Staminus Breach: Just How Bad Is It?

In terms of data security, 2016 is off to a pretty grim start, as we have already tracked 510 data breaches exposing over 175 million records. Just last month, we posted about the potentially devastating risks when a hosting provider is compromised. Until a few days ago, many people had never heard of a hosting provider called Staminus, which claims to specialize in Distributed Denial of Service (DDoS) protection. Over the last few days, Staminus customers have been very unhappy due to a significant outage. They are likely to be even more upset, as we have confirmation that personal data, including credit cards, has been compromised.


With Staminus being a hosting company that also provides DDoS protection services, the full impact of the compromise is still unclear at this point. However, as with any hosting provider breach, the number of impacted companies and people can be enormous. We have determined that approximately 2,300 previous and current clients were included in the Staminus breach. These ranged from companies that themselves provide Internet hosting services down to small instances run as a hobby web site by one individual.

So what exactly was leaked?

SQL files:

  • accountUpdate.sql 1.213kb
  • acctserver.sql 157kb
  • appliance_lan.sql 77kb
  • ip_limit.sql 444kb
  • ip_limit_history.sql 74kb
  • ip_limit_profile.sql 17kb
  • sp.sql 2,210kb
  • Full.sql 3.6GB
  • 3-9-staminus2.sql 14.5GB

full.sql

  • Billing table contains 141,403 account billing records from purchases.
  • Account table contains 4,415 users’ details with full addresses, contact details, company details, emails, and encrypted passwords.
  • Credit_card table contains 2,042 records with full card details.
  • Rest of the information seems to relate to Staminus sales, site configuration, billing tracking and other configuration values related to the systems.

3-9-staminus2.sql

  • Same data as Full.sql as well as data related to DDoS reporting, tickets, and other server-related actions.
  • Full ticket history with user details, ticket content, and Staminus responses
  • Staff details with encrypted passwords, email addresses, and OAuth credentials in the form of tokens and generated user keys.

main.tar.gz

  • This contains all of the above SQL files as well as my.cnf (the MySQL server configuration) and api.php (contains cleartext passwords and an example connection to the Staminus API).
  • PDOFunctions.php-copy (contains a full database connection for the Staminus system as well as MySQL credentials).

svn.tar.gz

  • 229 MB, 4,172 Files, 376 Folders
  • Full source code.

openvpn.tar.gz

  • 20.0 KB, 5 Files, 2 Folders
  • brandonh.crt
  • brandonh.key
  • ca.crt
  • and full configuration file for openvpn

chatbot.tar.gz

  • 104 KB, 85 Files, 62 Folders
  • lita-staminus-gem
  • litabot
  • r2d2bot
  • stamvpn

lighttpd.tar.gz

  • 304 KB, 81 Files, 5 Folders
  • lighttpd web server configuration that contains a lot of vhosts, not only for staminus.net.

Site Configurations

  • api.staminus.net
  • clients.staminus.net
  • gb.staminus.net
  • mrtg.staminus.net
  • portal.staminus.net
  • saml.staminus.net
  • manage.gobig.co
  • staff.gobig.co
  • img.stamin.us
  • sarasafari.com
  • sw.digitalrogues.com
  • vhost.staminus.net
  • viawest.staminus.net
  • www.staminus.net
  • www.techblogs.us
  • www.vrazo.com
  • www2.staminus.net

Certificates

  • gobig.co_wildcard_02-15-13
  • img.stamin.us_02_12_14_1yr
  • staminus_ev_03-12-13_2yr
  • staminus_wildcard_05-16-10_2yr
  • staminus_wildcard_12-09-10_2yr
  • staminus_wildcard_12-09-14_2yr

Some of the websites hosted by Staminus carry additional controversy. As previously disclosed, a website run by the Ku Klux Klan was included in the breach as well. What was not mentioned in previous reports is that quite a few similarly themed domains (some old, defunct, or very small) were hosted with them as well:

  • whiterightsparty.com
  • whiteprideparty.com
  • saveouramericanheritage.com
  • kkk.biz
  • nationalwhitepridealliance.com
  • kukluxklan.tv
  • americankkk.com
  • Harrisonarkansaswebsites.com
  • kkk.com
  • americanheritagecommittee.com

It appears that after the initial breach, once it was determined that these sites were hosted by Staminus, the leakers took it upon themselves to access and obtain additional information from them. On further examination of the data, not all of the domains appear to be active, and it is somewhat hard to determine the exact impact of the data that has been leaked.

The original leak was published and, for undisclosed reasons, seemingly removed within 24 hours. As we have covered previously, @CthulhuSec has stepped in to properly host a leak when there have been issues, and this leak was no different.


What follows next is a bit unique and worth mentioning, as @CthulhuSec shares that he is being DDoS'd again, and even points a finger in the direction of Staminus.


The CEO of Staminus (allegedly based on a recommendation from the grugq) reached out to @CthulhuSec regarding the data that was collected, and they ended up having a conversation.

Here are some key snippets:

(5:15:59 PM) [email protected]/Matt-Air: We’re *not* incentivized to DDoS you, nor anyone else. It’s illegal and useless. Data is out and has been for days. Did you want protection? 😉

(5:17:42 PM) CthulhuSec: But you are the only party who would have any real interest in doing it. Data has been out for days, and exactly 0 people managed to get a hold of it because of the way the person tried to distribute it.

(5:21:40 PM) CthulhuSec: And legal or not, I’ve seen companies do more illegal stuff than those who are pretty open about breaking the law. Being a company is no disqualifier for flagrant disregard. Although, I haven’t actually accused anyone yet. I don’t keep logs quite intentionally, so I would never have that information anyway.

(5:23:49 PM) [email protected]/Matt-Air: You radically give no fucks, and that radically makes you a target of quite a few people, especially in other countries, especially Turkey. Let me be very clear. Staminus has no intention of DDoSing you, nor has Staminus DDoS’d you.

(5:25:03 PM) [email protected]/Matt-Air: And we haven't contracted anyone to do so either.

(5:26:09 PM) CthulhuSec: You seem awfully bothered about that, even though I made no charge it was you.

(5:27:49 PM) CthulhuSec: You filed a copyright complaint against the link. That is interesting. You do realise at this point, that is perhaps the worst approach to take given this has happened plenty of times and never succeeded?

(5:29:57 PM) [email protected]/Matt-Air: Are you sure it’s us?

(5:30:37 PM) CthulhuSec: == Copyright owner: Staminus Communication, Inc.
== Name: Kate Lucente
== Company: DLA Piper LLP (US)
== Job title: Attorney
== Email address: [email protected]

(5:30:57 PM) CthulhuSec: Must be authorised to act on behalf of you, or they have just committed a crime themselves.

(5:32:22 PM) CthulhuSec: Is your intention to allow them to continue to uphold the complaint, or is it to be withdrawn?

(5:39:58 PM) [email protected]/Matt-Air: Our lawyers are being lawyers.

As of this posting, it appears that the DDoS on @CthulhuSec has not been successful.

Finally, Matt Mahvi, the CEO of Staminus, has posted a statement on their main website.

March 11th, 2016

Statement

To follow up on our communication from yesterday evening regarding the system outage, we can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.

Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.

While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password.

I fully recognize that our customers put their trust in Staminus and, while we believe that the issue has been contained, we are continuing to take the appropriate steps needed to safeguard our clients’ information and enhance our data security policies.

We will provide updates, as appropriate, as the investigation continues.

Regards,

Matt Mahvi

CEO, Staminus

With so much data left to analyze and questions remaining, it is clear there is more to this story before we truly understand the impact (and how bad it is)!