Massive lack of security measures enabled a clear path to the attacker(s)

Jun 17, 2014 13:14 GMT  ·  By

A recently leaked report from Verizon's forensic investigation into the 2011 AntiSec breach of Stratfor (Strategic Forecasting, Inc.) systems shows that, before the attack, the company had almost no security controls in place.

Completed on February 15, 2012, the investigation found that the first signs of unauthorized access were recorded on September 29, 2011, more than a month before the breach.

Numerous failings allowed the intrusion, and the absence of file integrity monitoring tools heads the list: without them, the attacker(s) could drop custom scripts on the servers and run them undetected.
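The kind of check that was missing, as an added example that is not part of the report or of any Stratfor tooling: take a SHA-256 baseline of a web root, then compare a later snapshot against it to surface dropped and tampered files. The web-root layout and file names are constructed for the demonstration.

```python
"""Minimal file-integrity monitor: hash a tree, keep the baseline, report drift."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            snapshot[path.relative_to(root).as_posix()] = hash_file(path)
    return snapshot


def diff(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between two snapshots as added, removed or modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a web root, then plant a script and tamper with a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "lib").mkdir()
        (root / "lib" / "db.php").write_text("<?php // db config ?>")
        before = baseline(root)

        # What an attacker with shell access does: drop a new script and edit an existing page.
        (root / "lib" / "shell.php").write_text("<?php /* attacker-dropped script */ ?>")
        (root / "index.php").write_text("<?php /* injected */ echo 'hello'; ?>")
        after = baseline(root)
        return diff(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline is stored off-host (or signed) so that an attacker with root cannot simply re-baseline after planting files, and the comparison runs on a schedule with the results shipped to the central log.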

The report notes that all the affected systems (web server, database server, mail server, Active Directory server) were permanently reachable from the outside, with no way to verify or log the sessions.

Access was over SSH (Linux) or Windows Remote Desktop, with no restriction based on the source IP address or the user's geolocation.

According to the document, the back-end database for the company's e-commerce process held the Primary Account Number (PAN), expiry date and CVV2/CVC2 values, all stored in plain text. Under PCI DSS the PAN must be rendered unreadable wherever it is stored, and the CVV2/CVC2 may not be retained at all after authorization.

The sensitive systems also sat behind no firewall that could have filtered or blocked traffic to them, so data on the e-commerce network could be exchanged without restriction.

The forensics document notes that “systems interacting with the cardholder data were directly accessible from the systems within the corporate subnet with single-factor authentication.”

Separating servers with different roles into distinct network segments is a fundamental control. It does not stop an initial compromise, but it limits what a compromised host can reach.

Restricting communication between segments is meant precisely to keep an intrusion on one system from spreading to the rest of the network, which limits the damage.
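What "restricting communication between segments" looks like as a policy, as an added example that is not from the report or from Stratfor's environment: a default-deny allow-list of (source segment, destination segment, port), applied to constructed flow records that include the pattern the report describes, a corporate host talking straight to the cardholder database. Segment names and address ranges are hypothetical.

```python
"""Default-deny segmentation policy: which flows between segments are permitted?"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical segments. The corporate LAN must never reach the cardholder data environment directly.
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz_web": ipaddress.ip_network("192.168.10.0/24"),
    "cde_db": ipaddress.ip_network("192.168.20.0/24"),
    "jump": ipaddress.ip_network("192.168.30.0/24"),
}

# Allow-list of (source segment, destination segment, TCP port). Anything not listed is dropped.
ALLOWED_FLOWS = {
    ("corporate", "dmz_web", 443),  # staff use the web app like any customer
    ("dmz_web", "cde_db", 5432),    # only the web tier talks to the database
    ("corporate", "jump", 22),      # admins go through a bastion host
    ("jump", "cde_db", 22),         # the bastion is the only path to the database hosts
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment containing ip, or None if it belongs to no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_permitted(flow: Flow) -> bool:
    """Default deny: a flow passes only if its segment pair and port are explicitly listed."""
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    if src is None or dst is None:
        return False            # unknown address on either side, e.g. the open internet
    if src == dst:
        return True             # intra-segment traffic is outside this policy's scope
    return (src, dst, flow.port) in ALLOWED_FLOWS


def audit(flows: list[Flow]) -> list[Flow]:
    """Return the flows the policy would block."""
    return [f for f in flows if not is_permitted(f)]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "192.168.10.5", 443),
    Flow("192.168.10.5", "192.168.20.8", 5432),
    Flow("10.10.4.21", "192.168.20.8", 5432),   # corporate host straight to the DB
    Flow("10.10.4.21", "192.168.20.8", 3389),   # corporate host opening RDP on the DB host
    Flow("10.10.4.21", "192.168.30.2", 22),
    Flow("192.168.30.2", "192.168.20.8", 22),
    Flow("203.0.113.9", "192.168.20.8", 22),    # internet address reaching the DB over SSH
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print(f"BLOCK {flow.src} -> {flow.dst}:{flow.port}")
```

The same table translates directly into firewall rules between the segments; the point of writing it as data is that any flow not in the list, including the corporate-to-database and internet-to-database ones, is denied without anyone having to anticipate it.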

Furthermore, the leaked file points out that Stratfor did not maintain centralized logging, so there was no practical way to monitor regularly for suspicious activity or out-of-the-ordinary security events.
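The two gaps above, remote logins with no source restriction and no central log to review, are what the following added example addresses; it is not from the report or from Stratfor's systems. It parses sshd "Accepted" lines in standard syslog format, flags successful logins from outside an allow-list of admin networks, and reports a single outside source reaching several hosts. The log lines, hostnames and admin network are constructed.

```python
"""Review SSH logins from a central log against an allow-list of admin source networks."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in sshd's syslog format (not taken from the Stratfor investigation).
SAMPLE_LOG = """\
Sep 29 02:14:07 web1 sshd[2144]: Accepted password for admin from 10.0.5.12 port 51022 ssh2
Sep 29 02:15:41 db1 sshd[3120]: Accepted password for admin from 10.0.5.12 port 51030 ssh2
Sep 29 03:02:19 web1 sshd[2201]: Accepted password for admin from 203.0.113.77 port 40011 ssh2
Sep 29 03:05:55 db1 sshd[3188]: Accepted password for dbadmin from 203.0.113.77 port 40020 ssh2
Sep 29 03:06:30 mail1 sshd[990]: Accepted publickey for backup from 10.0.5.40 port 38822 ssh2
Sep 29 03:07:02 db1 sshd[3190]: Failed password for root from 203.0.113.77 port 40031 ssh2
"""

# Hypothetical admin network; an interactive login from anywhere else is unexpected.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_logins(text: str) -> list[dict]:
    """Extract successful logins; failed attempts do not match the regex and are skipped."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            logins.append(m.groupdict())
    return logins


def is_allowed(ip: str) -> bool:
    """True when the source address lies inside one of the admin networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_suspicious(logins: list[dict]) -> list[str]:
    """Flag logins from outside the allow-list and any outside source that reached several hosts."""
    findings = []
    hosts_by_source = defaultdict(set)
    for entry in logins:
        hosts_by_source[entry["ip"]].add(entry["host"])
        if not is_allowed(entry["ip"]):
            findings.append(
                f"{entry['ts']} {entry['user']}@{entry['host']} from unexpected source {entry['ip']}"
            )
    for ip, hosts in hosts_by_source.items():
        if not is_allowed(ip) and len(hosts) > 1:
            findings.append(f"{ip} reached {len(hosts)} hosts: {', '.join(sorted(hosts))}")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_logins(SAMPLE_LOG)):
        print(finding)
```

The host-count rule is the one that matters in a case like this: one unfamiliar address logging into the web server and then the database server within minutes is lateral movement, and it is only visible when both hosts' logs land in the same place. The allow-list itself is the restriction the report says was absent; enforcing it in sshd or the firewall prevents the login, while checking it in the log at least detects it.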

Given the report's conclusions, the attacker(s) got a lot of help from the company itself. There was apparently no password management policy either: the same passwords were sometimes shared by several employees across multiple devices, so that a targeted attack to obtain one set of credentials paid off across many accounts and systems.

Often, employees used the same password for email and for the remote systems holding sensitive information.

On December 24, 2011, the AntiSec group defaced Stratfor's website and started wiping the server by running “rm -rf” against the root directory with elevated privileges; the server crashed once critical system files had been removed. A day later, on December 25, some of the information taken from Stratfor was dumped online.

The data exfiltrated during the breach contained customer names, email addresses, primary account numbers, expiration date of the cards and CVV2/CVC2 values.

A tweet from Anonymous on December 26, 2011, claimed that the attacker(s) had stolen 860,000 usernames, 75,000 credit card details and more than 2.5 million company emails.