How Verizon Shut Down Real-Life Pirates on the High Seas
Software piracy is a problem in the world of technology, but what about real-life piracy? In a recent cybersecurity report, Verizon said that it helped save a shipping company from actual pirates hacking into its content management system and gaining access to confidential information on schedules and cargo aboard various ships.
The pirates took a modern approach to plundering their victims' vessels, according to Verizon’s Data Breach Digest. Instead of holding ships and their crews hostage while they went through cargo in search of something valuable, these pirates began to attack shipping vessels in more targeted ways.
After boarding a vessel, the pirates would force the crew into one area of the ship, but the pirates would be gone shortly thereafter. During their investigation, crew members would find that the pirates had headed directly for certain cargo containers. "It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved," according to the report.
How did they know where to go? It turned out that the shipping company used a homegrown content management system (CMS) to manage shipping inventories, specifically the various bills of lading associated with each of their vessels. Verizon studied the network traffic surrounding the CMS that was managing shipping routes and found that a malicious Web shell had been uploaded onto the server.
The pirates used an insecure upload script to upload the Web shell and gain access to the Web-accessible directories on the shipping company’s server. That allowed the pirates to interact with the Web server and perform such actions as uploading and downloading data and running various commands. It also let them pull down bills of lading for future shipments and identify valuable crates and the dates they were scheduled to be on board.
Although the scam worked a few times, the pirates weren’t especially skilled hackers. They failed to enable SSL on the Web shell, meaning all their commands were sent over the Internet in the form of plain text. That allowed Verizon, during its investigation, to write code that could extract these commands from the full packet capture data.
The hackers also sent several mistyped commands. In addition, they didn’t use a proxy, instead connecting directly from a home computer system. Verizon was able to build a timeline of actions, compromised Web hosts and at-risk data. The shipping company shut down the compromised servers, which it was able to do because the servers weren’t immediately critical to its business operations.
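A defender-side illustration of the extraction and timeline step described above, added here and not Verizon's own code: it assumes the Web shell took its command in a hypothetical `cmd` parameter at a hypothetical path, and runs over a few constructed HTTP requests standing in for the reassembled streams a full packet capture would yield.

```python
"""Pull web-shell commands out of plaintext HTTP requests taken from a packet capture."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Assumption (hypothetical): the shell reads its command from this parameter ...
CMD_PARAM = "cmd"
# ... and was uploaded to this path on the CMS server.
SHELL_PATH = "/uploads/shell.php"

# Constructed sample data, not real capture: (unix time, client IP, raw HTTP request),
# the shape a capture tool hands back after TCP stream reassembly. Includes one
# mistyped command and one unrelated CMS request, as in the case above.
SAMPLE_STREAMS = [
    (1457000000, "203.0.113.7",
     b"GET /uploads/shell.php?cmd=lss+-la HTTP/1.1\r\nHost: cms.example\r\n\r\n"),
    (1457000042, "203.0.113.7",
     b"GET /uploads/shell.php?cmd=ls+-la+%2Fvar%2Fwww%2Fcms%2Fbills HTTP/1.1\r\n"
     b"Host: cms.example\r\n\r\n"),
    (1457000090, "203.0.113.7",
     b"POST /uploads/shell.php HTTP/1.1\r\nHost: cms.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\n\r\n"
     b"cmd=cat+lading_0417.xml"),
    (1457000120, "198.51.100.9",
     b"GET /index.php HTTP/1.1\r\nHost: cms.example\r\n\r\n"),
]


def extract_commands(streams, shell_path=SHELL_PATH, cmd_param=CMD_PARAM):
    """Return a chronological list of (iso_time, client_ip, method, command) for
    every request that reached the shell path carrying a command parameter."""
    timeline = []
    for ts, client, raw in streams:
        head, _, body = raw.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        method, target, _ = request_line.split(" ", 2)
        url = urlsplit(target)
        if url.path != shell_path:
            continue  # ordinary CMS traffic, not shell activity
        params = parse_qs(url.query)  # GET: command in the query string
        if method == "POST":          # POST: command in the form body
            params.update(parse_qs(body.decode("latin-1")))
        for command in params.get(cmd_param, []):
            when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
            timeline.append((when, client, method, command))
    timeline.sort()
    return timeline


def command_sources(timeline):
    """Distinct client IPs that issued shell commands; a single direct address,
    as here, is what made blocking the pirates' IP straightforward."""
    return sorted({client for _, client, _, _ in timeline})
```

Running `extract_commands(SAMPLE_STREAMS)` yields three dated entries from one address, with the typo `lss -la` preserved exactly as sent.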
After blocking the pirates’ IP address, Verizon reset all the compromised passwords and rebuilt the affected servers. They also started regular vulnerability scans of their Web applications and implemented a more formal patch management process.
This account was part of a series of reports of unusual data breach scenarios uncovered by Verizon’s RISK Team, which performs cyber investigations for commercial enterprises and government agencies annually all over the world.