The Apache Software Foundation was recently the victim of a targeted attack, which they’ve detailed at great length. It’s a fascinating read, and somewhat depressing, and also awesome in a completely evil way, all at the same time.

For the tl;dr crowd, an executive summary: the attackers used a previously unknown cross-site scripting bug in a third-party product, masked it behind a URL shortener, and then leveraged that into enough access to trap passwords as they were changed, followed by a global “reset your passwords pls” message… and then they got lucky (or somebody in ASF got sloppy). You’ll have to read the whole thing to get the details of the end game, but all told only one box at ASF was rooted, largely due to a fairly stringent set of internal security policies.

The awesome-in-an-evil-way part: the sophistication of this attack as well as the level of detail in the post-mortem is astounding. The Apache Infrastructure team deserves some major props for their writeup, and somewhere there’s a team of black hats that should really think about trying to do something productive — this much smarts applied to something other than breaking and entering would probably do some great things…

The depressing part: the shortened URL that kicked the whole mess off came in from the outside world and was captured in a help desk system — that’s the third-party product that had the previously unknown bug. That’s a pretty innocuous attack vector, all things considered — I probably click on dozens of those a day, without even thinking about it.

Imagine how your corporate or organizational security training would need to be updated to make people aware of the risks associated with URL shorteners, as well as what steps can be taken to mitigate those risks, in a way effective enough to have had a chance at preventing this attack. At this point, you’re probably either laughing or crying, so I’ll stop there, but DAMN. It gets more and more amazing to me, each and every day, that the Internet manages to function at all. That it continues to carry on is largely due to the work of people like the Apache Infrastructure team. (Remember this when Sysadmin Day rolls around…)
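One concrete mitigation step for the shortener problem is to expand a short link without clicking it and look at where it actually points. The helper below is an added example written for this post, not code from the ASF writeup or from any real shortener or help desk product: it resolves the redirect chain one hop at a time with HEAD requests that refuse to auto-follow, and flags destinations whose path, query or fragment carry markup or script fragments, which is the shape a reflected-XSS link takes. The `fetch_location` parameter is there so the logic can be exercised offline against a constructed redirect table; the hostnames and the redirect chain in `CONSTRUCTED_CHAIN` are made up for the example.

```python
"""Expand shortened URLs safely and flag script-looking destinations.

Hypothetical helper, added for illustration; not from the ASF post-mortem.
"""
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Fragments that have no business in a legitimate link's path/query/fragment.
SUSPICIOUS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon\w+\s*=", re.I),          # onload=, onerror=, ...
    re.compile(r"<\s*(img|svg|iframe)\b", re.I),
]


@dataclass
class Verdict:
    short_url: str
    target: Optional[str]          # final destination, or None if nothing redirected
    hops: int
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _decode(piece: str) -> str:
    """Percent- and HTML-unescape twice: links often get re-encoded by intermediaries."""
    for _ in range(2):
        piece = html.unescape(urllib.parse.unquote_plus(piece))
    return piece


def inspect_target(url: str) -> List[str]:
    """Return human-readable findings for one fully expanded destination URL."""
    parts = urllib.parse.urlsplit(url)
    findings = []
    if parts.scheme.lower() not in ("http", "https"):
        findings.append(f"non-web scheme: {parts.scheme!r}")
    for name, piece in (("path", parts.path), ("query", parts.query),
                        ("fragment", parts.fragment)):
        decoded = _decode(piece)
        for pat in SUSPICIOUS:
            if pat.search(decoded):
                findings.append(f"{name} matches {pat.pattern!r}")
    return findings


def default_fetch_location(url: str) -> Optional[str]:
    """One HEAD request that does NOT follow redirects; returns the Location header."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")


def expand(short_url: str,
           fetch_location: Callable[[str], Optional[str]] = default_fetch_location,
           max_hops: int = 5) -> Verdict:
    """Walk the redirect chain hop by hop, inspecting every intermediate target."""
    current, hops, findings = short_url, 0, []
    while hops < max_hops:
        nxt = fetch_location(current)
        if nxt is None:
            break
        nxt = urllib.parse.urljoin(current, nxt)   # Location may be relative
        hops += 1
        findings.extend(f"hop {hops}: {f}" for f in inspect_target(nxt))
        current = nxt
    return Verdict(short_url, current if hops else None, hops, findings)


# Constructed redirect table standing in for a real shortener (offline demo).
CONSTRUCTED_CHAIN = {
    "http://short.example/abc":
        "http://tracker.example/issues?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "http://short.example/ok": "https://www.example.org/docs/",
}


def fake_fetch(url: str) -> Optional[str]:
    return CONSTRUCTED_CHAIN.get(url)


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/ok"):
        v = expand(link, fake_fetch)
        print(link, "->", v.target, "SUSPICIOUS" if v.suspicious else "ok", v.findings)
```

In production the same `expand()` runs with the default fetcher against the live shortener; the point of the hop-by-hop walk is that a chain of two or three shorteners is inspected at every step, not just at the end, and the decoded query string is what a help desk or mail gateway would want to log alongside the original short link.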

