Russian hacker HASH took control of a BBC server

The Russian hacker known as “HASH” and “Rev0lver” took control of a BBC server and attempted to sell access to it to other cybercriminals.

A hacker compromised a server at the BBC (British Broadcasting Corporation) and started a Christmas Day campaign to sell access to the machine to other cybercriminals. Evidence of the attack was first found by Hold Security LLC, a security firm in Milwaukee, which was monitoring underground forums and noticed the offer from a notorious Russian hacker known by the pseudonyms “HASH” and “Rev0lver”. The cybercriminal was attempting to sell access to the BBC server on December 25, according to what Alex Holden, Hold Security LLC’s founder and chief information security officer, told Reuters.

The Russian hacker advertised his hack by showing some files stored on the server, and offered access to other high-profile hackers upon payment.

At the moment it is not clear whether more than one cybercriminal accessed the server. The BBC’s security department worked promptly, and it seems that the flaw has already been fixed, although a BBC spokesman declined to comment on the attack.

There is no news of a data breach or of any other damage resulting from the cyber attack. It is known that the compromised server hosts an “obscure password-protected website”. It seems that the server was allegedly compromised via the file-transfer site ftp.bbc.co.uk.

“We do not comment on security issues,” were the spokesman’s lapidary words.

It is likely that an unpatched vulnerability in the server was exploited to compromise the FTP [file transfer protocol] facilities.

“This could mean, for example, that files containing sensitive information could be downloaded.” “However, the bigger worry is that FTP servers are connected to the remainder of the network and often have easy access to other servers to facilitate internal file transfers, which is how a hacker can then use this as a jumping off point to explore other servers on the network,” said Prof Alan Woodward from the University of Surrey’s Department of Computing.

As I have described in many posts, on the underground market it is easy to find any kind of stolen data, including credentials for accessing compromised servers. Skilled hackers acquire them to conduct further cyber attacks while reducing the window of exposure for their illegal activities.

Access to the thousands of machines that make up huge botnets is easily rentable on the black market; by exploiting them, hackers can rapidly arrange hacking campaigns.

The exploitation of the BBC server could be just the tip of the iceberg; more sophisticated attacks could be ongoing to gain control over many other machines within the BBC network.

“Justin Clarke, a principal consultant for the cybersecurity firm Cylance Inc, said that while “HASH” was only offering access to an obscure FTP server, some buyers might see it as a stepping stone to more prized assets within the BBC. “Accessing that server establishes a foothold within the BBC’s network which may allow an attacker to pivot and gain further access to internal BBC resources,” he said,” reported Reuters.

It must also be considered that media companies are targets for hackers and state-sponsored attackers; China-based hackers and hacktivist groups like the Syrian Electronic Army have repeatedly hit major Western agencies.

In these cases an efficient incident response procedure is crucial: right after an incident it is fundamental to discover the flaw exploited by the hackers and the information stolen, and to adopt proper countermeasures to reduce the future exposure of the overall architecture.

Pierluigi Paganini

(Security Affairs – BBC, cybercrime)
