Hackers broke into at least 34 servers belonging to Comcast yesterday, dumping what appears to be a list of the company’s mail servers, passwords and a link to the root file that contains the vulnerability they used to penetrate the system.
The hacktivist collective NullCrew has claimed to have hacked a handful of corporations over the years (Sony, PayPal, Orange Telecom and Ford, to name a few) and took credit for the attack against Comcast on Wednesday on its official Twitter handle, @NullCrew_FTS.
“Fun Fact: 34 Comcast mail servers are victims to one exploit,” the group boasted yesterday afternoon before posting a Pastebin document full of leaked information as proof.
The compromised mail servers apparently run on Zimbra, a groupware email server whose Lightweight Directory Access Protocol (LDAP) directory service was the target of the attack.
NullCrew was able to exploit a local file inclusion (LFI) vulnerability in LDAP to gain access to the credentials and passwords.
An LFI vulnerability can allow an attacker to make a web application include files from the server's own filesystem through a script parameter and, where those files contain PHP code, execute it. OWASP's definition notes that attackers can take advantage of the vulnerability when sites accept user-supplied input without proper validation, something Comcast is apparently guilty of.
Through the vulnerability, NullCrew was able to access localconfig.xml, a file that contains Comcast LDAP administrative credentials, including LDAP passwords and credentials for MySQL and Nginx.
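The validation failure the OWASP definition describes, as an added example that is not from the article or from Zimbra: a template name taken from a request is joined into a path, first with no checks (so a traversal string reaches a config file outside the web root) and then with an allow-list plus a resolved-path check. The directory layout, file names and the sample config content are constructed for the demonstration.

```python
import os
import tempfile

# Constructed sandbox: a "web root" holding one public template, and a
# config file one level above it standing in for the localconfig.xml
# the article says was exposed. Hypothetical layout, not Zimbra's.
ROOT = tempfile.mkdtemp()
WEB_ROOT = os.path.realpath(os.path.join(ROOT, "htdocs"))
os.makedirs(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "header.tpl"), "w") as f:
    f.write("<h1>mail</h1>")
os.makedirs(os.path.join(ROOT, "conf"))
with open(os.path.join(ROOT, "conf", "localconfig.xml"), "w") as f:
    f.write("<key name='ldap_root_password'>SAMPLE-NOT-REAL</key>")

# Allow-list of template names the application is willing to include.
ALLOWED = {"header.tpl"}


def escapes_root(name: str) -> bool:
    """True if joining the raw request value resolves outside WEB_ROOT."""
    path = os.path.realpath(os.path.join(WEB_ROOT, name))
    return os.path.commonpath([path, WEB_ROOT]) != WEB_ROOT


def include_unchecked(name: str) -> str:
    """Vulnerable pattern: the request parameter is joined into a path and
    read with no validation, so '..' segments walk out of the web root."""
    with open(os.path.join(WEB_ROOT, name)) as f:
        return f.read()


def include_checked(name: str) -> str:
    """Hardened form: reject anything not on the allow-list, then confirm
    the normalised path is still inside WEB_ROOT (defence in depth)."""
    if name not in ALLOWED:
        raise ValueError("template not allowed: %r" % name)
    if escapes_root(name):
        raise ValueError("path escapes web root: %r" % name)
    with open(os.path.realpath(os.path.join(WEB_ROOT, name))) as f:
        return f.read()
```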
With that information they could make an API call and then carry out a privilege escalation, according to a chat log from a few weeks ago, posted today, between two hackers familiar with the vulnerability: _MLT_, formerly of TeaMp0isoN, and C0RPS3, also formerly of TeaMp0isoN but now with NullCrew.
The hack is the second that NullCrew has taken credit for in the past week. On Sunday, telecom company Bell Canada announced that it had been breached and that more than 22,000 usernames, passwords and some credit card numbers belonging to the phone company's small business customers had been leaked.
While Bell acknowledged the breach over the weekend, blaming it on an Ottawa-based third-party supplier, NullCrew publicized the company’s insecurities in mid-January, even posting a warning it issued to a company support representative about the vulnerabilities. NullCrew delivered on Saturday, posting a link on Twitter to a Pastebin document, since deleted, full of Bell customer data.
While user information, including five valid credit card numbers, was breached in the Bell attack, Comcast customer information is not expected to be implicated in yesterday’s attack.
Requests for comment directed to Comcast, which has not yet made a public statement about the hack, were not immediately returned on Thursday.