Piracy is a known danger on the high seas, but one recent situation shows that the “arggghhh matey” business has evolved with the digital times. According to a recent RISK Labs report from Verizon, a global shipping company found itself dealing with uncommonly wired sea-pirates that used cyber-espionage to plot out their attacks ahead of time.
Although the shipping company’s dealings with pirates were nothing new, the tactics had changed significantly over time. “It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved,” explained the report [PDF]. “They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate—and that crate only—and then depart the vessel without further incident. Fast, clean and easy.”
That meant the old business of hijacking a ship and holding the crew hostage for days on end while the attackers rifled through the cargo looking for something valuable was set to go the way of the dodo.
It turns out that the pirates had exploited an unpatched vulnerability in the shipping company’s homegrown content management system (CMS), which is used to manage shipping inventories and specifically the various bills of lading associated with each of their shipping vessels. The threat actors merely established a back door, and from there were able to pull down bills of lading for future shipments and identify sought-after crates and the vessels scheduled to carry them.
“The threat actors used an insecure upload script to upload the web shell and then directly call it as this directory was web accessible and had execute permissions set on it—no Local File Inclusion (LFI) or Remote File Inclusion (RFI) required,” Verizon detailed in its report. “Essentially, this allowed the threat actors to interact with the webserver and perform actions such as uploading and downloading data, as well as running various commands.”
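The report’s point that no LFI or RFI was needed deserves a concrete look: when an upload script keeps the client’s filename and writes into a directory the server will both serve and execute scripts from, the uploaded file is the exploit. The following is an added example, not code from the Verizon report or from the shipping company’s CMS, that puts an upload handler written that way beside a hardened one; the sample uploads, the directory names and the allowed extensions are all assumptions.

```python
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample uploads (client-supplied filename, body); not data from the report.
SAMPLE_UPLOADS = [
    ("manifest.pdf", b"%PDF-1.4\n% constructed bill of lading\n"),
    ("shell.php", b"<?php system($_GET['cmd']); ?>"),       # one-line web shell
    ("../../index.php", b"<?php echo 'defaced'; ?>"),      # path traversal out of uploads/
    ("report.pdf.php", b"<?php system($_GET['c']); ?>"),   # double extension
]

ALLOWED_EXTENSIONS = {".pdf", ".csv", ".xml"}            # assumption: what the CMS really needs
MAGIC = {".pdf": b"%PDF-", ".xml": b"<?xml"}              # assumption: minimal content check


def insecure_save(webroot: Path, filename: str, data: bytes) -> Path:
    """The pattern the report describes: trust the client's filename and drop the
    file into a directory the web server serves and executes scripts from."""
    upload_dir = webroot / "uploads"
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / filename          # no validation, no normalisation
    dest.write_bytes(data)
    return dest


def secure_save(store: Path, filename: str, data: bytes) -> Path:
    """Hardened handler: allow-list the extension, check the content, discard the
    client's name and path, and write outside the web root with no exec bit."""
    ext = Path(filename).suffix.lower()   # suffix of 'report.pdf.php' is '.php'
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match declared type")
    store.mkdir(parents=True, exist_ok=True)
    dest = store / (secrets.token_hex(16) + ext)   # server-chosen name: no traversal, no collisions
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)  # rw-r-----, never executable
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    if dest.resolve().parent != store.resolve():   # belt and braces: still inside the store
        dest.unlink()
        raise RuntimeError("upload escaped the store directory")
    return dest


def demo(base: Optional[Path] = None) -> dict:
    """Run both handlers over the samples; report where each file landed under the
    insecure handler and whether the hardened one accepted it."""
    base = base or Path(tempfile.mkdtemp(prefix="cms-demo-"))
    webroot, store = base / "htdocs", base / "private_uploads"
    results = {}
    for name, body in SAMPLE_UPLOADS:
        path = insecure_save(webroot, name, body).resolve()
        entry = {
            "insecure_path": str(path),
            "under_webroot": webroot.resolve() in path.parents,
        }
        try:
            saved = secure_save(store, name, body)
            entry["secure"] = "accepted as " + saved.name
        except ValueError as exc:
            entry["secure"] = "rejected: " + str(exc)
        results[name] = entry
    return results


if __name__ == "__main__":
    for name, entry in demo().items():
        print(f"{name:18} insecure -> {entry['insecure_path']} (under webroot: {entry['under_webroot']})")
        print(f"{'':18} hardened -> {entry['secure']}")
```

Two of the fixes matter more than the rest: the hardened handler never lets the client choose the stored name or path, and it writes outside the web root with mode 0640, so even a file that slips past the allow-list is never served or executed. The upload directory itself should also have script execution switched off in the web server (with Apache and mod_php, `php_admin_flag engine off` in that directory’s block), which would have turned the attackers’ directly callable web shell into a dead file.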
Perhaps because cyber-attacks aren’t their core focus, the pirates made a few errors that allowed their gambit to be uncovered and shut down (to the presumable chagrin of the crew, for whom days-long stints as hostages are once again a threat).
To wit: The attackers didn’t use SSL (or any encrypted connection at all), sending commands over the internet in plain text. There were also numerous mistyped commands, and Verizon observed that the threat actors constantly struggled to interact with the compromised servers. They also showed a lack of concern for their own operational security by failing to use a proxy and connecting directly from their home system.
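Because the operators drove their web shell over cleartext HTTP from a single home address, every command they typed, typos included, was visible to the web server’s access log and to any network sensor on the path. The following is an added example, not code from the Verizon report or the shipping company, of detection logic run over constructed access-log lines in Apache combined format; the `/uploads/` directory, the `img.php` shell name, the addresses and the commands are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format; not taken from the report.
# 203.0.113.7 plays the operator's home address, 198.51.100.22 a legitimate user.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2016:10:01:45 +0000] "POST /upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2016:10:02:10 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2016:10:02:31 +0000] "GET /uploads/img.php?cmd=cta%20/etc/passwd HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2016:10:02:40 +0000] "GET /uploads/img.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 2011 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Apr/2016:10:03:00 +0000] "GET /uploads/manifest.pdf HTTP/1.1" 200 77132 "-" "Mozilla/5.0"
"""

UPLOAD_DIRS = ("/uploads/",)   # assumption: where the CMS's upload script writes files
EXEC_EXTENSIONS = (".php", ".php5", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl")
SHELL_TOKENS = re.compile(
    r"(?:^|[\s;|&`$(])(?:whoami|id|uname|cat|ls|pwd|wget|curl|nc|bash|sh|cmd(?:\.exe)?|powershell)\b"
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Split one combined-format line into fields, with the query string decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def reasons(rec):
    """Why a request looks like web-shell interaction (empty list = benign)."""
    out = []
    path = rec["path"].lower()
    # 1. A server-side script is being executed from the upload directory. This
    #    needs no knowledge of the command, so it also catches the mistyped ones.
    if path.startswith(UPLOAD_DIRS) and path.endswith(EXEC_EXTENSIONS):
        out.append("script executed from upload dir")
    # 2. A query value that reads like a shell command (cleartext HTTP hides nothing).
    for values in rec["query"].values():
        if any(SHELL_TOKENS.search(v) for v in values):
            out.append("shell command in query")
            break
    return out


def detect(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        why = reasons(rec)
        if why:
            cmd = next((v[0] for v in rec["query"].values() if v), "")
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "command": cmd, "status": rec["status"], "reasons": why})
    return findings


def sources(findings):
    """Count findings per source address; a single, non-proxied origin stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['path']} cmd={h['command']!r} -> {', '.join(h['reasons'])}")
    print("by source:", dict(sources(hits)))
```

The path-based rule is the one to rely on: it fires on the mistyped `cta /etc/passwd` just as it does on the correct command, because it only needs to know that a script under the upload directory is being executed at all. The keyword rule is a secondary signal for shells dropped somewhere else, and the per-source count is what makes an operator who never bothered with a proxy easy to pick out.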
The scurvy dogs also didn’t get anywhere fast. “The threat actors tried, albeit in vain, to establish a reverse shell to directly interact with one of the compromised hosts,” Verizon explained. “Try as they might, the threat actors were unable to move laterally. This attempt was blocked by a network security appliance. The threat actors then attempted to pivot to other systems within the network. They spent considerable time attempting to do so and, although armed with freshly dumped passwords, were unable to succeed.”
Photo © Noel Powell