New Details on Astoria Company Hack Emerge

When the ShinyHunters hacking group started hawking the personal data of millions of people on the Dark0de market early last month, it was notable because of the sheer number of records in play – and because of who was hacked. In addition to information on 400 million Facebook and a database of Instagram users, the load included data on 300 million users – including Social Security numbers for 40 million – from lead generation company Astoria Company LLC, whose network of websites gathers information on consumers seeking services like discounted car loans, medical insurance and payday loans.

Now, researchers at Night Lion Security have fleshed out how the Astoria Company hack happened and recounted interactions with “Seller13,” likely an alias for the broker known as Yousef, who also sold Astoria’s data on the Russian cybercrime forum Exploit and at least one other darkweb marketplace.

While “it is unclear whether Seller13 is using the ShinyHunters name as a type of misdirection, or if the two actors are actually working together,” the researchers said their conversations with the threat actor “seem to indicate that he and ShinyHunters are working together.”

Although the attack was “relatively commonplace,” and “the chain of events and reconnaissance performed in this particular breach are performed on a regular basis by threat actors globally,” according to Brandon Hoffman, CISO at Netenrich, the “details published by Night Lion Security provide some interesting insights,” said Alec Alvarado, threat intelligence team lead at Digital Shadows.

What Night Lion researchers found was, ultimately, a “multi-faceted attack taking advantage of a perfect storm of software vulnerability, system misconfiguration and insider hacks,” said Yaniv Bar-Dayan, CEO and cofounder at Vulcan Cyber.

Night Lion discovered a list of more than 400 domains registered to Astoria Company. A search for “publicly accessible code with potentially leaked credentials or AWS keys” yielded a list of vulnerable URLs across those domains. Further investigation uncovered a number of web shells and malicious scripts, including Corex.php and Adminer.php, on the Astoria Company domain, MortgageLeads.loans, the researchers said.

A closer look at the Corex web shell URL showed “a number of other exploit tools that were left on the system, including the adminer.php script,” they said.

“Visiting the http://mortgageleads.loans/adminer.php URL, we noticed immediately that the admin credentials for user “adminastoria” were pre-saved, allowing anyone complete access to the database from a public URL — no authentication needed,” the researchers said.

A malicious insider, which Astoria Company officials identified to Night Lion as a developer based in India, took advantage of a previously reported file disclosure vulnerability in Adminer that allows hackers to populate the connection window with their remote MySQL server.

After the two servers are connected, the attacker uses a MySQL misconfiguration to read files – including MySQL configuration and WordPress PHP files – on the victim’s server.

“The newly revealed details indicate the attack was not highly sophisticated, as admin database credentials were pre-saved, and a public URL reportedly provided full access,” Alvarado explained. “Although the credentials could have been pre-saved maliciously, as indicated by Astoria’s responses,” he said, that casts a harsh light on how the company managed its databases, heightened by the premium cybercriminals place on personal data.

“If just one of the attack vectors were mitigated or remediated,” Bar-Dayan said, “This data breach could have been avoided.”

The unique perspective offered by Seller13 can serve as a cautionary tale and offer guidance for defenders on how to harden their organizations against similar attacks, Alvarado said. Beyond being a lesson in how to better protect databases, with some simple steps, Night Lion researchers suggested the incident could be used to persuade legislators to get behind an “overarching” federal breach notification standard. More recently, Congress has leaned in that direction, but meaningful progress has sputtered and stuttered as lawmakers grapple with what the requirements under that legislation might include. Will the Astoria Company breach jumpstart those discussions? Perhaps. More likely, though, they will percolate on the back burner well into the future.

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard
Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 142 posts and counting.See all posts by teri-robinson