Hacker group NullCrew claims to have broken into Comcast’s servers today, exploiting a vulnerability reported in December 2013, but not patched.
Over the weekend of 01 February 2014 the hacker group also claimed credit (?) for performing a SQL injection attack against telecom provider Bell Canada.
They were able to access account login and password details for more than 22,000 small business customers of Bell’s internet service.
The attackers allegedly contacted Bell customer support two weeks before the disclosure. The problem? Bell’s support staff seemingly didn’t know how to report the security incident upstream.
The customer service representative clearly didn’t understand the gravity, nor did they escalate to someone who did.
You need to be sure that your staff knows how to report an alleged security incident to the appropriate staff so it can be investigated and handled properly.
From what we can tell the same thing happened when NullCrew hacked Comcast.
It appears that Comcast, the largest internet service provider in the United States, uses Zimbra as an internal communications platform.
NullCrew exploited an unpatched security vulnerability, CVE-2013-7091, to gain access to usernames, passwords and other sensitive details from Comcast’s environment.
They posted the purloined data on pastebin and taunted the company on Twitter.
Sometimes it appears there is nothing we can do to protect ourselves, but in this case I think there is a valuable lesson.
The vulnerability exploited by the attackers was disclosed and fixed in December 2013. While that isn’t forever ago, it is enough time that it could have been remedied.
None of us can assume that criminals will take long, let alone 60 days, to work out how to take advantage of flaws in our programs.
We may have had the luxury of waiting 30 or even 120 days in the past, but today we must maintain an accurate and up-to-date inventory of all software that is deployed and patch it immediately.
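The inventory-and-patch advice above is easier to act on when the inventory is checked mechanically. The following Python script is an added example (not code from the article, from Sophos, or from Comcast) that compares a software inventory against a list of published fixes, flags every deployment still running a version older than the first fixed release, and reports how many days the fix has been available against a patching deadline. The product names, versions, hosts and dates in it are constructed for illustration and do not describe any real advisory.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Deployment:
    """One installed copy of a product, as it would appear in a software inventory."""
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Fix:
    """A published fix: the first version that contains it and the day it was disclosed."""
    product: str
    fixed_version: str
    disclosed: date


def parse_version(version: str) -> tuple:
    """Convert '2.1.10' into (2, 1, 10) so that versions compare numerically.

    Assumption: dotted, purely numeric version strings. A plain string
    comparison would wrongly rank '2.1.9' above '2.1.10'.
    """
    return tuple(int(part) for part in version.split("."))


def exposed_deployments(inventory, fixes, today, max_patch_days=30):
    """Return the deployments that are still older than the fixed version.

    Each finding records how long the fix has been public and whether that
    exceeds the patching deadline (max_patch_days). Findings are sorted so
    the longest-outstanding fixes come first.
    """
    fix_for = {fix.product: fix for fix in fixes}
    findings = []
    for dep in inventory:
        fix = fix_for.get(dep.product)
        if fix is None:
            continue  # no known fix for this product, nothing to compare against
        if parse_version(dep.version) < parse_version(fix.fixed_version):
            days_public = (today - fix.disclosed).days
            findings.append({
                "host": dep.host,
                "product": dep.product,
                "installed": dep.version,
                "fixed_in": fix.fixed_version,
                "days_since_fix": days_public,
                "past_deadline": days_public > max_patch_days,
            })
    return sorted(findings, key=lambda f: f["days_since_fix"], reverse=True)


# Constructed sample data: a three-host inventory and two hypothetical fixes.
SAMPLE_INVENTORY = [
    Deployment("mail-01", "examplemail", "2.1.4"),
    Deployment("mail-02", "examplemail", "2.2.0"),
    Deployment("web-01", "examplecms", "5.3.1"),
]
SAMPLE_FIXES = [
    Fix("examplemail", "2.2.0", date(2013, 12, 6)),
    Fix("examplecms", "5.4.0", date(2014, 1, 20)),
]


def sample_report(today=date(2014, 2, 6)):
    """Run the check over the constructed sample as of a fixed date."""
    return exposed_deployments(SAMPLE_INVENTORY, SAMPLE_FIXES, today)


if __name__ == "__main__":
    for finding in sample_report():
        status = "PAST DEADLINE" if finding["past_deadline"] else "within deadline"
        print(f"{finding['host']}: {finding['product']} {finding['installed']} "
              f"(fixed in {finding['fixed_in']}), fix public for "
              f"{finding['days_since_fix']} days, {status}")
```

Run against the constructed sample as of 6 February 2014, the script reports mail-01 as 62 days behind a fix that has been public since December (past a 30-day deadline) and web-01 as 17 days behind a more recent one; mail-02 is already on the fixed version and is not listed. The deadline value is the policy knob: the article's point is that it should be measured in days, not months.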
For some practical advice on patching, why not listen to this Techknow podcast?
Note: A Sophos employee has provided additional information suggesting some Comcast customer email accounts may have been impacted as well. It would be prudent for all Comcast customers to change their passwords to better ensure the integrity of their email.
3 comments on “Comcast servers compromised by same attackers as Bell Canada”
Could you provide more details about this compromise? Does this affect all Comcast subscribers? Does this affect Comcast.net (email) accounts, Comcast.com (subscriber) accounts, or both?
It isn’t clear precisely what impacts the hacks might have inside Comcast, but external evidence suggests it is Comcast employee/internal email systems, not customer emails.
Additional evidence suggests Comcast customers may have been impacted. It would be a good idea to change your password if you haven’t already.