Posts Tagged: ColdFusion


18
Jun 15

OPM’s Database for Sale? Nope, It Came from Another US .Gov

A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne’er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries.

Source: Unicor.gov

Source: Unicor.gov

Earlier this week, miscreants who frequent the Hell cybercrime forum (a “Deep Web” site reachable only via the Tor network) began passing around a text file that contained more than 23,000 records which appeared to be a user database populated exclusively by user accounts with dot-gov email addresses. I thought it rather unlikely that the file had anything to do with the OPM hack, which was widely attributed to Chinese hackers who are typically interested in espionage — not selling the data they steal on open-air markets.

As discussed in my Oct. 2014 post, How to Tell Data Leaks from Publicity Stunts, there are several simple techniques that often can be used to tell whether a given data set is what it claims to be. One method involves sampling email addresses from the leaked/hacked database and then using them in an attempt to create new accounts at the site in question. In most cases, online sites and services will allow only one account per email address, so if a large, random sampling of email addresses from the database all come back as already registered at the site you suspect is the breached entity, then it’s a safe guess the data came from that entity.

How to know the identity of the organization from which the database was stolen? In most cases, database files list the users in the order in which they registered on the site. As a result, the email addresses and/or usernames for the first half-dozen or more users listed in the database are most often from the database administrators and/or site designers. When all of those initial addresses have the same top-level domain — in this case “unicor.gov” — it’s a good bet that’s your victim organization.

Image: Unicor.gov

Image: Unicor.gov

According to Wikipedia, UNICOR is a wholly owned United States government corporation created in 1934 that uses penal labor from the Federal Bureau of Prisons to produce goods and services. It is apparently restricted to selling its products and services to federal government agencies, although recently private companies gained some access to UNICOR workforce. For instance, companies can outsource call centers to UNICOR. Case in point: If you call UNICOR’s main number off-hours, the voicemail message states that during business hours your call may be handled by an inmate! Continue reading →


17
Mar 14

The Long Tail of ColdFusion Fail

Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Today’s post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions.

cffailLast Tuesday’s story looked at two victims; the jam and jelly maker Smucker’s, and SecurePay, a credit card processor based in Georgia. Most of the companies contacted for this story did not respond to requests for comment. The few business listed that did respond had remarkably similar stories to tell about the ordeal of trying to keep their businesses up and running in the face of such intrusions. Each of them learned important lessons that any small online business would be wise to heed going forward.

The two companies that agreed to talk with me were both lighting firms, and both first learned of their site compromises after the credit card firm Discover alerted their card processors to a pattern of fraudulent activity on cards that were recently used at the stores.

Elightbulbs.com, a Maple Grove, Minn. based company that sells lighting products, was among those listed in the ColdFusion botnet panel. Elightbulbs.com Vice President Paul McLellan said he first learned of the breach on Nov. 7, 2013 from his company’s processor — Heartland Payment Systems.

elight

McLellan said the unpatched ColdFusion vulnerabilities on the company’s site was certainly a glaring oversight. But he said he’s frustrated that his company was paying a third-party security compliance firm upwards of $6,000 a year to test Elightbulbs.com for vulnerabilities and that the firm also missed the ColdFusion flaws.

“Shortly before we were told by Heartland, we paid $6,000 a year for a company to brutalize our server, for protection and peace of mind,” McLellan said. “Turns out this flaw had existed for two years and they never saw it. 

McLellan said the company received a visit from the FBI last year, and the agent said the group responsible for hitting Elightbulbs had compromised much more high-profile targets.

“The FBI investigator said, ‘Hey, don’t beat yourself up. We’ve got credit card processors and government institutions that run ColdFusion who were breached, this is small potatoes’,” McLellan said. “That was a small consolation.”

Continue reading →


4
Mar 14

Thieves Jam Up Smucker’s, Card Processor

Jam and jelly maker Smucker’s last week shuttered its online store, notifying visitors that the site was being retooled because of a security breach that jeopardized customers’ credit card data. Closer examination of the attack suggests that the company was but one of several dozen firms — including at least one credit card processor — hacked last year by the same criminal gang that infiltrated some of the world’s biggest data brokers.

Smuckers's letter to visitors.

Smucker’s alerts Website visitors.

As Smucker’s referenced in its FAQ about the breach, the malware that hit this company’s site behaves much like a banking Trojan does on PCs, except it’s designed to steal data from Web server applications.

PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.

The malware that tore into the Smucker’s site behaved similarly, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers were submitting the data during the online checkout process.

What’s interesting about this attack is that it drives home one important point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session. With Zeus, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).

Continue reading →


12
Nov 13

Zero-Days Rule November’s Patch Tuesday

Microsoft today issued security updates to fix at least 19 vulnerabilities in its software, including a zero-day flaw in Internet Explorer browser that is already being actively exploited. Separately, Adobe has released a critical update that plugs at least two security holes in its Flash Player software.

crackedwinThree of the eight patches that Microsoft released earned its most dire “critical” label, meaning the vulnerabilities fixed in them can be exploited by malware or miscreants remotely without any help from Windows users. Among the critical patches is an update for Internet Explorer (MS13-088) that mends at least two holes in the default Windows browser (including IE 11). MS13-089 is a critical file handling flaw present in virtually every supported version of Windows.

