Attacks/Breaches

7/11/2018
06:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Hacker Exploits 2-Year Old Router Issue To Steal Sensitive US Military Data

A moderately skilled hacker managed to steal export-restricted data pertaining to the Reaper drone and Abrams tank from computers belonging to two US Army officials.

Sensitive US military documents, including training materials for the MQ-9A Reaper drone and an operations manual for the M1 Abrams tank, were recently available for sale on the Dark Web.

A single hacker with apparently moderate technical skills accessed one set of the leaked documents from the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, at the Creech AFB in Nevada, says intelligence firm Recorded Future. The data that was stolen included Reaper maintenance books and the list of airmen assigned to the military drone program at the base.

The source of the other document — pertaining to the M1 Abrams tank — is not clear. But it appears to be part of a larger set of military documents that the same hacker obtained from a separate computer belonging to a US Army official.  The second dataset included information on a training course for a tank platoon, documentation on mitigation tactics for an improvised explosive device, and a crew survival course. The documents, while not classified, contained sensitive, export-controlled data, according to Recorded Future in a report detailing its findings.

In both instances of data theft, the threat actor exploited a previously known issue with Netgear routers that allows remote attackers to access data on storage devices connected to the router if the default FTP authentication credentials are not updated. Recorded Future says its research shows more than 4,000 routers worldwide continued to be exposed to the issue — more than 1,430 of them in the US.

Researchers from Insikt Group, Recorded Future's threat intelligence team, established contact with the threat actor after coming across advertisements for the stolen data in underground forums in early June.  The individual — a newly registered, English-speaking member of a hacking forum — claimed he had used the Shodan search engine to search for and find Netgear routers that use a standard port 21 from which he could steal data.

"According to the actor, the data was stolen from two separate computers, and it was released within a week of each other," says Andrei Barysevich, director of advanced collection at Recorded Future. "In the case of the US Army captain, the hacker had access for a somewhat prolonged period. He lost access to the second computer within a day."

On days when the actor was not looking for victims, he watched live video footage from border surveillance cameras, airplanes, and a M1-1 Predator drone over Choctawhatchee Bay in the Gulf of Mexico, Recorded Future says. He used the same Shodan engine to search for unprotected Full Motion Video (FMV) streams as he did to find the vulnerable Netgear routers.

But unlike the case with the stolen data, the hacker shared access to the full-motion video streams for free, Barysevich says. "Not only was the actor able to access surveillance footage from drones but also from southern border checkpoints," he says. "Access to such streams could be invaluable for drug cartels and human traffickers."

The full ramifications of the data breaches are still unclear. But the fact that a hacker with average skills was able to identify military computers and steal sensitive information from them in a week's time is concerning, Recorded Future says. "[It] is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve," the vendor said.

That the threat actor exploited a 2-year-old vulnerability in Netgear routers suggests the sensitive military data was stored on a system connected to an unpatched or unmanaged wireless access point, says Sherban Naum, senior vice president of corporate strategy and technology at Bromium.

For the military, the question now is whether the documents were on a personal device or a government-issued computer. If the data was stored on a personal device, the question would be why the data was there in the first place. If the data was accessed from a government-issued computer, the question would be why it was connected to an unprotected network, Naum says.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/12/2018 | 8:32:36 AM
Re: Recalling Internet Census 2012 and Carna
All good points and add one more - the military complex generally (here we go) OUTSOURCES support to those wonderful firms such as Computer Sciences Corp (now CSRA for public accounts) and they are awful in every single way.  I know!  CSC destroyed Aon group after outsourced in 2004-2005 and to this day it is a horror.  Know nothing of security and their only concern per client is to GET PAID. 
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
7/11/2018 | 8:03:44 PM
Recalling Internet Census 2012 and Carna
I don't know how many folks remember Carna and the paper published based on its Internet scanning findings "Internet Census 2012: Port scanning /0 using insecure embedded devices", but this article calls to mind some my more radical ideas about "getting there first". Breaches like this are painful because they feel so simple to have prevented in the first place.

Consider (putting aside whatever your ideas of privacy currently are) what happened here. As a result of 1) lack of implemented security standards for networked hardware configuration, 2) failure to upgrade networked hardware and/or firmware, 3) failure to properly secure sensitive documents and streaming data and 4) research on a publicly accessible search engine for networked devices, what can be considered a critical military breach occurred.

For those who recall Carna, an Internet "researcher" ran a bot that scanned for all intents and purposes the entire Internet, collecting over 9TB of data on connected devices, including those with open access due to poor configuration. Back in 2011/2012 almost anyone could do this; especially with search engines like Shodan online, literally anyone can do this. In many cases, exploits are a question of who "gets there first". With so much publicly accessible data on hackable systems attached to the Internet, how is it on a daily basis the "good guys" aren't "getting there first" and closing the holes?

As I said, putting aside all opinions on privacy, breaches like this happen for really basic and stupid reasons. But with those opinions set to the side, what's to say the military can't also be sitting in front of Shodan and looking for its own networked devices that are in danger of being compromised? Whats to say hardened versions of Carna can't be running out of financial institutions and monitored 24/7 to help them harden networks, or from military bases globally to keep the random laptops from popping up, maybe on a U.S. military base in Kandahar, that have holes ready to exploit?

I've always been a proponent of combative security, and it seems natural to suggest that as easy as this breach was to commit, it could have been just as easy to prevent with the right people on the other side of it looking for the same thing as the cybercriminals, but "getting there first" thanks to using the same techniques.

But of course, these techniques are not legal in most contexts (not sure if it's a crime to RSS Shodan data, but that alone isn't really sufficient to arm yourself and your network against potential intruders), so until we can iron out that detail we may continuing seeing these breaches happen due to painfully simple failures in security protocol and executed in painfully simple and publicly accessible methods.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
Most Malware Arrives Via Email
Dark Reading Staff 10/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1744
PUBLISHED: 2018-10-15
IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148423.
CVE-2018-1747
PUBLISHED: 2018-10-15
IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 148428.
CVE-2018-18324
PUBLISHED: 2018-10-15
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via the admin/fileManager2.php fm_current_dir parameter, or the admin/index.php module, service_start, service_fullstatus, service_restart, service_stop, or file (within the file_editor) parameter.
CVE-2018-18322
PUBLISHED: 2018-10-15
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.
CVE-2018-18323
PUBLISHED: 2018-10-15
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI.