Case Study: Pirates Hack Cargo Management System
Pirates used hacked information from a global shipping company’s servers to target and capture cargo ships on the high seas. Technology and communications specialist Verizon described the hack in its annual data breach post mortem released on Tuesday.
Verizon’s Post Mortem
The Verizon team was contacted by a global shipping conglomerate that advised they were having problems with piracy. Not software piracy, actual piracy.
Over the last several months, pirates had been attacking their ships on established shipping routes on the high seas. Piracy wasn't a new problem for this (or any other) shipping company. However, in recent months, the pirates had changed their tactics somewhat, and in a manner that the victim found extremely disconcerting.
Rather than spending days holding boats and their crew hostage while they rummaged through the cargo, these pirates began to attack shipping vessels in an extremely targeted and timely fashion. Specifically, they would board a vessel, force the crew into one area and within a short amount of time they would depart. When crews eventually left their safe rooms hours later, it was to find that the pirates had headed straight for certain cargo containers.
It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved. They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate, and that crate only, and then depart the vessel without further incident. Fast, clean and easy.
Response and investigation
With this background information in hand, Verizon began to enumerate where this type of information resided within the shipping company’s systems environment. What Verizon learned was that the company used a home-grown system to manage shipping inventories and specifically the various bills of lading associated with each of their shipping vessels.
The investigators then discovered that a malicious web shell had been uploaded onto the server. The hackers used an insecure upload script to place the web shell and then called it directly: the upload directory was web accessible and had execute permissions set on it, so no Local File Inclusion (LFI) or Remote File Inclusion (RFI) trick was required.
Essentially, this allowed the hackers to interact with the webserver and perform actions such as uploading and downloading data as well as running various commands. It allowed them to pull down bills of lading for future shipments and identify sought-after crates and the vessels scheduled to carry them.
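The root cause above is an upload handler that trusts the client's filename and writes into a directory the web server both serves and executes. The following is an added example, not code from the shipping company's home-grown system or from the Verizon report: it puts a minimal version of that insecure handler beside a hardened one. The directory layout, the extension allowlist, the magic-byte table and the sample "shell.php" upload are all assumptions for illustration.

```python
"""
Insecure upload handler beside a hardened one (added example, not the
victim's code). Paths, allowlist and sample uploads are assumptions.
"""
import os
import secrets
import tempfile

# Hypothetical layout (assumption): the web server serves everything under
# WEB_ROOT and will execute scripts it finds there. UPLOAD_STORE is a
# separate directory that is never served or executed.
WEB_ROOT = tempfile.mkdtemp(prefix="webroot_")
UPLOAD_STORE = tempfile.mkdtemp(prefix="uploads_")

# Allowed extension -> bytes a genuine file of that type must start with.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Constructed stand-in for an uploaded web shell (not a real shell).
SHELL = b"<?php system($_GET['cmd']); ?>"


def vulnerable_upload(client_filename: str, data: bytes) -> str:
    """Trusts the client-supplied name and writes under the web root.

    Uploading 'shell.php' and then requesting /uploads/shell.php runs it;
    no LFI/RFI is needed because the directory is served and executable.
    """
    dest = os.path.join(WEB_ROOT, "uploads", os.path.basename(client_filename))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def hardened_upload(client_filename: str, data: bytes) -> str:
    """Allowlists the extension, checks the file's magic bytes, and stores
    the file outside the web root under a server-chosen random name with
    no execute bit. Raises ValueError on anything that does not pass.

    Even if an attacker prepends a valid PDF header to script content, the
    file is never reachable through the web server, so it is never run.
    """
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    # Random name chosen by the server: the client never controls the path.
    dest = os.path.join(UPLOAD_STORE, secrets.token_hex(16) + ext)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def is_under_web_root(path: str) -> bool:
    """True if the stored file would be served (and possibly executed)."""
    root = os.path.realpath(WEB_ROOT)
    return os.path.commonpath([os.path.realpath(path), root]) == root


def mode_bits(path: str) -> int:
    """Permission bits of the stored file, for checking no execute bit."""
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    print("vulnerable:", vulnerable_upload("shell.php", SHELL))
    try:
        hardened_upload("shell.php", SHELL)
    except ValueError as exc:
        print("hardened rejected shell.php:", exc)
    print("hardened:", hardened_upload("manifest.pdf", b"%PDF-1.4\n%constructed\n"))
```

The two controls that matter most are the last two: a name the client never sees and a directory the web server never serves. Extension and magic-byte checks alone are bypassable with double extensions or polyglot files, which is why the hardened version treats them only as a first filter.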
However, the hackers made several mistakes, which Verizon was able to capitalize on in its investigation. They failed to enable SSL on the web shell, so all the commands were sent over the internet in plain text. This allowed Verizon to write code to extract those commands from the full packet capture (FPC) data.
The hackers were not highly skilled, and Verizon found numerous mistyped commands. The hackers also showed a lack of concern for their own operational security by failing to use a proxy and connecting directly from their home system.
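Because the web shell spoke plain HTTP, every command the attackers ran is sitting in the capture as a query string or form body. The following is an added example, not the code Verizon wrote for this case: it walks reassembled HTTP requests, keeps only those aimed at the web shell, and pulls the command parameter into a timeline, which also surfaces the mistyped commands and the single direct source address mentioned above. The shell path (/uploads/shell.php), the parameter name (cmd), the host name, the IP addresses and the request contents are all constructed for illustration.

```python
"""
Extract web-shell commands from plaintext HTTP in a packet capture
(added example, not Verizon's code). All requests below are constructed.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

SHELL_PATH = "/uploads/shell.php"   # assumption: where the shell was dropped
CMD_PARAM = "cmd"                   # assumption: the shell's command parameter
HOST = b"bol.example.internal"      # assumption: the bills-of-lading server


def _get(path: str, **params) -> bytes:
    """Build a raw GET request; params are URL-encoded into the query."""
    target = path + ("?" + urlencode(params) if params else "")
    return f"GET {target} HTTP/1.1\r\n".encode() + b"Host: " + HOST + b"\r\n\r\n"


def _post(path: str, **params) -> bytes:
    """Build a raw form POST with a correct Content-Length."""
    body = urlencode(params).encode()
    return (f"POST {path} HTTP/1.1\r\n".encode() + b"Host: " + HOST + b"\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            + f"Content-Length: {len(body)}\r\n\r\n".encode() + body)


# Constructed stand-in for streams reassembled from FPC:
# (timestamp, client IP, raw HTTP request bytes).
CAPTURED_REQUESTS = [
    ("T+00:00", "203.0.113.45", _get(SHELL_PATH, cmd="ls -la /var/www/html/bol")),
    ("T+00:34", "203.0.113.45", _post(SHELL_PATH, cmd="catt bol/MV-EXAMPLE-2016-02.xml")),  # typo
    ("T+00:41", "203.0.113.45", _post(SHELL_PATH, cmd="cat bol/MV-EXAMPLE-2016-02.xml")),
    ("T+01:10", "198.51.100.7", _get("/index.php")),                                       # ordinary user
    ("T+02:05", "203.0.113.45", _post(SHELL_PATH, cmd="tar czf /tmp/bol.tgz bol/")),
]


def parse_request(raw: bytes):
    """Split one raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return method, target, headers, body


def extract_shell_commands(captures, shell_path=SHELL_PATH, param=CMD_PARAM):
    """Return [(timestamp, src_ip, method, command)] for requests that hit
    the shell with the command parameter, from GET query or POST form body."""
    timeline = []
    for ts, src, raw in captures:
        method, target, headers, body = parse_request(raw)
        url = urlsplit(target)
        if url.path != shell_path:
            continue
        params = parse_qs(url.query)
        if method == "POST" and headers.get("content-type", "").startswith(
                "application/x-www-form-urlencoded"):
            params.update(parse_qs(body.decode("latin-1")))
        for cmd in params.get(param, []):
            timeline.append((ts, src, method, cmd))
    return timeline


def attacker_sources(timeline):
    """Distinct client IPs that issued shell commands (one, if no proxy)."""
    return {src for _, src, _, _ in timeline}


if __name__ == "__main__":
    for entry in extract_shell_commands(CAPTURED_REQUESTS):
        print(*entry)
    print("sources:", attacker_sources(extract_shell_commands(CAPTURED_REQUESTS)))
```

In a real investigation the raw requests come from the capture tool's stream reassembly rather than from the constructed list, and the parameter name and shell path come from the shell file recovered from the server; the parsing and timeline logic stay the same. Had the shell been served over TLS, this step would have needed the server's private key or a TLS-terminating proxy log instead.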
Remediation and recovery
With all the information gathered, Verizon was able to provide a clear and concise timeline of actions, compromised web hosts and data that was at risk. The shipping company then shut down the compromised servers, which, although important, weren't immediately critical to business operations.
After blocking the threat actors’ IP address, the company reset all the compromised passwords and rebuilt the affected servers. Moving forward, they started regular vulnerability scans of their web applications and implemented a more formal patch management process.
The report is available here.