In last couple of weeks we have been all witnesses of multiple compromises of (in some cases) pretty high profile web sites (and other servers). Today there was another victim of such a compromise, a well known security company.
The group which purportedly compromised most of these servers released their e-zine, named ZF0 (Zero For Owned). The e-zine is full of articles that show a lot of details that the group gathered from the compromised servers – the shown logs definitely confirm that this group managed to compromised all these servers as there was no other way to obtain the information pasted in the e-zine.
After going through all articles, it is still not possible to say how they managed to compromise the servers – I know that there was a lot of FUD about the OpenSSH 0-day exploit. However, even if such thing exists, it is impossible to say if they used it or not.
I spent some time going through the articles and in some cases it appears that the attackers managed to compromise the hosting server, through which they owned all other hosted web sites. This is, indeed, a very viable option since we have been witnesses of such cases for many times. The e-zine authors actually even mention this, to quote them: "So if a site on a shared host is being tested, just because site1.com is "secure" that does NOT in anyway mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks.". This is very true – I wrote a diary about a very similar attack back in 2007 (see the diary Mass website hosting = mass defacements at http://isc.sans.org/diary.html?storyid=3078).
The issue here is that it can be very difficult to properly limit what each hosted web site and/or account can do in order to protect other customers on the same server. There were also cases when attackers simply bought a web hosting package (they can easily get it for $10 with a stolen credit card) and the web hosting company put their web on a server shared with other, high profile web sites. Of course, in this case, the attacker's job is much easier since in some cases they already have a relatively limited shell access to the server!
So what can we do to protect ourselves? As always, make sure that you remove any application that is not necessary and keep needed applications up to date, together with the operating system. If you use services such as SSH make sure that you use SSH keys, as well as limit access to only trusted IP addresses if possible. I would like to remind everyone to password protect their SSH keys – the worst case scenario is if an attacker gets access to one of your accounts and then just jumps through other (often internal) sites because you had those SSH keys in the open.
Finally, I hope that some of the high profile security sites that have been hit will be able to analyze the attacks and share some useful information about how the attackers got in.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Brussels February 2020