Just another day at the office. Anonymous hacked into a Federal Reserve computer. Wait, what? Don’t worry, the attackers did not make off with any money, as far as we can tell, or disrupt any critical functions. What did they get? Just the details of 4000 bank executives. The data has been posted to pastebin and hosted on several compromised sites including other government sites. Someone even sent me a link to the data hosted on a gov.cn server! Here is an example of the column headers of the stolen data:
As you can see, this is a spearphishing bonanza and even a password reuse bonanza for whoever can crack the password hashes. It doesn’t look like any of these are internal Federal Reserve System accounts, as those would have FRS AD UIDs associated with each account. Still, this is about the most valuable account dump, by quality, I have seen in a while.
The Federal Reserve has admitted the breach was real and describes the reason as “The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product. The vulnerability was fixed shortly after discovery and is no longer an issue.” Edit: A few people have told me this is the website that was compromised: https://www.stlouisfed.org/bsr/ecs/index.cfm
The extension CFM tells us the application was programmed in ColdFusion. The 6 top vulnerabilities in ColdFusion from Veracode’s SoSS are XSS, SQL Injection, Infoleak, Directory Traversal, CRLF injection, and OS Command Injection. Any of those vulnerabilities could be exploited to gain access to this type of data.
I wish they would just come out and say exactly what the problem was so that other users of the “website vendor product” could check to see if they are vulnerable and ask the vendor how to fix it. The attackers already know the vulnerability so it is likely many more sites are being exploited with the same vulnerability. Who exactly is the Fed protecting by not releasing this information? The security community needs your help.
So we are left to speculate on what could have gone wrong. Websites are often made up of a mix of commercial, open source and custom web application code. Any of those applications could be configured incorrectly, which might give access to a file or a database that contained the compromised information. It is also very possible it was an application vulnerability such as SQL injection, directory traversal, or authorization bypass that allowed the attackers to get at the data.
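As an added illustration, not code from this post or from the compromised site, here is what two of the vulnerability classes named above (SQL injection and directory traversal) typically look like in ColdFusion, each beside its hardened form. The datasource, table, column and URL parameter names are assumptions.

```cfml
<!--- Example 1: SQL injection --->

<!--- Vulnerable: url.bankId is concatenated straight into the SQL text,
      so a user-controlled value can change the structure of the query. --->
<cfquery name="execs" datasource="#application.dsn#">
    SELECT name, email, phone
    FROM   executives
    WHERE  bank_id = #url.bankId#
</cfquery>

<!--- Hardened: cfqueryparam binds the value as a typed parameter; the
      database never interprets it as part of the SQL statement. --->
<cfquery name="execs" datasource="#application.dsn#">
    SELECT name, email, phone
    FROM   executives
    WHERE  bank_id = <cfqueryparam value="#url.bankId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Example 2: directory traversal --->

<!--- Vulnerable: the requested file name is used as-is, so "../" sequences
      can walk out of the reports directory. --->
<cffile action="read"
        file="#expandPath('./reports/') & url.report#"
        variable="reportText">

<!--- Hardened: accept only a strict allowlist of file names, then read from
      the fixed directory. Anything else is rejected before touching the disk. --->
<cfif NOT reFind("^[A-Za-z0-9_-]{1,64}\.txt$", url.report)>
    <cfthrow type="InvalidRequest" message="Unexpected report name">
</cfif>
<cffile action="read"
        file="#expandPath('./reports/') & url.report#"
        variable="reportText">
```

The same pattern applies to the other classes on the Veracode list: treat every request value as untrusted, bind or validate it before it reaches SQL, the filesystem, the shell, or the HTML response.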
The testing and remediation for these problems is typically not difficult, so it is surprising that an organization like the Federal Reserve would have this type of vulnerability on a website containing sensitive information. I can only surmise that the Fed does not have a supply chain security testing program to help handle its S.O.U.P. With a supply chain security testing program, any commercial, open source, or otherwise third-party software would need to have security testing performed on it, and its vulnerabilities remediated, before being deployed on a server.
I hope that we can find out further details of the breach, so that in the short term we can all protect ourselves if we have the same vulnerability, and so that we can learn how this could have been prevented with better IT security processes and supply chain security testing.
A final thought. What do you think the cost of this breach is? The Ponemon survey data shows that the average cost per financial services record breached is $247. Using that calculation, the breach cost $247 x 4607 = $1,137,929. I would argue a breach of this type will cost much, much more. That is because thousands of organizations are currently resetting executives’ passwords on all the systems where there may have been password reuse and are following their incident response protocols.