A look into the EC Council hack
Update: Wednesday, 22 May 2013 – Tal Be’ery: “We had analyzed a screenshot of what we had thought at the time the current EC council site hack. Later we had found out that this screenshot was actually related to a previous breach of some other EC council related site – the academy site of the EC Council eccouncilacademy.org. and not of the current attack.”
EC Council was reported to have been compromised by a hacker called Godzilla. Based on published materials it seems that the hacker got access to training course material of several certification programs.
Looking into the published content by the hacker and analyzing the screenshots shows that the server was hacked by the upload of the WSO web shell code (click for large version):
The malicious shell was probably uploaded due to an exploit of a known vulnerability in the Joomla CMS (Content Management System) used by the site – judging by the file date in the screenshot the system has not been updated since 2010.
While we can take the provocative approach of looking into a company that its revenue is mostly based on teaching professionals about security and gets hacked, lets be honest – this can happen to any company and history has proved this point valid. In this case, we would rather show the interesting direction around CMS exploitation becoming more and more popular.
The CMS Exploitation vector of attack is very common and in fact a simple search on one specific flavour (Joomla) resulted in 629 CVEs. Thousands exist in the CVE database and hundreds exist in 0day databases:
Businesses rely on 3rd party software and platforms to conduct their online business, and it is very common to use a CMS such as Joomla or similar and even Sharepoint to simplify delivering a rich website. However by doing so the website is exposed to vulnerabilities found within that CMS.
This brings up an interesting playfield for hackers, which can use Dork techniques and others to fingerprint many websites who use the specific CMS, easily locate many targets and exploit them with either a known (if the system is not up to date as it seems to have been the case here) or a 0day exploit, and have lots of surface covered.
Here is an example of a search term that looks for a specific function in a known CMS which is known to be vulnerable, in order to identify potential targets, the result is astounding. ~263,000 potential targets.
This hack could have been prevented by either constantly patching of all the 3rd party code of the application and/or by implementing a web application firewall in front of the application.
Author: Tal Be’ery, Imperva’s Web Research Team Leader.