
Staminus sites offline - massively hacked

wlanboy

Content Contributor
Their statement:

"Around 5am PST today, a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable. Our technicians quickly began working to identify the problem.
We understand and share your frustration. We currently have all hands on deck working to restore service but have no ETA for full recovery."

Real thing:


[image: staminus.jpg]


For your entertainment.
 

bauhaus

Member
Well, apparently also @ramnode data is compromised , not sure.


Leak *MUST HAVE* Staminus.net / Intreppid.com / Ku Klux Klan | Spigot | RamNode ++ FRESH
 

wlanboy

Content Contributor
And the bin: http://hastebin.com/raw/oweyukamuj


Snip:

        Hello ******,


        Your server is complete.


        Here is your server information:


        Administrative IP: **.**.**.** (Private Use)
        Protected IP: **.**.**.** (Public Use)
        User: ****
        Password: ******
        Secondary Usable IPs: **.**.**.** - **.**.**.**


        Please remember to not give out your Administrative IP [**.**.**.**]. Only use your Protected IP [**.**.**.**] for public serving services.


        Your protected IP is protected for 30 Gbps or 12 million packets per second, whichever it reaches first. If your attack goes above either one
        of those, your protected IP will be nullrouted for the duration of the attack. If you wish to upgrade at that time,
        please submit a sales ticket requesting a quote.


        You can reach your cPanel at https://**.**.**.**:2087


        If you have any further questions please do not hesitate to ask us.


        Thank you



        ---
        Thank You
        Intreppid Support |

        FILES:     
            http://************/chatbot.tar.gz
            http://************/lighttpd.tar.gz
            http://************/main.tar.gz
            http://************/openvpn.tar.gz
            http://************/svn.tar.gz
                  
        SQL:       
            http://************/3-9-staminus2.sql
            http://************/accountUpdate.sql
            http://************/acctserver.sql
            http://************/appliance_lan.sql
            http://************/full.sql
            http://************/ip_limit_history.sql
            http://************/ip_limit_profile.sql
            http://************/ip_limit.sql
            http://************/sp.sql


All internal and protected IPs leaked - easily mapped... making their protection useless.
 
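To make the "easily mapped" point concrete, here is an added example (not code from the thread, nor from Staminus or Intreppid) that joins welcome e-mails of the layout quoted above into a table of protected IP to administrative (origin) IP. Field names are taken from the quoted e-mail; the two sample e-mails, the user names and the addresses (RFC 5737 documentation ranges) are constructed. The defender's counterpart is the check this implies: an origin that answers to anyone other than the scrubbing centre's prefixes is bypassable the moment its address is known, so the administrative IP must be firewalled to those prefixes (or only reachable over the mitigation tunnel), not merely kept secret.

```python
"""Join leaked provisioning e-mails into a protected-IP -> origin-IP map.

Added example, not code from the thread or from Staminus/Intreppid. It parses
the field layout of the welcome e-mail quoted above (field names copied from
it; addresses below are constructed RFC 5737 documentation ranges).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: two welcome e-mails of the layout quoted above, joined the
# way a mailbox dump would concatenate them.
SAMPLE_DUMP = """\
Hello alice,

Your server is complete.

Administrative IP: 192.0.2.10 (Private Use)
Protected IP: 198.51.100.10 (Public Use)
User: alice
Password: hunter2
Secondary Usable IP's: 198.51.100.11 - 198.51.100.14

Please remember to not give out your Administrative IP [192.0.2.10].
---
Hello bob,

Administrative IP: 192.0.2.11 (Private Use)
Protected IP: 198.51.100.20 (Public Use)
User: bob
Password: letmein
Secondary Usable IP's: 198.51.100.21 - 198.51.100.22
"""

# "Field: value" lines; the value may carry a trailing "(Private Use)" tag.
FIELD_RE = re.compile(
    r"^\s*(Administrative IP|Protected IP|User|Secondary Usable IP'?s)\s*:\s*(.+?)\s*$",
    re.MULTILINE,
)
MAX_SECONDARY = 1024  # refuse absurd ranges from a damaged record


@dataclass
class Provisioning:
    user: str
    protected: ipaddress.IPv4Address
    administrative: ipaddress.IPv4Address
    secondary: List[ipaddress.IPv4Address] = field(default_factory=list)


def split_emails(dump: str) -> List[str]:
    """Split a concatenated dump on the '---' signature separator."""
    return [c for c in re.split(r"^\s*---\s*$", dump, flags=re.MULTILINE) if "Administrative IP" in c]


def parse_email(chunk: str) -> Optional[Provisioning]:
    """Return the record for one e-mail, or None if either IP is missing or malformed."""
    fields = {k.lower().replace("'", ""): v for k, v in FIELD_RE.findall(chunk)}
    try:
        admin = ipaddress.IPv4Address(fields["administrative ip"].split()[0])
        prot = ipaddress.IPv4Address(fields["protected ip"].split()[0])
    except (KeyError, ValueError):
        return None
    rec = Provisioning(user=fields.get("user", "?"), protected=prot, administrative=admin)
    rng = fields.get("secondary usable ips", "")
    if "-" in rng:
        try:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in rng.split("-", 1))
        except ValueError:
            return rec
        if int(lo) <= int(hi) < int(lo) + MAX_SECONDARY:
            rec.secondary = [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    return rec


def origin_map(dump: str) -> Dict[str, str]:
    """Every public (protected or secondary) IP -> the unprotected administrative IP behind it."""
    out: Dict[str, str] = {}
    for rec in filter(None, map(parse_email, split_emails(dump))):
        out[str(rec.protected)] = str(rec.administrative)
        for addr in rec.secondary:  # secondary public IPs share the same origin
            out[str(addr)] = str(rec.administrative)
    return out


def origin_blocks(dump: str, prefixlen: int = 24) -> Set[str]:
    """Aggregate administrative IPs into prefixes: with enough e-mails the whole
    'private use' range becomes known, even for customers absent from the dump."""
    blocks: Set[str] = set()
    for rec in filter(None, map(parse_email, split_emails(dump))):
        blocks.add(str(ipaddress.ip_network(f"{rec.administrative}/{prefixlen}", strict=False)))
    return blocks


if __name__ == "__main__":
    for public, origin in sorted(origin_map(SAMPLE_DUMP).items()):
        print(f"{public:16} -> hit {origin} directly, bypassing the scrubber")
    print("origin prefixes:", ", ".join(sorted(origin_blocks(SAMPLE_DUMP))))
```

Run it as-is to see the mapping for the constructed sample; point `origin_map()` at a real mailbox export to see how little of the "private use" block stays private once a few hundred of these e-mails leak.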

Licensecart

Active Member
Interesting there's WHMCS information in it, who uses a very small insecure password for important files? And LOL the same password for the Wordpress... Don't they know Wordpress has even worse security than WHMCS...
 

OSTKCabal

Active Member
Verified Provider
As of right now, allegations are going around that they're actively covering up complaints and questions about the breach. They appear to be deleting Facebook comments, and deleting and re-posting tweets that have potentially incriminating information.


Forbes has a small section about it: http://www.forbes.com/sites/thomasbrewster/2016/03/11/kkk-staminus-hacked/#7d247e2c6942


Krebs on Security post: https://krebsonsecurity.com/2016/03/hackers-target-anti-ddos-firm-staminus/


I think whoever's managing their PR should be fired immediately. They've allowed a narrative controlled by hearsay, angry customers, and tech/business blogs and magazines. In their position, I would have acknowledged the breach (because I promise you they know and knew), and clearly explained how a subsequent one would be prevented, BEFORE it got out of the PR team's hands.
 

DomainBop

Dormant VPSB Pathogen
> Interesting there's WHMCS information in it, who uses a very small insecure password for important files? And LOL the same password for the Wordpress... Don't they know Wordpress has even worse security than WHMCS...

> As of right now, allegations are going around that they're actively covering up complaints and questions about the breach. They appear to be deleting Facebook comments, and deleting and re-posting tweets that have potentially incriminating information.

If they were really storing credit card info, including card numbers, in plain text (which is a violation of card industry rules) they legally need to notify their customers of the breach (46 states have data breach notification laws) and they need to notify their card processor.  If the plain text rumors are true it puts them at risk of being sued (or fined) by their card processors and by customers who had their info leaked

> BEFORE it got out of the PR team's hands.

The PR team now also has to deal with the fact that the first page of search results for Staminus on Twitter and Google now turn up KKK images and references, but I guess if their CEO is willing to accept any customer as long as he can make a buck from them then there's no need to feel sorry for him.  From Twitter.

The KKK's website was taken down by a breach of its host and security provider, Staminus

...and the headline from Forbes:

Hackers Claim Breach Of Ku Klux Klan's Security Company
 

Licensecart

Active Member
> If they were really storing credit card info, including card numbers, in plain text (which is a violation of card industry rules) they legally need to notify their customers of the breach (46 states have data breach notification laws) and they need to notify their card processor.  If the plain text rumors are true it puts them at risk of being sued (or fined) by their card processors and by customers who had their info leaked

> The PR team now also has to deal with the fact that the first page of search results for Staminus on Twitter and Google now turn up KKK images and references, but I guess if their CEO is willing to accept any customer as long as he can make a buck from them then there's no need to feel sorry for him.  From Twitter.

> ...and the headline from Forbes:

In the thread linked to on a website (can't remember) there's a link to a paste.ee which has their clear text card details:
 

drmike

100% Tier-1 Gogent
Catching up :)


This isn't the first time Staminus has been dinged.  Prior they had their DDoS protection platform / scrubbing / process code released to public.
 

HN-Matt

New Member
Verified Provider
> The PR team now also has to deal with the fact that the first page of search results for Staminus on Twitter and Google now turn up KKK images and references, but I guess if their CEO is willing to accept any customer as long as he can make a buck from them then there's no need to feel sorry for him.

I guess Trump didn't disavow hard enough last week, which begs the question, who will pay for Staminus' sins if they don't?
 

DomainBop

Dormant VPSB Pathogen
It looks like we have a winner in the piece of shit whose company I wouldn't touch with a 10 foot pole category.  A single homed hosting company in Buffalo is taking this opportunity (a database dump with email addresses of a competitor's customers) to spam Staminus customers.


copy of email (from this LET post)

To whom this may concern,


My name is Andrew Horton, Account Manager at ServerMania.com. I'm contacting you today as I've heard that you were affected by the Staminus outage and hack that occurred earlier today. We're a premier Dedicated Server company with services based in New York. We leverage RioRey DDOS Protection appliances on the core of our network with over 200 Gbps of mitigation available covering all 7 layers.


I would like to sit down with you and learn a bit more about your business and how we can service you.


Our company can service your needs in the following ways:
*Intel-Xeon based dedicated servers
*Private VLAN, Switches and Racks
*Standard dedicated 1 Gbps Network for each server
*North American based with true 24/7 Support via E-Mail, Ticket or Telephone
*Industry-Leading SLA
*Dedicated Account Manager
*Thousands of satisfied clients
*Protecting some of the largest DDoS services on the market today!


Let's move quick to avoid unnecessary downtime for your business!


I look forward to speaking with you.


-- 
Andrew Horton, Account Manager, Server Mania
+1.888.237.6637 | +1.716.745.4678 Ext. 608
Skype ID: andrew.servermania
[email protected] | www.servermania.com

The slime at ServerMania must be taking their cue from the company that was accused of spamming Staminus customers in 2012 after yet another Staminus leak of customer emails. (old WHT thread  http://www.webhostingtalk.com/showthread.php?t=1193478  TLDR: BlackLotus said they were innocent and  a competitor was trying to smear them:).
 

wlanboy

Content Contributor
Whenever I think that this drama ends another detail of total-crap on personal or technical side happens.
 

DomainBop

Dormant VPSB Pathogen
The CEO posted an announcement on their home page:
 

Statement
To follow up on our communication from yesterday evening regarding the system outage, we can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems. 


Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs. 


While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password. 


I fully recognize that our customers put their trust in Staminus and, while we believe that the issue has been contained, we are continuing to take the appropriate steps needed to safeguard our clients’ information and enhance our data security policies.


We will provide updates, as appropriate, as the investigation continues.


Regards, 
Matt Mahvi
CEO, Staminus 
FAQ


1. Have you been able to restore service to customers?
Yes, global services, as well as most auxiliary services, are back online for our customers. Our engineering team is closely monitoring our network to help ensure service delivery. 


2. Was the recent service outage due to an unauthorized intrusion into Staminus’ systems? 
Based on the investigation into the outage, we can now conclude that it was the result of an unauthorized intrusion into our systems. Once we learned of the origin of the outage, we notified law enforcement, started work to harden our systems and launched a continued investigation into the attack. 


The website will be updated, as appropriate, with additional information as the investigation continues. 


3. Was customer information also exposed as a result of this attack?  
Based on the initial investigation, we believe that customer usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs. 


4. Are there steps customers need to take to protect their Staminus passwords? 
Yes. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password, as is best practice anytime your password may have been exposed. 


5. What are some of the steps that customers can take who are concerned about their credit card possibly being exposed? 
Immediately upon learning of a potential intrusion, we notified our payment processor and all card brands so that they could proactively monitor fraudulent activity. Customers should regularly check their credit and debit card statements to see whether there is any fraudulent or suspicious activity. If there is any unauthorized activity, you should call your bank or financial institution in order to report the issue.


6. Are there other steps customers should be taking to protect themselves? 
You should also always be on the lookout for phishing schemes. Any email correspondence we may send regarding this matter will not contain a link, so if you receive an email appearing to be from us that contains a link, it is not from us, and you should not click on the link. Also, never provide sensitive information to unsolicited requests claiming to come from us, your bank or other organizations. We would never ask you for sensitive information via email.


Additionally, we highly recommend customers who utilize similar credentials across different platforms reset any passwords on accounts that may use the same or a similar password to their Staminus login. 


7. Will consumers be liable for fraudulent charges? 
Card issuers publish their own policies regarding fraudulent charges. Generally, issuers do not hold customers responsible for fraudulent charges if they are reported in a timely manner. Please contact your card brand or issuing bank for more information about the policy that applies to you. 


8. Have you notified federal law enforcement about your investigation and are you working with them?
Yes, once we determined that information was exposed, we notified the necessary authorities, including the FBI. We are ready to work with them as appropriate as the investigation continues.
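The statement says the passwords were "protected with a cryptographic hash" and still tells customers to reset them; the following added example (not Staminus' code; the thread never says which hash they used) shows why both halves of that sentence matter. It contrasts an unsalted fast hash, where one precomputed table cracks every user, with per-user salted PBKDF2-HMAC-SHA256 from `hashlib`, and then shows that the slow, salted form still gives up a weak password to a wordlist, only one KDF per guess per user slower. The wordlist and passwords are constructed.

```python
"""What 'protected with a cryptographic hash' is worth, and what it should mean.

Added example, not Staminus' code; the thread does not say which hash they used.
It contrasts an unsalted fast hash with per-user salted PBKDF2-HMAC-SHA256
(hashlib.pbkdf2_hmac), and shows that even the slow form falls to a wordlist
when the password is weak, which is why a reset is still needed after a leak.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["123456", "password", "hunter2", "letmein", "staminus2016"]


def fast_unsalted(password: str) -> str:
    """The weak form: one MD5 per password, no salt, so one table cracks all users."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_fast(digests: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Build the table once; every leaked digest is then a dictionary lookup."""
    table = {fast_unsalted(w): w for w in wordlist}
    return {d: table[d] for d in digests if d in table}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt + slow KDF, stored as algo$iterations$salt$hash."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_slow(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """The salt defeats precomputation, so each guess costs a full KDF per user;
    a weak password still falls, just `iterations` times slower per guess."""
    for w in wordlist:
        if verify_password(w, stored):
            return w
    return None


if __name__ == "__main__":
    leaked = [fast_unsalted(p) for p in ("hunter2", "correct horse battery staple")]
    print("fast, unsalted, cracked by table lookup:", crack_fast(leaked, WORDLIST))
    weak = hash_password("hunter2", iterations=50_000)
    print("pbkdf2 of a weak password, still cracked:", crack_slow(weak, WORDLIST))
    strong = hash_password("correct horse battery staple", iterations=50_000)
    print("pbkdf2 of a strong password:", crack_slow(strong, WORDLIST))
```

The iteration count is the only knob that makes `crack_slow()` expensive; 600,000 is in line with current OWASP guidance for PBKDF2-HMAC-SHA256, and the `iterations` field in the stored string lets you raise it later without invalidating old hashes.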




 
 

drmike

100% Tier-1 Gogent
> I guess Trump didn't disavow hard enough last week, which begs the question, who will pay for Staminus' sins if they don't?

Should be expected that anything controversial is going to be behind filtering.  It's just how the hate (pun intended) goes.   Plenty of legit businesses who have been attempted victims of DDOS extortion behind filtering also.   So not everyone behind filtering is on the wrong side of social norms nor bad people.  


In an ideal world, no one would have to take shelter.  I can't see utopia existing any time soon though.  Pass me the pipe.


@Licensecart PM that site info please.
 

drmike

100% Tier-1 Gogent
Tracked down a bit of the data from the Staminus hack...  Working on the rest to see how ugly this really is.


As far as Staminus customers who used a credit card, your data is fully there in a file and details are in PLAINTEXT.  Totally a PCI violation and wrong way to handle bankcard data by Staminus and appears to be all customers from when they started this accounting system until current. This is the start of the file: 


mysql> select * from credit_card;
+------+-----------------------------------------------+-----------------------------------------------------------+---------------------------------------------+-------------------+----------+---------+-----------+------+------------+
| ID | accountID | firstName | lastName | number | expMonth | expYear | validated | main | cvv |
+------+-----------------------------------------------+-----------------------------------------------------------+---------------------------------------------+-------------------+----------+---------+-----------+------+------------+
| 1 | T--rd | Thomas | W--- | 4--------------3 | 2 | 2009 | 1 | 1 | NULL |


I've  dashed out the details to protect the innocent.


IF YOU USED A BANK CARD / CREDIT CARD / DEBIT CARD TO PAY STAMINUS --- CONTACT YOUR BANK AND LOCK THINGS DOWN / GET A NEW CARD ISSUED NOW!!!
 
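The check drmike describes, looking through a dump for card data, can be automated. This is an added example (not code from the thread) that scans dump lines for 13 to 19 digit runs that pass the Luhn check, labels the brand from the prefix, masks the number in the report, and separately flags columns in a CREATE TABLE that should never exist in a stored-card table (CVV and other sensitive authentication data, which PCI DSS forbids storing after authorisation). The dump lines and schema are constructed in the shape of the `credit_card` row above; the card numbers are the public Visa/Mastercard/Amex test numbers.

```python
"""Find plaintext card numbers (PANs) in a SQL dump and flag forbidden columns.

Added example, not code from the thread. The sample lines are constructed; the
card numbers are the public Visa/Mastercard test numbers, and the masked row is
the one quoted above.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed dump excerpt in the shape of the credit_card table shown above.
SCHEMA = (
    "CREATE TABLE credit_card (ID int, accountID varchar(64), firstName varchar(64), "
    "lastName varchar(64), number varchar(19), expMonth int, expYear int, "
    "validated tinyint, main tinyint, cvv varchar(4));"
)
DUMP_LINES = [
    SCHEMA,
    "INSERT INTO credit_card VALUES (1,'T--rd','Thomas','W---','4111111111111111',2,2009,1,1,NULL);",
    "INSERT INTO credit_card VALUES (2,'acme','Jane','Doe','5555555555554444',11,2018,1,0,'123');",
    "INSERT INTO ip_limit VALUES (7,'1234567890123456',30000000000,12000000);",  # 16 digits, fails Luhn
    "| 1 | T--rd | Thomas | W--- | 4--------------3 | 2 | 2009 | 1 | 1 | NULL |",  # masked row
]

CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Column names that must never exist in a stored-card table: sensitive
# authentication data may not be retained after authorisation under PCI DSS.
FORBIDDEN_COLUMNS = ("cvv", "cvv2", "cvc", "cid", "pin", "track1", "track2", "magstripe")


@dataclass
class Finding:
    line: int     # 1-based index into the dump
    masked: str   # first six and last four digits only
    brand: str


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: every second digit from the right is doubled and digit-summed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Brand from the issuer prefix and length (major brands only)."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "visa"
    if pan[:2] in ("34", "37") and n == 15:
        return "amex"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "mastercard"
    if n == 16 and (pan.startswith("6011") or pan.startswith("65")):
        return "discover"
    return "unknown"


def mask(pan: str) -> str:
    """Keep only the digits PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_dump(lines: List[str]) -> List[Finding]:
    """Report every Luhn-valid 13-19 digit run; an 'unknown' brand is still a hit."""
    hits: List[Finding] = []
    for no, line in enumerate(lines, 1):
        for m in CANDIDATE_RE.finditer(line):
            if luhn_ok(m.group()):
                hits.append(Finding(no, mask(m.group()), brand_of(m.group())))
    return hits


def forbidden_columns(create_sql: str) -> List[str]:
    """Column names in a CREATE TABLE that hold sensitive authentication data."""
    body = create_sql[create_sql.find("(") + 1 : create_sql.rfind(")")]
    names = [col.strip().split()[0].lower() for col in body.split(",") if col.strip()]
    return [n for n in names if n in FORBIDDEN_COLUMNS]


if __name__ == "__main__":
    for f in scan_dump(DUMP_LINES):
        print(f"line {f.line}: {f.brand:10} {f.masked}")
    print("forbidden columns in schema:", forbidden_columns(SCHEMA))
```

Luhn is a checksum, not proof, so expect the occasional false positive on long numeric IDs; the 16-digit value on the `ip_limit` line is left out precisely because it fails the check. Run it over the `.sql` files of a dump before deciding whether a breach notification is owed.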

willie

Active Member
Wonder if they support 2 factor authentication.  A site like that certainly should.  Not that it helps that much any more: there's Android malware out there that steals 2fa credentials.
 

HN-Matt

New Member
Verified Provider
> Whenever I think that this drama ends another detail of total-crap on personal or technical side happens.

Hrm, yes, true.

*posts perennial drama thread, catalysing next sideshow in the Data Surfacing Security Theatre cycle*
*complains of there being no end to the drama*


Just overclock that logic and formalize it into an endless for loop, chances are the narrative will eventually melt down into a law of diminishing returns.
 

drmike

100% Tier-1 Gogent
The schema they have there for storing card details - ALONE - should spell legal implications.

> copy of email (from this LET post)

> The slime at ServerMania must be taking their cue from the company that was accused of spamming Staminus customers in 2012 after yet another Staminus leak of customer emails. (old WHT thread  http://www.webhostingtalk.com/showthread.php?t=1193478  TLDR: BlackLotus said they were innocent and  a competitor was trying to smear them:).

The scumfucks at ServerMania need to be stopped.


They are nothing more than co-conspirators with the ColoCrossing guys.   For a company to dip this low to snag the details and hit customers directly with SPAM means they give no regard and will do anything to lure customers.  Hopefully, the type of customers that subscribe to Staminus find ZERO comfort in garbage like Servermania and Colocrossing are doing.


Both of these companies wonder why I've given them so much shit over the years?  Boys you just upped my XL serving of unfriendliness that is overdue.


May I remind Colocrossing and Servermania that prior, both of them had puppet facemasked subsidiaries hacked with details public dumped?
 

drmike

100% Tier-1 Gogent
Staminus needs to go fuck off in a confession booth too.

> Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.

> While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password

Like not collecting SSNs and Tax IDs + crypto hash on password somehow exempts you from legal action?


I won't say I am making a love package for various attorney generals, but I won't deny it either.  I am grabbing the data and seeing beyond PCI compliance busting and entirely retarded plaintext full card details, just what is in there head to toe.


Stupidity like this needs to end with moronic companies.  People need to be held accountable.
 