D9D1E2

Data breaches in the Netherlands

2013

Roughly two million login credentials found on botnet server (2013-12-03)

[Organisation | Processing | Data subjects | Type of (personal) data | Type of incident | Description of the incident | Response of the organisation | Aftermath of the incident | Sources]

Organisation

Various organisations, including ADP (Automatic Data Processing, Inc.).

"As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc. You can also spot the notable presence of vk.com and odnoklassniki.ru, two social network websites aimed at Russian-speaking audiences, which probably indicates that a decent portion of the victims comprised were Russian speakers. Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list." [SpiderLabs Anterior, 2013-12-03]

Processing

Logging in to web services.

Data subjects

Users of the web services concerned.

"A quick glance at the geo-location statistics [...] would make one think that this attack was a targeted attack on the Netherlands. Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well. This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down--outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down. While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any. Looking at the very bottom of the image, we can see that there are 92 more countries that are not shown on the list above, indicating that the attack is fairly global and that at least some of the victims are scattered all over the world." [SpiderLabs Anterior, 2013-12-03]

"Whether the botnet that harvests passwords is also aimed at Dutch users cannot be said. The list of accessed accounts contains dozens of countries, but the distribution is skewed. The Netherlands is at the very top of the list with 97 percent of the stolen passwords. That is, however, because a Dutch proxy server was used. As a result it appears as if all the traffic comes from the Netherlands. The traffic is funnelled through this server to conceal the location of the command and control centre. If the proxy server is found, it can easily be replaced by another." [Nutech.nl, 2013-12-04]

Type of (personal) data

"[...] stolen credentials for approximately two million compromised accounts [...]" [SpiderLabs Anterior, 2013-12-03]

"The cache also included credentials for e-mail addresses, FTP accounts, remote desktops, and secure shells." [Ars Technica, 2013-12-04]

"There are also roughly 8,000 login credentials present for ADP, a system used by companies to keep track of information about their employees. That data includes, among other things, complete payslips. How many of the ADP login credentials belong to Dutch people cannot be determined." [Tweakers, 2013-12-04]

Type of incident

Breach of the confidentiality of the processed data.

Description of the incident

"Every once in a while we get to peek into the lion’s den, this time we’ll be checking out a fairly large instance of the Pony botnet controller, containing a large amount of stolen credentials and other goodies. Pony, for those of you who have not yet had the pleasure of encountering it, is a bot controller much like any other: It has a control panel, user management, logging features, a database to manage all the data and, of course, statistics. It also seems to be doing these things right, as it appears to be popping up quite a bit lately. [...] You may not think it by looking at these fairly professional statistics that wouldn’t put a dignified piece of software to shame, but Pony’s main business still remains theft: stolen credentials for websites, email accounts, FTP accounts, anything it can get its hands on- grabbed and reported back home." [SpiderLabs Anterior, 2013-06-30]

"With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9. One of the latest instances we've run into is larger than the last with stolen credentials for approximately two million compromised accounts." [SpiderLabs Anterior, 2013-12-03]

"It's unclear exactly how the credentials were originally obtained. One possibility is that they were captured using keyloggers or similar malware installed on compromised machines of end users. It could also be the case that the credentials were pilfered using phishing websites or other types of social engineering attacks." [Ars Technica, 2013-12-04]

"What’s happened here is clear. Innocent users’ computers have become infected with malware, which grabbed login details as they were entered by users. This data was then transmitted to the cybercriminals – either so they could access the accounts themselves or (more likely) sell on the details to other online criminals." [Graham Cluley, 2013-12-04]

"On Tuesday the security firm came across a server holding 2 million passwords stolen from browsers, which had been collected over a longer period. Some passwords had even already expired. Trustwave calls that unusual, because Pony is usually deployed to steal a very large amount of data quickly and then disappear again. These hackers, however, had hidden behind a proxy in the Netherlands and have not yet been found." [AG, 2013-12-05]

Response of the organisation

"ADP, Facebook, LinkedIn and Twitter told CNNMoney they have notified and reset passwords for compromised users. Google [...] declined to comment. Yahoo did not provide immediate responses. [...] in a statement, ADP said that, 'To [its] knowledge, none of ADP's clients has been adversely affected by the compromised credentials.'" [CNN, 2013-12-04]

"In addition, Trustwave found 8,000 passwords for the German payroll provider ADP, which according to that company had already been replaced earlier after it was confronted with a phishing campaign." [AG, 2013-12-05]

Aftermath of the incident

[Not yet known.]

Sources

2013-06-30

2013-12-03

2013-12-04

2013-12-05
