Following a report that Kaspersky Lab's US domain was hacked last weekend, the company has confirmed no data was compromised.
“At the end of January, a new version of the US support site was unveiled, containing a vulnerability. Several attackers with IP addresses from Romanian ISPs initiated an SQL injection attack on a subsection of the site,” says the company.
Kaspersky took immediate action when notified of the issue, and the vulnerability was fixed. The attack didn't affect any of the company's other sites or the e-commerce sections on these sites.
The company says the attackers subsequently claimed to have gained access to personal details and activation codes. “A thorough analysis conducted by Kaspersky Lab's Web security experts immediately following the attack revealed that although the attack had penetrated the support site, no sensitive data was compromised. No activation codes or personal data were leaked as a result of the attack.”
Second opinion
The company's specialists investigated the incident and hired an independent expert, Next Generation Security Software's David Litchfield, to corroborate the results of the internal investigation, and to confirm that no data was leaked. Litchfield's report confirmed no data had been compromised from the site.
According to Litchfield's report: “The usa.kaspersky.com Web site and database were successfully breached early on Saturday morning on 7 February. Kaspersky was deliberately targeted. The attacker, based in Romania, used Google to search for Web servers owned by Kaspersky running applications that may be vulnerable to SQL injection.
“The attacker claims to have been able to access private customer information, but has publicly stated that no data was compromised. The attacker's claim to be able to access customer data is correct and, as is apparent from the Web server log files, the attacker did attempt to gain access to customer data.
“However, the attempts failed, only because the attacker specified the wrong schema name, in other words the location of the tables holding the data.”
Data still safe
The report elaborated that had the attacker specified the right schema name, he/she would have had full access to the customer data. Though the attacker successfully gained access to the database's usernames and passwords, at no point was customer data accessed. On the Saturday, the attacker stated the usa.kaspersky.com Web site was vulnerable to SQL injection, causing a number of other attackers from various locations to probe the site further.
None of these follow-up attackers accessed any customer data either, and on hearing of the threat, Kaspersky immediately took down the vulnerable Web server, preventing further breaches.
“After the publication of the vulnerability on the Hackersblog.org site, additional attackers began to target the usa.kaspersky.com Web server. Most seemed simply curious, but one in particular made a concerted effort to gain access to activation codes,” said Litchfield.
Kaspersky is conducting a thorough security audit of all its official sites. It is also developing additional internal review procedures to ensure corporate resources are protected from similar attacks.