This is not a fairy-tale incident handling case in which the cyber security experts at Defencely cracked something open in a minute and exposed the flaw. Saving India's 2nd largest travel agency required a short but active engagement of incident handlers to shut out the existing flaw and protect the financial data at stake.
Thanks to our first and oldest exclusive client, who has vouched for our work and introduced us to the major airlines we now work with, we have continued to expand while keeping our vision intact: to provide security as a process, not to sell it as an end product!
Incident Handling – The Case
Defencely received an urgent mail that one of our clients had been compromised internally. The compromised execution server hosted a promotion coupon handler, the component responsible for computing discounted values. The client is India's second largest online travel agency; the flawed module had been integrated into its systems only recently and had not undergone proactive security testing.
This was a serious, financially motivated hack of a travel agency that offers airline, railway and hotel booking services with periodic discounts. The open threat was brought to Defencely's attention in time to close every loophole and add value for the client.
Handling Client-Side Validation
Fig.1: tampering SOAP Responses
Fig.2: Discounted with eCash
The technical flaw allowed a methodical attacker to obtain arbitrary discounts on the offers that were active. To do so, the attacker needed a registered account with the agency and had to tamper with the values in the SOAP responses. The handler of those SOAP responses was a separate internal system tasked with validation. Here is how the 'hack' against client-side validation worked:
- An attacker registers an account with the travel agency that provides the booking services.
- The attacker then chooses an offer from the agency and applies a discount coupon.
- Having chosen a PROMO CODE, the attacker is entitled only to a percentage deduction from the total.
- However, while on the promotion code application form, the attacker tampers with the submitted data.
- The attacker changes the value to an amount of his choosing and increases the eCash value.
- eCash is the travel agency's virtual cash, which can be used later to book related services.
- The first time, the attacker pays the correct amount and, because the eCash value was changed, is credited that amount.
- The next time, the tampered eCash balance can be spent without involving the payment gateway.
And in this way:
- The dependency on the payment gateway is bypassed.
- The eCash balance can be as high as the attacker wants it to be.
- The client-side validation of the promo code is bypassed without any validation by the payment gateway.
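The root cause above is a handler that stores whatever discounted total and eCash value the form sends. The following is an added example, not the agency's or Defencely's code: a trusting handler beside a hardened one that recomputes the discount from a server-side promo table. The SOAP message shape, the promo table and the assumption that the promotion is credited as eCash worth the percentage discount are all constructed for the example.

```python
# Added example (not from the original post): a promo-code handler that
# trusts client-supplied totals beside one that recomputes them server-side.
import xml.etree.ElementTree as ET

# Constructed server-side promo table: code -> percentage off the total.
PROMO_TABLE = {"SAVE10": 10, "FEST25": 25}

# Constructed request, shaped like the SOAP message a booking form might send.
# The attacker has edited discountedTotal and ecashCredit before submitting.
TAMPERED_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ApplyPromo>
      <bookingTotal>10000</bookingTotal>
      <promoCode>SAVE10</promoCode>
      <discountedTotal>1</discountedTotal>
      <ecashCredit>999999</ecashCredit>
    </ApplyPromo>
  </soap:Body>
</soap:Envelope>"""

def parse_apply_promo(xml_text):
    """Return the ApplyPromo child elements as a dict of tag -> text."""
    root = ET.fromstring(xml_text)
    node = root.find(".//ApplyPromo")
    return {child.tag: child.text for child in node}

def vulnerable_apply_promo(fields):
    """Trusts the client's arithmetic: whatever the form sends is stored."""
    return {"charge": int(fields["discountedTotal"]),
            "ecash": int(fields["ecashCredit"])}

def hardened_apply_promo(fields):
    """Recomputes the discount from the server-side table and credits eCash
    only from that discount (assumed rule); client-supplied totals are ignored."""
    total = int(fields["bookingTotal"])
    if total <= 0:
        raise ValueError("invalid booking total")
    pct = PROMO_TABLE.get((fields.get("promoCode") or "").upper())
    if pct is None:
        raise ValueError("unknown promo code")
    discount = total * pct // 100
    return {"charge": total - discount, "ecash": discount}
```

With the tampered request, the trusting handler charges 1 and credits 999999 eCash; the hardened one charges 9000 and credits 1000 regardless of what the form claimed.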
Defencely's web application security experts detected the flaw in time and remained in contact with the client to keep it updated while we prepared a brief incident handling report. The report guided the client in remediating the weakest link in its security chain: the client-side vulnerability whose tampered values were being written back unchecked to server-side storage.
Handling Server-Side Cleansing
Logs proved that traces of attacks from internal servers remained: an attacker still had access to an old shell that had been planted on that particular server years before. Access to a remote shell can be nearly invisible or very easy to detect. This, however, was not the usual case of a shell with interactive features such as the C99 or R57 webshells. It was a shell that could interact directly with the databases. For those wondering, Adminer, a single-file PHP database access tool, is an example of this kind.
The internal logs had already made the situation clear: an attacker was scanning hosts at random, with no targeted attempt, and had probably discovered a backdoor left over from earlier compromises.
Fig.3: Internal server logs show random file browsing and traces of an automated break-in
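The two signals the logs gave away, random file browsing and requests to a single-file database shell, can be pulled out of ordinary web server access logs. Below is an added example, not Defencely's tooling: it parses combined-format log lines, flags requests whose file name matches the shell names mentioned above, and lists source IPs whose 404 count looks like scanning. The log lines, IPs and threshold are constructed for the example.

```python
# Added example (not from the original post): flag scan-like browsing and
# database-shell requests in web server access logs.
import re
from collections import defaultdict

# Combined log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# File names of the single-file database/web shells named in the incident.
SHELL_NAMES = re.compile(r'(?:^|/)(?:adminer|c99|r57)[^/]*\.php', re.I)

# Constructed sample log lines: an internal host probing random files,
# then hitting a planted database shell; one benign request for contrast.
SAMPLE_LOG = """\
10.0.5.17 - - [12/Mar/2014:02:11:03 +0530] "GET /backup.zip HTTP/1.1" 404 512
10.0.5.17 - - [12/Mar/2014:02:11:04 +0530] "GET /old/config.php HTTP/1.1" 404 512
10.0.5.17 - - [12/Mar/2014:02:11:04 +0530] "GET /db/adminer.php HTTP/1.1" 200 18342
10.0.5.17 - - [12/Mar/2014:02:11:09 +0530] "POST /db/adminer.php?server=localhost HTTP/1.1" 200 2201
10.0.9.2 - - [12/Mar/2014:02:12:40 +0530] "GET /booking/index.php HTTP/1.1" 200 8810
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyse(text, scan_404s=2):
    """Return (shell_hits, scanners): requests to known shell file names, and
    source IPs whose 404 count reaches scan_404s (random file browsing)."""
    shell_hits, not_found = [], defaultdict(int)
    for rec in parse_log(text):
        path = rec["path"].split("?", 1)[0]   # drop the query string
        if SHELL_NAMES.search(path):
            shell_hits.append((rec["ip"], rec["method"], path, rec["status"]))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    scanners = sorted(ip for ip, n in not_found.items() if n >= scan_404s)
    return shell_hits, scanners
```

On the sample, the probing host is reported both as a scanner and as the source of the two Adminer requests; in practice the threshold is tuned per site and the name list extended to the files found during the audit.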
At this point Defencely's network security team stepped in, proceeding with log file audits and the deployment of a prevention framework for handling such cases. Because the existing security policies had had a weakening hole all along, the team chose a long-term commitment to deploy network security services for India's second largest travel agency, giving it a better security posture than its competitors. The incident proved the following:
- A lack of network security can lead to application-level threats.
- Tightening network security policies and hardening servers can be a long-term benefit.
- Application security alone, without network security, is of limited benefit.
- System administrators should be trained proactively in security so that they can handle incidents when they occur.
Threats like the one above can be escalated silently to compromise an entire network range and cause a disaster with financial impact. Every business keeps its data warehouse of financial assets internally segregated, but that segregation assures nothing when part of the system is exposed at the Internet front with web services and the like, and so a security incident can still result.
Risk assessments are a great start, but risk treatment is the essential ingredient for neutralizing risks when they occur. The internal development teams at the travel agencies we currently work with have made efforts to close out threats in coordination with Defencely's security experts, performing regular security audits and monthly assessments to actively defend against new threats.
I hope this eye-opening incident makes a difference and that industry experts take effective steps to make security as strong as it needs to be: keeping businesses running smoothly with patches applied regularly, and treating 'security' as a core fundamental element while development is in progress. Otherwise the fate of any application or network appliance is left to unpatched vulnerabilities and to insecure deployment in the first stages of a product release. Our security model for each client is concise, and our security solutions are enterprise ready. Feel free to connect with us for any help with security concerns for your web applications, network infrastructure or enterprise 360 degree security.