New Details About Astoria Company Hack Emerge
When the ShinyHunters hacking group started peddling the personal data of millions of people on the Dark0de marketplace at the start of last month, it was remarkable because of the sheer number of records, and because of who got hacked. Along with information on 400 million Facebook users and an Instagram user database, the haul included data on 300 million users, including 40 million Social Security numbers, from lead generation company Astoria Company LLC, whose network of websites collects information about consumers seeking services like low-cost auto loans, medical insurance and payday loans.
Now researchers from Night Lion Security have explained how the Astoria Company hack happened and have recounted their interactions with “Seller13,” presumably an alias of the broker known as Yousef, who also sold the Astoria data on the Russian cybercrime forum Exploit and on at least one other darkweb marketplace.
While “it’s not clear whether Seller13 is using the ShinyHunters name as a type of misdirection, or whether the two actors are actually working together,” the researchers said their conversations with the threat actor “seem to indicate that he and ShinyHunters work together.”
Although the attack was “relatively mundane” and “the chain of events and reconnaissance carried out in this particular breach is carried out regularly by threat actors around the world,” according to Brandon Hoffman, CISO at Netenrich, the “details released by Night Lion Security provide some interesting insight,” said Alec Alvarado, head of the threat intelligence team at Digital Shadows.
What the Night Lion researchers uncovered was, in the end, a “multi-faceted attack leveraging a perfect storm of software vulnerability, system misconfiguration, and inside hacks,” said Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber.
Night Lion found a list of more than 400 domains registered to Astoria Company. A search for “publicly available code with potentially leaked credentials or AWS keys” produced a list of vulnerable URLs within those domains. Further investigation turned up a number of malicious web shells and scripts, including Corex.php and Adminer.php, on the Astoria Company domain MortgageLeads.loans, the researchers said.
A closer look at the Corex web shell URL showed “a number of other operating tools that were left on the system, including the adminer.php script,” they said.
“Upon visiting the URL http://mortgageleads.loans/adminer.php, we immediately noticed that the administrator credentials for user ‘adminastoria’ were pre-filled, allowing anyone full access to the database from a public URL, no authentication required,” the researchers said.
A malicious insider, whom Astoria Company officials identified to Night Lion as an India-based developer, took advantage of a previously reported file disclosure vulnerability in Adminer that lets an attacker point the login form at a remote MySQL server under the attacker's control.
Once Adminer connects to that server, the attacker-controlled MySQL server can instruct the connecting client to hand over local files (the mechanism behind that Adminer file disclosure bug, which relies on the client honoring LOAD DATA LOCAL INFILE), letting the attacker read files, including the MySQL configuration and the WordPress PHP files, from the victim's server.
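The two conditions described above, leftover admin tooling reachable on a public URL and an Adminer login form whose credential fields arrive pre-filled, are straightforward to check for across a domain inventory like Astoria's 400 domains. The following Python script is an added example, not code from Night Lion Security or from the article, that probes each domain for the filenames named above and flags any Adminer page whose login fields are already populated. The suspect paths, the Adminer form field names (auth[server], auth[username], auth[password]) and the canned HTTP responses are assumptions constructed for the example; the fetch function is injected so the script runs offline, and in real use would be replaced with an HTTP client. It does not simulate the Adminer file disclosure itself.

```python
"""Probe domains for leftover DB-admin tooling and pre-filled Adminer logins.

Added example (not the researchers' code). Paths, field names and sample
responses below are assumptions constructed for illustration.
"""
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple

# Filenames to probe on every domain: the two artifacts the researchers named
# on mortgageleads.loans. Extend with your own inventory of admin tooling.
SUSPECT_PATHS = ("/adminer.php", "/Corex.php")

# Adminer's login form field names (assumption based on Adminer's markup).
CREDENTIAL_FIELDS = ("auth[server]", "auth[username]", "auth[password]")

# A fetcher maps a URL to (status, body), or None when the request fails / 404s.
Fetcher = Callable[[str], Optional[Tuple[int, str]]]


class _InputCollector(HTMLParser):
    """Collects name -> value for every <input> element on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: Dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs -> ""
        if a.get("name"):
            self.inputs[a["name"]] = a.get("value", "")


def analyze_page(body: str) -> Dict[str, object]:
    """Fingerprint a response body and list any pre-filled login fields.

    A pre-filled auth[password] is exactly the condition the researchers hit:
    anyone loading the URL can log in without knowing the credentials.
    """
    parser = _InputCollector()
    parser.feed(body)
    prefilled = {k: v for k, v in parser.inputs.items() if k in CREDENTIAL_FIELDS and v}
    return {
        "is_adminer": "adminer" in body.lower(),  # Adminer names itself in its title
        "prefilled": prefilled,
        "open_login": bool(prefilled.get("auth[password]")),
    }


def scan(domains: List[str], fetch: Fetcher) -> List[Dict[str, object]]:
    """Probe every suspect path on every domain; report those answering 200."""
    findings: List[Dict[str, object]] = []
    for domain in domains:
        for path in SUSPECT_PATHS:
            url = f"http://{domain}{path}"
            res = fetch(url)
            if res is None or res[0] != 200:
                continue
            info = analyze_page(res[1])
            info["url"] = url
            findings.append(info)
    return findings


# Constructed sample responses (not real captures). The first mimics a login
# page with the credentials already in the form; the third is a clean install.
SAMPLE_RESPONSES = {
    "http://mortgageleads.loans/adminer.php": (200,
        '<html><head><title>Login - Adminer</title></head><body>'
        '<form action="" method="post">'
        '<input name="auth[driver]" value="server">'
        '<input name="auth[server]" value="localhost">'
        '<input name="auth[username]" value="adminastoria">'
        '<input type="password" name="auth[password]" value="constructed-password">'
        '<input type="submit" value="Login"></form></body></html>'),
    "http://mortgageleads.loans/Corex.php": (200,
        "<html><body>Corex shell placeholder (constructed)</body></html>"),
    "http://example.test/adminer.php": (200,
        '<html><head><title>Login - Adminer</title></head><body><form>'
        '<input name="auth[server]" value="localhost">'
        '<input name="auth[username]" value="">'
        '<input type="password" name="auth[password]"></form></body></html>'),
}


def sample_fetch(url: str) -> Optional[Tuple[int, str]]:
    """Stand-in for an HTTP GET; unknown URLs behave like a 404 (None)."""
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    for f in scan(["mortgageleads.loans", "example.test"], sample_fetch):
        label = "OPEN LOGIN" if f["open_login"] else ("adminer" if f["is_adminer"] else "reachable")
        print(f"{f['url']}: {label} {f['prefilled']}")
```

Any hit on a suspect path is worth a ticket on its own; an `OPEN LOGIN` result means the database is effectively unauthenticated from the internet and should be treated as a live incident rather than a finding.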
“The newly revealed details indicate that the attack was not very sophisticated, as the administrative database credentials were pre-filled and a public URL would have provided full access,” Alvarado explained. “While the credentials may have been pre-filled in a malevolent fashion, as Astoria’s responses indicate,” he said, this casts a harsh light on how the company handled its databases and underscores the value cybercriminals place on personal data.
“If only one of the attack vectors were mitigated or corrected,” said Bar-Dayan, “this data breach could have been avoided.”
The unique perspective offered by Seller13 can serve as a cautionary tale and offer guidance to defenders on how to harden their organizations against similar attacks, Alvarado said. Beyond being a lesson in how a few simple steps would have better protected the databases, researchers at Night Lion suggested the incident could be used to persuade lawmakers to support a “comprehensive” federal breach notification standard. Congress has recently leaned in that direction, but meaningful progress has stalled repeatedly as lawmakers grappled with what such legislation should require. Will the Astoria Company breach revive those discussions? Maybe. More likely, however, it will slip onto the back burner for the foreseeable future.