Re:Store, Samsung, Sony Centre, Nike, LEGO and Street Beat customer data leaked

Last week, Kommersant reported that "the client bases of Street Beat and Sony Center were in the public domain", but in fact everything is much worse than the article says.


I have already done a detailed technical analysis of this leak in my Telegram channel, so here we will go over only the main points.

Disclaimer: all information below is published exclusively for educational purposes. The author did not gain access to the personal data of third parties or companies. The information was taken either from open sources or was provided to the author by anonymous well-wishers.

Yet another Elasticsearch server was freely accessible, with the following indexes:

  • graylog2_0
  • readme
  • unauth_text
  • http:
  • graylog2_1

graylog2_0 contained logs from 16.11.2018 to March 2019, and graylog2_1 contained logs from March 2019 to 04.06.2019. Until access to the Elasticsearch was closed, the number of records in graylog2_1 kept growing.

According to the Shodan search engine, this Elasticsearch had been freely accessible since 12.11.2018 (while, as noted above, the first entries in the logs are dated 16.11.2018).

In the logs, the gl2_remote_ip field contained the IP addresses 185.156.178.58 and 185.156.178.62, with the DNS names srv2.inventive.ru and srv3.inventive.ru:


I notified Inventive Retail Group (www.inventive.ru) about the problem on 04.06.2019 at 18:25 (Moscow time), and by 22:30 the server had "quietly" disappeared from free access.

The logs contained (all figures are estimates; duplicates were not removed from the counts, so the amount of actually leaked information is most likely smaller):

  • over 3 million customer email addresses of re:Store, Samsung, Street Beat and Lego
  • over 7 million customer phone numbers of re:Store, Sony, Nike, Street Beat and Lego
  • more than 21 thousand login/password pairs from the personal accounts of buyers of the Sony and Street Beat stores
  • most phone and email records also contained full names (often in Latin script) and loyalty card numbers

An example from a log relating to a Nike store customer (all sensitive data has been replaced with "X" symbols):

"message": "{"MESSAGE":"[URI] /personal/profile/[МЕТОД ЗАПРОСА] contact[ДАННЫЕ POST] Arrayn(n    [contact[phone]] => +7985026XXXXn    [contact[email]] => [email protected]    [contact[channel]] => n    [contact[subscription]] => 0n)n[ДАННЫЕ  GET] Arrayn(n    [digital_id] => 27008290n    [brand] => NIKEn)n[ОТВЕТ СЕРВЕРА] Код ответа - 200[ОТВЕТ СЕРВЕРА] stdClass Objectn(n    [result] => successn    [contact] => stdClass Objectn        (n            [phone] => +7985026XXXXn            [email] => [email protected]            [channel] => 0n            [subscription] => 0n        )nn)n","DATE":"31.03.2019 12:52:51"}",

And here is an example of how logins and passwords for buyers' personal accounts on the sc-store.com and street-beat.com websites were stored in the logs:

"message":"{"MESSAGE":"[URI]/action.php?a=login&sessid=93164e2632d9bd47baa4e51d23ac0260&login=XXX%40gmail.com&password=XXX&remember=Y[МЕТОД ЗАПРОСА] personal[ДАННЫЕ  GET] Arrayn(n    [digital_id] => 26725117n    [brand]=> SONYn)n[ОТВЕТ СЕРВЕРА] Код ответа - [ОТВЕТ СЕРВЕРА] ","DATE":"22.04.2019 21:29:09"}"
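As an added illustration (this is not code from the original post or from IRG): a small Python scrubber that takes Graylog records of the shape shown above, reports which categories of sensitive values each MESSAGE contains, and masks them before the record is indexed. The sample records and every value in them are constructed; the patterns cover only what the leaked records above show (passwords and session ids in query strings, e-mail addresses, Russian mobile numbers).

```python
import json
import re

# Constructed Graylog records in the shape shown above (inner JSON with MESSAGE
# and DATE); every value here is made up and is not from the leaked data.
SAMPLE_RECORDS = [
    json.dumps({"MESSAGE": "[URI] /action.php?a=login&sessid=0123456789abcdef"
                           "&login=user%40example.com&password=hunter2&remember=Y"
                           "[МЕТОД ЗАПРОСА] personal",
                "DATE": "22.04.2019 21:29:09"}, ensure_ascii=False),
    json.dumps({"MESSAGE": "[URI] /personal/profile/[МЕТОД ЗАПРОСА] contact"
                           "[ДАННЫЕ POST] Array\n(\n    [contact[phone]] => +79850261234\n"
                           "    [contact[email]] => user@example.com\n)",
                "DATE": "31.03.2019 12:52:51"}, ensure_ascii=False),
]

# Values that must never reach a log: credentials and session ids passed in the
# query string, plus the e-mail addresses and +7 mobile numbers seen in the logs.
# The value classes exclude "<" so an already inserted marker is never re-matched.
PATTERNS = {
    "password": re.compile(r"(?<=[?&]password=)[^&\s\[<]+"),
    "sessid": re.compile(r"(?<=[?&]sessid=)[^&\s\[<]+"),
    "email": re.compile(r"[\w.+-]+(?:@|%40)[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\d)\+?7\d{10}(?!\d)"),
}

def find_sensitive(message):
    """Count each category of sensitive value present in one MESSAGE string."""
    return {name: len(rx.findall(message))
            for name, rx in PATTERNS.items() if rx.search(message)}

def redact(message):
    """Replace every sensitive value with a category marker; the log structure is kept."""
    for name, rx in PATTERNS.items():
        message = rx.sub("<%s-REDACTED>" % name.upper(), message)
    return message

def scrub_record(record_json):
    """Scrub one Graylog record (JSON text); return the scrubbed JSON and the findings."""
    record = json.loads(record_json)
    findings = find_sensitive(record["MESSAGE"])
    record["MESSAGE"] = redact(record["MESSAGE"])
    return json.dumps(record, ensure_ascii=False), findings

if __name__ == "__main__":
    for raw in SAMPLE_RECORDS:
        scrubbed, findings = scrub_record(raw)
        print(findings)
        print(scrubbed)
```

A non-empty findings dict is the detection signal: in a pipeline this is the point to raise an alert that an application is logging credentials or contact data at all, since redaction only limits the damage of a logging bug and does not fix it.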

The official IRG statement on this incident can be read here; an excerpt from it:

We could not ignore this moment and changed the passwords to the personal accounts of clients to temporary ones in order to avoid the possible use of data from personal accounts for fraudulent purposes. The company does not confirm the leakage of personal data of street-beat.ru customers. All Inventive Retail Group projects were additionally checked promptly. No threats to personal data of customers were detected.

It is bad that IRG cannot figure out what has leaked and what has not. Here is an example from the log relating to a customer of the Street Beat store:

"message": "{"MESSAGE":"'DATA' => ['URI' => /local/components/multisite/order/ajax.php,'МЕТОД ЗАПРОСА' = contact,'ДАННЫЕ POST' = Arrayn(n    [contact[phone]] => 7915545XXXXn)n,'ДАННЫЕ  GET' =nttArrayn(n    [digital_id] => 27016686n    [brand] => STREETBEATn)n,'ОТВЕТ СЕРВЕРА' = 'Код ответа - '200,'RESPONCE' = stdClass Objectn(n    [result] => successn    [contact] => stdClass Objectn        (n            [phone] => +7915545XXXXn            [email] => [email protected]","Дата":"01.04.2019 08:33:48"}",

However, let's move on to the really bad news and explain why this is precisely a leak of the personal data of IRG customers.

If you look closely at the indexes of this freely accessible Elasticsearch, you can see two names among them: readme and unauth_text. This is a characteristic trace of one of the many ransomware scripts that hit Elasticsearch servers; this one has hit over 4 Elasticsearch servers around the world. The content of readme looks like this:

"ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY"

During the time the server with the IRG logs was freely accessible, the ransomware script definitely gained access to the customers' information and, according to the message it left, the data was downloaded.

In addition, I have no doubt that this database was found before me and had already been downloaded. I would even say that I am sure of it. It is no secret that such open databases are purposefully searched for and downloaded in bulk.

News about information leaks and insiders can always be found on my Telegram channel "Information leaks": https://t.me/dataleak.

Source: habr.com
