Chapter 3: Damage Control (Part 1)

NB: Think I’ll keep the format like this.  Probably easiest and cleanest.

“Good afternoon everybody, this is Evan Hastings with the Weekly Webwar Wrap! Unfortunately, before we launch into the latest behind the scenes chatter and strategies of the game you love, we have an important announcement to make. Megasys as you all know is the company that makes this game we all love. Unfortunately, last night some systems belonging to Megasys were hacked. We have to tell you this in accordance with the Consumer Data Protection Act of 2024, but we can say that there is no reason for alarm. This issue was simply an internal one and we have brought in outside consultants to get to the bottom of it. Around midnight last night someone gained unauthorized access to one of our databases. No payment or personally identifying information was released, and we are confident that our remaining systems were unaffected. We are sending password reset emails to each individual believed to have been affected. If we find further information, we will of course update everyone via this channel and official Megasys and Webwar social media and email. We appreciate your understanding in this; it is more annoying to us than the impact will affect you, and the sooner we are back to normal the better for all of us involved. Again, this is just a required notification under the Consumer Data Protection Act of 2024. We expect the impact to be minimal and those affected will be contacted or have already been contacted as we speak. The company has contracted with Coyote Security of Houston. Texas to resolve this incident and recommend improvements to any areas in which we fall short.

