An unnamed shipping company had its unpatched content management system hacked by sea pirates, who then sorted the ships at sea by the value of their cargo so they could prioritize their attacks and maximize the take.
The web shell the attackers used didn't use SSL, so every command they sent to it was recorded in plaintext in the web server's logs, which let Verizon's RISK Team reconstruct their actions step by step. Though the idea of picking targets for piracy by hacking a shipping company's CMS is a sophisticated one by the standards of sea pirates, the attackers weren't sophisticated enough to run their attacks through a VPN or proxy, which let the RISK Team trace the attack back to the hackers' home IP address.
The RISK Team quickly narrowed the problem down to the firm's outdated, custom-built CMS, which featured an insecure file upload script. As the Verizon team explained, a hacker, either part of the pirate group or hired by them, had uploaded a Web shell through this form, which stored it inside a Web-accessible directory.
To make things worse, that particular folder also had "execute" permissions, meaning the Web server would run scripts placed there rather than serve them as static files. The hacker could therefore send commands to the Web shell via URL parameters and have them executed on the server without any further exploit chaining.
Using the shell to reach the shipping firm's database, the hacker pulled down bills of lading (BoLs), future shipment schedules, and ship routes, so the pirates could plan their attacks and identify the crates holding valuable cargo.
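The log-driven reconstruction described above, as an added example rather than code from the original article or from Verizon: because the shell was driven through unencrypted URL parameters, each command survives in the web server's access log. The Python script below parses a handful of constructed Apache combined-format log lines (not real incident data), flags any server-side script requested from the upload directory, extracts command-looking query parameters, and tallies the source addresses, which, absent a proxy, point at the operator. The upload path `/cms/uploads/`, the parameter names, the attacker address `203.0.113.45` and the log lines themselves are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" access log lines for illustration; not real incident data.
# 203.0.113.45 is the hypothetical attacker, 198.51.100.7 an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Feb/2016:09:14:02 +0000] "POST /cms/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Feb/2016:09:14:10 +0000] "GET /cms/uploads/img.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Feb/2016:09:14:31 +0000] "GET /cms/uploads/img.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2107 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Feb/2016:09:15:02 +0000] "GET /cms/uploads/img.php?cmd=mysql+-e+%22select+*+from+bol%22 HTTP/1.1" 200 91833 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2016:09:16:00 +0000] "GET /cms/uploads/photo.jpg HTTP/1.1" 200 40211 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2016:09:16:05 +0000] "GET /cms/index.php?page=home HTTP/1.1" 200 4031 "-" "Mozilla/5.0"
"""

# Hypothetical web-accessible upload directory of the CMS (assumption for this example).
UPLOAD_DIR = "/cms/uploads/"
# Extensions the web server hands to an interpreter instead of serving as static content.
SCRIPT_EXTS = (".php", ".php5", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl")
# Parameter names commonly used by simple web shells to carry the command to run.
COMMAND_PARAMS = {"cmd", "c", "command", "exec", "run", "e"}
# Tokens that mark a parameter value as a shell command rather than ordinary input.
SHELL_TOKENS = re.compile(r"\b(id|whoami|uname|cat|ls|pwd|wget|curl|nc|mysql|mysqldump|powershell)\b")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # percent-decoded, '+' turned back into spaces
    return rec


def classify(rec):
    """Return (reason, command) if the request looks like web shell use, else None.

    A script executing from the upload directory is suspicious on its own; a
    command-looking query parameter on such a request is the shell being driven.
    """
    path = rec["path"]
    if not (path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXTS)):
        return None
    for name, values in rec["query"].items():
        for value in values:
            if name.lower() in COMMAND_PARAMS or SHELL_TOKENS.search(value):
                return ("command via URL parameter", value)
    return ("script executed from upload directory", None)


def find_webshell_activity(log_text):
    """Scan a whole log and return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is None:
            continue
        reason, command = hit
        findings.append({
            "ip": rec["ip"], "time": rec["ts"], "path": rec["path"],
            "reason": reason, "command": command,
        })
    return findings


def attacker_ips(findings):
    """Count findings per source address: with no proxy in front, this is the operator's own IP."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_webshell_activity(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["path"]} {h["reason"]}: {h["command"]}')
    print("source addresses:", dict(attacker_ips(hits)))
```

The benign `photo.jpg` fetch from the same directory is ignored, and the upload POST itself is not flagged, which keeps the output focused on the post-upload activity an analyst would reconstruct. Had the upload directory been configured to serve files without executing them, the second check would never fire, because `img.php` would have come back as text rather than run.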
Sea Pirates Hacked Shipping Company to Plan Attacks, Find Valuable Cargo
(Image: Container Ship, NOAA's National Ocean Service, CC-BY)