
AAPT hack exploited 'very old' Cold Fusion hole

By Darren Pauli
Jul 27 2012 1:01PM

Stolen data held on dedicated server.

The vulnerability used by Anonymous hackers to breach and obtain data from AAPT and Queensland Government websites was "very old", sources have told iTnews' sister site SC Magazine.


AAPT yesterday confirmed a 12-month-old backup of its business website had been compromised, with hackers retrieving two "historic" data files containing "limited personal customer information". The data, which is yet to be released, could amount to 600,000 records kept in a 40 GB file.

The hackers involved in the attacks told SC they broke into the dedicated server, hosted by Melbourne IT, through an unpatched Adobe Cold Fusion vulnerability.

But an industry security expert close to the incident, and speaking on the condition of anonymity, said the flaw was "very old".

"We know that the version of Cold Fusion was very old at Melbourne IT, which from an incident response point of view creates a series of challenges," they said.

"Something like Cold Fusion requires Java underneath it, and other packages — so responding to a threat means you have to scope the threat."

His report corroborates claims from some involved in the attack that the vulnerability has been publicly known since 2008.

Though it is expected the patching, upgrading and updating would have been a complex process, a spokesman for Melbourne IT said the issue was fixed "within the hour" late on Tuesday night.

The same Cold Fusion vulnerability was used in a twin attack on another dedicated server hosted by Melbourne IT in which hundreds of megabytes of seemingly benign databases owned by Queensland Government tourism sites were stolen and posted online.

The source said Melbourne IT was "flat out working with AAPT and law enforcement" and "providing some assistance to other customers".

The hosting provider did not respond to questions about whether it had contacted police. Questions to the Australian Federal Police about its involvement were deferred without response to the Attorney-General's Department.

The Department's information security response agency, CERT Australia, condemned the attacks but would not confirm its involvement in incident response.

Victoria Police referred matters of its involvement to Melbourne IT.

Melbourne IT became aware of the vulnerability after hacked Queensland Government sites were defaced on Tuesday, but AAPT data was stolen by the time the patch was applied.

"The server contained AAPT data that appears to match the data Anonymous is claiming to possess," spokesman Tony Smith told iTnews on Thursday.

Though the Anonymous-linked hackers first threatened to release ISP data as early as 2pm on Tuesday, Smith said it had not approached AAPT until Wednesday afternoon.

The compromised server was later shut down at 9.30pm on Wednesday night.

"It was closed well before [AAPT was notified of the breach]," he said.

He said the company's engineers were still investigating the issue and scanning the hosting provider's remaining servers for the potential Cold Fusion vulnerability.

Security boffins at rival telcos were understood to have lent a hand to AAPT, but Melbourne IT refused to comment on details of its incident response handling.

A former electronic crimes police officer told SC that Melbourne IT, following best practice, would have moved to preserve data through a specialist third party forensic firm before calling police.

The high-profile hacks came in apparent protest against the Federal Government's proposed data retention regime, which would mandate telcos and internet service providers to collect and keep transmission data from users for up to two years.


Copyright © SC Magazine, Australia
