Brian Krebs of KrebsOnSecurity said that the identity theft entrepreneurs that hit LexisNexis, Dun & Bradstreet and HireRight/Kroll also set their sights on the cybersecurity organization. Krebs’ analysis of the web server that was used to control the hacked PCs inside the data brokers showed that it also had at least one infected system for 11 weeks this summer inside of the NW3C, from about May 28 to Aug. 17.
The target seems on the surface somewhat of an odd choice: The NW3C and the FBI run the Internet Crime Complaint Center (IC3), which accepts online internet crime complaints from victims of cybercrime. NW3C analysts are also consultants: they typically look at publicly available information and try to establish criminal patterns. “Information obtained through public database searches can assist investigations by locating suspects, establishing property ownership and finding hidden assets, just to name a few of the benefits,” its mission statement reads.
The intruders set about plundering local databases and offloading stolen data, including, Krebs said, stealing 10 years’ worth of consumer complaint information. Krebs found 2.659 million records from the IC3 on the attacker’s server.
“The stolen IC3 data indicate that the attackers sought to grab and offload all of the data they could access, but the IC3 database itself isn’t particularly useful, except perhaps for spamming and phishing,” Krebs said.
Other database queries show the attackers had access to systems at NW3C that could look up records which appear to be related to ongoing criminal and possibly civil cases. For instance, the attackers looked up a list of foreign law enforcement agents who were working active criminal cases with the organization.
Alex Holden from security consulting firm Hold Security LLC told Krebs that while some of the information stolen from the NW3C may not be particularly useful for traditional cybercriminal purposes, “other entities that might be interested in this data include foreign governments. These guys may also be passing or selling this data off to other nations as well.”
FBI Spokeswoman Lindsay Godwin told Krebs only that the FBI was “looking into it.” The NW3C had no comment.
In terms of method, “the attackers appear to have compromised a public-facing server at NW3C that was designed to handle incoming virtual private network (VPN) communications,” Krebs wrote in a lengthy analysis. “The attackers uploaded a file — nbc.exe — designed to open up an encrypted tunnel of communications from the hacked VPN server to their botnet controller on the public Internet. This appears to be the same nbc.exe file that was found on the two hacked servers at LexisNexis.”
The attackers then broke into the NW3C using a Web-based attack tool that focuses on exploiting recently patched weaknesses in servers powered by Adobe ColdFusion, he added. Once inside the NW3C’s network, they scanned all of the organization’s systems for security vulnerabilities and database servers, and uploaded a Web-based “shell” which let them gain remote access to the hacked server via a Web browser.
Krebs said that he plans to continue to investigate the operation.