Reefa, posted February 6, 2014

Hackers broke into at least 34 servers belonging to Comcast yesterday, dumping what appears to be a list of the company's mail servers, passwords and a link to the root file that contains the vulnerability they used to penetrate the system.

The hacktivist collective NullCrew has claimed to have hacked a handful of corporations over the years, Sony, PayPal, Orange Telecom and Ford just to name a few, and took credit for the attack against Comcast Wednesday on its official Twitter handle, @NullCrew_FTS.

"Fun Fact: 34 Comcast mail servers are victims to one exploit," the group boasted yesterday afternoon before posting a Pastebin document full of leaked information as proof.

The compromised mail servers apparently run on Zimbra, a groupware email server client whose Lightweight Directory Access Protocol (LDAP) directory service was the target of the attack. NullCrew was able to exploit a local file inclusion (LFI) vulnerability in LDAP to secure access to the credentials and passwords. An LFI vulnerability can allow a hacker to add local files to web servers via script and execute PHP code. OWASP's definition notes that hackers can take advantage of the vulnerability when sites allow user-supplied input without proper validation, something Comcast is apparently guilty of.

Through the vulnerability, NullCrew was able to access localconfig.xml, a file that contains Comcast LDAP administrative credentials, including LDAP passwords and credentials for MySQL and Nginx. With the information they could be able to make an API call and then execute a privilege escalation, according to a chat log from a few weeks ago, posted today, between two hackers familiar with the vulnerability: _MLT_, formerly of TeaMp0isoN, and C0RPS3, also formerly of TeaMp0isoN but now with NullCrew.

The hack is the second that NullCrew has taken credit for in the past week, following telecom company Bell Canada's announcement that it was breached on Sunday and that more than 22,000 usernames, passwords and some credit card numbers belonging to the phone company's small business customers had been leaked. While Bell acknowledged the breach over the weekend, blaming it on an Ottawa-based third-party supplier, NullCrew publicized the company's insecurities in mid-January, even posting a warning it issued to a company support representative about the vulnerabilities. NullCrew delivered on Saturday, posting a link on Twitter to a Pastebin document, since deleted, full of Bell customer data.

While user information, including five valid credit card numbers, was breached in the Bell attack, Comcast customer information is not expected to be implicated in yesterday's attack. Requests for comment directed to Comcast, which has not made a public statement about the hack yet, were not immediately returned on Thursday.
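The post describes an LFI that used unvalidated request input to read localconfig.xml. As an added example (not from the post or from Zimbra), here is defender-side detection logic that scans web access-log lines for URL-encoded path traversal and for requests naming that credentials file; the log lines, request paths and the `skin` parameter are constructed for illustration, not real Comcast traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Feb/2014:14:02:11 +0000] "GET /zimbra/ HTTP/1.1" 200 4123
203.0.113.9 - - [05/Feb/2014:14:03:40 +0000] "GET /res/app.js?skin=..%2F..%2F..%2F..%2Fopt%2Fzimbra%2Fconf%2Flocalconfig.xml HTTP/1.1" 200 8812
198.51.100.7 - - [05/Feb/2014:14:04:02 +0000] "GET /res/app.js?skin=harmony HTTP/1.1" 200 8812
203.0.113.9 - - [05/Feb/2014:14:04:15 +0000] "GET /res/app.js?skin=....//....//etc/passwd HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Any ".." immediately followed by a slash, after decoding; catches "....//" as well.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
# Files an LFI against a mail server would typically go after (localconfig.xml per the post).
SENSITIVE_FILES = ("localconfig.xml", "/etc/passwd")


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding until the string stops changing."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target: str) -> list:
    """Return the reasons a request target looks like an LFI attempt (empty if clean)."""
    decoded = fully_decode(target).replace("\\", "/")
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if any(name in decoded.lower() for name in SENSITIVE_FILES):
        reasons.append("sensitive-file")
    return reasons


def scan_log(text: str) -> list:
    """Return (ip, raw target, reasons) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {', '.join(reasons)}: {target}")
```

A 200 status on a flagged request is the signal to treat every secret in localconfig.xml (LDAP, MySQL, Nginx) as exposed and rotate it.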
anuseems, posted February 7, 2014

Hacker group NullCrew claims to have broken into Comcast's servers today, exploiting a vulnerability reported in December 2013, but not patched.

Over the weekend of 01 February 2014 the hacker group also claimed credit (?) for performing a SQL injection attack against telecom provider Bell Canada. They were able to access account login and password details for more than 22,000 small business customers of Bell's internet service.

The attackers allegedly contacted Bell customer support two weeks before the disclosure. The problem? Bell's support staff seemingly didn't know how to report the security incident upstream. The customer service representative clearly didn't understand the gravity, nor did they escalate to someone who did. You need to be sure that your staff knows how to report an alleged security incident to the appropriate staff so it can be investigated and handled properly.

From what we can tell, the same thing happened when NullCrew hacked Comcast. It appears that Comcast, the largest internet service provider in the United States, uses Zimbra as an internal communications platform. NullCrew exploited an unpatched security vulnerability, CVE-2013-7091, to gain access to usernames, passwords and other sensitive details from Comcast's environment. They posted the purloined data on Pastebin and taunted the company on Twitter.

Sometimes it appears there is nothing we can do to protect ourselves, but in this case I think there is a valuable lesson. The vulnerability exploited by the attackers was disclosed and fixed in December 2013. While that isn't forever ago, it is enough time that it could have been remedied. None of us can assume that it will take time, especially 60 days, for criminals to determine they can take advantage of flaws in our programs. We may have had the luxury of waiting 30 or even 120 days in the past, but today we must maintain an accurate and up-to-date inventory of all software that is deployed and patch it immediately.

Source: http://nakedsecurity.sophos.com/2014/02/06/comcast-servers-compromised-by-same-attackers-as-bell-canada/