An unnamed shipping company had its unpatched content management system hacked by sea-pirates, who then sorted the ships at sea by the value of their cargo to help prioritize attacks to maximize the take.
The Web shell used by the attackers didn't support SSL, so every request they sent to it went over plaintext HTTP and was recorded in the webserver's access logs, enabling Verizon's RISK Team to reconstruct their actions. Though the idea of attacking cargo ships by hacking their CMS is a sophisticated one by the standards of sea-pirates, the attackers weren't sophisticated enough to run their attacks through a VPN, enabling the RISK Team to trace the attack back to the hackers' home IP address.
The RISK Team quickly narrowed the problem down to the firm's outdated, custom-built CMS, which featured an insecure upload script. As the Verizon team explained, a hacker, either part of the sea-pirate group or hired by them, had uploaded a Web shell through this insecure form, and the shell landed in a Web-accessible directory.
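Because the shell's commands arrived as ordinary HTTP requests, the kind of log review the RISK Team did can be scripted. The following is an added example, not code from the article or from Verizon: it parses constructed Apache/nginx "combined" log lines (the IPs, paths and the `cmd` parameter are invented) and flags requests that execute a script inside an upload directory with URL parameters, which is what a URL-driven web shell looks like from the server side. The upload directory prefix and the list of executable extensions are assumptions to adjust per site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in the Apache/nginx "combined" format.
# IPs, paths and parameter names are invented for this example; nothing here is
# taken from the Verizon RISK Team report.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2015:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Mar/2015:08:02:03 +0000] "POST /admin/upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Mar/2015:08:02:09 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 42 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Mar/2015:08:02:31 +0000] "GET /uploads/img.php?cmd=ls+-la HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:08:03:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 84000 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Mar/2015:08:04:45 +0000] "GET /uploads/img.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed defaults: directories that should only hold user-supplied files, and
# the extensions a web server is typically configured to execute as code.
UPLOAD_PREFIXES = ("/uploads/",)
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".cgi")


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)
    return rec


def find_webshell_activity(log_text, upload_prefixes=UPLOAD_PREFIXES, script_exts=SCRIPT_EXTS):
    """Return {ip: [hits]} for requests that run a script under an upload
    directory and pass it parameters. Each hit also carries the same IP's
    earlier POST requests, since one of those is the likely upload that
    planted the file."""
    posts = defaultdict(list)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            posts[rec["ip"]].append((rec["ts"], rec["path"]))
        in_uploads = rec["path"].startswith(upload_prefixes)
        is_script = rec["path"].lower().endswith(script_exts)
        if in_uploads and is_script and rec["params"]:
            hits[rec["ip"]].append({
                "ts": rec["ts"],
                "path": rec["path"],
                "params": {k: v[0] for k, v in rec["params"].items()},
                "status": rec["status"],
                "prior_posts": list(posts[rec["ip"]]),
            })
    return dict(hits)


def report(log_text):
    """Human-readable summary, one source IP per group."""
    lines = []
    for ip, events in find_webshell_activity(log_text).items():
        lines.append(f"{ip}: {len(events)} suspected web-shell request(s)")
        for e in events:
            lines.append(f"  {e['ts']} {e['path']} {e['params']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The grouping by source IP is what makes the no-VPN mistake visible: with every shell request tied to one address, the operator's origin and the preceding upload POST sit in the same bucket. Against real logs, run it over the rotated files for the whole exposure window, since the upload may predate the first command by days.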
To make things worse, that folder also had "execute" permissions, so the hacker could send commands to the Web shell via URL parameters and have them run without any further exploit chaining.
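The two defects the RISK Team named, an upload script that trusts the client and a destination directory the server both serves and executes, can be shown side by side. The code below is an added example and not the shipping firm's CMS or anything from the Verizon write-up: `save_upload_insecure` reproduces the pattern described (client-chosen filename written under the webroot), and `save_upload_hardened` is one way to close it, using a content-based allow-list, a random name, a directory outside the webroot and no execute bits. The directory layout, the allow-list and the size limit are assumptions chosen for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Allow-list keyed on leading magic bytes; the client's filename and declared
# content type are ignored. (Types chosen for illustration.)
ALLOWED_MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"%PDF-": ".pdf",
}
MAX_BYTES = 10 * 1024 * 1024  # assumed limit


class RejectedUpload(ValueError):
    """Raised when an upload fails a server-side check."""


def save_upload_insecure(webroot: Path, client_name: str, data: bytes) -> Path:
    """The pattern the article describes: keep the client's filename and write
    it into a directory the web server serves and executes. A file named
    x.php therefore becomes reachable, and runnable, at /uploads/x.php."""
    dest = webroot / "uploads" / client_name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def save_upload_hardened(datadir: Path, data: bytes) -> Path:
    """Store outside the webroot, derive the extension from content rather than
    from the client, use a random name, and never set execute bits."""
    if len(data) > MAX_BYTES:
        raise RejectedUpload("upload exceeds size limit")
    for magic, ext in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            break
    else:
        raise RejectedUpload("content does not match an allowed type")
    dest = datadir / "uploads" / (secrets.token_hex(16) + ext)
    dest.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL: fail rather than overwrite if the random name ever collides.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def is_under_webroot(path: Path, webroot: Path) -> bool:
    return webroot.resolve() in path.resolve().parents


def demo() -> dict:
    """Run both handlers in a temporary directory against a harmless file that
    merely carries a .php name and against a constructed PNG header, and
    return what each handler did."""
    php_named = b"<?php echo 'hello'; ?>"             # harmless, but it is code
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32    # constructed PNG prefix
    with tempfile.TemporaryDirectory() as tmp:
        webroot, datadir = Path(tmp) / "webroot", Path(tmp) / "data"
        insecure = save_upload_insecure(webroot, "avatar.php", php_named)
        try:
            save_upload_hardened(datadir, php_named)
            php_rejected = False
        except RejectedUpload:
            php_rejected = True
        hardened = save_upload_hardened(datadir, png_bytes)
        mode = hardened.stat().st_mode & 0o777
        return {
            "insecure_served_as_code": insecure.suffix == ".php" and is_under_webroot(insecure, webroot),
            "hardened_rejects_php": php_rejected,
            "hardened_suffix": hardened.suffix,
            "hardened_in_webroot": is_under_webroot(hardened, webroot),
            "hardened_executable": bool(mode & 0o111),
            "hardened_name_len": len(hardened.stem),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the hardened layout, files are returned to browsers only through a download handler that reads from `datadir` and sets an explicit `Content-Type` and `Content-Disposition`; the web server never maps that directory to a URL, so even a file that slipped past the allow-list could not be executed by requesting it. The permission point from the article is the same one enforced by the `0o640` mode: a directory that must accept user content should never also carry execute rights for the server process.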
Using this access to the shipping firm's database, the hacker pulled down BoLs (bills of lading), future shipment schedules, and ship routes so the pirates could plan their attack and identify crates holding valuable content.
Sea Pirates Hacked Shipping Company to Plan Attacks, Find Valuable Cargo
(Image: Container Ship, NOAA's National Ocean Service, CC-BY)