Now that’s out of the way, let’s talk Webwar! Warriors’ Championship last weekend was intense action, wasn’t it? We have a whole bunch of different topics and lessons learned from it, though I will start off by saying we are going to review some components of the fencing style and the Shanghai arena for potential tweaks that may need to be made as part of the evolving nature of the game…” Mikhail switches off his web radio app. The Weekly Wrap was something that he always loved to tune in to regardless of what happened. As much as he wanted to pay attention to the latest changes, especially since he just happened to loathe that stupid unbalanced Shanghai arena, he had work to do. After a quick wordless lunch at a sandwich shop a few blocks away, Mikhail had returned to several emails from everyone from Matt Jones lauding his efforts from back in Houston to Scott asking for a resolution. Now that this had hit the news media, he was officially in the spotlight. It was the part of the investigation he was always least fond of - even the dreaded task of documenting everything and compiling the reports was not as bad as having to deal with the pressure of the spotlight. Typically that particular joy was somewhat insulated from him by a more senior member of the team, but Mikhail just had a sneaking suspicion that he might not have the peace and quiet he was accustomed to as part of this assignment. After all, why would those guys go to Houston about an investigation in Seattle? He dials a number on his phone before stepping back into Megasys’ headquarters. After a few rings a calm female voice picks up on the other end. “Hey Sallie, it’s Mikhail in Seattle. I take it you have seen the news by now? Yeah, well, anyway, I’m going to send a hash value from the case to your email. Can you put it into that big sweeper script you’ve got? I would absolutely love it if I could find out if that hash shows up anywhere. Thanks!” He hangs up, slipping the phone into his pocket. The email could wait until he was back inside the building, where there were fewer people to potentially snoop on his screen. Sallie Hayes was a remarkable young woman out of Carnegie Mellon University in Pittsburgh. The unspoken thought when she arrived in the office fresh after graduation was that the hire might have been more part of the diversity and women in tech initiatives pressed by the last few American Presidents, but she had very quickly proven herself in the eyes of her colleagues and even others in the field. Her degree in computer science certainly carried some weight, but it was more what she showed that she was able to do that impressed even the graying old veterans who had been in the field since before Mikhail himself had been born. Sallie seemed to have an almost preternatural sense of how to search the internet. It was not just a case where she could find what she was looking for on Google with a minimal amount of effort; such a task was almost part of the job requirements itself. Rather, she seemed to just innately understand how information on the net ended up being stored and how to find it. Even if the information was not on the so-called “clear” net that everybody uses, but rather on the internet’s version of the criminal underworld, she had not come up empty yet. It was almost as if the PhD from Pennsylvania was Google incarnate. If the broader world could get to something online, no matter how convoluted the path might be, so could her script. And fundamentally, that was what Mikhail needed to know - whether the information he had found on the coffee maker had made its way out to the wider internet. Once back at his desk, Mikhail turns his attention to the scan he had left running before lunch. The scan had taken a lot longer than he had originally expected, but given the flurry of activity that his findings had unleashed it was perhaps not too surprising. The scanner he was using had the ability to adapt to network conditions such that he appeared only as another user doing normal internet things would on the network. Anyone directly monitoring the traffic would immediately see that he was very much not conducting typical business, but ordinary users and even the casual technical eye would not be any the wiser. Finally, it finishes and displays the results on Mikhail’s screen. The AutoJoe coffee maker had a number of ports open that took Mikhail by surprise - it was a coffee machine after all! It appeared to have a web portal, email protocols, and even a number of file sharing protocols that had been in use at one point or another. It appeared that someone had covertly converted the coffee machine into a makeshift file server. That would certainly explain the files that appeared to share the names of various movies and video games being there, but not necessarily how an attacker would have stored and subsequently copied out a dump from the database. There also appeared to be a number of remote access ports. The Secure Shell, sure, Mikhail could see a purpose of that even if it had default credentials - the manufacturer still needed to update it somehow. That was not the way Mikhail would have done it, but it was still a big problem in the industry: security best practices just were not at the top of mind of the makers of devices like the AutoJoe. But what if the attacker did not even need to go that far? Mikhail rolls his eyes when he notices it. Port 23: Open. Telnet. Freaking Telnet. Mikhail mutters something to himself as he types the necessary command to try and connect to it. The AutoJoe does not even ask for credentials when connecting via this method. Mikhail’s mutters become an audible swear. The more things changed, the more they stayed the same. Telnet vulnerabilities were so commonplace, so pedestrian, that it was still almost more noteworthy when a device did not leave itself open to such things! It was a class of misconfiguration so common that it often barely even warranted a footnote in the reports Mikhail and his coworkers issued. Certainly it did not ever really merit any discussion. Just an “oh by the way, we found this. We formally recommend that you stop being dumb and turn it off.” The reports were in more formal language than that of course, and usually had a boilerplate explanation of just why it was bad, but anyone with a scanner or a script and enough time on their hands could find and take advantage of those openings. On connecting to the coffee maker again, Mikhail notices a file that he had missed in his excitement before. Simply, it was called ‘sup.txt’, and it contained a single line: “Yo, sup! Onetr1ckpwny was HERE! Proof? Logz or GTFO!” Mikhail had thought the hack to be beyond a typical script kiddie - after all, this was an internal database that had been hit rather than a public-facing web page. What motivation would they have to hit something like this, even if they had managed to get past the multiple layers of defenses that Megasys almost certainly employed? Halfway chuckling to himself, Mikhail goes to check the log files for the telnet service. Sure enough, the logs reveal one - surprisingly only one - connection to the AutoJoe using the telnet protocol other than Mikhail’s own. That entry matched the entry of the device sitting at the edge of Megasys’ network - quite literally the gate between the company and the outside world. Mikhail connects to the device over a more secure protocol using the credentials Scott Mitchell had given him, and immediately notices that its firmware version was quite outdated. Normally for a device like this that was not a particularly big deal - nobody, not even Coyote Security, kept 100% up to date with all their edge devices. It was just too much of a hassle. Unfortunately, this one was running a known vulnerable version of the Secure Shell daemon - one that allowed for a sufficiently persistent or bored attacker to guess the root password. Mikhail recognized the version identifier almost instantaneously. He had had to personally call up several clients when the notice went out of the vulnerability since it was such a big deal. There were certainly ways to reduce the impact in place, but that was a question best left for Scott and the rest of the security team. For now, Mikhail just makes a note of it and checks the connection logs. One entry stands out from the others, just by virtue of the fact that it was from an external address. The time of last successful connection was within minutes of the connection to the coffee maker.

Charles Herrera avatar
About Charles Herrera
John Doe's true identity is unknown. Maybe he is a successful blogger or writer. Nobody knows it.