiders is a relatively new and probably an emerging trend we didn’t observe a lot in the past.
The scope of digital attacks, their vectors and sophistication become more and more complicated these days, however do remember that corporate cybersecurity is not a rocket science and can be managed pretty well using a common-sense approach.
This article is published as part of the IDG Contributor Network. Want to Join?