* The blog was updated on 5/20/2013 to correct the target of the analyzed hacked-server screenshot *
Yesterday, EC Council was reported to have been compromised by a hacker called “Godzilla”. Based on the published materials, it seems that the hacker gained access to training course material for several certification programs.
This is not the first time that EC Council related sites have been reported hacked. Two years ago hackers breached the EC Council academy site, eccouncilacademy.org. Here is our analysis of that EC Council academy hack:
Analyzing the screenshot published by the hacker shows that the server was compromised through the upload of the WSO web shell.
The shell was most likely uploaded by exploiting a known vulnerability in the Joomla CMS (Content Management System) the site runs on; judging by the file dates in the screenshot, the installation had not been updated since 2010.
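Two things in that screenshot are worth turning into a routine check: the shell's content (WSO carries recognisable strings) and its file date (a freshly written PHP file on a tree nobody has touched since 2010). The script below is an added example, not code from the post or from EC Council; it scans a web root for both signals. The WSO strings (`FilesMan`, `$auth_pass`) are assumptions drawn from commonly published WSO variants, the fixture tree is constructed, and the `images/stories` upload path is an assumption about a typical Joomla layout.

```python
import os
import re
import statistics
import tempfile
import time
from pathlib import Path

# Content indicators.  The WSO-specific strings ("FilesMan", "$auth_pass") are
# an assumption drawn from commonly published WSO variants; the others are
# generic PHP obfuscation/eval patterns that legitimate CMS code rarely uses.
SHELL_INDICATORS = {
    "wso_filesman": re.compile(rb"FilesMan"),
    "wso_auth_pass": re.compile(rb"\$auth_pass\s*="),
    "eval_obfuscated": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace_e": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
}


def match_indicators(data):
    """Return the names of every indicator that matches the file content."""
    return [name for name, rx in SHELL_INDICATORS.items() if rx.search(data)]


def scan_webroot(root, gap_days=90.0):
    """Scan every .php file under root.

    A file is reported when it contains a shell indicator, or when its mtime is
    more than gap_days newer than the median mtime of all PHP files: on an
    install that has not been patched for years, a freshly written PHP file
    stands out exactly the way the file date in the screenshot did.
    """
    root = Path(root)
    php_files = [p for p in root.rglob("*.php") if p.is_file()]
    if not php_files:
        return []
    mtimes = {p: p.stat().st_mtime for p in php_files}
    baseline = statistics.median(list(mtimes.values()))
    findings = []
    for path in php_files:
        hits = match_indicators(path.read_bytes())
        newer = (mtimes[path] - baseline) > gap_days * 86400
        if hits or newer:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "indicators": hits,
                "newer_than_tree": newer,
            })
    return findings


def build_fixture(root):
    """Constructed sample tree (not real Joomla code): three stale core files
    dated 2010 and one fresh shell dropped under an upload directory."""
    root = Path(root)
    stale = time.mktime((2010, 6, 1, 0, 0, 0, 0, 0, -1))
    legit = {
        "index.php": b"<?php\ndefine('_JEXEC', 1);\nrequire_once 'includes/framework.php';\n",
        "configuration.php": b"<?php\nclass JConfig { public $offline = '0'; }\n",
        "administrator/index.php": b"<?php\ndefine('_JEXEC', 1);\n",
    }
    for rel, body in legit.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(body)
        os.utime(f, (stale, stale))
    shell = root / "images" / "stories" / "wso.php"   # upload path is an assumption
    shell.parent.mkdir(parents=True, exist_ok=True)
    shell.write_bytes(
        b"<?php\n$auth_pass = '0123456789abcdef0123456789abcdef';  // placeholder hash\n"
        b"$default_action = 'FilesMan';\n"
        b"eval(base64_decode('...'));\n")
    # The shell keeps its creation time ("now"), so it is far newer than the tree.


def demo():
    """Build the fixture in a temp dir and return the scanner's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the constructed tree only `images/stories/wso.php` is reported, with three indicators and the mtime flag. The mtime heuristic on its own will fire on legitimately updated files, so treat it as a triage signal to combine with the content indicators and with the integrity data your package manager or CMS updater already keeps.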
What is the takeaway here?
While we could take the provocative angle of pointing at a company whose revenue comes mostly from teaching professionals about security getting hacked, let's be honest: this can happen to any company, and history has proved the point. Instead, we would rather highlight an interesting trend: CMS exploitation is becoming more and more popular.
The CMS exploitation attack vector is very common; in fact, a simple search on one specific flavor (Joomla) returned 629 CVEs. Thousands of CMS vulnerabilities exist in the CVE database, and hundreds more exist in 0day databases.
Why does this matter?
Businesses rely on third-party software and platforms to conduct their online business, and it is very common to use a CMS such as Joomla, or even SharePoint, to simplify delivering a rich website. By doing so, however, the website inherits every vulnerability found in that CMS.
This creates an interesting playing field for hackers: they can use Google dork techniques and similar searches to fingerprint the many websites running a specific CMS, easily locate many targets, and exploit them with either a known exploit (if the system is not up to date, as appears to have been the case here) or a 0day, covering a lot of surface with little effort. Here is an example of a search term that looks for a specific function of a known CMS which is known to be vulnerable, in order to identify potential targets; the result is astounding: ~263,000 potential targets.
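The same fingerprinting that feeds a dork works against your own estate, and running it yourself tells you what an attacker's search will find. The script below is an added example (not from the post) that identifies the CMS and version from a single HTTP response. It keys on the `generator` meta tag, which is exactly the kind of string dorks search for, and falls back to CMS-specific URL paths so that stripping the generator tag does not hide the platform. The regexes, path hints and the three sample responses are my own assumptions about typical Joomla and WordPress markup, constructed for the example.

```python
import re

# The generator meta tag is the classic dork/fingerprint target.  Regexes and
# path hints below are assumptions about typical Joomla/WordPress markup.
GENERATOR_RX = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)

VERSION_RX = {
    "Joomla": re.compile(r"Joomla!?\s*v?([\d.]+)", re.I),
    "WordPress": re.compile(r"WordPress\s*v?([\d.]+)", re.I),
}

# Paths that survive even when an admin strips the generator tag.
PATH_HINTS = {
    "Joomla": [r"/components/com_\w+", r"/media/system/js/", r"/templates/[\w-]+/", r"/administrator/"],
    "WordPress": [r"/wp-content/", r"/wp-includes/", r"/wp-admin/"],
}


def fingerprint(body, headers=None):
    """Identify CMS and version from one HTTP response (body text + headers)."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    result = {"cms": None, "version": None, "confidence": "none", "evidence": []}

    m = GENERATOR_RX.search(body)
    if m:
        gen = m.group(1)
        result["evidence"].append("generator: " + gen)
        for cms, rx in VERSION_RX.items():
            if cms.lower() in gen.lower():
                result["cms"] = cms
                result["confidence"] = "high"
                vm = rx.search(gen)
                if vm:
                    result["version"] = vm.group(1).rstrip(".")
                break

    # Path-based evidence: counted per CMS, used as fallback when no generator tag.
    hits = {cms: [h for h in hints if re.search(h, body)] for cms, hints in PATH_HINTS.items()}
    best = max(hits, key=lambda c: len(hits[c]))
    if hits[best]:
        result["evidence"].extend("path: " + h for h in hits[best])
        if result["cms"] is None:
            result["cms"] = best
            result["confidence"] = "medium" if len(hits[best]) >= 2 else "low"

    powered = headers.get("x-powered-by")
    if powered:
        result["evidence"].append("x-powered-by: " + powered)
    return result


# Constructed sample responses (body, headers); not captured from any real site.
SAMPLE_RESPONSES = {
    "joomla_with_generator": (
        '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />'
        '<script src="/media/system/js/mootools.js"></script></head>'
        '<body><a href="/index.php?option=com_content">news</a></body></html>',
        {"X-Powered-By": "PHP/5.2.17"}),
    "joomla_generator_stripped": (
        '<html><head><link href="/templates/beez/css/template.css" rel="stylesheet" />'
        '<script src="/media/system/js/caption.js"></script></head>'
        '<body><img src="/components/com_user/assets/logo.png"><a href="/administrator/">login</a></body></html>',
        {}),
    "wordpress": (
        '<html><head><meta name="generator" content="WordPress 3.5.1" />'
        '<link href="/wp-content/themes/twentytwelve/style.css" rel="stylesheet" /></head></html>',
        {}),
}


if __name__ == "__main__":
    for name, (body, headers) in SAMPLE_RESPONSES.items():
        print(name, fingerprint(body, headers))
```

The second sample is the one to note: with the generator tag removed, four path hints still identify Joomla. Hiding the banner is not a substitute for patching; the only thing that takes a site out of the dork results is no longer running the vulnerable version.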
What can an organization do to protect itself?
This hack could probably have been prevented either by consistently patching all third-party code in the application, or by deploying a web application firewall in front of it. The two are complementary: patching removes the vulnerability, while a WAF buys time by blocking known exploit and web shell traffic until the patch is applied.
Where can I learn more?
Going back to our HII report from January (“Lessons learned from the Yahoo hack”): there we showed how third-party code may contain vulnerabilities and security holes that result in a hack. That report is of course not the same case, since it dealt with a third-party service that was compromised; the security implications, however, are the same.