Security Firm’s Domain Stolen by Hackers
A Dutch IT security firm had to face some unusual incident, when they came to know that cybercriminals have compromised their server and got access to some confidential information. This raises some serious question. If security firms aren’t safe, what chance does an ordinary firm or individual have?
The victim company Fox-IT on its blog revealed how the hackers laid their hands on the server bypassing its security infrastructure and obtaining customer’s credentials and other information.
As reported by Arstechnica, the hackers conducted a “man-in-the-middle attack, which took place for 10 hours and 24 minutes. The company explained that they were able to contain the attack within that time frame, thanks to the security procedure in place.
The company admitted, “As a result of the multi-layered security protection, detection and response mechanisms we had in place, the incident was both small and contained, but as a cybersecurity specialist it has made us look long and hard at ourselves.” The hackers used third-party domain registrar to gain initial access to its systems.
They then tampered with the domain name and IP address information for the company’s client portal, giving them almost full access to the Fox-it.com domain and its traffic.
“In the early morning of September 19, 2017, an attacker accessed the DNS records for the Fox-IT.com domain at our third-party domain registrar,” said the company.
“The attacker initially modified a DNS record for one particular server to point to a server in their possession and to intercept and forward the traffic to the original server that belongs to Fox-IT.
“The attack was specifically aimed at Client Portal, Fox-IT’s document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations.”
The hackers impersonate the domain and also decrypted the traffic, though the company managed to keep the situation under control, but the criminals were a step ahead and went on to access some of the files.
The company added, “We couldn’t prevent the attacker from intercepting a small number of files and information that they should not have had access to”. “An important first step in our response was to contact Law enforcement and share the necessary information with them to enable them to start a criminal investigation.”