Vess @VessOnSecurity, 15 tweets, 2 min read
So, some time ago, the site of a customer of ours gets breached, because they used a version of Joomla that's older than my shoes.

Suddenly, all their visitors are forced to mine cryptocurrencies in their browsers, which tends to be a tad annoying for them.
But no problem, hey? Can happen to anyone. That's why you call a security team - to fix up your shit that's messed up.

Sysadmin doesn't give us full access to their system because "security". We're given access only to the webroot folder.
We clean up the crypto mining scripts but find something else.

Somebody has installed a web shell. Whoever could enter through that web shell has wider access to the system than is given to us for investigating it.
We report the situation to the sysadmin, including the fact that we have removed the crypto mining scripts and that we have found a web shell giving wide access to the system to the attacker.
We're still not granted additional access for investigating any further. "You removed the scripts, right? System is clean now, right? Problem solved."
We point out that they are running outdated and vulnerable software and that it's only a matter of (not very long) time until they get breached again.
At this point the sysadmin goes ballistic. "I'm just the sysadmin! It's not my job to do software updates! I don't even know what that software is! Talk to whoever designs the web site!"
We talk to the web designer, because what else can we do?

He goes ballistic too. "Hey, I just design web sites! I know how to use this software, so I have this software installed. It's not my job to fix security problems in it!"
At this point we give up, because there is nothing else we can do and at least their visitors aren't cryptomining any more.
A few days ago their users start receiving the currently fashionable extortion spam that tells the recipient "this is your password, I recorded you watching porn, pay a ransom for me to keep silent" and the password is indeed their password.
You think the two incidents might be somehow related? Nahh, probably not.
This being a Bulgarian institution on a state budget (read: no money), paying the ransom isn't an issue here.

The issue is that someone has probably compromised the bulk of their passwords (many but not all) and might still have God knows what installed on their system.
Remember, kids, the third law of computer security:

"If you run the bad guy's program on your computer, that's no longer your computer."
If your system is compromised (sometimes even if you just suspect it to be so), the right thing to do is "burn it to the ground" - i.e., format, re-install, and make sure everything is patched.
But these aren't our machines. We can only advise; we can't bash their heads in and do the right thing. That's up to them.

End of story.