AntiSec supporters, branding themselves the LulzKnights, targeted the Berrien County Sheriff’s Department on Sunday. The St. Joseph, MI, law enforcement agency lost their internal emails and documents due to the incident, and they were published online. However, this breach could lead to more damage due to the number of hosted accounts that shared space with AntiSec’s victim.
Little was said about the reasoning for the attack against the Berrien County Sheriff’s Department, other than the fact that it was related to one of AntiSec’s oldest traditions – Shooting Sheriff Saturday. This time however, Saturday was pushed forward a day, but the results were the same.
The law enforcement agency’s domain was compromised, but the exact method used by AntiSec is unknown. However, their announcement of the attack included proof that they had full control over the webserver. Other issues pointed out by AntiSec include weak authentication, such as using the password ‘s3cur1fy’ to access the administrator account on the CMS.
In addition to defacing the domain, the attackers claimed to have walked away with the database used to drive the website itself, as well as email spools from at least two accounts. Based on the leaked documents, it would appear that the website’s content was hosted in the compromised database.
Several of the leaked CSV files reviewed by SecurityWeek were examples of what is typically known as a database dump. These mass purges of data contained the same information found on cached copies of the sheriff’s domain, including the HTML needed in order to render a given page.
The leaked email messages themselves were mundane for the most part, consisting of mostly spam. However, there were a few personal messages within the batch shown to us, including pictures of fishermen playing with a baby deer, as well as a chain letter involving cute puppy images.
Other messages were business related, including a San Diego Intelligence Group memo (FOUO / LE Sensitive) on the use of the Xexun (TK102) GPS Tracker by drug traffickers; and a Grand Jury indictment for a meth dealer. Further, an email subscribers list with 321 email addresses was also among the leaked data, including names and zip codes.
The boot directory and shadow file were reported to have been deleted once the compromised data had been taken from the server. At the time this story was written, the sheriff department’s website was resolving, but all of the content was gone, leaving only a blank page in its place.
Examining the Breach
In previous attacks against law enforcement domains, AntiSec used SQL Injection (SQLi) vulnerabilities within the site’s code in order to gain access to its data. All things considered, it would appear that is exactly how this latest attack worked.
The Berrien County Sheriff’s Department used a website that was created by eInternet Design, and hosted on the Kalamazoo, MI, firm’s servers, operating under eidhosting.com.
The firm promises custom software to clients. In the case of law enforcement, a website’s CMS can include inmate search, sheriff tip forms, calendars, and more. However, eInternet also offers a web-based software suite that can offer Computer-Aided Dispatch (CAD), Records Management, and Jail Management.
“The software suite integrates municipal functions across an organization, including finance, human resources, community development, public safety, justice, and e-government solutions,” the firm explains in their marketing material.
When examining the URLs and code used on the sheriff’s domain (thanks to a few Google Cache searches) SQLi stands out as a likely avenue of attack based on the number of areas where user input is submitted, and little things like the constant use of a calendar application. Given that they’re known for using basic searches to find their victims, it is likely that AntiSec supporters started scanning the sheriff’s domain for SQLi vulnerabilities after noticing the URL structure. In fact, Google searches on the sheriff’s domain show the fugitive.view.php and functions.php scripts reporting SQL errors with full details.
As mentioned, this breach could turn into something much worse, as there were at least 100 other accounts exposed during AntiSec’s attack. Using Google and DNS Tools to research the breach further, SecurityWeek discovered that the domains exposed by AntiSec are still active on the compromised server conducting business as normal. One of the exposed accounts that remains active on the hijacked system is sjcity.com, the primary domain for the City of St. Joseph.
Further searching for eidhosting.com shows several “Index Of” listings exposing server details, as well as a development domain with a scrapped working copy of sjcity.com
SecurityWeek has reached out to eInternet for comment. We’ll update this story if we hear back from them.