[BreachExchange] Anonymous Italy Targets Web Agency Engitel; Several Organizations Compromised

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 11 19:04:55 EDT 2016


https://www.riskbasedsecurity.com/2016/04/anonymous-italy-targets-web-agency-engitel-several-organizations-compromised/

We have previously talked about the systemic risk that exists with cloud
providers and hosting solutions. While on the surface, it may appear to be
a compromise of a single company, a hosting provider breach represents a
much larger issue with possible far-reaching catastrophic impact.

Today we saw another similar systemic issue as Anonymous Italy has leaked
data that affects over 40 sites belonging to an Italian web agency called
Engitel.

News of the breach was originally posted on an Anonymous news blog with the
actual data being posted to the file sharing site MEGA. The leak was posted
in six parts which includes a total of 321MB of compressed data, and when
extracted totals 553MB made up of 2,859 files over 124 folders.

Engitel was founded in 1994 to “create Internet and web solutions” using
their own Content Management System (CMS), and by providing many other
services. At the time of publishing this article, the affected sites appear
to still be active, which is no surprise considering it’s the weekend and
systems administrators for Engitel are most likely out enjoying a day or
two off.

From our investigation, this breach does not appear to be like most that we
cover. We are not seeing troves of user accounts dumped in SQL format, but
rather we are seeing the leaked credentials all in HTML format.
Furthermore, some of the data leaked is from one of Engitel’s products
called Contact Manager and it contains supporting file types such as JS,
CSS, and images for the HTML files. While not confirmed, this suggests the
leaked data was obtained via an administration panel, most likely using
information from Engitel.

Anonymous Italy, the initial source of the leak, claimed there were over
four million records, with ~1.8 million of them being user data. The news
website Hackread published an early report providing details confirming this
breach but also claimed that there had been “hundreds of thousands” of
people affected. However, at this point we are not able to confirm this
statement, as analysis appears to show only about 20,000 unique username and
email address combinations. As with many dumps, not everything is current;
it appears that some of the sites impacted are old and only partial credit
card information is included.

As mentioned, this leak is a bit messy, but the biggest immediate issue
does appear to be that the credentials for Engitel’s clients are present,
and they appear to be valid, as this has led to several of their clients
being compromised. Several have been defaced for well over eight hours.

This breach was carried out by a new Anonymous Operation headed by
Anonymous Italy, called OpNessunDorma. The operation is focused on exposing
and bringing to light the employment issues in Italy and helping with an
ongoing fight about new labor laws.

The websites affected in this breach range from job agencies, private
businesses, and consulting companies to personal sites. We can also confirm,
as Hackread reported, that there is a zip file containing contact information
of many executives from well-known companies such as MTV Italia, Italian
newspaper La Repubblica (The Republic), Facebook Italy, Gucci, FastWeb,
Microsoft, Wind Italy, Ducati Italy, and more.

It will take more time and deeper analysis to fully grasp the impact of
this breach, but it without a doubt highlights again why it is important to
understand resource aggregation and systemic risk.

A quick lesson learned is that if your organization is currently working
(or has in the past) with service providers or outside consulting firms, it
is absolutely critical to ensure that they do not have access to production
credentials. As Engitel has demonstrated quite painfully to their clients,
once a service provider has your credentials, there is a good chance that
they will always have them… and maybe even unintentionally share them with
the public.