A sysadmin at a number one mechanical device vendor denote a firewall configuration file, as well as passwords, into a public Cisco support forum in 2011, gap the corporate up to attainable attack.
The config files expose a wealth of knowledge helpful to Associate in Nursing wrongdoer, as well as the name, hostname, and ASA version range. whereas there's no proof that the mechanical device vendor was compromised, this accidental discharge of knowledge is "juicy intelligence," Dan Tentler, founder and corporate executive of satellite cluster, Associate in Nursing attack simulation security company, tells.
"If you have got a crack team of housebreaker varieties and they are all attending to burgled a building, this firewall configuration file is that the equivalent of finding the ground set up of the building they're reaching to burgled," Tentler says.
Compromising the computer code offer chain of a mechanical device vendor would be a years-long endeavor, requiring careful designing and long-run persistence within the company's network. It remains unclear if this "floor plan" was ever employed by Associate in Nursing wrongdoer because the mechanical device vendor has not answered that question with rhetorical certainty.
One of the ASA devices seems to be a firewall on the company's development and testing network. Associate in Nursing wrongdoer World Health Organization used this intelligence to compromise the mechanical device vendor's network may have used works backdoors ("remote access software") to hack vote machines. they might have deep-seated refined microcode backdoors or engaged in spear phishing attacks against native election officers.
A nation-state wrongdoer may even have derived the mechanical device ASCII text file and used it to seem for security flaws. "The mechanical device vendors...are actually on the microwave radar of powerful attackers, as well as nation-state adversaries," Alex Halderman, a prof of computing at the University of Michigan, Associate in Nursing a knowledgeable of mechanical device security, tells. "The networks they're mistreatment for developing, testing, and debugging election system computer code area unit probably to be probed by attackers World Health Organization would wish to weaken the protection of our elections."
"If you'll get into one in every of these vendors," he adds, "take the ASCII text file to the vote machines, that is of huge advantage to somebody UN agency needs to attack them."
In the forum postings, that area unit still public at the time of this writing, the mechanical device merchandiser worker asked for facilitate configuring a Cisco ASA 5505 — a firewall appliance — and includes sensitive details regarding the company's internal network layout, likewise as passwords (likely the default passwords), writing, "Here is my running config."
In one forum post, the worker asks for help:
I am making an attempt to line up a DMZ with an interior VLAN to transfer SFTP (SSH) firmly. I am unable to get the within the computer to attach to the SFTP (SSH) server. I actually have bought and activated the safety upgrade My DMZ server. My computer making an attempt to travel from the within to the DMZ.
The employee continues to provoke facilitate, writing in another forum post, "I would really like to trammel the safety on my Firewall. am I able to take away my ‘any any’ statements in my access lists? Here's my config."
It's doable, of course, that the sysadmin modified the passwords before posting to the Cisco support forum, though the language used ("Here is my running config") suggests otherwise. it is also doable the passwords were modified afterward.
Even if the passwords were ne'er valid, this firewall config offers associate aggressor valuable intelligence. "This info is incredibly helpful for associate aggressor that’s targeting this organization with a political goal in mind," Tentler says. "If Russia found this and was deciding to focus on this organization, this can be gold."
We found what we have a tendency to believe to be the employee’s LinkedIn profile, that shows the worker now not works for the corporate. Neither the mechanical device merchandiser nor the previous worker competent our press inquiries.
"I hope that vendor has enforced immensely higher security coaching since 2011 so as to avoid additional security leaks of this nature," Halderman says, "but nothing that I actually have seen would lead Maine to believe their security has improved to the extent necessary to stave off nation-state adversaries."