When the ShinyHunters hacking group started hawking the personal data of millions of people on the Dark0de market early last month, it was notable because of the sheer number of records in play – and because of who was hacked. In addition to information on 400 million Facebook and a database of Instagram users, the load included data on 300 million users – including Social Security numbers for 40 million – from lead generation company Astoria Company LLC, whose network of websites gathers information on consumers seeking services like discounted car loans, medical insurance and payday loans.
Now, researchers at Night Lion Security have fleshed out how the Astoria Company hack happened and recounted interactions with “Seller13,” likely an alias for the broker known as Yousef, who also sold Astoria’s data on the Russian cybercrime forum Exploit and at least one other darkweb marketplace.
While “it is unclear whether Seller13 is using the ShinyHunters name as a type of misdirection, or if the two actors are actually working together,” the researchers said their conversations with the threat actor “seem to indicate that he and ShinyHunters are working together.”
Although the attack was “relatively commonplace,” and “the chain of events and reconnaissance performed in this particular breach are performed on a regular basis by threat actors globally,” according to Brandon Hoffman, CISO at Netenrich, the “details published by Night Lion Security provide some interesting insights,” said Alec Alvarado, threat intelligence team lead at Digital Shadows.
What Night Lion researchers found was, ultimately, a “multi-faceted attack taking advantage of a perfect storm of software vulnerability, system misconfiguration and insider hacks,” said Yaniv Bar-Dayan, CEO and cofounder at Vulcan Cyber.
Night Lion discovered a list of more than 400 domains registered to Astoria Company. A search for “publicly accessible code with potentially leaked credentials or AWS keys” yielded a list of vulnerable URLs across those domains. Further investigation uncovered a number of web shells and malicious scripts, including Corex.php and Adminer.php, on the Astoria Company domain, MortgageLeads.loans, the researchers said.
A closer look at the Corex web shell URL showed “a number of other exploit tools that were left on the system, including the adminer.php script,” they said.
“Visiting the http://mortgageleads.loans/adminer.php URL, we noticed immediately that the admin credentials for user “adminastoria” were pre-saved, allowing anyone complete access to the database from a public URL — no authentication needed,” the researchers said.
A malicious insider, which Astoria Company officials identified to Night Lion as a developer based in India, took advantage of a previously reported file disclosure vulnerability in Adminer that allows hackers to populate the connection window with their remote MySQL server.
After the two servers are connected, the attacker uses a MySQL misconfiguration to read files – including MySQL configuration and WordPress PHP files – on the victim’s server.
“The newly revealed details indicate the attack was not highly sophisticated, as admin database credentials were pre-saved, and a public URL reportedly provided full access,” Alvarado explained. “Although the credentials could have been pre-saved maliciously, as indicated by Astoria’s responses,” he said, that casts a harsh light on how the company managed its databases, heightened by the premium cybercriminals place on personal data.
“If just one of the attack vectors were mitigated or remediated,” Bar-Dayan said, “This data breach could have been avoided.”
The unique perspective offered by Seller13 can serve as a cautionary tale and offer guidance for defenders on how to harden their organizations against similar attacks, Alvarado said. Beyond being a lesson in how to better protect databases, with some simple steps, Night Lion researchers suggested the incident could be used to persuade legislators to get behind an “overarching” federal breach notification standard. More recently, Congress has leaned in that direction, but meaningful progress has sputtered and stuttered as lawmakers grapple with what the requirements under that legislation might include. Will the Astoria Company breach jumpstart those discussions? Perhaps. More likely, though, they will percolate on the back burner well into the future.