A prolific hacker gang that has plundered numerous companies by exploiting Adobe software has claimed another major victim, the automaker Citroën, the Guardian has learned.
One of Citroën's German websites was hacked to include a backdoor, a means of bypassing the site's normal authentication, which may have allowed the attackers to make off with the data held on the site's server.
A spokesperson for Citroën Germany said law enforcement should be contacted about the incident because it was a criminal act. Some customer data has been stolen, the spokesperson said, but it is not yet known how many customers are affected. Customers have been contacted and will be asked to check their bank accounts for any suspicious transfers.
The attackers planted the backdoor on shop.citroen.de, a fan shop selling Citroën merchandise. After The Guardian and Alex Holden, chief information security officer at Hold Security, disclosed the issue, the backdoor was removed, but investigations into the breach continue. The backdoor file had been online since at least August 2013.
According to Holden, it was certain that the same actors responsible for the breaches of several other sites – including Adobe, PR Newswire and the National White Collar Crime Center – were behind the breach of the Citroën site. Last year, security blogger Brian Krebs uncovered a trove of data gathered during those attacks.
The hackers scoured the Internet for weaknesses in an Adobe web application platform known as ColdFusion. "Exploitation has been targeted across the Internet in search of ColdFusion exploits," Holden said.
If the hackers had decided to steal data from the site, they would have had access to all the information on the server. “To simply explain the backdoor, it provides full command line and SQL database access with the rights of the user running web services, which usually means everything on the web server,” added Holden.
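One defender-side check that Holden's description suggests, written here as an added example that is not part of the original article and not code from Citroën, anyMotion, Hold Security or any other party named: a small Python script that walks a web root looking for ColdFusion pages that combine request input (`url.`/`form.` scope) with OS-command execution (`<cfexecute>`) or unparameterised SQL (`<cfquery>` without `<cfqueryparam>`), and for pages modified after a known-good baseline date. The file names, page contents and baseline date are constructed for the demonstration; the indicators are triage heuristics, not a signature of the specific backdoor discussed in the article.

```python
from __future__ import annotations

import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristic indicators (assumptions for this example, not a known signature):
# a ColdFusion page that reads request input and also runs OS commands or
# builds SQL without cfqueryparam deserves a human look.
EXEC_TAG = re.compile(r"<cfexecute\b", re.IGNORECASE)
SQL_TAG = re.compile(r"<cfquery\b", re.IGNORECASE)
PARAM_TAG = re.compile(r"<cfqueryparam\b", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\b(url|form)\.\w+", re.IGNORECASE)

# The article says the backdoor had been online since at least August 2013;
# a real deployment would use the date of its last verified-clean deployment.
BASELINE = datetime(2013, 8, 1, tzinfo=timezone.utc)


def classify_page(source: str) -> list[str]:
    """Return the indicator names that fire on one ColdFusion source file."""
    hits: list[str] = []
    takes_input = bool(REQUEST_INPUT.search(source))
    if takes_input and EXEC_TAG.search(source):
        hits.append("os-command-from-request")
    if takes_input and SQL_TAG.search(source) and not PARAM_TAG.search(source):
        hits.append("sql-from-request")
    return hits


def scan_webroot(root: str, baseline: datetime = BASELINE) -> list[dict]:
    """Walk a web root and report .cfm/.cfc files that fire an indicator or
    were modified after the baseline; each finding lists its reasons."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".cfm", ".cfc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = classify_page(fh.read())
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime > baseline:
                reasons.append("modified-after-baseline")
            if reasons:
                findings.append({"path": os.path.relpath(path, root),
                                 "reasons": sorted(reasons)})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot() -> str:
    """Create a constructed web root: two legitimate shop pages dated before the
    baseline and one suspicious page dropped into an images folder recently."""
    root = tempfile.mkdtemp(prefix="cf-webroot-")
    samples = {
        "index.cfm": "<cfoutput>Welcome to the shop</cfoutput>",
        # Parameterised query: takes request input but uses cfqueryparam.
        "product.cfm": ('<cfquery name="q" datasource="shop">SELECT * FROM products '
                        'WHERE id = <cfqueryparam value="#url.id#" '
                        'cfsqltype="cf_sql_integer"></cfquery>'),
        # Constructed suspicious page: command and SQL both come from the request.
        "images/h.cfm": ('<cfexecute name="#form.cmd#" timeout="10" variable="out">'
                         '</cfexecute><cfquery name="q" datasource="shop">'
                         '#form.sql#</cfquery>'),
    }
    old = datetime(2013, 1, 1, tzinfo=timezone.utc).timestamp()
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        if rel != "images/h.cfm":
            os.utime(path, (old, old))  # known-good pages predate the baseline
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(f"{finding['path']}: {', '.join(finding['reasons'])}")
```

The modification-time check is the cheap part and is also the easiest for an intruder to defeat, so the content indicators matter more; in practice this kind of scan belongs alongside a file-integrity baseline taken at deployment time, and anything it flags is a lead for a person to read, not a verdict.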
Citroën was not itself responsible for operating the site. It had hired the web design company anyMotion to run its main German website and the affected fan shop.
It is not clear whether credit card information was directly compromised, although Citroën's advice to customers to check their bank balances suggests that some sort of financial information was taken. Users' shopping carts and delivery addresses were also stored on the compromised server.
The passwords used to access the website and the administrator passwords used to run it have been reset, and buyers were initially barred from making purchases as a precaution.
The breach highlights the risks businesses face through third parties. "You can have all the security in the world within the four walls of the company; all you need is a third-party vendor who is connected to you. If they are compromised, that compromise has a direct link with your organization," said Rocco Grillo, managing director and global leader of incident response and forensic investigations at Protiviti, a consulting firm.
"If you outsource to a third party or rely on a third party, you don't just shut the door and say it's someone else's problem. You can outsource the function, but you ultimately bear the risk. If that third party hasn't put in place the same controls or the level of control that you need from a risk management perspective, there is obviously a problem. You run a serious risk if this company loses your data."
The attacks also demonstrate the need to patch vulnerable software. The ColdFusion vulnerabilities involved have since been fixed.