FinFisher, a provider of backdoors to government agencies, was compromised last week. 40GB of internal product documents and customer lists were leaked to the Internet. Recently, a Pastebin paste, allegedly by the attacker, revealed valuable information about how the attack happened. Like many other victims of hacktivist-style attacks, FinFisher had incomplete security controls and common security vulnerabilities.
The attacker exploited SQL injection, file inclusion, insecure password storage, poor content filtering and insecure permission settings to steal FinFisher’s confidential information. These common vulnerabilities are well known and easily fixed, but they still appear in most data breach investigations. Sophisticated APT attacks may grab headlines, but an organization that hasn’t mastered security basics is vulnerable to any common attacker with moderate skill and free tools.
Although breaches are inevitable and attackers will attempt to bypass security controls, the good news is that by hardening their environment and investing in security monitoring, organizations can slow attackers, respond faster, and minimize damage. There’s no reason to make attackers’ jobs easier by neglecting security best practices.