13-03-2016, 11:53 #1
[EN] Staminus ransacked by hackers
Juha Saarinen
Mar 13 2016
US anti-distributed denial of service firm Staminus has suffered a comprehensive attack that saw its systems taken offline and sensitive customer data posted on the internet.
Staminus this weekend had its company information posted on a paste website, with attackers disseminating a 15GB database on the anonymising TOR network.
Information on the hack was posted on Reddit's /r/sysadmin forum, where participants noted that attackers had discovered several glaring security holes on Staminus' network that allowed them to take full control of the infrastructure.
The leaked information included full credit card data stored in clear text without any form of encryption.
Staminus has confirmed the attack and that its systems were "temporarily taken offline" due to the intrusion.
According to chief executive Matt Mahvi, customer information including user names, hashed passwords, and names and contact information was exposed.
As credit and debit card data was also leaked, Mahvi advised Staminus customers to check their bank statements regularly for fraudulent and suspicious activity.
Exposed passwords "were protected with a cryptographic hash", Mahvi said, but nevertheless recommended that customers change their passwords.
The company said it restored services over the weekend, but parts of Staminus' website remained inaccessible.
13-03-2016, 11:57 #2
Home page - 13/03/2016 - 9:57 BRT
March 11th, 2016
To follow up on our communication from yesterday evening regarding the system outage, we can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.
Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.
While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password.
I fully recognize that our customers put their trust in Staminus and, while we believe that the issue has been contained, we are continuing to take the appropriate steps needed to safeguard our clients’ information and enhance our data security policies.
We will provide updates, as appropriate, as the investigation continues.
1. Have you been able to restore service to customers?
Yes, global services, as well as most auxiliary services, are back online for our customers. Our engineering team is closely monitoring our network to help ensure service delivery.
2. Was the recent service outage due to an unauthorized intrusion into Staminus’ systems?
Based on the investigation into the outage, we can now conclude that it was the result of an unauthorized intrusion into our systems. Once we learned of the origin of the outage, we notified law enforcement, started work to harden our systems and launched a continued investigation into the attack.
The website will be updated, as appropriate, with additional information as the investigation continues.
3. Was customer information also exposed as a result of this attack?
Based on the initial investigation, we believe that customer usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.
4. Are there steps customers need to take to protect their Staminus passwords?
Yes. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password, as is best practice anytime your password may have been exposed.
5. What are some of the steps that customers can take who are concerned about their credit card possibly being exposed?
Immediately upon learning of a potential intrusion, we notified our payment processor and all card brands so that they could proactively monitor fraudulent activity. Customers should regularly check their credit and debit card statements to see whether there is any fraudulent or suspicious activity. If there is any unauthorized activity, you should call your bank or financial institution in order to report the issue.
6. Are there other steps customers should be taking to protect themselves?
You should also always be on the lookout for phishing schemes. Any email correspondence we may send regarding this matter will not contain a link, so if you receive an email appearing to be from us that contains a link, it is not from us, and you should not click on the link. Also, never provide sensitive information to unsolicited requests claiming to come from us, your bank or other organizations. We would never ask you for sensitive information via email.
Additionally, we highly recommend customers who utilize similar credentials across different platforms reset any passwords on accounts that may use the same or a similar password to their Staminus login.
7. Will consumers be liable for fraudulent charges?
Card issuers publish their own policies regarding fraudulent charges. Generally, issuers do not hold customers responsible for fraudulent charges if they are reported in a timely manner. Please contact your card brand or issuing bank for more information about the policy that applies to you.
8. Have you notified federal law enforcement about your investigation and are you working with them?
Yes, once we determined that that information was exposed, we notified the necessary authorities, including the FBI. We are ready to work with them as appropriate as the investigation continues.
Last edited by 5ms; 13-03-2016 at 12:11.
13-03-2016, 12:22 #3
"Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed."
Last edited by 5ms; 13-03-2016 at 12:25.
13-03-2016, 12:36 #4
Hackers Target Anti-DDoS Firm Staminus
The e-zine posted online Thursday following an outage at Staminus Communications.
Staminus Communications Inc., a California-based Internet hosting provider that specializes in protecting customers from massive “distributed denial of service” (DDoS) attacks aimed at knocking sites offline, has itself apparently been massively hacked. Staminus’s entire network was down for more than 20 hours until Thursday evening, leaving customers to vent their rage on the company’s Facebook and Twitter pages. In the midst of the outage, someone posted online download links for what appear to be Staminus’s customer credentials, support tickets, credit card numbers and other sensitive data.
Newport Beach, Calif.-based Staminus first acknowledged an issue on its social media pages because the company’s Web site was unavailable much of Thursday.
“Around 5am PST today, a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable,” Staminus wrote to its customers. “Our technicians quickly began working to identify the problem. We understand and share your frustration. We currently have all hands on deck working to restore service but have no ETA for full recovery.”
Staminus now says its global services are back online, and that ancillary services are being brought back online. However, the company’s Web site still displays a black page with a short message directing customers to Staminus’s social media pages.
Meanwhile, a huge trove of data appeared online Thursday, in a classic “hacker e-zine” format entitled, “Fuck ’em all.” The page includes links to download databases reportedly stolen from Staminus and from Intreppid, another Staminus project that targets customers looking for protection against large DDoS attacks.
The authors of this particular e-zine indicated that they seized control over most or all of Staminus’s Internet routers and reset the devices to their factory settings. They also accuse Staminus of “using one root password for all the boxes,” and of storing customer credit card data in plain text, which is a violation of payment card industry standards.
Staminus so far has not offered any additional details about what may have caused the outage, nor has it acknowledged any kind of intrusion. Several Twitter accounts associated with people who claim to be Staminus customers frustrated by the outage say they have confirmed seeing their own account credentials in the trove of data dumped online.
I’ve sent multiple requests for comment to Staminus, which is no doubt busy with more pressing matters at the moment. I’ll update this post in the event I hear back from them.
It is not unusual for attackers to target Anti-DDoS providers. After all, they typically host many customers whose content or message might be offensive — even hateful — speech to many. For example, among the company’s many other clients is kkk-dot-com, the official home page of the Ku Klux Klan (KKK) white supremacist group. In addition, Staminus appears to be hosting a large number of internet relay chat (IRC) networks, text-based communities that are often the staging grounds for large-scale DDoS attack services.
Last edited by 5ms; 13-03-2016 at 12:39.
13-03-2016, 12:46 #5
For anyone who needs mitigation: OVH's problems can be mitigated when compared with the 20+ hours of downtime and the theft of customer data at Staminus.
13-03-2016, 13:09 #6
“tips when running a security company”
Sean Gallagher
Mar 11, 2016
The servers and routers of Staminus Communications—a Newport Beach, California-based hosting and distributed denial of service (DDoS) protection company—went offline at 8am Eastern Time on Thursday in what a representative described in a Twitter post as "a rare event [that] cascaded across multiple routers in a system wide event, making our backbone unavailable."
That "rare event" appears to have been intentional. A data dump of information on Staminus' systems includes customer names and e-mail addresses, database table structures, routing tables, and more. The data was posted to the Internet this morning, and a Staminus customer who wishes to remain anonymous confirmed his data was part of the dump.
The authors of the dump claim to have gained control of Staminus' routers and reset them to factory settings.
The dump, in a hacker "e-zine" format, begins with a note from the attacker.
Sarcastically titled "TIPS WHEN RUNNING A SECURITY COMPANY," it details the security holes found during the breach:
- Use one root password for all the boxes
- Expose PDU's to WAN with telnet auth
- Never patch, upgrade or audit the stack
- Disregard PDO [PHP Data Objects] as inconvenient
- Hedge entire business on security theatre
- Store full credit card info in plaintext
- Write all code with wreckless [sic] abandon
No credit card data was displayed in the dump viewed by Ars Technica, but storing credit card data unencrypted is a violation of Payment Card Industry (PCI) security standards and would be a major error for any company. It's much more egregious for a company marketing itself as a security firm.
DDoS mitigation companies attract a wide range of customers; those in the Staminus breach included a number of small gaming companies (including Minecraft server operators) and hosting firms.
Last edited by 5ms; 13-03-2016 at 13:15.
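The "Disregard PDO as inconvenient" item in the e-zine's list refers to PHP's PDO layer, whose prepared statements keep user input out of the SQL text. The following added example (not from the articles or from Staminus; it uses Python's sqlite3 driver, whose `?` placeholders are the equivalent mechanism, over a constructed in-memory table) shows why that matters: the same probe input returns every row when spliced into the query string and nothing when passed as a parameter.

```python
import sqlite3

# Constructed sample rows for the demonstration only (not Staminus data).
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password", "alice@example.invalid"),
    ("bob", "hash-of-bob-password", "bob@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, username):
    """The anti-pattern behind the 'disregard PDO' complaint: input spliced into SQL text.

    Whatever the caller supplies becomes part of the statement, so a quote
    character in the input rewrites the WHERE clause itself.
    """
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """The corrected form: the value travels separately from the SQL text.

    The driver binds the value to the placeholder, so it is always compared
    as a literal string and can never change the statement's structure.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(probe="x' OR '1'='1"):
    """Run both lookups with the same input and return their result sets."""
    conn = make_db()
    return {
        "concat": lookup_concat(conn, probe),  # every row: WHERE clause became a tautology
        "param": lookup_param(conn, probe),    # no rows: no user has that literal name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```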