From Bugzilla with exploits, or Dire repercussions of a reused password

Threatpost published a fairly detective-like story earlier this month about an attacker who was able to compromise a Bugzilla, steal bug-related data, and turn it into an exploit.

Threatpost published a fairly detective-like story earlier this month about an attacker who was able to compromise a Bugzilla – Mozilla’s bug-tracking system – steal bug-related data which was eventually   transformed into an exploit. A criminal compromised a privileged user’s account by using a password taken from a data breach on a separate site. All in all, it’s the case of a common cybersecurity fail that  backfired with large-scale repercussions.

He knew whom he was hitting

And they are large-scale indeed: apparently the attacker was able to steal certain information about a Firefox vulnerability that Mozilla fixed last month, but only after an exploit for it was seen in the wild.

As Threatpost’s Dennis Fischer wrote, the attacker might have known who he was hitting: the target was a privileged user who had restricted access to sensitive information about security bugs in Mozilla products. Bugzilla is a system used by Mozilla for various projects, and while much of the information is public, data on security flaws is kept private. At least until a patch is available or the company decides not to fix it.

It looks like the attacker was rather persistent. He may have had access to the victim’s account since September 2013. The earliest confirmed access was in September 2014. Mozilla brought the attacked account down shortly after discovering it was compromised, but the company’s officials had to report (regretfully) that the criminal had gained access to 185 separate bugs, including 53 severe security vulnerabilities. The good news is that 43 of those 53 flaws had already been fixed by the time the attacker got to them.

But the remaining 10 still were available for exploit.

Doling out exploits

What is quite funny (and bitter) is how Mozilla found out about the flaw. A user was compromised with it by visiting a Russian news site that was serving ads with exploit code in them. It’s worth mentioning that the affected news site is actually run in English (it belongs to a Moscow-based English-language daily newspaper), which means that the threat isn’t limited to Russian-language Web audience.

The exploit looked for the sensitive files on the victim’s machine and then uploaded them to a server that Mozilla officials said appeared to be in the Ukraine.

The version of Firefox released on August 27 fixed all of the vulnerabilities that the attacker learned about, underlining the situation that might have been unfolding over the last two years.

Nobody loves passwords

As said above, it all began with a password that was used more than once, and was known to the attacker(s) due to the earlier data breach.

Using unique passwords for all accounts is one of the ABCs of cybersecurity, but at the same time, it is a huge burden for the end-users who have to memorize dozens of various combinations. Unsurprisingly, lots of people tend to save on efforts – according to a survey conducted by Kaspersky Lab and B2B International – just 26% of users create a separate password for each account while 6% of respondents use special password storage software.

Passwords themselves are still the main method of authentication on the Web, and as such they are also a primary point of interest for criminals. In 2014, according to Kaspersky Security Network figures, Kaspersky Lab products protected 3.5 million people from malicious attacks which were capable of stealing usernames and passwords to accounts of various types. 14% of respondents from 23 countries also reported that their accounts had been hacked during the year.

There are long-standing calls for replacing passwords with something more advanced and less prone to the mistakes (like using the same combinations for multiple resources), but it’s unlikely that passwords are going away any time soon.

However, there are ways to make them stronger. Two factor authentication at the service’s end makes it way harder for the attackers to use the stolen passwords. And on the client side, password management software helps a lot.

Kaspersky Lab’s own password manager is integrated into a number of our consumer and business products. For instance, we have described earlier password management in Kaspersky Small Office Security, a business solution tailored specifically for small businesses.

Kaspersky Password Manager allows you to “replace” all of the passwords with a single combination – a Master password, the only one that the user has to memorize. It then generates unique strong passwords for all of the web-sites users visit, and stores them in the encrypted form.

The file with stored passwords may be copied to a flash drive if needed.

Password manager is also available as a standalone tool for PC, Mac, iOS and Android. If necessary it can synchronize all passwords via multiple devices. More information is available here.