While it is good to have some answers as to how this might have occurred, what is worrying is the similarity between RiskIQ's announcement and the earlier Ticketmaster breach.
A clear lesson here for system owners and administrators is not to neglect the more mundane aspects of cybersecurity in the face of newer and more sophisticated attacks.
In the light of these findings, can you answer some basic questions about your server environment?
- What measures are in place to prevent an unauthorized person from gaining access to the operating system or application code and configuration?
- Do I have a notification process to tell me when something has changed, so that I can verify that the change is authorized and reverse it if it is not?
- What controls are in place to prevent my software or servers from initiating unauthorized calls to external destinations?
- Do I have a notification process to tell me of unusual communications activity from my servers, and to initiate an investigation to determine if further action is required?
You may be wondering why this might be an antique smoking gun. Malicious code injection is one of the oldest exploit types there is, but just because it is old school does not mean we should not be guarding against it.