Staminus, a California-based internet hosting provider that specializes in helping sites stay online when distributed denial of service (DDoS) attackers try to elbow them off, was itself the target of a cyber broadside last week.
At any rate, it started last week, with reports of the company’s site being down as of Thursday. But as of Monday, it was again, or maybe still, sucking wind.
Staminus on Friday put out a statement confirming that its network security had been popped and invaded, systems had been “temporarily” taken offline, and customer data had been published online.
The company posted a series of updates on Twitter and Facebook while its website was down, explaining that this was a “rare event.”
Around 5am PST today, a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable.
— DDoS Protection (@StaminusComm) March 10, 2016
But even while Staminus techs were scrambling to drag the company’s site back online, whoever mugged it was dumping its private data online in what security journalist Brian Krebs called a “classic ‘hacker e-zine’ format” called “F**k ’em all.”
Krebs reports that the page included links to download databases reportedly stolen from Staminus and from Intreppid, another Staminus project that targets customers looking for protection against large DDoS attacks.
The huge data dump included customer names and email addresses, database table structures, routing tables, support tickets, credit card numbers (according to Krebs, at any rate; Ars Technica’s Sean Gallagher didn’t see any when he viewed the dump), and other sensitive data.
A Staminus customer who requested anonymity confirmed to Ars that his data was part of the dump.
Those behind the dump claimed to have gained control of Staminus’s routers and to have reset them to factory settings.
The hacker “e-zine” that contained all the sensitive data began with a note from the attacker titled “TIPS WHEN RUNNING A SECURITY COMPANY.”
Then, it went on to list tips for what were supposedly the security holes found during the breach:
- Use one root password for all the boxes
- Expose PDU’s [power distribution units in server racks] to WAN with telnet auth
- Never patch, upgrade or audit the stack
- Disregard PDO [PHP Data Objects] as inconvenient
- Hedge entire business on security theatre
- Store full credit card info in plaintext
- Write all code with wreckless [sic] abandon
On Thursday, Staminus reported that some services were back online or in the process of being brought back and that “We expect full service restoration soon.”
Then, another message posted on Friday pointed to the statement from the company’s CEO.
That was the last message. What followed was radio silence, unbroken as of Monday evening.
Krebs pointed out that the attack isn’t surprising: anti-DDoS providers are a common target for attackers.
Image of DDoS attacker courtesy of Shutterstock.com
3 comments on “Attacker leaves “SECURITY TIPS” after invading anti-DDoS firm Staminus”
The attack isn’t surprising. It’s success is though (or at least should be). If all of those security “tips” left by the attackers turn out to have been true, then that is very disturbing.
They deserved it if all that is true. Seriously? They’re a security company that could have gotten hit by a typical drive by… Oh well. Restore away Staminus, you probably wont have any customers when you return.
Anybody else just feeling a Mr.Robot scenario?