[BreachExchange] Staminus Breach: Just How Bad Is It?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 14 19:21:14 EDT 2016


https://www.riskbasedsecurity.com/2016/03/staminus-breach-just-how-bad-is-it/

In terms of data security, 2016 is off to a pretty grim start, as we have
already tracked 510 data breaches exposing over 175 million records. Just
last month, we posted about the potentially devastating risks when a hosting
provider is compromised. Until a few days ago, many people had never heard
of a hosting provider called Staminus that claims to specialize in
Distributed Denial of Service (DDoS) protection. Over the last few days,
customers of Staminus have been very unhappy due to a significant outage.
Their customers are likely to be even more upset, as we have confirmation
that personal data, including credit cards, has been compromised.

With Staminus being a hosting company, but also providing DDoS services,
the full impact of the compromise is still unclear at this point. However,
as expected with any hosting provider breach, there can be an incredible
amount of impacted companies and people. We have determined that there were
approximately 2,300 previous and current clients included as part of the
Staminus breach. These ranged from companies that also provided Internet
hosting services to small instances run as a hobby web site for one
individual.

So what exactly was leaked?

SQL files:

accountUpdate.sql 1.213kb
acctserver.sql 157kb
appliance_lan.sql 77kb
ip_limit.sql 444kb
ip_limit_history.sql 74kb
ip_limit_profile.sql 17kb
sp.sql 2,210kb
Full.sql 3.6GB
3-9-staminus2.sql 14.5GB

full.sql

Billing table contains 141,403 records of account billing from purchases.
Account table contains 4,415 users' details with full addresses, contact
details, company details, emails, and encrypted passwords.
Credit_card table contains 2,042 entries with full card details.
The rest of the information seems to relate to Staminus sales, site
configuration, billing tracking and other configuration values related to
the systems.

3-9-staminus2.sql

Same data as Full.sql, plus data related to DDoS reporting, tickets,
and other server-related actions:
Full ticket history with user details, ticket content, and Staminus
responses.
Staff details with encrypted passwords, email addresses, and OAuth
credentials in the form of tokens and generated user keys.

main.tar.gz

This contains all of the above SQL files as well as my.cnf (the MySQL
server configuration), api.php (which contains cleartext passwords and an
example connection to the Staminus API), and PDOFunctions.php-copy (which
contains a full database connection for the Staminus system, including the
MySQL credentials).

svn.tar.gz

229 MB, 4,172 Files, 376 Folders

Full source code.

openvpn.tar.gz

20.0 KB, 5 Files, 2 Folders
brandonh.crt
brandonh.key
ca.crt
and the full OpenVPN configuration file

chatbot.tar.gz

104 KB, 85 Files, 62 Folders
lita-staminus-gem
litabot
r2d2bot
stamvpn

lighttpd.tar.gz

304 KB, 81 Files, 5 Folders
lighttpd web server configuration that contains a lot of vhosts, not only
for staminus.net.

Certificates

gobig.co_wildcard_02-15-13
img.stamin.us_02_12_14_1yr
staminus_ev_03-12-13_2yr
staminus_wildcard_05-16-10_2yr
staminus_wildcard_12-09-10_2yr
staminus_wildcard_12-09-14_2yr

Some of the websites hosted by Staminus had some additional controversy. As
previously disclosed, a website run by the Ku Klux Klan was included in the
breach as well. What was not mentioned in previous reports is that there
are quite a few similarly themed domains hosted (some old, defunct or very
small) with them as well:

whiterightsparty.com
whiteprideparty.com
saveouramericanheritage.com
kkk.biz
nationalwhitepridealliance.com
kukluxklan.tv
americankkk.com
Harrisonarkansaswebsites.com
kkk.com
americanheritagecommittee.com

It appears that after the initial breach, once it was determined that these
sites were hosted by Staminus, the leakers took it upon themselves to
access and obtain additional information. On further examination of the
data, not all of the domains appear to be active, and it is somewhat hard
to determine the exact impact of the data that has been leaked.

