The Server Pirates

Piracy on the high seas has been a problem ever since the first boats set sail, but in recent times, with the vessels so huge and the cargo so valuable, the potential losses are greater than ever before, not to mention the risk to lives in possible hostage situations.

While attacks on ships in the waters off Somalia have fallen dramatically in recent years, new hotspots in south-east Asia have emerged, causing huge worry for shipping firms that ply the waters in that part of the world. And it doesn’t help that some of the pirates are getting smarter about the way they plan and execute the raids. One global shipping company noticed how the seaborne criminals suddenly started to carry out their raids with far greater efficiency, but couldn’t work out why. They’d board the boats, force the crew into a single area, head straight to specific containers, nab the targeted goods, and quickly slip away. Puzzled about the pirates’ new methods, the company contacted the Verizon RISK (Research, Investigations, Solutions, and Knowledge) Team, which carries out cyber investigations for hundreds of commercial enterprises and government agencies every year around the world. After some research, it turned out these particular pirates were a tech-savvy bunch.

Hacking the computer systems of the unnamed shipping company, they were able to access all the information they needed to plan methodical raids as precise as they were profitable. The pirates knew the ship, the route, the cargo, and the exact containers that held the goods they were after. “They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate – and that crate only – and then depart the vessel without further incident. Fast, clean and easy,” Verizon said in its recently published security report. While undoubtedly more sophisticated than many of the sea-based attacks that had gone before, these pirates evidently still had quite a bit to learn before they could carry out the perfect hack. For example, they failed to use proxies to hide their network address, and even sent all of their commands over the Internet in plain text, enabling RISK to get a clear handle on the nature of the pirates’ actions. “These threat actors, while given points for creativity, were clearly not highly skilled,” Verizon’s security team said. “For instance, we found numerous mistyped commands and observed that the threat actors constantly struggled to interact with the compromised servers.”

Pirates used information stolen from a global shipping company’s servers to target cargo ships on the high seas and steal specific shipments. Technology and communications specialist Verizon described the hack in its annual data breach post mortem released last week. The Verizon team was contacted by a global shipping conglomerate that advised they were having problems with piracy. Not software piracy, actual piracy.

Over the last several months, pirates had been attacking the company’s ships while they were on the high seas. Piracy wasn’t a new problem for this (or any other) shipping company, but in recent months the pirates had changed their tactics in a manner that the victim found extremely disconcerting. Rather than spending days holding boats and their crews hostage while they rummaged through the cargo, these pirates began to attack vessels in an extremely targeted and timely fashion. Specifically, they would board a vessel, force the crew into one area, and depart within a short amount of time. When crews eventually left their safe rooms hours later, they found that the pirates had headed straight for certain cargo containers. It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the crates being moved.

With this background information in hand, Verizon began to enumerate where this type of information resided within the shipping company’s systems environment. What Verizon learned was that the company used a home-grown system, exposed through a web server, to manage shipping inventories and specifically the various bills of lading associated with each of its vessels. The investigators then discovered that a malicious web shell had been uploaded onto that server. The attackers had abused an insecure upload script to drop the web shell into a directory that was both web-accessible and configured to execute scripts, so they could invoke it directly by URL; no Local File Inclusion (LFI) or Remote File Inclusion (RFI) was required. The web shell let the attackers interact with the web server, upload and download data, and run arbitrary commands, which in turn let them pull down bills of lading for future shipments and identify sought-after crates and the vessels scheduled to carry them.
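The flaw above is an upload handler that trusts the client-supplied file name and writes into a directory the web server both serves and executes. As an added illustration (not the shipping company’s code, which was never published, and with the language, paths, allowed extensions and the PHP-style web shell all assumed for the example), here is a constructed handler in that vulnerable shape next to a hardened version that would have stopped the same upload:

```python
"""Added example (not the shipping company's code, which was never published):
a constructed upload handler in the vulnerable shape described above, next to a
hardened version. Paths, extensions and the PHP-style web shell are assumptions."""
import os
import secrets
import tempfile
from pathlib import Path

# Constructed layout: everything under WEB_ROOT is served by the web server and
# the "uploads" directory has script execution enabled, as in the case above.
WEB_ROOT = Path(tempfile.mkdtemp()) / "htdocs"
UPLOAD_DIR_VULN = WEB_ROOT / "uploads"                 # inside the web root
UPLOAD_DIR_SAFE = WEB_ROOT.parent / "private_uploads"  # outside the web root
for _d in (UPLOAD_DIR_VULN, UPLOAD_DIR_SAFE):
    _d.mkdir(parents=True, exist_ok=True)

ALLOWED_EXTENSIONS = {".pdf", ".csv"}   # what a bill-of-lading attachment may be (assumed)
MAX_BYTES = 5 * 1024 * 1024


def vulnerable_upload(filename: str, data: bytes) -> str:
    """Insecure handler: trusts the client-supplied name and writes into the
    web root. A file named shell.php lands at /uploads/shell.php and the server
    executes it on the next request, so the attacker just browses to it."""
    dest = UPLOAD_DIR_VULN / filename   # no check on name, extension or content
    dest.write_bytes(data)
    return "/uploads/" + filename       # the URL the attacker will call


class UploadRejected(ValueError):
    """Raised by the hardened handler for anything that is not a plain data file."""


def hardened_upload(filename: str, data: bytes) -> str:
    """Hardened handler: allow-list the type, sniff the content, choose the
    stored name server-side, keep it outside the web root and non-executable.
    Returns an opaque token; a separate download endpoint would serve the file
    by token with Content-Disposition: attachment, never as a script."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    ext = Path(filename).suffix.lower()       # last suffix only: "shell.pdf.php" -> ".php"
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    head = data[:1024]
    if ext == ".pdf" and not head.startswith(b"%PDF-"):
        raise UploadRejected("content is not a PDF")
    if b"<?php" in head or b"<%" in head or head.startswith(b"#!"):
        raise UploadRejected("script content in upload")
    token = secrets.token_hex(16)             # server-chosen name: no traversal, no .php
    dest = UPLOAD_DIR_SAFE / f"{token}{ext}"
    dest.write_bytes(data)
    os.chmod(dest, 0o640)                     # readable by the app, never executable
    return token
```

The content sniff is deliberately cheap; the controls that matter are the server-chosen name, the storage location outside the document root, and the non-executable mode. Even if a script did get past the allow-list, nothing in `private_uploads` is ever served by the web server, let alone executed.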

However, the attackers made several mistakes, which Verizon was able to capitalize on in its investigation. They never enabled SSL on the web shell, so it was driven over plain HTTP and every command crossed the Internet in plain text. This allowed Verizon to write code to extract those commands from the full packet capture (FPC) data. The attackers were not highly skilled, and Verizon found numerous mistyped commands. They also showed a lack of concern for their own operational security by failing to use a proxy and connecting directly from their home system, which exposed their real IP address. With all the information gathered, Verizon was able to provide a clear and concise timeline of actions, compromised web hosts and data that was at risk. The shipping company then shut down the compromised servers, which, although important, weren’t immediately critical to business operations. After blocking the threat actors’ IP address, the company reset all the compromised passwords and rebuilt the affected servers. Blocking a single source address is only a stopgap that works against an adversary who, like this one, never bothers with a proxy; the rebuild and the password resets are what actually removed the foothold. Moving forward, the company started regular vulnerability scans of its web applications, which are what should catch an upload flaw like this before it is reused, and implemented a more formal patch management process.
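Because the shell ran over plain HTTP, every command is recoverable from the capture once the TCP streams are reassembled. As an added example (not Verizon’s investigation code), here is how that extraction step can look in Python. It assumes the FPC data has already been reassembled into individual HTTP requests (Wireshark’s Follow TCP Stream or Zeek’s http.log both get you there), that the shell lives at `/uploads/img.php` and takes its command in a `cmd` parameter, and that the timestamps, IP addresses and commands are constructed for illustration; it also flags command words that are not known binaries, which is how mistypes like the ones Verizon reported surface in the timeline:

```python
"""Added example (not Verizon's investigation code): reconstructing a web-shell
session from plaintext HTTP requests, the way commands can be pulled out of
full packet capture (FPC) data when the shell is used without TLS.

Assumptions: TCP streams have already been reassembled into individual HTTP
requests; the shell lives at /uploads/img.php and takes its command in a "cmd"
parameter. All traffic below is constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import parse_qs

SHELL_PATH = "/uploads/img.php"   # assumed location of the uploaded web shell
CMD_PARAM = "cmd"                 # assumed parameter name

# Binaries a typical Linux-facing web shell session would use; anything else
# in command position is flagged for a human to look at (typos, unknown tools).
KNOWN_BINARIES = {"whoami", "id", "uname", "pwd", "ls", "cat", "find", "grep",
                  "tar", "zip", "wget", "curl", "cd", "echo", "ps", "netstat"}

# Constructed sample: (capture timestamp, client IP, reassembled HTTP request).
# Headers are trimmed to what the parser needs; IPs are documentation ranges.
CAPTURED_REQUESTS = [
    ("2016-01-09T02:14:07Z", "203.0.113.45",
     "POST /uploads/img.php HTTP/1.1\r\nHost: manifests.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\ncmd=whoami"),
    ("2016-01-09T02:14:31Z", "203.0.113.45",
     "GET /uploads/img.php?cmd=id HTTP/1.1\r\nHost: manifests.example\r\n\r\n"),
    ("2016-01-09T02:15:02Z", "198.51.100.7",       # an ordinary visitor, not the shell
     "GET /index.html HTTP/1.1\r\nHost: manifests.example\r\n\r\n"),
    ("2016-01-09T02:15:40Z", "203.0.113.45",
     "POST /uploads/img.php HTTP/1.1\r\nHost: manifests.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "cmd=lss+-la+%2Fvar%2Fwww%2Fapp%2Fbol"),        # mistyped "ls"
    ("2016-01-09T02:16:12Z", "203.0.113.45",
     "POST /uploads/img.php HTTP/1.1\r\nHost: manifests.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "cmd=ls+-la+%2Fvar%2Fwww%2Fapp%2Fbol"),
    ("2016-01-09T02:18:55Z", "203.0.113.45",
     "POST /uploads/img.php HTTP/1.1\r\nHost: manifests.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "cmd=tar+czf+%2Ftmp%2F.b.tgz+%2Fvar%2Fwww%2Fapp%2Fbol%2F2016-02"),
]


@dataclass
class ShellCommand:
    ts: str
    src: str
    command: str
    suspect: bool   # True when the command word is not a known binary


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, params). Parameters come
    from the query string for GET and from the form body for POST."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    path, _, query = target.partition("?")
    params = parse_qs(query if method == "GET" else body)
    return method, path, params


def extract_commands(captured, shell_path=SHELL_PATH, param=CMD_PARAM):
    """Return the ordered list of commands sent to the web shell."""
    found = []
    for ts, src, raw in captured:
        _, path, params = parse_request(raw)
        if path != shell_path or param not in params:
            continue                                   # not a shell interaction
        cmd = params[param][0]                         # parse_qs already URL-decoded it
        word = cmd.split()[0] if cmd.split() else ""
        found.append(ShellCommand(ts, src, cmd, word not in KNOWN_BINARIES))
    return found


def summarize(commands):
    """Per-source-IP timeline summary: count, suspected typos, first and last seen."""
    by_src = {}
    for c in commands:
        by_src.setdefault(c.src, []).append(c)
    return {src: {"count": len(cs), "suspect": sum(c.suspect for c in cs),
                  "first": cs[0].ts, "last": cs[-1].ts}
            for src, cs in by_src.items()}


if __name__ == "__main__":
    session = extract_commands(CAPTURED_REQUESTS)
    for c in session:
        print(c.ts, c.src, ("TYPO? " if c.suspect else "") + c.command)
    print(summarize(session))
```

The per-source summary is the part that becomes the timeline handed to the victim: one address, a first-seen and last-seen time, and the exact commands in between. With TLS on the shell, or an attacker behind a proxy, neither the commands nor the single source address would have fallen out of the capture this easily.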