Seeweb, chronicle of an attack
First the reports, then the confirmations: over the last three days the attack that unknown parties have aimed at the customers of Seeweb, a well-regarded Italian hosting provider, has come into focus, an attack through which many sites hosted by Seeweb were turned into malware distributors. Something similar had happened to other operators in the sector only recently. What seems clear from speaking with Seeweb is that this is a new type of attack and, so far, one that is only partially explained.
"What is striking", Antonio Baldassarra, head of Seeweb, explains to Punto Informatico, "is that we are not dealing with someone who exploited vulnerabilities in the systems of the attacked servers, which run roughly half on Linux and half on Windows, but with someone who gained access via FTP with the password, that is, with the password in hand." What the intruders did on those sites had already been partially explained yesterday by PC safe: an iframe was planted on the pages that redirects visitors to a server delivering malware, in particular Rootkit.DialCall, "with the criminal goal", Baldassarra confirmed to PI, "of capturing data from users' computers."
This is therefore not the work of some script kiddie or defacer intent on breaking into a site and altering its pages or content, all the more so since the analysis by Seeweb's experts found nothing else changed on the compromised sites, but of someone who obtained the FTP login password and used it to distribute malware.
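The injected-iframe pattern described above can be hunted for across a hosting fleet with a content-level scan of the web roots, since the servers themselves show no exploit and only the page text changed. The following is an added example, not Seeweb's or PC safe's own code; the sample pages and the hostnames www.shop.example, malware-host.example and video.example are constructed for the illustration.

```python
"""Find hidden, off-site <iframe> tags injected into hosted pages.

Added illustration for the attack pattern described in the article; it is not
Seeweb's or PC safe's tooling. The sample pages and hostnames are constructed.
"""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag (case-insensitive)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for the usual ways an injected frame is kept invisible."""
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def tiny(value):
        m = re.match(r"\d+", value.strip())
        return m is not None and int(m.group()) <= 1

    return tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))


def find_injected_iframes(html, site_host):
    """Return off-site iframes in `html`; `hidden` marks the ones a visitor cannot see."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != site_host.lower():
            findings.append({"src": src, "host": host, "hidden": _is_hidden(attrs)})
    return findings


def scan_directory(root, site_host, suffixes=(".html", ".htm", ".php")):
    """Walk a web root and report each file carrying a hidden off-site iframe."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in suffixes and path.is_file():
            text = path.read_text(errors="replace")
            hidden = [f for f in find_injected_iframes(text, site_host) if f["hidden"]]
            if hidden:
                hits[str(path)] = hidden
    return hits


# Constructed sample pages for the (hypothetical) hosted site www.shop.example
SAMPLE_CLEAN = (
    "<html><body><h1>Shop</h1>"
    "<iframe src='/map.html' width='300' height='200'></iframe></body></html>"
)
SAMPLE_INJECTED = (
    "<html><body><h1>Shop</h1>"
    '<IFRAME SRC="http://malware-host.example/in.php" WIDTH=0 HEIGHT=0 '
    'STYLE="display: none"></IFRAME>'
    "<iframe src='https://video.example/embed/42' width='560' height='315'></iframe>"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("clean", SAMPLE_CLEAN), ("injected", SAMPLE_INJECTED)):
        print(name, find_injected_iframes(page, "www.shop.example"))
```

A legitimate embed (the visible video frame in the second sample) is reported but not flagged as hidden, so `scan_directory` keys on the hidden ones; on a real fleet the stronger check is a diff against a known-good copy of each site, which also catches injections that do not use an iframe at all.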
Seeweb has completed an extensive reconnaissance and analysis of its servers, a security assessment from which it emerged that the machines hosting the roughly one hundred compromised sites do not suffer from known bugs and are not exposed to exploits, "not even zero-days at the level of rumours", Baldassarra stresses. Moreover, an analysis of the applications the customers run on the affected sites indicated that they offer no avenue for compromise, nor have cross-site attacks, mass defacements or the like been detected. "All the attention", Baldassarra explains, "is focused on understanding how the passwords were captured."
On this front, following an attack attempt recorded in August, many customers had already changed their passwords at Seeweb's request, and the passwords are not stored in clear text on servers reachable from outside. Yet sites belonging to customers who had changed their passwords long ago were attacked as well.
"All this", Baldassarra stresses, "clearly points to a sort of technological differential between the two phases of the attack. Subject number one, technology number one, is the one who obtains the password. Subject number two, on the other hand, carries out a trivial attack that exploits that password, that is, taking a piece of information of little value, such as FTP access, and using it to obtain more valuable information, such as users' data." Seeweb's feeling, in short, is that whoever stole the passwords is not the same party that then exploited them. A feeling which, if confirmed, could give what happened another, even more disturbing, dimension.
Obviously, this is anything but a certainty. "The FTP access", Seeweb explains to PI, "is naturally carried out from compromised servers, typically in Russia or in other places where investigation is difficult. Our level of attention on the issue is naturally extreme, to prevent the attacks from spreading." Seeweb has taken cover by further modifying its infrastructure for managing and changing passwords.
"The hypothesis", Baldassarra continues, "is that passwords may be sniffed outside our network." That is why a search is under way for an element the affected customers have in common. "For example", the Seeweb executive explains, "to find out whether the users involved connect to the Internet through a given operator, or use a specific FTP client. To understand all this, the logs of all the servers are being data-mined, not so much to understand what the attacker is doing, which has already been determined, but precisely to identify a lowest common denominator among this group of users."
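The log mining Baldassarra describes amounts to joining the FTP login records against the list of accounts whose sites were found tampered with: first to pull out the source addresses that appeared only once the sites were altered (the "compromised servers" the attacker logs in from), then to see whether the victims cluster on one access network, the "given operator" in the quote. Below is an added example, not Seeweb's own analysis; the login records, the account names and the prefix-to-ISP table are constructed, and the example works from source addresses alone, since an ordinary FTP transfer log does not record which client program was used.

```python
"""Mine FTP login records for attacker sources and a common denominator among victims.

Added illustration of the analysis described in the article, not Seeweb's own
tooling. The log lines, account names and prefix-to-ISP table are constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed login records: "timestamp account source_ip" (not real Seeweb logs).
LOG = """\
2007-09-01T08:12:00 alice 10.1.0.5
2007-09-01T09:40:00 bob 10.1.7.9
2007-09-01T12:00:00 frank 10.1.8.8
2007-09-02T10:00:00 carol 10.2.3.4
2007-09-02T10:30:00 erin 10.2.5.5
2007-09-02T11:11:00 alice 10.1.0.5
2007-09-03T07:05:00 dave 10.3.9.9
2007-09-05T02:14:00 alice 192.0.2.77
2007-09-05T02:16:00 bob 192.0.2.77
2007-09-05T02:20:00 frank 192.0.2.77
2007-09-05T03:01:00 carol 192.0.2.78
2007-09-06T09:00:00 dave 10.3.9.9
2007-09-06T09:30:00 erin 10.2.5.5
"""

# Hypothetical mapping from customers' access networks to their ISP.
PREFIX_TO_ISP = {
    ipaddress.ip_network("10.1.0.0/16"): "ISP-A",
    ipaddress.ip_network("10.2.0.0/16"): "ISP-B",
    ipaddress.ip_network("10.3.0.0/16"): "ISP-C",
}

# Accounts whose sites were found carrying the injected iframe (constructed).
VICTIMS = {"alice", "bob", "frank", "carol"}
# Logins before this point are treated as the customers' normal behaviour.
BASELINE_END = datetime(2007, 9, 4)


def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip = line.split()
            records.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(ip)))
    return records


def attacker_sources(records, victims, baseline_end):
    """For each victim, addresses seen only after the baseline: candidate attacker hosts."""
    baseline, after = defaultdict(set), defaultdict(set)
    for ts, user, ip in records:
        (baseline if ts < baseline_end else after)[user].add(ip)
    return {u: after[u] - baseline[u] for u in victims if after[u] - baseline[u]}


def shared_sources(new_sources):
    """Addresses that logged into more than one victim account (one attacker, many passwords)."""
    users_by_ip = defaultdict(set)
    for user, ips in new_sources.items():
        for ip in ips:
            users_by_ip[ip].add(user)
    return {str(ip): sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


def isp_of(ip, prefix_map):
    for net, name in prefix_map.items():
        if ip in net:
            return name
    return "unknown"


def common_denominator(records, victims, baseline_end, prefix_map):
    """Per ISP (from customers' normal pre-incident logins): (victims, total customers)."""
    users_by_isp = defaultdict(set)
    for ts, user, ip in records:
        if ts < baseline_end:
            users_by_isp[isp_of(ip, prefix_map)].add(user)
    return {isp: (len(users & victims), len(users)) for isp, users in users_by_isp.items()}


def analyze(text=LOG, victims=VICTIMS, baseline_end=BASELINE_END, prefix_map=PREFIX_TO_ISP):
    records = parse_log(text)
    new = attacker_sources(records, victims, baseline_end)
    return {
        "new_sources": {u: sorted(str(ip) for ip in ips) for u, ips in new.items()},
        "shared": shared_sources(new),
        "by_isp": common_denominator(records, victims, baseline_end, prefix_map),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

On the constructed data every customer of ISP-A is a victim while ISP-C's customer is not, and a single address logged into three accounts with valid passwords; on a real fleet the same two joins, run over all servers' logs, are what would point at a sniffing point upstream of one operator or at one attacker reusing a batch of stolen credentials.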
Are we facing a criminal organisation that uses password sniffers for its own ends? This is one of the most disturbing hypotheses behind an attack which, given the size of the Italian hosting providers affected, risks becoming an epidemic. And is there dialogue between the affected companies? "Of course", Baldassarra concludes, "we are discussing together how to proceed." The hope is to reach the decisive element, the "way" in which the attack is carried out and the passwords are stolen, as quickly as possible.