Pirates used backdoor in shipping company’s website to target freighters.
by Sean Gallagher – Ars Technica – Mar 3, 2016 1:35pm EST
Pirates like those shown here aboard a dhow in waters off western Malaysia in January 2006 were using data stolen from a shipping company’s systems to target cargo ships and steal specific crates of valuables in hit-and-run attacks.
When the terms “pirate” and “hacker” are used in the same sentence, usually it’s a reference to someone breaking digital rights management on software. But that wasn’t the case in an incident detailed in the recently released Verizon Data Breach Digest report, unveiled this week at the RSA security conference. Verizon’s RISK security response team was called in by a global shipping company that had been the victim of high-seas piracy aided by a network intrusion.
The shipping company experienced a series of hit-and-run attacks by pirates who, instead of seeking a ransom for the crew and cargo, went after specific shipping containers and made off with high-value cargo.
“It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved,” the RISK team recounted in the report. “They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate—and that crate only—and then depart the vessel without further incident.”
The targeted nature of the attack made it clear to the shipper that the pirates were somehow getting intelligence directly from their computer systems. The response team discovered that the company used a “homegrown” Web-based content management system (CMS) to manage bills of lading for their cargo ships. An examination of network traffic to the CMS revealed a Web shell script had been uploaded to the server through a vulnerability in the software. The shell script backdoor gave attackers remote access to the server, allowing the upload and download of files—in this case, specifically downloading the bills of lading for the company’s ships. The attackers had compromised a number of system passwords in the process as well.
However, the attackers made a number of mistakes. The shell script used straight HTTP rather than taking advantage of the site’s SSL encryption—so the contents of the traffic was easily discovered by packet captures. “We were ultimately able to capture every command the threat actors issued, which painted a very clear picture,” the RISK team wrote. “These threat actors, while given points for creativity, were clearly not highly skilled. For instance, we found numerous mistyped commands and observed that (they) constantly struggled to interact with the compromised servers.”
While they had managed to get initial access to a number of servers, the attackers weren’t able to install shell scripts on them because of a network security appliance. Ultimately their activities were limited to the server they had initially gained access through.
But their most damning mistake? “The threat actors also showed a lack of concern for their own operational security by failing to use a proxy and connecting directly from their home system,” the RISK team noted. The shipping company shut down the server to fix the vulnerability, and they then blocked the IP address of the pirate’s hacker—ending the targeted attacks.