AAPT hack exploited 'very old' Cold Fusion hole

Powered by SC Magazine
 

Stolen data held on dedicated server.

The vulnerability used by Anonymous hackers to breach and obtain data from AAPT and Queensland Government websites was "very old", sources have told SC Magazine.

AAPT yesterday confirmed a 12-month-old backup of its business website had been compromised with hackers retrieving two "historic" data files with "limited personal customer information" compromised. The data, which is yet to be released, could amount to 600,000 records kept in a 40 GB file.

The hackers involved in the attacks told SC they broke into the dedicated server, hosted by Melbourne IT, through an unpatched Adobe Cold Fusion vulnerability.


But an industry security expert close to the incident, and speaking on the condition of anonymity, said the flaw was "very old".

"We know that the version of Cold Fusion was very old at Melbourne IT, which from an incident response point of view creates a series of challenges," they said.

"Something like Cold Fusion requires Java underneath it, and other packages — so responding to a threat means you have to scope the threat."

His report corroborates claims from some involved in the attack that the vulnerability has been publicly known since 2008.

Though it is expected the patching, upgrading and updating would have been a complex process, a spokesman for Melbourne IT said the issue was fixed "within the hour" late on Tuesday night.

The same Cold Fusion vulnerability was used in a twin attack on another dedicated server hosted by Melbourne IT in which hundreds of megabytes of seemingly benign databases owned by Queensland Government tourism sites were stolen and posted online.

The source said Melbourne IT was "flat out working with AAPT and law enforcement" and "providing some assistance to other customers".

The hosting provider did not respond to questions about whether it had contacted police. Questions to the Australian Federal Police about its involvement were deferred to the Attorney-General's Department, which did not respond.

The Department's information security response agency, CERT Australia, condemned the attacks but would not confirm its involvement in incident response.

Victoria Police referred matters of its involvement to Melbourne IT.

Melbourne IT became aware of the vulnerability after hacked Queensland Government sites were defaced on Tuesday, but the AAPT data had already been stolen by the time the patch was applied.

"The server contained AAPT data that appears to match the data Anonymous is claiming to possess," spokesman Tony Smith told SC Magazine sister site iTnews on Thursday.

Though the Anonymous-linked hackers first threatened to release ISP data as early as 2pm on Tuesday, Smith told iTnews that Melbourne IT had not approached AAPT until Wednesday afternoon.

The compromised server was later shut down at 9.30pm on Wednesday night.

"It was closed well before [AAPT was notified of the breach]," he said.

He said the company's engineers were still investigating the issue and scanning the hosting provider's remaining servers for the potential Cold Fusion vulnerability.

Security boffins at rival telcos were understood to have lent a hand to AAPT, but Melbourne IT refused to comment on the details of its incident response handling.

A former electronic crimes police officer told SC that Melbourne IT, following best practice, would have moved to preserve data through a specialist third party forensic firm before calling police.

The high-profile hacks came in apparent protest at the Federal Government's proposed data retention regime, which would mandate telcos and internet service providers to collect and keep transmission data from users for up to two years.

Copyright © SC Magazine, Australia
