Default router password leads to spilled military secrets

Undercover analysts recently came across an average-skill hacker peddling highly sensitive military data about tanks, drones, techniques to mitigate improvised explosive devices (IEDs) and more… who for the life of him couldn’t find a buyer.

He was a hacker sadsack, the researchers said: the hacker didn’t know how much to charge for what he was pushing, didn’t know where to sell it, and didn’t know who might want to buy it.

Business Insider quoted Andrei Barysevich, a researcher at Recorded Future, which on Tuesday posted a report about the discovery made by its threat intelligence team, known as the Insikt Group:

He had no knowledge of how much this data may cost and where and whom to sell it to.

Recorded Future says that its Insikt Group first spotted the attempted sale of what it believes are US Air Force and Army documents on 1 June, while monitoring criminal activities on the deep and dark web. As of Tuesday, as far as the Insikt Group can tell, the hacker still hadn’t drummed up any business, in spite of slashing his dark-web asking price to $150.

Business Insider reports that the hacker is believed to live in “a poverty-stricken country in South America.” He blamed lack of bandwidth for a slow internet connection that kept him from downloading as much information as he had hoped to get before he found a willing buyer. Eager for a quick sale, he was open to freely handing out samples to analysts.

In spite of his wonky connection, the English-speaking hacker claimed to have access to manuals for the MQ-9 Reaper – a “hunter-killer” drone that’s considered to be one of the most advanced and lethal military technologies commissioned in the past two decades – the M1 Abrams battle tank, a tank platoon training course, a crew survival course, and documents pertaining to IED mitigation tactics.

In the weeks that followed the discovery of the hacker’s attempted sale, undercover Insikt Group analysts kept the conversation going. The team verified that the hacker’s wares were legitimate, managed to identify the name and country of residence of somebody associated with a larger group that it believes the hacker’s subgroup is part of, and learned that the documents had been leaked via a previously disclosed FTP vulnerability in Netgear routers that dates back to 2016.

That remote-access hole would be Netgear’s CVE-2016-582384, which we wrote up in December 2016.

As Netgear reported at the time, and which Recorded Future pointed out, all it would have taken to protect a device from this well-known, easily exploited attack is a simple, 6-step process to change the default user name on a Netgear router from admin (ouch!) and the password from password (ay, yi, yi…).

The hacker used the Shodan search engine to look for misconfigured routers that use a standard port 21. Once attackers hit on a high-profile target found via Shodan, they can then compromise a system and steal its files.

That’s how the hacker first got into the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech Air Force base in Nevada. He stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU. Such books aren’t classified on their own, but adversaries can use them as a tool to assess any weaknesses that military equipment such as unmanned aerial vehicles (UAVs) might have.

The captain had just completed the Cyber Awareness Challenge and should have hardened his computer’s defenses to ward off unauthorized access, Recorded Future pointed out:

In this case, setting the FTP password.

The hacker caught the eye of Recorded Future analysts when he registered as a new member of a hacking forum and tried to sell the MQ-9 Reaper drone documents.

After he put the Reaper documents up for sale, the hacker listed another set of military documents, but this time, he didn’t disclose the source of his find. Recorded Future figures that, given the content, they were apparently stolen from the Pentagon or from an Army official.

This second set contained more than a dozen training manuals on the subjects of IED defeat tactics, an M1 Abrams tank operation manual, a crewman training and survival manual, and tank platoon tactics. Again, the documents weren’t classified, but most weren’t supposed to be shared with anybody but government agencies and contractors.

When he wasn’t Shodan-scooping unsecured military systems or looking for new, vulnerable computers to pounce on, he was whiling away the time by watching sensitive, live footage from border surveillance cameras and airplanes, the hacker told an Insikt Group analyst. He also bragged about accessing footage from an MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico: he posted a screenshot captured from the aircraft’s video footage.

Recorded Future alerted US officials to the breaches, after which the vulnerable computers were taken offline, ultimately cutting off the hacker’s access. The firm is now working with the Department of Homeland Security (DHS) on its investigation.

Barysevich told Business Insider that the hacker’s “above amateur” abilities gave researchers the impression that he might have been part of a group within a larger group. In other words, the attacker(s) seem to have had about enough wherewithal to exploit a simple vulnerability:

I wouldn’t say that they possess skills of highly advanced threat-actors. They have enough knowledge to realize the potential of a very simple vulnerability and use it consistently.

Insikt Group notes that military secrets aren’t the standard wares up for sale on the dark web. In fact, it’s “incredibly rare” to find such listings, the group said. Rather, most sales concern sensitive data such as personally identifiable information (PII), login credentials, financial information, and medical records.

Given the type of sensitive documents a mediocre hacker can exfiltrate from vulnerable military systems that are easily sourced with a tool such as Shodan, we can only imagine what “a more determined and organized group with superior technical and financial resources” could achieve, the group warned.

Unfortunately, the government – the keeper of some of the most sensitive data out there – is lagging when it comes to defending it, Insikt Group said:

The government is consistently lagging behind when it comes to the security training of its employees and protection of state secrets. Sadly, very few understand the importance of properly securing wireless access points (WAP), and even fewer use strong passwords and understand how to spot phishing emails.

Did somebody say “How to spot phishing emails?” We can help: check out the list of telltale signs we gave when we covered the Netflix phishing campaign.

Strong passwords? Here’s how to make them:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)