Hacks and Incidents

Hacked Cybercrime Forum Exposes Nearly 20,000 “Bad Actors”

Hacked Cybercrime Forum Exposes Nearly 20,000 “Bad Actors”: Cyber-criminals targeted an online community and stole member information and login credentials from the site’s forum database late Tuesday. What sets this attack apart from similar data breaches is the fact that the victims were part of a community of Eastern European cyber-criminals.

Schadenfreude, indeed.

“Verified” happens to be one of the largest online communities for Eastern European cyber-criminals, according to security firm IntelCrawler, who disclosed details of the incident to SecurityWeek. Many of the topics posted on the forums had something to do with committing online banking fraud against financial institutions in the U.S., Australia, and the United Kingdom.

The attack against Verified seems to be the work of a group of administrators from a rival cyber-crime forum.

This incident shows the cyber-crime community is just as vulnerable to attack as legitimate businesses and ordinary Internet users, IntelCrawler researchers said. There is still a good lesson to be learned here about managing vulnerabilities in software.

How The Attack Worked

The attackers exploited a PHP vulnerability (CVE-2007-2087) in CNStats STD 4.3, a Web-based application used by site administrators to monitor traffic and other statistics. The breach exposed all the attachments that had been uploaded to the forum since 2011, and the attackers also downloaded the MySQL database containing user information and login credentials for the forums.

The stolen database, all 80.92 MB, has since been uploaded to Sendspace, exposing the information for more than 18,894 “bad actors,” IntelCrawler said. Verified was created back in 2005, and its membership roster included the likes of “SEVERA,” a famous spammer who worked with Alan Ralsky, the “Spam King” who pled guilty to spam and fraud in 2009.

Law enforcement types would be able to use the profile information as a form of “deep e-crime intelligence” and make some arrests, the researchers speculated.

According IntelCrawler, the community became popular for trading of new exploit kits, and was even used by recently arrested “Paunch”, the alleged author of the Blackhole exploit kit.

Unpatched Software A Risk Every data breach is a learning opportunity, and this incident is no difference, highlighting patching and software vulnerability management. The bug was originally discovered back in 2007 in CNStats 2.12 software. Based on the description posted by vulnerability management company Secunia, the issue remains unpatched,2 major versions and almost seven years later.

Secunia rated this vulnerability “highly critical” because, if exploited successfully, could give remote attackers the ability to execute arbitrary PHP codes remotely. The vulnerability is such that the attacker won’t even need authentication to succeed in gaining system access.

People using CNStats should apply workarounds since there is no patch available for this particular flaw. Secunia noted that in order for the attack on this flaw to succeed, the “register_globals” value in PHP configuration has to be enabled and that the support for “.htaccess” files is disabled. Users using CNStats should turn register_globals off. In fact, it should be turned off by default at all times.

It’s important to keep on top of these vulnerability reports, and installing fixes when necessary. If there is no patch available, one option is to stop using the software and switch to another, preferably one with less critical vulnerabilities. Application developers have to be shown that customers won’t tolerate insecure software.

Standard