Hetzner web hosting service hacked, customer data copied
Web hosting service Hetzner has fallen victim to an attack during which hackers managed to harvest customer data. Among other things, the intruders had access to password hashes and customers' payment information. Apparently, a previously unknown server rootkit was used for the attack.
In an email sent to customers on Thursday afternoon, the company said that unknown intruders had compromised several Hetzner systems. Apparently, the incident was discovered at the end of last week. The hosting service said that it first found a backdoor on one of its Nagios monitoring servers. Subsequent investigations revealed that the Robot management interface for dedicated servers had also been compromised, and that the intruders had accessed the customer data that is stored there.
Company founder Martin Hetzner told The H's associates at heise Security that it "has not yet been technically possible to establish" how many customers are affected. The Robot database holds payment information such as the banking details of customers who pay by direct debit. The hosting service said that, although this data is encrypted asymmetrically, it can't be ruled out at this point that the private keys required to decrypt it were copied as well, in which case the encryption would offer no protection. The attackers were also able to access customers' credit card data (the last three digits of credit card numbers, the expiry date and the card type) as well as salted SHA256 password hashes.
According to Hetzner, the attackers displayed an unusually high level of sophistication: apparently, they used a previously unknown rootkit that writes nothing to the hard disk. "Instead, it patches processes that are already running on the system and injects its malicious code directly into the target process image", explained Martin Hetzner. The executive said that the rootkit seamlessly manipulated the OpenSSH daemon and Apache in RAM, apparently without restarting the services, so the modified binaries on disk remain unchanged and file-integrity checks do not catch the change. According to Hetzner, the rootkit is probably also able to manipulate ProFTPD. The number of reported incidents in which attackers manipulated the daemons of important programs is currently increasing. What appears to be new is that the manipulation was carried out exclusively in RAM.
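A rootkit that patches a running sshd or httpd without touching disk defeats file-based integrity checks, but it leaves a detectable trace: the executable pages of the live process no longer match the bytes of the file they were mapped from. The script below is an added example written for this article, not code from Hetzner or from the rootkit in question. It assumes the Linux /proc layout (/proc/PID/maps and /proc/PID/mem), must run as root, and uses a constructed maps listing and constructed byte strings for its built-in demo; the PID values and the sshd path in the sample are made up.

```python
"""Compare the executable, file-backed mappings of a running process with
the backing file on disk.  Code injected into a live process image (no file
written to disk) appears as a run of bytes that differ from the file.

Requires Linux and root: reading /proc/<pid>/mem needs ptrace access.
"""
import sys
from dataclasses import dataclass

# Constructed sample of /proc/<pid>/maps output (not taken from a real host).
SAMPLE_MAPS = (
    "55d2a4c00000-55d2a4c01000 r--p 00000000 fd:01 1234 /usr/sbin/sshd\n"
    "55d2a4c01000-55d2a4c05000 r-xp 00001000 fd:01 1234 /usr/sbin/sshd\n"
    "7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0\n"
    "7ffd1c3f1000-7ffd1c3f3000 r-xp 00000000 00:00 0 [vdso]\n"
)


@dataclass
class Mapping:
    start: int   # virtual address of the first byte
    end: int     # one past the last byte
    perms: str   # e.g. "r-xp"
    offset: int  # byte offset into the backing file
    path: str    # backing file


def parse_maps(maps_text):
    """Return only the executable, file-backed mappings from maps text."""
    mappings = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        addr, perms, offset, _dev, _inode, path = fields
        path = path.strip()
        if "x" not in perms or not path.startswith("/"):
            continue                      # data segments, [vdso], [stack], ...
        start, end = (int(a, 16) for a in addr.split("-"))
        mappings.append(Mapping(start, end, perms, int(offset, 16), path))
    return mappings


def diff_ranges(mem, disk):
    """Return half-open offset ranges [(start, end), ...] where mem != disk.

    disk is zero-padded to len(mem) because the kernel zero-fills a mapping
    that extends past the end of the file.
    """
    disk = disk[:len(mem)].ljust(len(mem), b"\0")
    ranges, run_start = [], None
    for i, (m, d) in enumerate(zip(mem, disk)):
        if m != d:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            ranges.append((run_start, i))
            run_start = None
    if run_start is not None:
        ranges.append((run_start, len(mem)))
    return ranges


def scan_pid(pid):
    """Yield (mapping, ranges) for each executable mapping that differs from disk.

    ranges is None when the backing file is gone, which cannot be compared but
    is itself worth a look for a long-running daemon.
    """
    with open(f"/proc/{pid}/maps") as f:
        mappings = parse_maps(f.read())
    with open(f"/proc/{pid}/mem", "rb") as mem:
        for m in mappings:
            if m.path.endswith(" (deleted)"):
                yield m, None
                continue
            mem.seek(m.start)
            live = mem.read(m.end - m.start)
            with open(m.path, "rb") as f:
                f.seek(m.offset)
                disk = f.read(m.end - m.start)
            ranges = diff_ranges(live, disk)
            if ranges:
                yield m, ranges


def demo():
    """Offline demo on constructed data: one 5-byte patch at text offset 0x10."""
    text = parse_maps(SAMPLE_MAPS)[0]
    disk = bytes(range(64))               # pretend these are the file's bytes
    live = disk[:0x10] + b"\xe9\x00\x00\x00\x00" + disk[0x15:]  # patched jmp
    return text, diff_ranges(live, disk)


def main(argv):
    if len(argv) < 2:
        m, ranges = demo()
        print(f"demo: {m.path} text at {m.start:#x}, patched ranges {ranges}")
        return
    for pid in argv[1:]:
        for m, ranges in scan_pid(int(pid)):
            if ranges is None:
                print(f"pid {pid}: {m.path} has no backing file to compare")
                continue
            print(f"pid {pid}: {m.path} differs from disk in {len(ranges)} range(s)")
            for s, e in ranges:
                print(f"  {m.start + s:#x}-{m.start + e:#x} ({e - s} bytes)")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as root against the PIDs of sshd and the Apache workers (`python3 memdiff.py $(pidof sshd)`). A reported range is a lead, not a verdict: some toolchains apply relocations inside text, and legitimate hot-patching tools also rewrite live code. The comparison is also only as good as the reference, so check the on-disk binary against the distribution's package checksums first, and bear in mind that a kernel-level rootkit could falsify /proc, and that hooks placed in the GOT or in an injected anonymous mapping rather than in the text segment will not show up here.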
Martin Hetzner said that current information suggests that the manipulated Apache instances were not used to deploy malware. It remains unclear who is behind the attack, and how the intruders got into the servers in the first place has yet to be established. The hosting company said that the German Federal Criminal Police Office (BKA) has been informed.