October 31, 2012, 2:56 PM — Hackers are brazenly infiltrating corporate networks to steal valuable data for purposes of sharing it with other companies or nation-states -- and they're getting away with it, say security researchers sharing war stories at the Hacker Halted conference in Miami this week.
"Unfortunately, IDS [intrusion-detection systems] didn't detect them," said Gianni Gnesa, security researcher at Ptrace Security, based in Switzerland, who described a recent attack on a Swiss firm to steal important data.
It started by targeting an employee after he had placed an inquiry on Craigslist related to furniture. The email he got back redirected him to a dynamic-exploit delivery page created by an attacker, which successfully exploited Windows Internet Explorer on his Windows 7 machine to compromise it. This MS12-037 exploit, though not a zero-day attack then, did not have a patch available for it at the time, Gnesa said.
Once into the compromised employee machine, the attacker used a collection of tools and a sniffer to look for where valuable content might be stored in the Swiss company's network. Though he found an application server, he couldn't get into it. But the attacker did break into the network printer, a Toshiba, and went on to check for passwords. "The administration password was in the HTML code," said Gnesa. "And unfortunately, that password was also used on another machine."
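The printer step is worth turning into a check, because embedded devices routinely echo configured credentials back into their settings pages (pre-filled password inputs, hidden form fields, JavaScript variables, even HTML comments), and the same secret then tends to show up on other boxes. The script below is an added example, not code from the article or from Ptrace Security: it parses a device's admin page for leaked secrets with Python's standard-library HTML parser and then cross-references the secrets found across several hosts to flag reuse. The two admin pages and the hostnames are constructed samples, and the field-name hints are an assumption to be extended per device family.

```python
"""Find credentials leaked in device admin-page HTML and flag reuse across hosts.

Added example (not from the article). The pages and hostnames below are
constructed samples, not real device output.
"""
import re
from html.parser import HTMLParser

# Field-name fragments that suggest a credential (assumed list; extend per device).
SECRET_NAME_HINTS = ("pass", "pwd", "secret")

# Matches assignments such as  adminPwd = 'x'  or  password: x  inside
# <script> blocks and HTML comments (assumed pattern, tuned to the samples).
ASSIGNMENT_RE = re.compile(
    r"""(\w*(?:pass|pwd|secret)\w*)\s*[:=]\s*["']?([^\s"'<;]+)""", re.I
)


class CredentialLeakScanner(HTMLParser):
    """Collects (kind, name, value) triples for anything that looks like a secret."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag != "input":
            return
        typ = a.get("type", "text").lower()
        name = a.get("name", "(unnamed)")
        value = a.get("value", "")
        if not value:
            return
        # A pre-filled password box is a leak by itself; a hidden field is only
        # suspicious when its name hints at a secret (csrf tokens are fine).
        if typ == "password":
            self.findings.append(("input:password", name, value))
        elif typ == "hidden" and any(h in name.lower() for h in SECRET_NAME_HINTS):
            self.findings.append(("input:hidden", name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            for m in ASSIGNMENT_RE.finditer(data):
                self.findings.append(("script", m.group(1), m.group(2)))

    def handle_comment(self, data):
        for m in ASSIGNMENT_RE.finditer(data):
            self.findings.append(("comment", m.group(1), m.group(2)))


def scan_html(html):
    """Return every suspected credential leak in one page, in document order."""
    scanner = CredentialLeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def shared_secrets(pages):
    """Map each leaked secret value to the hosts it appears on; keep only reused ones."""
    seen = {}
    for host, html in pages.items():
        for _kind, _name, value in scan_html(html):
            seen.setdefault(value, set()).add(host)
    return {value: sorted(hosts) for value, hosts in seen.items() if len(hosts) > 1}


# Constructed sample: a printer settings page that echoes its configuration back.
PRINTER_ADMIN_PAGE = """<html><body>
<!-- default admin password: printer123 (constructed sample) -->
<form action="/admin/save" method="post">
  <input type="text" name="admin_user" value="admin">
  <input type="password" name="admin_pass" value="Pr1nt3r!">
  <input type="hidden" name="smb_pwd" value="backup-share-2012">
  <input type="hidden" name="csrf_token" value="a1b2c3">
</form>
<script>var snmpCommunity = "private"; var adminPwd = 'Pr1nt3r!';</script>
</body></html>"""

# Constructed sample: a second host whose share uses the same password.
FILESERVER_ADMIN_PAGE = """<html><body><form>
  <input type="password" name="smb_password" value="Pr1nt3r!">
</form></body></html>"""

# Hostnames are assumed for the example.
SAMPLE_PAGES = {
    "printer.example.internal": PRINTER_ADMIN_PAGE,
    "fileserver.example.internal": FILESERVER_ADMIN_PAGE,
}

if __name__ == "__main__":
    for host, page in SAMPLE_PAGES.items():
        for kind, name, value in scan_html(page):
            print(f"{host}: {kind} {name} = {value!r}")
    for value, hosts in shared_secrets(SAMPLE_PAGES).items():
        print(f"REUSED {value!r} on {', '.join(hosts)}")
```

In practice the pages come from an authenticated GET against each device's admin URL; the scanner deliberately reports the unmasked value so that the reuse check can match it, so treat its output as sensitive. Values found in script blocks and comments are the ones that survive a "masked" password box, which is why both are scanned in addition to input fields.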
Eventually the attacker made his way to documents, diagrams and other valuable intellectual property stored on a Linux file server. Although the server itself was well-kept in terms of security, its backup server was not, and by using what Gnesa referred to as the phpMyAdmin 3.4.1 swekey RCE exploit, the attacker got a remote shell on the backup server. With yet another trick, the Linux 2.6.x umount exploit, he got a root shell and had access to every file and directory, said Gnesa.