by mmaunder 3730 days ago
We're just reporting what we know at this point and what we think is likely. What we know is that their web server had access to _client data_ (the client portal). Two websites had vulnerabilities - both the WP site and the Drupal site. And it is _client data_ that was exfiltrated.

So in my opinion it's highly likely that the client data was taken via either a Drupal or WP attack vector. Even if this breach didn't happen, the client data eventually would have been stolen via one of these vectors. There are thousands of bot scripts that are exploiting revslider every day and so it's inevitable the site would have been hacked repeatedly and someone would have noticed a 2.6TB database that the web server had permission to access.

To illustrate: I've seen scripts running in real-time coming into a honeypot that run 'show databases;' and then dump everything to a .sql file in a public web directory and hit that URL to download. An attacker might have gotten a partial dump and then gone OMG and gone back for seconds... and thirds, and fourths...

1 comments

I think the use of "reporting" is a stretch.. you're speculating and twisting information in your favor.

You're right, data was exfiltrated... Do we know if the portal was on the same server as the website? You seem to be making that connection, but that hasn't been illustrated.

So if your opinion is that it was either a Drupal or WordPress attack vector, why not highlight that in your article or subsequent email? Based on your email, you imply it was WordPress but fail to make this point...

OK "truthfinder007" whose account was created 2 hours ago and has karma of 2. I think I've had about enough of what's going on here. Tell your boss I say hi and that he owes me a beer at the next WordCamp. ;-)

Edit: And then I looked at your comment history. Seriously? http://i.imgur.com/HBqJ8vV.png

Okay Wordfence CEO.

How the hell does your product prevent SQL injection attacks on a payment processor outside of the WordPress ecosystem??? ( http://www.theregister.co.uk/2016/04/11/hackers_pwn_mossack_... )

You guys are a joke.