In May, a hacker perusing vulnerable systems with the Shodan search engine found a Netgear router with a known vulnerability—and came away with the contents of a US Air Force captain’s computer. The purloined files from the captain—the officer in charge (OIC) of the 432d Aircraft Maintenance Squadron’s MQ-9 Reaper Aircraft Maintenance Unit (AMU)at Creech Air Force Base, Nevada—included export-controlled information regarding Reaper drone maintenance.
The hacker took the documents to a Dark Web marketplace, where he planned on selling them for a few hundred dollars. And it’s there that analysts from Recorded Future, an information security threat intelligence company, discovered them.
US Air Force/Recorded Future
The vulnerability, which makes it possible for an attacker to remotely execute commands and gain access to the root directory of the router via FTP, was disclosed by Netgear over a year ago. Discoverable by searching Shodan for devices with Internet Protocol port 21 open and response text including “214-ADMIN_LOGIN,” the vulnerability allowed attackers to compromise routers and then gain access to the local network. They could then either grab files passing over the network or gain access to devices on it.
Thousands of routers are still potentially vulnerable to this sort of attack, based on a search of Shodan conducted by Ars—including 1,368 in the United States alone. The main mitigation for the flaw is a basic bit of router configuration best practices—changing the administrative password reduces the likelihood of an attacker gaining remote command execution access.
However, the victim—who, based on documents shared by the hacker, completed a “Cyber Awareness Challenge” in February—or someone in his chain of command had not changed the router password. Slides for a Reaper maintenance training course, course books, and other maintenance documents were purloined along with the certificate.
Analysts from Recorded Future’s Insikt Group discovered the data for sale on the Dark Web on June 1. They engaged the individual selling the information and “confirmed the validity of the compromised documents,” Recorded Future’s Andrei Barysevich wrote in a report on the compromise. “Insikt Group identified the name and country of residence of an actor associated with a group we believe to be responsible. We continue to assist law enforcement in their investigation.”
The individual selling the documents also later offered additional documents from an unknown source, including US Army documents describing tactics for defeating improvised explosive device attacks, M1 ABRAMS tank operation, tank crew training and survival, and tank platoon tactics. While Insikt’s researchers speculated these might have been part of another breach, the documents themselves are not classified—and many of them are available through the Army’s own publications website or other sources.
However, the IED manual—ATP 3-90.37—is marked as “NOT RELEASABLE TO FOREIGNERS (NOFORN)” and is supposed to be available only to government agencies and contractors. The researchers were not able to determine the source of the documents during their engagement with the individual claiming to have stolen them.
During the course of interacting with Insikt Group analysts, the hacker claimed that he spent his down time watching live video footage from US Customs and Border Patrol drones as well as other aircraft and ground-based surveillance cameras. He posted screen shots that he purported to be of “footage from a MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico,” Barysevich reported.
On the bright side, the contents of these documents may not be as sensitive as some of the other things for sale on the Dark Web. As McAfee’s Advanced Threat Team reported in a blog post today, Remote Desktop Protocol (RDP) logins for the building automation systems at a large international airport were found for sale on the Dark Web as well—for a mere $10.