It turns out that the group was likely able to get a big bang for its buck by tapping into one large hosting company in Israel, then rifling through several of that hoster’s clients in order to compromise a wellspring of them. Hack once, compromise many.
Security firm Imperva looked into the hacked domain list, and noticed that most of the domains in the disclosed list are hosted on the same server at the same hosting company. It also saw that the server itself runs PHP v5, which contains known vulnerabilities.
“Although this is merely educated speculation, it seems that the hackers were able to exploit a configuration mistake in the server rather than individual vulnerabilities in the hosted applications or taking over the entire server through a vulnerability in a single application,” said Imperva researcher Barry Shteiman, in a blog. “In a shared hosting environment, one rotten apple spoils the barrel – so a single vulnerability may result in owning the entire server and the database that holds data for all applications.”
In other words, when an application is hosted on a shared hosting server, even if one application owned by company A is secured, if a second application owned by company B is not so secure and is being hacked, the end result may be a breach to both. This is also true to a secured application on an insecure platform.
Shteiman offered some tips to hosters for preventing this type of cross-pollination. For one, proper server administration should enable creating silos in terms of database servers, virtual directories and permissions per customer. Shteiman was careful to point out that this reduces the risk, but does not remove it.
He added that hosters should offer compartmentalization services to digital and hosted customers by adding web application controls. It’s a tactic that physical customers in places like data centers have enjoyed for years – web hosters should simply deploy a virtualized version of that.
Also, the security approach should take special care to ensure that the management platform is secure, since plenty of hoster hacks are breached via an insecure management console that allows file changes and DNS changes.
And, finally, “offer web vulnerability scans to your customers, because most companies do not have the experience that hosters have dealing with web applications and the security required around them,” he concluded. “It makes sense that customers that outsource hosting their applications will appreciate outsourcing the security around them. However, to complete the cycle scanning is not enough! Once vulnerabilities are found it is critical to use controls such as web application firewalls to remediate the findings.”