For better or worse, there seem to be more and more instances of misconfigurations, whether on servers, in AWS, or on other targets. The issues range from minor to rather significant (e.g. forgetting to apply security settings and allowing anyone with an AWS account to log in to your instance). At this point, significant misconfigurations really should not be occurring; there are many opportunities and sources to learn from. One such oversight occurred in Brazil, and it was a massive one. Brazil is known for its celebrations. Unfortunately, the country is also becoming known for cybersecurity issues.
The issue in this particular breach was a misconfigured Apache server that exposed CPF (Cadastro de Pessoas Físicas) numbers for nearly 120M Brazilians. The CPF is the identification number issued by the Brazilian Federal Reserve to Brazilian citizens and taxpaying residents, much like the US Social Security number. The number is not optional and is required for the monetary tasks of daily life (e.g. opening a bank account, opening a business, paying taxes, getting a loan, and other functions). How long the data was exposed is unknown. As no one is sure how long the server was misconfigured, the exposure could have lasted a long time. It is notable and odd that this period cannot be estimated; there should be a record of when the server was configured. The data exposed includes the person’s name, birth date, email, phone number, address, employment details, bank account details, loans and repayment history, debit and credit history, voting history, voting registration number, and more. This is a wonderful collection for phishing and for taking over someone’s identity for fraudulent use. To top off the issue, all of this data is easily sold on the dark web.
The issue was discovered in March 2018. The web server was misconfigured to allow public access. On the server, the default file “index.html” had been renamed to “index.html_bkp”. For anyone viewing the files, this would be a point of attention. With no index file present, the web server produced a directory listing of the files located in that directory. The files ranged in size from 27MB to 82GB. While the researchers at InfoArmor were working to identify the owner of the server so they could be notified, they noted that an 82GB file was replaced with a raw 25GB SQL file; the file name stayed the same. What may have happened is that the directory was used to store a database backup, and the person creating and configuring it did not understand the files were publicly available.
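Two conditions had to coincide for this exposure: Apache was allowed to render directory listings, and a database dump sat in a directory with no index file. The following Python audit is an added example written for this article (it is not InfoArmor's tooling or anything from the original report); the `<Directory>` blocks, the file names under the throwaway web root, and the `/var/www/html` path are constructed samples. It flags `Options` lines that enable `Indexes` (or `All`, which implies it), lists directories that would be rendered as listings because they lack an index file, and reports backup or dump artifacts, then runs the weak and the hardened configuration side by side.

```python
"""Defender-side audit for the two conditions behind a directory-listing
exposure: (1) Apache 'Indexes' enabled and (2) backup/dump files left in
the document root.  All inputs below are constructed samples."""
import re
import tempfile
from pathlib import Path

# Constructed sample: a Directory block as shipped by many default installs.
WEAK_VHOST = """
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Constructed sample: the hardened equivalent; Indexes is explicitly removed.
HARDENED_VHOST = """
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.M | re.I)
INDEX_NAMES = ("index.html", "index.htm", "index.php")
# Suffixes typical of backups and dumps that should never sit in a web root.
BACKUP_SUFFIXES = (".sql", ".bak", ".old", ".orig", "_bkp", ".tar", ".gz", ".zip")


def directories_with_listing(config_text):
    """Return <Directory> paths whose Options enable autoindex listings.
    'Indexes' or '+Indexes' turns listings on; 'All' enables every option
    except MultiViews, so it turns Indexes on too; '-Indexes' turns it off."""
    findings = []
    for path, body in DIRECTORY_RE.findall(config_text):
        for opts in OPTIONS_RE.findall(body):
            tokens = [t.lower() for t in opts.split()]
            if any(t in ("indexes", "+indexes", "all") for t in tokens):
                findings.append(path)
                break
    return findings


def listable_directories(webroot):
    """Directories under webroot with no index file.  With Indexes on, Apache
    renders a listing for these, which is exactly what renaming index.html did."""
    root = Path(webroot)
    dirs = [root, *[p for p in root.rglob("*") if p.is_dir()]]
    return sorted(
        d.relative_to(root).as_posix()
        for d in dirs
        if not any((d / name).exists() for name in INDEX_NAMES)
    )


def exposed_artifacts(webroot):
    """Files under webroot whose names look like backups or database dumps."""
    root = Path(webroot)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name.lower().endswith(BACKUP_SUFFIXES)
    )


def build_demo_webroot():
    """Create a throwaway document root mirroring the reported layout:
    index.html renamed to index.html_bkp beside a raw SQL dump (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.html_bkp").write_text("<html>old landing page</html>\n")
    (root / "dumps").mkdir()
    (root / "dumps" / "clientes.sql").write_text("-- constructed, empty dump\n")
    (root / "static").mkdir()
    (root / "static" / "index.html").write_text("<html>ok</html>\n")
    return str(root)


def audit(config_text, webroot):
    """Combine both checks: a directory without an index only becomes a
    listing when Indexes is on, but stray dumps are a finding either way."""
    listing_on = directories_with_listing(config_text)
    return {
        "listing_enabled_for": listing_on,
        "listable_dirs": listable_directories(webroot) if listing_on else [],
        "artifacts": exposed_artifacts(webroot),
    }


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for label, cfg in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit(cfg, demo_root))
```

With the weak block the audit reports the root directory and `dumps/` as listable and both `index.html_bkp` and `dumps/clientes.sql` as artifacts; with `-Indexes` the listing finding disappears, but the artifacts remain, which is the point: disabling listings hides the files from a casual browser but does not remove a dump that can still be fetched by name, so the second check matters independently of the first.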
The researchers were able to find the email addresses associated with the server and naturally emailed one of them. The email bounced back with a “User Unknown” response. Two further attempts were made. Finally, the researchers received a reply stating the hosts had contacted their clients about the legal issues with leaving the data exposed. The data, however, remained exposed and wide open for several weeks after this. Later that month, the server was secured.
It is curious why, once the point of contact for the server had been notified, it took so long to correct the issue. It required the researchers to attempt contact three times and still took several weeks to correct. Another question is why the data was on a third-party server at all; this should not have been the case, as it is clearly significant confidential and sensitive data. It is also difficult to know who accessed the data and for how long.
Abrams, L. (2018, December 12). Taxpayer ID numbers for 120 million Brazilians exposed online. Retrieved from https://www.bleepingcomputer.com/news/security/taxpayer-id-numbers-for-230-million-brazilians-exposed-online/
Cyware. (2018, December 13). Misconfigured cloud server exposed taxpayer ID numbers of 120 million Brazilians. Retrieved from https://cyware.com/news/misconfigured-cloud-server-exposed-taxpayer-id-numbers-of-120-million-brazilians-91298892
InfoArmor. (n.d.). InfoArmor reports identification numbers of 120 million Brazilians exposed online. Retrieved from https://cdn2.hubspot.net/nubfs/3836852/PCOs/InfoArmor_Brazilian%20Exposure%20Report.pdf
Muncaster, P. (2018, December 13). Apache misconfig leaks data on 120 million Brazilians. Retrieved from https://www.infosecuritymagazine.com/news/apache-misconfig-leaks-data
Gurubaran, S. (2018). 120 million unique taxpayer ID numbers exposed online from misconfigured servers. Retrieved from https://gbhackers.com/120-million-unique-taxpayer/amp
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.