Ex-IT Administrator Pleads Guilty to Destroying Virtual Servers from a McDonald’s

Credit Card Purchase at McDonald’s Helped FBI Connect Culprit to Cyber Attack Origin

A disgruntled ex-IT administrator pleaded guilty this week to taking down most of his former employer’s computer infrastructure earlier this year.

Thinking he would conceal his attack by logging in from the wireless network at a local McDonald’s, Jason Cornish, a former employee of Shionogi, Inc., the U.S. subsidiary of a Japanese pharmaceutical company with operations in New Jersey and Georgia, made a not-so-bright move: he bought something at that McDonald’s with his personal credit card just minutes before he launched the attack. The FBI traced the purchase and used it to tie the attack’s origin to Cornish.

Cornish, 37, of Smyrna, Georgia, admitted in his plea that he executed the attack that took down 88 virtual servers housing most of Shionogi’s American computer infrastructure, including the company’s e-mail and BlackBerry servers, its order-tracking system, and its financial management software.

To conduct the attack, Cornish connected to the Internet over the Wi-Fi at a local McDonald’s and logged into a vSphere management console that he had secretly set up before leaving the company. He then deleted the 88 servers one by one, effectively freezing Shionogi’s operations for days and leaving the company unable to ship products, cut checks, or access e-mail. The company reportedly sustained roughly $800,000 in losses from the attack, including the cost of assessing the damage and restoring its IT operations.

Cornish also gained unauthorized access to Shionogi’s network from his home Internet connection using administrative passwords to which he had access as an employee.
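The activity described above, a departed administrator opening a session on a management console he had set up himself and then removing virtual machines one at a time, leaves a distinctive trail in the virtualization layer’s own event log. The following is an added example, not code from the article, from Shionogi or from VMware: a small Python detector run over a constructed vCenter-style event export. The pipe-delimited format, the event type names (modeled loosely on vSphere’s), the account names and the IP addresses are all assumptions made for illustration. It implements two checks a security team could wire to the management plane after an admin departure: any login by an account that should already have been deprovisioned, and a burst of VM removals by a single account inside a short window.

```python
# Added example: detection over a constructed vCenter-style event export.
# Not the real vSphere event schema; field layout and names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp|event_type|user|source_ip|target_vm
SAMPLE_LINES = """
2011-02-03T10:02:11Z|UserLoginSessionEvent|corp\\jdoe|10.0.5.12|-
2011-02-03T10:05:40Z|VmRemovedEvent|corp\\jdoe|10.0.5.12|test-vm-01
2011-02-03T11:30:00Z|VmRemovedEvent|corp\\ops|10.0.5.20|old-build-02
2011-02-03T22:14:03Z|UserLoginSessionEvent|corp\\ex-admin|203.0.113.77|-
2011-02-03T22:15:10Z|VmRemovedEvent|corp\\ex-admin|203.0.113.77|mail-01
2011-02-03T22:16:02Z|VmRemovedEvent|corp\\ex-admin|203.0.113.77|mail-02
2011-02-03T22:17:45Z|VmRemovedEvent|corp\\ex-admin|203.0.113.77|bes-01
2011-02-03T22:19:30Z|VmRemovedEvent|corp\\ex-admin|203.0.113.77|orders-01
2011-02-03T22:20:12Z|VmRemovedEvent|corp\\ex-admin|203.0.113.77|fin-01
2011-02-03T22:22:58Z|VmRemovedEvent|corp\\ex-admin|203.0.113.77|fin-02
2011-02-04T09:00:00Z|VmRemovedEvent|corp\\ops|10.0.5.20|old-build-03
""".strip().splitlines()

# Accounts that HR/IT report as departed (assumed list; in practice this is
# fed from the identity system or the offboarding ticket queue).
DEPROVISIONED = {"corp\\ex-admin"}


def parse_events(lines):
    """Parse the constructed pipe-delimited export into dicts, skipping blanks."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, etype, user, ip, target = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "type": etype, "user": user, "ip": ip, "target": target,
        })
    return events


def deprovisioned_logins(events, deprovisioned):
    """Check 1: any session opened by an account that should no longer exist."""
    return [(e["ts"], e["user"], e["ip"]) for e in events
            if e["type"] == "UserLoginSessionEvent" and e["user"] in deprovisioned]


def removal_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Check 2: per user, the densest run of VmRemovedEvent inside `window`.

    Returns (user, count, first_ts, last_ts, targets) for each user whose
    densest run reaches `threshold`; a sliding two-pointer pass per user.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "VmRemovedEvent":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            # Advance the window start until the run fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        count, s, t = best
        if count >= threshold:
            alerts.append((user, count, evs[s]["ts"], evs[t]["ts"],
                           [e["target"] for e in evs[s:t + 1]]))
    return alerts


def run_detections(lines, deprovisioned=DEPROVISIONED):
    """Run both checks over an export and return the hits by check name."""
    events = parse_events(lines)
    return {
        "deprovisioned_logins": deprovisioned_logins(events, deprovisioned),
        "removal_bursts": removal_bursts(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LINES).items():
        print(name)
        for hit in hits:
            print("  ALERT", hit)
```

Both checks are cheap enough to run continuously against the management plane’s event feed rather than only at post-incident review, and both depend on the same offboarding control the article’s case lacked: a current list of departed accounts and rotation of any shared administrative credential those accounts ever held. The burst threshold and window are tuning knobs; legitimate cleanup jobs should be allow-listed by account rather than by raising the threshold.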

“Insider threats are on the rise, whether from malicious or disgruntled employees, data leaks (including WikiLeaks, etc.) or mistakes and other unintentional issues,” said Eric Chiu, founder and president of HyTrust. “The breach at Shionogi is a great example of how vulnerable virtualization infrastructure and the cloud can be. Critical systems like e-mail, order tracking, financial and other services were impacted, having been virtualized without the proper controls in place. This was because a disgruntled admin was able to delete the corporate servers with a simple click of a button. Further, he was able to do this remotely while sitting at a booth in McDonald’s. The $800K in damages and multiple days of downtime at Shionogi could have been easily and very cost-effectively prevented with the right automated controls in place.”

Why was Cornish so disgruntled as to conduct an attack like this? According to documents filed in the case and statements made in court, in late September 2010, shortly after Cornish had resigned from Shionogi, the company announced layoffs that would affect Cornish’s close friend and former supervisor.

“HyTrust has seen first-hand and has been discussing these sorts of risks all along. Most significant is that a compromise at the virtualization infrastructure layer is a potential compromise of everything else above it in the stack,” Chiu added. Chiu also notes that organizations like NIST and PCI now recognize this and as a result have placed more emphasis on associated security measures.

Scheduled to be sentenced on November 10, 2011, Cornish faces a maximum potential penalty of 10 years in prison and a $250,000 fine.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
