We have previously talked about the systemic risk that exists with cloud providers and hosting solutions. While on the surface it may appear to be the compromise of a single company, a hosting provider breach represents a much larger issue, with possible far-reaching and catastrophic impact.
Today we saw another similar systemic issue, as Anonymous Italy has leaked data that affects over 40 sites belonging to an Italian web agency called Engitel.
News of the breach was originally posted on an Anonymous news blog with the actual data being posted to the file sharing site MEGA. The leak was posted in six parts which includes a total of 321MB of compressed data, and when extracted totals 553MB made up of 2,859 files over 124 folders.
Engitel was founded in 1994 to “create Internet and web solutions” using their own Content Management System (CMS), and by providing many other services. At the time of publishing this article, the affected sites appear to still be active, which is no surprise considering it's the weekend and systems administrators for Engitel are most likely out enjoying a day or two off.
From our investigation, this breach does not appear to be like most that we cover. We are not seeing troves of user accounts dumped in SQL format; rather, the leaked credentials are all in HTML format. Furthermore, some of the leaked data comes from one of Engitel's products, called Contact Manager, and it contains supporting file types such as JS, CSS and images alongside the HTML files. While not confirmed, this suggests the leaked data was obtained through an administration panel, most likely using access details taken from Engitel.
Anonymous Italy, the initial source of the leak, claimed there were over four million records, of which ~1.8 million were user data. The news website Hackread published an early report providing details that confirm this breach, but also claimed that "hundreds of thousands" of people were affected. At this point we are not able to confirm that statement: our analysis appears to show only about 20,000 unique username and email address combinations. As with many dumps, not everything is current; some of the sites impacted are old, and only partial credit card information is included.
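A first triage step for a dump like this is to count distinct account identities rather than rows, because repeated and inconsistently cased entries inflate the headline "record" figure. The script below is an added example and is not code from the leak, from Engitel or from this site's analysis; it parses HTML table exports of the kind described above, locates the username and email columns by header name, normalises case, and reports raw rows versus unique (username, email) pairs. The two sample files are constructed here and are not real leak data.

```python
import re
from html.parser import HTMLParser

# Constructed sample dumps (not real leak data): two HTML exports with a
# header row, duplicate entries and inconsistent casing.
SAMPLE_DUMPS = {
    "site_a_users.html": """
<html><body><table>
<tr><th>User</th><th>Email</th><th>Pass</th></tr>
<tr><td>mrossi</td><td>m.rossi@example.it</td><td>hunter2</td></tr>
<tr><td>MRossi</td><td>M.Rossi@example.it</td><td>hunter2</td></tr>
<tr><td>lbianchi</td><td>l.bianchi@example.it</td><td>pass123</td></tr>
</table></body></html>""",
    "site_b_contacts.html": """
<html><body><table>
<tr><th>user</th><th>email</th><th>pass</th></tr>
<tr><td>mrossi</td><td>m.rossi@example.it</td><td>hunter2</td></tr>
<tr><td>gverdi</td><td>g.verdi@example.it</td><td></td></tr>
<tr><td></td><td>noreply@example.it</td><td>x</td></tr>
</table></body></html>""",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class TableRowParser(HTMLParser):
    """Collects <tr> rows as lists of cell strings; a <th> row becomes the header."""

    def __init__(self):
        super().__init__()
        self.header = []
        self.rows = []
        self._row = None
        self._cell = None
        self._is_header = False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row, self._is_header = [], False
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []
            if tag == "th":
                self._is_header = True

    def handle_data(self, data):
        if self._cell is not None:  # text outside a cell (whitespace between tags) is ignored
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if self._is_header:
                self.header = [h.lower() for h in self._row]
            else:
                self.rows.append(self._row)
            self._row = None


def column_index(header, *keywords):
    """Index of the first header cell containing any keyword, or None."""
    for i, name in enumerate(header):
        if any(k in name for k in keywords):
            return i
    return None


def extract_pairs(html_text):
    """Return (username, email) pairs, lower-cased, from every data row with a usable email."""
    parser = TableRowParser()
    parser.feed(html_text)
    parser.close()
    u = column_index(parser.header, "user", "login")
    e = column_index(parser.header, "email", "mail")
    pairs = []
    for row in parser.rows:
        email = row[e].lower() if e is not None and e < len(row) else ""
        user = row[u].lower() if u is not None and u < len(row) else ""
        if not EMAIL_RE.match(email):
            continue  # no usable email: malformed or empty row
        pairs.append((user, email))
    return pairs


def summarize(dumps):
    """Raw credential rows versus distinct identities across all dump files."""
    raw_rows, pairs, emails = 0, set(), set()
    for text in dumps.values():
        found = extract_pairs(text)
        raw_rows += len(found)
        pairs.update(found)
        emails.update(email for _, email in found)
    return {"rows": raw_rows, "unique_pairs": len(pairs), "unique_emails": len(emails)}


if __name__ == "__main__":
    print(summarize(SAMPLE_DUMPS))  # {'rows': 6, 'unique_pairs': 4, 'unique_emails': 4}
```

The raw row count is what a "records" claim usually refers to; the unique pair and unique email counts are what matter when estimating how many people need to be notified or how many accounts need rotating.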
As mentioned, this leak is a bit messy, but the biggest immediate issue appears to be that credentials for Engitel's clients are present, and they appear to be valid, as they have already led to several of those clients being compromised. Several sites have been defaced for well over eight hours.
This breach was carried out by a new Anonymous operation headed by Anonymous Italy, called OpNessunDorma. The operation is focused on exposing and bringing to light employment issues in Italy and on supporting an ongoing fight over new labor laws.
The websites affected in this breach range from job agencies, private businesses and consulting companies to personal sites. We can also confirm, as Hackread reported, that there is a zip file containing contact information for many executives from well-known companies such as MTV Italia, the Italian newspaper La Repubblica (The Republic), Facebook Italy, Gucci, FastWeb, Microsoft, Wind Italy, Ducati Italy, and more.
It will take more time and deeper analysis to fully grasp the impact of this breach, but it without a doubt highlights again why it is important to understand resource aggregation and systemic risk.
A quick lesson learned: if your organization is currently working (or has in the past) with service providers or outside consulting firms, it is absolutely critical to ensure that they do not hold your production credentials. Where such access is unavoidable, issue individual, scoped accounts that can be revoked, and rotate the credentials when the engagement ends. As Engitel has demonstrated quite painfully to its clients, once a service provider has your credentials, there is a good chance that they will always have them, and they may even unintentionally share them with the public.