Updated on: March 29, 2021
Astoria Company operates a lead exchange, connecting consumers with the products and services they seek in near-real-time across multiple industries. Astoria does not package or resell consumer data, and the company’s commitment to data security goes beyond industry standard practice. In early 2021, Astoria became aware of a cyber-attack on one of its secondary hosting environments. Proximity to Astoria’s lead exchange prompted quick action by the company to mitigate the threat, and an internal investigation was immediately started to follow up on the potential intrusion. The following report summarizes the results of Astoria’s internal investigation thus far.
Two potential rogue actors were involved in the intrusion: User A, who visited the site from an Eastern-US IP address and was subsequently traced to VPN servers located in Europe, and who we believe to be a cyber-criminal or hacker; and User B, who visited the site and browsed the database from a collection of three Central-US IP addresses.
Internet scans by User A uncovered a defunct WordPress site on one of Astoria’s secondary server instances. A recent attempt to revive and update the codebase by one of Astoria’s development staff left the common database management application Adminer present in the filesystem. Adminer alone requires authentication and does not allow access to any local database for which the user does not possess access credentials. Because this software is outside the common library of tools used by the company, it was previously thought that the credentials to the WordPress database may have been saved in the application and used to access the WordPress database prior to the intrusion. However, recent research and testing have shown that the version of Adminer present on the server during the attack saved “permanent login” credentials to a session identified by a 30-day cookie stored on the user’s machine, not on the server itself. Therefore, despite reports currently circulating on the web, the database was not left accessible to the world; gaining access to view the Astoria database in question required the use of an exploit in which a connection to a remote database is used to execute a command that places a rogue file on the target filesystem. Astoria removed all instances of Adminer as soon as the company became aware of their presence.
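A defender-side check for the root cause described above, added here as an example and not part of Astoria’s statement or of any Astoria tooling: it walks a deployed web root for leftover Adminer copies, matching both the stock filename and, for renamed copies, the header comment and `adminer_object()` hook named in the comments (both are assumptions), over a constructed sample tree.

```python
import os
import re
import tempfile

# Heuristics (assumptions for this example): Adminer ships as a single PHP file
# named adminer.php or adminer-<version>.php, and a renamed copy still carries
# its header comment and the adminer_object() extension hook.
ADMINER_FILENAME = re.compile(r"^adminer(-[\w.]+)?\.php$", re.IGNORECASE)
ADMINER_CONTENT_MARKERS = ("Adminer - Compact database management", "adminer_object")


def find_leftover_db_tools(web_root):
    """Walk a deployed web root and return sorted relative paths of files that
    look like Adminer copies, whether or not they were renamed."""
    hits = []
    for dirpath, _subdirs, filenames in os.walk(web_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, web_root).replace(os.sep, "/")
            if ADMINER_FILENAME.match(name):
                hits.append(rel)
                continue
            if name.lower().endswith(".php"):
                # Only the first few KB are needed: the header sits at the top.
                with open(path, "r", errors="ignore") as fh:
                    head = fh.read(8192)
                if any(marker in head for marker in ADMINER_CONTENT_MARKERS):
                    hits.append(rel)
    return sorted(hits)


def build_sample_root():
    """Constructed sample tree: a stray Adminer under uploads/, a renamed copy
    under wp-admin/, and a benign index.php that must not be flagged."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php echo 'hello';",
        "wp-content/uploads/adminer-x.y.z.php": "<?php /* placeholder body */",
        "wp-admin/db-tool.php": "<?php\n/** Adminer - Compact database management */\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in find_leftover_db_tools(build_sample_root()):
        print("leftover database tool:", hit)
```

Run it against a real web root instead of the sample tree to inventory stray management tools before an attacker finds them.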
Through the series of above-mentioned exploits, User A was able to gain access to browse the Astoria database. User A then copied some structure and row counts, which allowed them to build a believable profile of the data contained within. User A also appeared to copy out some short segments of rows from some select tables, which were later used as proof that larger sets, or “dumps” of Astoria’s entire database exist. Attempts to download any significant portion of data from Astoria’s database were thwarted by configuration, failsafe systems, and inherent limitations of the database server instance. Astoria has evidence that User A and User B were working in concert, with a handoff from User A to User B shortly after access to the database was gained.
Upon further investigation into the reports of Astoria’s data being offered for sale on the dark web, or the Tor network, Astoria found a sale ad posted on a popular dark web marketplace alongside an ad for a very large amount of data attributed to a Facebook hack. The volume of data listed in the ad was immediately found to be highly inflated. Within a week, the advertisement of Astoria data and the user who posted it (ShinyHunters) were banned and removed from the forums. Later, a user named seller13, who previously claimed to work with ShinyHunters and now appears to be operating independently, posted an ad claiming a highly inflated volume of Astoria data for sale on the Clearnet. This ad was posted with a small sample of data, none of which has been successfully connected to any actual Astoria records.
Astoria is aware of screenshots showing its database structure and tables, which have frequently been used as “proof” that large volumes of exfiltrated data exist. To date, no volume of Astoria data has surfaced, despite repeated requests for proof that database tables were dumped. Astoria conducted an internal forensic examination of the server instance snapshots taken around the time the attempted intrusions were taking place, and has identified multiple attempts that were cut short by failsafes built into our system. Additionally, due to inherent system limitations, full dumps of the live Astoria database would not succeed. Further investigation and verification attempts have failed to connect any of the back-filled data that has surfaced on the web to Astoria’s actual records.
Astoria is taking steps to ensure the integrity of its systems and the security of consumer data. Even though attempts at copying large amounts of data were unsuccessful, these users should never have been in a position to browse Astoria’s database and make those attempts. Astoria is working diligently with law enforcement, internal teams, and information security researchers and professionals to harden its systems and ascertain the identities of the individuals who illegally accessed Astoria systems.