Logica Infiltrated Multiple Times By Automated Tools
Logica, later CGI, was on the list of hacked companies in what has been called Sweden’s largest hacking case. In its report on the IT security incident of 2012, Logica wrote that the perpetrators managed to gain system access at the end of February 2012: it believed 2012-02-25 to be the start date, but noted that a series of attack attempts had been launched earlier.
On 26th August the Swedish Defence Force (Försvarsmakten), FRA (Swedish National Defence Radio Establishment), the Swedish Police and the Swedish Civil Contingencies Agency gave a talk describing modern cyber threats at a conference on information security held by the Swedish government. The talk mentioned the breaches of Logica’s systems, but more importantly it stated that Logica had been hacked months before the incidents involving the mainframe occurred. The PDF containing the slides from the talk can be downloaded here; page 18 shows a screenshot of a mirrored defacement page.
“When the main investigation started, there were a lot of uncertainties on what parts were compromised or which potentially other systems were involved in the incident. Thus there have been a number of different side tracks during the main investigation.” – Logica security incident report page 28
One of those side tracks involved a computer named SCAP0023 in Logica’s incident report. It is worth clarifying at this point that the PDF of the incident report available on the Internet was scanned from a physical copy and then digitised, so some characters in it are wrong because of OCR errors; for example, an “E” may have been recognised as a “C”. Quoting Wikileaks on the matter: “The material is formally public, but the Swedish prosecution authority has refused to provide the documents in digital format. Photocopying this volume of paper costs around £350.”
Inspired by the way the Danish Police is able to conduct forensic analysis and secure evidence without even seeing the computers in question, I set out to do the same thing. With a little black Internet magic I waded through the Internet Archive’s Wayback Machine and discovered 108 mirrored URLs for ux.logica.se, the same Logica domain that was hacked before the mainframe intrusions occurred.
“SCAP0023 Server hosting multiple web servers for many legacy companies in the Logica group, e.g. WM-Data.” – Logica security incident report page 22
To build a reasonably readable timeline, here are the URLs the Wayback Machine mirrored, in chronological order:
May 16 2011 http://ux.logica.se:80/.?page=case_study
May 17 2011 http://ux.logica.se:80/index.php?page=case_study
May 17 2011 http://ux.logica.se:80/index.php?page=start
May 17 2011 http://ux.logica.se:80/index.php?page=we_are
May 17 2011 http://ux.logica.se:80/index.php?page=we_do
July 17 2011 http://ux.logica.se:80/index.php?page=contact
One month later, on August 23 2011, Zone-H created the mirror of the defacement page that was included in the talk at the Swedish government’s yearly information security conference. The ux.logica.se domain had been defaced by ir4dex.
Suddenly the Wayback Machine picked up some interesting paths:
February 15 2012 http://ux.logica.se:80/tmp/cases/case7.php
February 16 2012 http://ux.logica.se:80/tmp/cases/?act=ls&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp&sort=0a
February 17 2012 http://ux.logica.se:80/tmp/cases/
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=about
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=chmod&f=c999sh_backconn.278.c&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp%5Ccases
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=selfremove
Half a year after ir4dex defaced ux.logica.se, the Wayback Machine was crawling malicious files on Logica’s server: the C99 and Fx29 PHP shells, two popular tools used as part of automated website compromise. Not only had Logica been defaced; six months later the Wayback Machine was indexing the backdoors left behind.
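A defender can run the same check against their own domains. The following is an added Python example (my own code, not the author’s or Logica’s): it builds a Wayback CDX API query for a domain and flags archived URLs carrying the C99/Fx29 indicators seen above, run here over constructed sample CDX lines modelled on the captures listed in the post. The indicator list and the four-field CDX output format are my assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs, urlencode

# Indicators taken from the archived URLs and file names quoted in the post: C99/Fx29 "act=" verbs, backconnect helpers, nc.exe, ASP drops.
SHELL_ACTS = {"ls", "about", "chmod", "selfremove"}
SHELL_FILES = re.compile(r"(c999sh_backconn|(^|/)nc\.exe$|\.aspx?$)", re.I)
WIN_PATH = re.compile(r"^[A-Za-z]:\\")  # a decoded d= value such as E:\Inetpub\...

def cdx_query_url(domain: str) -> str:
    """Wayback CDX API query listing every capture under a domain (text output, four fields)."""
    fields = {"url": domain, "matchType": "domain", "fl": "urlkey,timestamp,original,statuscode"}
    return "http://web.archive.org/cdx/search/cdx?" + urlencode(fields)

def shell_indicators(url: str) -> list:
    """Reasons a captured URL looks like web-shell traffic; an empty list means nothing matched."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)  # parse_qs percent-decodes the values for us
    hits = ["act=" + a for a in qs.get("act", []) if a in SHELL_ACTS]
    hits += ["dropped file in query: " + f for f in qs.get("f", []) if SHELL_FILES.search(f)]
    hits += ["server path in query: " + d for d in qs.get("d", []) if WIN_PATH.match(d)]
    if SHELL_FILES.search(parts.path):
        hits.append("dropped file in path: " + parts.path)
    return hits

def parse_cdx(text: str) -> list:
    """Parse CDX lines of the form 'urlkey timestamp original statuscode' into dicts."""
    rows = []
    for line in text.strip().splitlines():
        _key, ts, original, status = line.split()[:4]
        rows.append({"when": datetime.strptime(ts, "%Y%m%d%H%M%S"), "url": original, "status": status})
    return rows

def suspicious_timeline(text: str) -> list:
    """Chronological (date, url, indicators) for captures matching at least one indicator."""
    flagged = []
    for row in parse_cdx(text):
        hits = shell_indicators(row["url"])
        if hits:
            flagged.append((row["when"].strftime("%Y-%m-%d"), row["url"], hits))
    return sorted(flagged)

# Constructed sample in CDX text format, modelled on the captures listed in the post.
SAMPLE_CDX = """\
se,logica,ux)/index.php?page=start 20110517000000 http://ux.logica.se:80/index.php?page=start 200
se,logica,ux)/tmp/cases/case7.php 20120215000000 http://ux.logica.se:80/tmp/cases/case7.php 200
se,logica,ux)/tmp/cases/?act=ls 20120216000000 http://ux.logica.se:80/tmp/cases/?act=ls&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp&sort=0a 200
se,logica,ux)/tmp/cases/?act=chmod 20120217000000 http://ux.logica.se:80/tmp/cases/?act=chmod&f=c999sh_backconn.278.c&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp%5Ccases 200
se,logica,ux)/tmp/cases/?act=selfremove 20120217000000 http://ux.logica.se:80/tmp/cases/?act=selfremove 200
"""
```

Note that case7.php itself is not flagged: the shell only becomes visible through the query strings the crawler followed, which is why the act= verbs and decoded server paths are the useful signal.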
A cached version of the Fx29 shell reveals a server containing four drives: A:\, C:\, D:\ and E:\. E:\ contained the web root directory, more specifically E:\Inetpub\wwwroot\ux.logica.se\, with 5.31/15 GB disk usage. It was running Microsoft IIS 6.0 and PHP 5.2.9 on Windows NT SE-AP0023 5.2 build 3790 as user IUSR_SE-AP0023.
SE-AP0023 looks like exactly the kind of string that would have been misread as SCAP0023 when Logica’s security incident report was digitised. The server was investigated as a side track. Unfortunately Logica wrote very little about its investigation of this server:
“Appendix Y: SCAP0023/www.wmdata.* investigative side track
The SCAP0023 server is a server hosting web pages for Logica, not their customers. The web pages and the domains associated with that system are to host a legacy web for one of the previous company names and companies that make up the current Logica company. The old company was named “WMData”.
The incident involving SCAP0023 was related to defaced web pages, e.g. unauthorized and maliciously changed web pages.
The detailed info from this incident is based on performing analysis of the disk.
SCAP0023 is a Windows server system running IIS.
The defacement was added on multiple web sites hosted by the SCAP0023 server in August 2011, thus many months before the (current) incident involving the mainframe.
A forensic investigation was initiated on the disks that have been part of the system. The investigation showed that the defacements were performed with automated tools, and that the system was attacked and infiltrated multiple times.” – Logica security incident report page 534
That description fits the hacked SE-AP0023 found through the Wayback Machine perfectly. By reading the cached versions of the PHP shell we can extract some more interesting details, namely the files related to the hack:
February 13 2012 12:42:39 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\
February 13 2012 13:18:24 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\c999sh_backconn.278.c
February 13 2012 13:19:01 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\c999sh_backconn.756.pl
February 13 2012 13:38:17 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\case7.php
February 13 2012 14:40:43 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\nc.exe
February 25 2012 15:42:13 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\attack(1).asp
February 26 2012 07:04:51 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\11.aspx
March 19 2012 05:01:46 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\sa.php
Logica wrote in its report that it believes 25th February 2012 to be the first day of relevant attacks. Note that this was the first day somebody uploaded a file with an ASP extension: “attack(1).asp”. However, the server had already been defaced and backdoored well before that day, and the only action Logica took was to remove the defacement page, leaving both the vulnerabilities and the backdoors in production.
It appears that all intrusions against this web server went through the same vulnerability, one that let attackers write to the .\tmp\cases\ directory, which the Wayback Machine’s latest crawl of the PHP shell listed as both readable and writable for the user serving the web content.