How Small Issues Escalate - An Update on the German Governmental Hack

A cached version of the ILIAS e-learning installation suggests it might have allowed hackers access to sensitive information and allowed them to impersonate staff members and perform actions on their behalf.

First Published 9th March 2018

From little things, big things grow.

4 min read  |  Reflare Research Team

In last week’s briefing, we discussed the recently publicized hack of a German governmental communications network and varying media coverage in different countries.

In this week’s briefing, we will review additional information on the hack and take a look at how minor vulnerabilities can quickly escalate into major breaches.

What’s new?

According to research performed by German IT news outlet Golem.de, it is likely that the network was initially compromised through a vulnerable version of the ILIAS E-Learning platform.

ILIAS is an open-source e-learning platform developed by a German association. It is quite popular with German universities and governmental institutions. While the ILIAS software itself is regularly updated and vulnerabilities are quickly fixed, post-mortem analysis performed on cached versions of the installation used by the Federal University of Applied Administrative Sciences indicates that it might have been out of date and exposed to several low-severity vulnerabilities.

How attacks escalate

The vulnerabilities that are likely to have been exploitable in the targeted university’s e-learning offering are comparatively minor. Most notably, the page appears to have been vulnerable to Cross-Site Scripting (XSS) attacks. By themselves, these hardly appear to be the kind of critical vulnerabilities fit to compromise high-security governmental networks.

However, attackers can quickly escalate seemingly harmless issues. For example, an attacker may have used an XSS vulnerability to stage a very convincing phishing attack and in turn steal a user’s password. If the user re-uses that password, the attacker may now be able to log in to the user’s email or other accounts. If the user is an administrator, the administrative privileges can be abused immediately. If not, the email account can be abused to stage further social engineering attacks against administrators. (This is a fictional example and should in no form imply that this is what happened in the actual hack.)

Summary

While we still do not know how the governmental network was breached, it is becoming increasingly likely that a trivial vulnerability in a low-criticality system (e-learning) in a low-criticality part of the network (internal training of a university) was escalated by attackers to ultimately gain access to critical information.

This once again demonstrates that there is no such thing as a safe-to-ignore vulnerability.

To protect yourself, we strongly advise any organization to take information security seriously even when it concerns low-criticality infrastructure, and to make sure that all staff across the organization are adequately trained to spot and respond to security issues. A minor issue you intend to fix at some later time in the year can quickly turn into a security nightmare when abused by skilled attackers.