Hackers steal security firm's domain name in 10-hour attack potentially compromising customer data
If security firms can't stay secure, what chance for anyone else?
Cyber crooks recently carried out a successful attack on a Dutch IT security firm, hijacking the firm's domain name so that they could intercept traffic to one of its services and obtain confidential data.
In a blog post, Fox-IT revealed that the attackers were able to get around its security controls and capture customer login credentials, among other data.
As reported by Ars Technica, the hackers carried out a "man-in-the-middle attack" that lasted 10 hours and 24 minutes. The company says it detected and contained the attack within that window.
The company explained that, thanks to the security procedures in place, the attack was contained.
"As a result of the multi-layered security protection, detection and response mechanisms we had in place, the incident was both small and contained, but as a cyber security specialist it has made us look long and hard at ourselves," the company admitted.
According to the firm, the attackers' point of entry was its account at a third-party domain registrar, not Fox-IT's own servers.
From there they altered the DNS records that map the company's client portal hostname to an IP address. Because they controlled the domain's DNS records, they could redirect traffic for Fox-IT.com hostnames at will.
"In the early morning of September 19 2017, an attacker accessed the DNS records for the Fox-IT.com domain at our third-party domain registrar," said the company.
"The attacker initially modified a DNS record for one particular server to point to a server in their possession and to intercept and forward the traffic to the original server that belongs to Fox-IT.
"The attack was specifically aimed at ClientPortal, Fox-IT's document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations."
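The mechanism Fox-IT describes, a registrar-level change that repoints one hostname at a relay which forwards traffic to the real server, is visible from the outside: the address a resolver returns for the portal simply changes. Below is an added detection-side illustration (not Fox-IT's tooling and not code from the original post): it diffs the records a resolver currently returns against an expected baseline and flags the swap. The hostnames and addresses are constructed from RFC 5737 documentation ranges, and the `resolve_live` helper only wraps the system resolver; nothing here is Fox-IT's infrastructure.

```python
"""Detect registrar-level DNS tampering by diffing live records against a baseline.

Added illustration, not Fox-IT's tooling. Hostnames and addresses below are
constructed (RFC 5737 documentation ranges), not real infrastructure.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass

Records = dict[str, dict[str, set[str]]]   # host -> record type -> set of values


@dataclass(frozen=True)
class Alert:
    host: str
    rtype: str
    kind: str    # "unexpected" (new value seen) or "missing" (baseline value gone)
    value: str

    def __str__(self) -> str:
        return f"[{self.kind.upper()}] {self.host} {self.rtype} {self.value}"


def normalize(name: str) -> str:
    """Canonical form so 'Portal.Example.com.' and 'portal.example.com' compare equal."""
    return name.strip().rstrip(".").lower()


def _canon(records: Records) -> Records:
    """Normalize hostnames, record types and name-valued records (NS/CNAME/MX)."""
    out: Records = {}
    for host, types in records.items():
        h = normalize(host)
        for rtype, values in types.items():
            t = rtype.upper()
            vals = {normalize(v) if t in ("NS", "CNAME", "MX") else v.strip() for v in values}
            out.setdefault(h, {}).setdefault(t, set()).update(vals)
    return out


def compare_records(baseline: Records, observed: Records) -> list[Alert]:
    """Return one Alert per value that appeared or disappeared relative to the baseline.

    A hijack of the kind described above shows up as an 'unexpected' A record
    (the attacker's relay) paired with a 'missing' one (the legitimate server).
    """
    base, obs = _canon(baseline), _canon(observed)
    alerts: list[Alert] = []
    for host, types in sorted(base.items()):
        for rtype, expected in sorted(types.items()):
            seen = obs.get(host, {}).get(rtype, set())
            alerts += [Alert(host, rtype, "unexpected", v) for v in sorted(seen - expected)]
            alerts += [Alert(host, rtype, "missing", v) for v in sorted(expected - seen)]
    return alerts


def hijacked_hosts(alerts: list[Alert]) -> list[str]:
    """Hosts whose address records both lost a baseline value and gained a new one:
    the signature of traffic being redirected rather than a record being added."""
    gained: set[str] = set()
    lost: set[str] = set()
    for a in alerts:
        if a.rtype in ("A", "AAAA"):
            (gained if a.kind == "unexpected" else lost).add(a.host)
    return sorted(gained & lost)


def resolve_live(hosts: list[str]) -> Records:
    """Resolve A/AAAA records through the system resolver (needs network access)."""
    out: Records = {}
    for host in hosts:
        entry = out.setdefault(normalize(host), {"A": set(), "AAAA": set()})
        try:
            for family, _, _, _, sockaddr in socket.getaddrinfo(host, None):
                if family == socket.AF_INET:
                    entry["A"].add(sockaddr[0])
                elif family == socket.AF_INET6:
                    entry["AAAA"].add(sockaddr[0])
        except socket.gaierror:
            pass   # unresolvable host: every baseline value is then reported missing
    return out


# Constructed sample: the portal's A record has been repointed at a relay.
BASELINE: Records = {
    "portal.example.com": {"A": {"198.51.100.10"}},
    "www.example.com":    {"A": {"198.51.100.20"}},
    "example.com":        {"NS": {"ns1.example.net.", "ns2.example.net."}},
}
OBSERVED: Records = {
    "Portal.Example.com.": {"A": {"203.0.113.7"}},       # attacker-controlled relay
    "www.example.com":     {"A": {"198.51.100.20"}},     # unchanged
    "example.com":         {"NS": {"ns1.example.net", "ns2.example.net"}},
}

if __name__ == "__main__":
    found = compare_records(BASELINE, OBSERVED)
    for alert in found:
        print(alert)
    print("likely hijacked:", hijacked_hosts(found))
```

Run periodically from a host that does not share the registrar account (and ideally against several public resolvers rather than one), and treat a paired "missing"/"unexpected" on an address record as a page-someone event: a planned migration adds the new address before removing the old, while a hijack swaps them in one step. Replace `OBSERVED` with `resolve_live(list(BASELINE))` to check real hostnames.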
Because the hijacked DNS record sent clients to a server the attackers controlled, they could terminate the portal's TLS sessions there, read the traffic in the clear and forward it on to the real portal, impersonating the site. Although the company kept the situation under control, the criminals still obtained some files.
"We couldn't prevent the attacker from intercepting a small number of files and information that they should not have had access to," added the company.
"An important first step in our response was to contact law enforcement and share the necessary information with them to enable them to start a criminal investigation."