Password data, other personal information of account holders exposed
Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. Reported by Arstechnica.
ICANN, which oversees the Internet’s address system, said in a release published Tuesday that the breach also gave attackers administrative access to all files stored in its centralized zone data system, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs.
“We believe a ‘spear phishing’ attack was initiated in late November 2014,” Tuesday’s press release stated. “It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members.”
Earlier this month, ICANN officials discovered the compromised credentials were used to gain unauthorized access to the zone data system. Other compromised systems included the ICANN GAC Wiki, where attackers were able to view a members-only index page and one individual user’s profile page; the ICANN Whois information portal; and the ICANN blog.
The most sensitive information exposed appears to be the personal information of account holders of the centralized zone system. ICANN recommended holders immediately change their accounts passwords, since it’s easy to crack weak
and even moderately strong passwords. Account holders should also watch out for similar spearphishing attacks, since the breach exposed personal information and potentially other details.
It’s not immediately clear exactly how sensitive the remaining data exposed in the breach was. Depending on the roles of the ICANN employees who were compromised, information may have involved non-public plans for new top-level domains or other confidential details concerning the Internet’s address system. The remaining systems that were breached seem to be relatively modest. ICANN’s site describes the breached zone data system as a “centralized access point for interested parties to request access to the Zone Files provided by participating Top Level Domains.” A list of frequently asked questions on ICANN’s website called it “ICANN’s solution for scaling zone data provision as hundreds of new gTLDs are added to the Internet.” HD Moore, chief research officer at Rapid7, told Ars the system stores mostly public information concerning technical details registries used to make sure the gTLDs they control are Internet accessible.
As the group controlling the Internet’s domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets. Tuesday’s advisory warning that several employees were successfully breached should come as a wake up call to similar groups and serve as a reminder of just how hard it is to prevent social-engineering attacks.