Kwic ISP Misconfiguration Nightmare
Kwic Internet, a Canadian Internet Service Provider, accidentally exposed terabytes of data to the public internet through synchronization services that lacked authentication. This data trove included credit card numbers and expiration dates, many dozens of MySQL databases, internal company email archives, client email archives, and mountains of passwords scattered throughout.
Curiously, one of the database backups for Annex Media Publishing, a Kwic client, contained the details of all 38 million breached Ashley Madison accounts. What is a publishing company doing with the Ashley Madison dump? Steve Ragan, of CSOOnline (http://www.csoonline.com) hasnt been able to get an answer about that from the company.
Im calling this a near-worst-case-scenario due to only small evidence of infiltration by malicious entities. An r57 PHP shell was located within these backups, which suggests that bad guys have been able to gain at least moderate access to the live production side of one or more Kwic servers. I also saw plenty of support emails discussing clients claiming their websites, hosted by Kwic, were hacked.
If someone with criminal intent had indeed found this motherlode, and really wanted to cause trouble, they could be combing through the mountains of backed up emails in which Kwic staffers regularly pass along plaintext customer passwords. Heres a censored sample:
Site is dev.securitypages.ca
As an American, I must admit Im not entirely familiar with Canadian breach notification laws. However, if there is any kind of mandatory reporting, this could quickly turn into a real nightmare situation. Not only would Kwic need to notify thousands of business and residential clients, those clients would then need to turn around and notify all their own clients. Thats the nature of high-level breaches where one company is hosting another companys data. Think of it as a trickle-down notification process.
Welcome to the consequences of cloud-style hosting.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org