Retiring worker tries hide theft of data with cyber attack, blames

>He excused himself one day from work and told fellow employees he was attending a security conference. In reality, the system administrator crossed the border into a neighboring country (a one-hour drive from his workplace), where he used a commercial vulnerability scanner to probe his company's network, just like it would happen in a real attack.
>"System administrator defaced his own website"

>When he came back to work the next day, he used his admin panel credentials to deface one of the company's websites with a message from a hacktivist group accusing the firm of globalization. He saved a copy of the defacement on the Zone-H mirroring site and erased all data from the web root folder, along with all the logs.

>He then reported the hack to his bosses claiming the company was attacked by known hackers and recommended that he wipe the server and reinstall everything to avoid a prolonged downtime.

>After he received approval and carried out a server clean-up, the sysadmin also contacted the company's web security provider, a Swiss-based company named High-Tech Bridge.

>When High-Tech's security team arrived to inspect the hacked server, they discovered a newly installed machine instead, with no clues about the attackers or the attack's origin.
>"Clues leave a trace back to the sysadmin"

>Unfortunately for the server admin, he didn't cover all his tracks. High-Tech Bridge investigators were quick to point out a series of discrepancies.

>For example, anyone who has ever met a hacktivist knows that they're all about media coverage and publicity stunts. There was no trace on social media about this hack.

>Investigators also pointed out that the target of the defacement was a well-protected subdomain on a less used server, which makes no sense since the company was managing several highly trafficked websites that ran older software, which were much easier to hack from an attacker's perspective.

...

>Unknown to all at that time was the fact that the system administrator chose to deface that website because the data he was told to steal was stored on that less trafficked server.
>"Hacktivists can't afford enterprise-grade vulnerability scanners"

>Additionally, the attack was carried out from an IP belonging to a public Wi-Fi network, something that also doesn't fit the hacktivist attack model because these groups use Tor in almost 99.99% of all cases to hide their location.

>Furthermore, the security scanner the system administrator used to search for vulnerabilities was a very expensive tool, which very few hacktivists could afford, and one for which the company held a few licenses.

>"[T]he defacement was definitely done via existing functionality of the admin panel, without altering file content directly via a system command," Ilia Kolochenko, High-Tech Bridge CSO, explains.

>Since access to the admin panel was only limited to a select IP range, assigned to computers inside the company, this meant the login took place from behind the company's firewall, in other words, this was the work of an insider.

>Add to this the fact that the system administrator insisted for a server reinstallation, against all security breach procedures, meant the sysadmin had something to gain by erasing that server. All of these clues placed the sysadmin at the top of the main suspects list.

>Confronted with all the details gathered by the High-Tech Bridge team, the system administrator admitted to his wrongdoing.

>>72143
Psssht, n00b