The original leak was published and for undisclosed reasons seemingly
removed within 24 hours. As we have covered previously, @CthulhuSec has
jumped in to properly host a leak when there have been issues, and this
leak was no different.

Now what follows next is a bit unique and worth mentioning, as @CthulhuSec
shares that he is being DDoS’d again, and even points a finger in the
direction of Staminus.

The CEO of Staminus (allegedly based on a recommendation from the grugq)
reached out to @CthulhuSec regarding the data that was collected, and they
ended up having a conversation.

Here are some key snippets:

(5:15:59 PM) mattm at blah.im/Matt-Air: We’re *not* incentivized to DDoS you,
nor anyone else. It’s illegal and useless. Data is out and has been for
days. Did you want protection?

(5:17:42 PM) CthulhuSec: But you are the only party who would have any real
interest in doing it. Data has been out for days, and exactly 0 people
managed to get a hold of it because of the way the person tried to
distribute it.

(5:21:40 PM) CthulhuSec: And legal or not, I’ve seen companies do more
illegal stuff than those who are pretty open about breaking the law. Being
a company is no disqualifier for flagrant disregard. Although, I haven’t
actually accused anyone yet. I don’t keep logs quite intentionally, so I
would never have that information anyway.

(5:23:49 PM) mattm at blah.im/Matt-Air: You radically give no fucks, and that
radically makes you a target of quite a few people, especially in other
countries, especially Turkey. Let me be very clear. Staminus has no
intention of DDoSing you, nor has Staminus DDoS’d you.

(5:25:03 PM) mattm at blah.im/Matt-Air: And we haven’t contracted anyone to
do so either.

(5:26:09 PM) CthulhuSec: You seem awfully bothered about that, even though
I made no charge it was you.

(5:27:49 PM) CthulhuSec: You filed a copyright complaint against the link.
That is interesting. You do realise at this point, that is perhaps the
worst approach to take given this has happened plenty of times and never
succeeded?

(5:29:57 PM) mattm at blah.im/Matt-Air: Are you sure it’s us?

(5:30:37 PM) CthulhuSec: == Copyright owner: Staminus Communication, Inc.
== Name: Kate Lucente
== Company: DLA Piper LLP (US)
== Job title: Attorney
== Email address: kate.lucente at dlapiper.com

(5:30:57 PM) CthulhuSec: Must be authorised to act on behalf of you, or
they have just committed a crime themselves.

(5:32:22 PM) CthulhuSec: Is your intention to allow them to continue to
uphold the complaint, or is it to be withdrawn?

(5:39:58 PM) mattm at blah.im/Matt-Air: Our lawyers are being lawyers.

As of this posting, it appears that the DDoS on @CthulhuSec has not been
successful.

Finally, Matt Mahvi, the CEO of Staminus, has posted a statement to their
main website.

March 11th, 2016

Statement

To follow up on our communication from yesterday evening regarding the
system outage, we can now confirm the issue was a result of an unauthorized
intrusion into our network. As a result of this intrusion, our systems were
temporarily taken offline and customer information was exposed. Upon
discovering this attack, Staminus took immediate action including launching
an investigation into the attack, notifying law enforcement and restoring
our systems.

Based on the initial investigation, we believe that usernames, hashed
passwords, customer record information, including name and contact
information, and payment card data were exposed. It is important to note
that we do not collect Social Security numbers or tax IDs.

While the investigation continues, we have and will continue to put
additional measures into place to harden our security to help prevent a
future attack. While the exposed passwords were protected with a
cryptographic hash, we also strongly recommend that customers change their
Staminus password.

I fully recognize that our customers put their trust in Staminus and, while
we believe that the issue has been contained, we are continuing to take the
appropriate steps needed to safeguard our clients’ information and enhance
our data security policies.

We will provide updates, as appropriate, as the investigation continues.

Regards,

Matt Mahvi

CEO, Staminus

With so much data left to analyze and questions remaining, it is clear there
is more to this story before we truly understand the impact (and how bad it
is)!