Defense contractor Belcan leaks admin password with a list of flaws


US government and defense contractor Belcan left its super admin credentials exposed to the public internet. The lapse could have enabled a serious supply chain attack, the Cybernews research team reveals.

Belcan is a government, defense, and aerospace contractor offering global design, software, manufacturing, supply chain, information technology, and digital engineering solutions. The company, with reported revenue of $950 million in 2022, is a trusted strategic partner to more than 40 US Federal agencies.

On May 15th, the Cybernews research team discovered an open Kibana instance containing sensitive information about Belcan, its employees, and its internal infrastructure. Kibana is the visualization dashboard for the search and analytics engine Elasticsearch; together they help enterprises store, search, and chart large quantities of data. A Kibana instance reachable without authentication exposes whatever data is indexed in the cluster behind it.

The leaked data shows that Belcan does invest in information security: it commissions penetration tests and audits. The problem is that the results of those tests were left open to anyone who found the instance, alongside administrator credentials whose passwords were hashed with bcrypt.

The leaked Belcan data in the open Kibana instance contained the following:

  • Admin emails
  • Admin passwords (hashed with bcrypt, cost setting 12)
  • Admin usernames
  • Admin roles (what organizations they’re assigned to)
  • Internal network addresses
  • Internal infrastructure hostnames and IP addresses
  • Internal infrastructure vulnerabilities and the actions taken (or not taken) to remedy them

Bcrypt is a sound choice for password storage: it is salted and deliberately slow, and the cost setting of 12 means each guess requires 2^12 rounds of key setup, which sharply limits how many guesses per second an attacker can make. It does not make the hashes uncrackable, however, and the usernames, emails, and role assignments leaked alongside them are directly usable for spear phishing even without a cracked password.

In this case, a very strong admin password could take attackers as long as 22 years to crack. If the password is weaker and susceptible to dictionary attacks, it could be cracked in just a few days.
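As an added example (not code from the Cybernews article or from Belcan), the following Python script triages leaked bcrypt hashes the way a responder would: it parses the cost factor out of the modular-crypt string and estimates the worst-case time to crack each hash with a dictionary attack and with brute force over random passwords. The attacker throughput, the dictionary size, and the sample records are assumptions made for illustration; the sample hash strings are constructed to be syntactically valid and are not real hashes of any password.

```python
"""Triage leaked bcrypt hashes: parse the cost factor and estimate how long
a dictionary attack and a brute-force attack would take at an assumed rate."""
import re

# bcrypt modular-crypt string: $2a$ | $2b$ | $2y$, two-digit cost, 22-char salt,
# 31-char digest; salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# ASSUMPTION: attacker throughput at bcrypt cost 5, the cost at which GPU
# cracking benchmarks are usually reported. Illustrative, not a measured figure;
# substitute your own benchmark numbers.
ASSUMED_RATE_COST5 = 1_000_000  # hashes per second


def parse_bcrypt(hash_str):
    """Return (variant, cost, salt, digest); raise ValueError for anything else."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % hash_str)
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # range allowed by the bcrypt specification
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return variant, cost, salt, digest


def hashes_per_second(cost, rate_at_cost5=ASSUMED_RATE_COST5):
    """bcrypt performs 2**cost expensive key-setup rounds, so throughput
    halves for every +1 in the cost setting."""
    return rate_at_cost5 / 2 ** (cost - 5)


def seconds_to_exhaust(candidates, cost, rate_at_cost5=ASSUMED_RATE_COST5):
    """Worst-case time to try every candidate against one hash."""
    return candidates / hashes_per_second(cost, rate_at_cost5)


def triage(records, dictionary_size=1_000_000_000, password_len=12, alphabet=95):
    """For each (username, hash) pair report the cost and two estimates: a
    dictionary-plus-rules attack of `dictionary_size` candidates (assumed size)
    and brute force over `alphabet**password_len` random printable passwords."""
    out = []
    for user, h in records:
        _, cost, _, _ = parse_bcrypt(h)
        dict_secs = seconds_to_exhaust(dictionary_size, cost)
        brute_secs = seconds_to_exhaust(alphabet ** password_len, cost)
        out.append({
            "user": user,
            "cost": cost,
            "dictionary_days": dict_secs / 86400,
            "bruteforce_years": brute_secs / SECONDS_PER_YEAR,
        })
    return out


# Constructed sample records: syntactically valid bcrypt strings with made-up
# salt and digest characters. They are NOT real hashes of any password.
SAMPLE_RECORDS = [
    ("admin01", "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("svc_scan", "$2a$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print("%-10s cost=%2d  dictionary: %8.2f days  random 12-char: %.2e years"
              % (row["user"], row["cost"], row["dictionary_days"], row["bruteforce_years"]))
```

The estimates make the same point the article does: at cost 12 the defender gets a factor of 128 over cost 5, which is decisive against a random 12-character password and nearly irrelevant against one that appears in a wordlist. Cracking is also per hash, not per dump, since each record carries its own salt.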

Attackers could also track the company's progress in fixing the vulnerabilities the scans found, and the data suggests that not all of them were resolved.

“This information can help attackers identify vulnerable systems that haven’t been patched, as well as provide them with credentials for accounts with privileged access, therefore making a potential attack against the organization significantly easier and faster,” the Cybernews research team writes.

The most significant risk is state-sponsored advanced persistent threats (APT) driven by political and military objectives such as espionage, influence, or proxy warfare.

Cybernews informed Belcan about the exposure, and prior to this publication the company had implemented safeguards to address the issue. Belcan did not provide any additional comment on the findings before this article was published.

Belcan leak

Whole supply chain at risk

Belcan’s leak posed a significant risk to a broader circle of organizations.

The exposed credentials and vulnerability data would have greatly facilitated a breach. Once an admin password was cracked, an attacker could simply log in as a privileged user instead of having to find and exploit an initial foothold, and the unpatched findings told them exactly where such footholds existed.

Threat actors could then reach sensitive information belonging to Belcan's clients, including aerospace and defense companies and government institutions.

“Such attacks are often performed by APT groups in intelligence-gathering operations, for stealing proprietary information that would allow them to copy designs and procedures for advanced products, as well as for financial gain,” Cybernews researchers write.

Such information is especially valuable for attackers as it could be used for technology espionage, obtaining secret military information, or even allowing disruption of government agencies.

Belcan's most sensitive customers are in the US, so a successful attack would be of particular concern to American citizens.

The leak appears to originate from a security tool used by Belcan. This underlines how important it is to secure such tools themselves: a vulnerability scanner or asset tracker typically holds privileged access to, and an inventory of, exactly the things an attacker wants, including the company's infrastructure, the data stored within it, internal network subnets, and endpoints.

“The data suggests that the source for the leak was likely a security tool employed by Belcan to scan and track their infrastructure for vulnerabilities. Access to such tools should be protected at all costs,” Cybernews researchers warn.

They also noticed entries in the leaked data suggesting that some vulnerabilities were detected but not patched by the company.

A prominent example of a successful supply chain attack is the SolarWinds incident of 2020. Russian government-backed attackers compromised the company's software build environment and implanted malicious code into updates for its Orion platform. The trojanized updates were then distributed to thousands of customers, among them US government agencies and major corporations.

Other notorious supply chain attacks include NotPetya, which spread through a compromised update of the M.E.Doc accounting software, the ASUS Live Update compromise known as ShadowHammer, and the Kaseya VSA ransomware attack.