by truthfinder007 3730 days ago
This article is speculative and does the security community a huge disservice. There is nothing interesting about this research, outside of spreading FUD via scammy marketing techniques like using link bait that takes advantage of something that has global attention.

Allow me to explain why and how I’ve come to this conclusion:

1 - It all starts with the email they sent out:

“We performed an analysis of MF's network and it seems that the breach may have been caused by an outdated WordPress plugin: Revolution Slider. It turns out that not updating your WordPress plugins may result in the fall of world leaders and the largest data breach to journalists in history.”

I get it, they need people to click...

2 - In the Forbes article they reference, it reads:

“its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data.”

but of those 25 potential vulnerabilities, the key one according to WordFence was:

“Viewing this link on the current MF website to a Revolution Slider file reveals the version of revslider they are running is 2.1.7. Versions of Revslider all the way up to 3.0.95 are vulnerable to attack.”

I don’t buy it... the Drupal vulnerability at that time was actually more serious... as referenced in the same Forbes article: http://www.forbes.com/sites/thomasbrewster/2014/10/30/did-dr...

3 - In the same Forbes article they reference it states:

“In a letter, dated April 1 and posted on Wikileaks’ Twitter profile, the firm told customers it was investigating an email server hack.”

So naturally, WordFence needed to connect the dots for the readers:

“Their web server was on the same network as their mail servers based in Panama.”

and here:

“Looking at their IP history on Netcraft shows that their IP was on the same network as their mail servers.”

Got it, they’re on the same network… but nowhere do they describe the process for traversing the network and any potential roadblocks they’d find… but then later, after connecting the dots to the mail server, they revert to the data in the portal… explained later...

4 - They create this video showing how to use a script to exploit the RevSlider vuln. They then type a number of commands to show you how exhaustive the control is:

Commands like:

- ls -la (listing what’s in a folder)
- pwd (showing what directory they are in)

and to really show their control they navigate to /var/www/html (in other words to the same exact directory they’re supposed to have access to under the user they have control of). They then proceed to make statements about how “they have full control of the server”. They have control of the web directory, which is what they would have access to. To have full access to the server they’d need to show some form of privilege escalation that gives actual control of the server…

The argument the author makes to this point on his blog states:

“In the case of MF, they made client data accessible via a web interface to their customers. That means a web server had access to client data. So, as per my explanation above, all they had to do was break into the web server as www-data or whatever user the web server ran as and they have client data.”

So what's the point of the email reference above, if it was on the web server as they theorize?

Additionally, this only makes sense if the portal was on the same web server. There is no proof that the “portal” is on the same server as the web server. I understand why they didn't: using their own tool, they didn't have the information: http://toolbar.netcraft.com/site_report?url=portal.mossfon.c...

If the vector was Drupal, it’d be more realistic that they leveraged a SQLi vulnerability to siphon the data, if that was the vector at all… On that same note, if the user was the same web user, how is that known? Because they don’t update their website doesn’t mean they don’t apply basic sysadmin steps.. again, it’s speculative on both sides, but that’s the issue when you don’t know enough…

Additionally, this is a lot of data we’re talking about.. It'd be very curious if they managed to store that amount of data on a web server and not some form of database server…

5 - In the same video they show how they can see which network cards are attached by using ifconfig… but again show no examples of how that information was used to tunnel into the rest of the environment and how they would have gone about doing something like that…. from their own admission, they show how the mail servers were on the same network, but that itself doesn’t make them susceptible.. there are a number of things that have to happen to be successful… The web server could be on its own DMZ, there could be a number of firewalls isolating parts of the network, there could be a number of things….

Additionally, they speculate it was WordPress … the platform for their main website, when in reality Drupal was the CMS used for the client portal.. wouldn’t it be more realistic to think it’d be Drupal where the real data resides?

6 - There are also statements to how attackers work.. using automated scripts to scan websites for potential vulnerabilities like Revsliders… while it’s true… the logic is flawed… these crawlers pull thousands of websites at any given time… a site like “mossfon.com” is not a high value target, unless it’s being targeted.. these scripts are automated, so are most of their attacks which will automatically upload their scripts and payloads… if the lists are scanned they’re looking for valuable targets, unfortunately mossfon.com isn’t one, unless you know what it is… this logic defies reason and understanding of how attacks happen…

In any event, those are my thoughts... unfortunate...

Thanks! - Truth Finder