The final critical patch — MS13-090 — fixes essentially another IE flaw (ActiveX) that showed up in targeted attacks late last week. Microsoft says attackers used a second, “information disclosure” vulnerability in tandem with the ActiveX flaw, but that the company is still investigating that one. It noted that its Enhanced Mitigation Experience Toolkit (EMET) tool successfully blocked the ActiveX exploit.

Nevertheless, it’s important for IE users to apply these updates as quickly as possible. According to Rapid7, exploit code for the ActiveX vulnerability appeared on Pastebin this morning.

“It was known to be under some targeted exploitation, but that will probably expand now that the exploit is public,” said Ross Barrett, senior manager of security engineering at Rapid7. “I would call patching this issue priority #1.” For what it’s worth, Microsoft agrees, at least according to this suggested patch deployment chart.

Today’s patch batch from Redmond did not include an official patch for yet another zero-day vulnerability that has been under active exploitation, although Microsoft did release a stopgap Fix-It tool last week to help blunt the threat. The company also is once again advising Windows users to take another look at EMET.

Check out Microsoft’s Technet blog for more information on these and other updates that the company released today.

brokenflash-aIn a separate patch release, Adobe issued a fix for its Flash Player software for Windows, Mac, Linux and Android devices. The Flash update brings the ubiquitous player to v. 11.9.900.152 on Mac and Windows systems. Users browsing the Web with IE10 or IE11 on Windows 8.x should get the new version of Flash (11.9.900.152) automatically; IE users not on Windows 8 will need to update manually if Flash is not set to auto-update.

To check which version of Flash you have installed, visit this page. Direct links to the various Flash installers are available here. Be aware that downloading Flash Player from Adobe’s recommended spot — this page — often includes add-ons, security scanners or other crud you probably don’t want. Strangely enough, when I visited that page today with IE10 , the download included a pre-checked box to install Google Toolbar and to switch my default browser to Google Chrome.

Continue reading →


4
Nov 13

Hackers Take Limo Service Firm for a Ride

A hacker break in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.

CorporateCarOnline says: "Trust Us: Your Data is Secure"

CorporateCarOnline says: “Trust Us: Your Data is Secure”

The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc. — suggesting that the same attacker(s) may have been involved in all three compromises.

In this case, the name on the file archive reads “CorporateCarOnline.” That name matches a company based in Kirkwood, Missouri which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”

I reached out several times over almost two weeks seeking comment from CorporateCarOnline.com. At length, I reached owner Dan Leonard, who seemed to know what I was calling about, but declined to discuss the matter, saying only that “I’d prefer not to talk to anybody about that.”

It’s understandable why the company would decline to comment: Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses. More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts, card numbers that have very high resale value in the cybercrime underground.

Alex Holden, chief information security officer at Hold Security LLC and a key collaborator on the research in this post, said CorporateCarOnline confirmed to him that the data was stolen from its systems.

“While the target is not a household name, it is, arguably, the highest socially impacting target yet,” Holden said. “By its nature, limo and corporate transportation caters to affluent individuals and VIPs.”

Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion, a Web application platform that has become a favorite target of the attackers thought to be responsible for this and other aforementioned breaches of late.

Below are some of the rich and famous whose pick up and drop-off information — and in some cases credit card data — was in the stolen archive. Nearly all of these individual records were marked with “VIP” or “SuperVIP!” notations. Included in quotes are notes left for the chauffeur.

CELEBRITIES

Photo: Keith Allison

Photo: Keith Allison

LeBron James – Thomas & Mack Center sports arena, athlete entrance, July 22, 2007; “Call Lynn upon arrival.”

Tom Hanks – Chicago Midway, June 19, 2013; “VVIP. No cell/radio use with passenger/prepaid. 1500 W. Taylor Street Chicago, Rosebud, Dinner Reser @8pm”

Aaron Rodgers – Duncan Aviation, Kalamazoo, Mich., June 26, 2010; “Kregg Lumpkin and wife. 3 Bottle Waters. Greg Jennings Foundation.”

LAWMAKERS

-House Judiciary Committee Chairman Rep. John Conyers, (D-Mich.), July 4, 2011, Indianapolis International Airport; “Meet and Greet Baggage Claim. US Congressman. A DFTU situation” [not quite sure what this stands for, but my guess is “Don’t F*** This Up”]

Sen. Mark Udall (D-Colo.), chair of the Senate Armed Services Committee’s Subcommittee on Strategic Forces. Boston Logan Intl. Airport, Sept. 14, 2009; “Contact if need be Yolanda Magallanes [link added]. Client will have golf clubs with him.”

Other current members of Congress whose information appears in this database include Rep. Joe Garcia (D-Fla.); Rep. Gus Bilirakis (R-Fla.); Rep. Jim Matheson (D-Utah); Rep. Lynn Westmoreland, Rep. Joe Baca (D-Calif.), Rep. Mario Diaz-Balart (R-Fla.).

A number of former lawmakers were passengers with limo companies that gave their customer data to CorporateCarOneline, including:

Sen. Tom Daschle (D-SD), Des Moines, Iowa, July 21, 2010; “Ag Innovation Committee. Passengers plus luggage. Passengers: Lori Captain, Mary Langowski, Jonathan Sallet, Tom West, Jim Collins, Senator Tom Daschle, JB Penn, Anthony Farina.”

Sen. John Breaux (D-La.), Aug. 27, 2010; “Ambassador Steven Green & Senator Breaux. ***VIP***DO NOT COLLECT”

Rep. James Saxton (R-NJ), Rep. William Delahunt (D-Mass.), Rep. Billy Tauzin (R-La.),

Continue reading →


3
Oct 13

Adobe To Announce Source Code, Customer Data Breach

Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its ColdFusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts.

A screen shot of purloined source code stolen from Adobe, shared with the company by KrebsOnSec

A screen shot of purloined source code stolen from Adobe, shared with the company by KrebsOnSec

KrebsOnSecurity first became aware of the source code leak roughly one week ago, when this author — working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC — discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.

Shortly after that discovery, KrebsOnSecurity shared several screen shots of the code repositories with Adobe. Today, Adobe responded with confirmation that it has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17, 2013.

In an interview with this publication earlier today, Adobe confirmed that the company believes that hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network that handled credit card transactions for customers. Adobe believes the attackers stole credit card and other data on approximately 2.9 million customers, and that the bad guys also accessed an as-yet-undetermined number of user names and passwords that customers use to access various parts of the Adobe customer network.

ColdFusion source code repository found on hacker's server.

ColdFusion source code repository found on hacker’s server.

Adobe said the credit card numbers were encrypted and that the company does not believe decrypted credit card numbers left its network. Nevertheless, the company said that later today it will begin the process of notifying affected customers — which include many Revel and Creative Cloud account users —  via email that they need to reset their passwords.

In an interview prior to sending out a news alert on the company’s findings, Adobe’s Chief Security Officer Brad Arkin said the information shared by this publication “helped steer our investigation in a new direction.” Arkin said the company has undertaken a rigorous review of the ColdFusion code shipped since the code archive was compromised, and that it is confident that the source code for ColdFusion code that shipped following the incident “maintained its integrity.”

“We are in the early days of what we expect will be an extremely long and thorough response to this incident,” Arkin said. The company is expected to publish an official statement this afternoon outlining the broad points of its investigation so far.

Arkin said Adobe is still in the process of determining what source code for other products may have been accessed by the attackers, and conceded that Adobe Acrobat may have been among the products the bad guys touched. Indeed, one of the screen shots this publication shared with Adobe indicates that the attackers also had access to Acrobat code, including what appears to be code for as-yet unreleased Acrobat components (see screen grab above).

“We’re still at the brainstorming phase to come up with ways to provide higher level of assurance for the integrity of our products, and that’s going to be a key part of our response,” Arkin said. He noted that the company was in the process of looking for anomalous check-in activity on its code repositories and for other things that might seem out of place.

“We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”

The revelations come just two days after KrebsOnSecurity published a story indicating that the same attackers apparently responsible for this breach were also involved in the intrusions into the  networks of the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime. As noted in that story, the attackers appear to have initiated the intrusion into the NW3C using a set of attack tools that leveraged security vulnerabilities in Adobe’s ColdFusion Web application server.

While Adobe many months ago issued security updates to plug all of the ColdFusion vulnerabilities used by the attackers, many networks apparently run outdated versions of the software, leaving them vulnerable to compromise. This indeed may have also been the vector that attackers used to infiltrate Adobe’s own networks; Arkin said the company has not yet determined whether the servers that were breached were running ColdFusion, but acknowledged that the attackers appear to have gotten their foot in the door through “some type of out-of-date” software.

Stay tuned for further updates on this rapidly-moving story.

Update 4:38 p.m. ET: Adobe has released a statement about these incidents here and here. A separate customer security alert for users affected by this breach is here. Also, in a hopefully unrelated announcement, Adobe says it will be releasing critical security updates next Tuesday for Adobe Acrobat and Adobe Reader.

Update, Oct. 5, 4:35 p.m. ET: Rakshith Naresh, a product manager at Adobe, said in a Tweet yesterday that the breach did not involve ColdFusion vulnerabilities.

Update, Oct. 9, 12:50 p.m. ET: Naresh’s Tweet stating that the breach didn’t involve ColdFusion servers was deleted at some point. I followed up with Adobe via email: An Adobe spokesperson said the company’s investigation is still ongoing, and that “at this time we have not identified the initial attack vector to include or exclude a ColdFusion server.”