Security Company Barracuda Networks Database Hacked by fdf (hmsec.org cr3w) via SQL Injection Attack

Security Company Barracuda Networks Database Hacked by fdf (hmsec.org cr3w) via SQL Injection Attack

Yet another security company was embarrassed over the weekend after a hacker broke into its marketing database. Barracuda Networks, which has an impressive security portfolio that includes the Barracuda Spam & Virus Firewall, Barracuda Web Firewall, as well as VPN and Web Application Firewall appliances, saw the names and email addresses of its employees and partners splashed online. Also posted were the MD5 hashes of passwords, as well as a list of databases on the server, leaving little doubt as to the authenticity of the digital break-in.

Responding to the news late on Monday, Executive Vice President and CMO Michael Perone confirmed the compromised information on Barracuda's company blog. Apologizing for the inconvenience to those whose email addresses were exposed, Perone wrote:

The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords. However, all active passwords for applications in use remain secure.

The bad news though, was what led to the compromise by the hacker. The Barracuda Web Application Firewall (WAF) in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8 ) after close of business Pacific time. Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling the Web site in search of unvalidated parameters. After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market. As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees. The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later. We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.

Full Disclosure:Barracuda Networks Hacking via SQL Injection.

A disclosure by: fdf (hmsec.org cr3w)
Shout to: Sorcerer, Kill_Tech, Y0y0, Sherina84, Tr4nsltr, Upxilon, Ghimau, otak and all Malaysian Hackers

LIST OF DATABASES:
new_barracuda
information_schema
Marketing
barracuda
black_ips
buniversity
bware
co-op
collections
cuda_car
cuda_stats
dev_new_barracuda
igivetest
igivetest_bk1_aug10
igivetestsucks
kb_solutions
leads
mysql
new_barracuda
new_barracuda_archive
php_live_chat
phpmyadmin

DB NAME: NEW_BARRACUDA
TABLE NAME: DEAL_REG
DATA COUNT: Count(*) of new_barracuda.deal_reg is 17549
SAMPLE DATA:

DB NAME: NEW_BARRACUDA

TABLE NAME: CMS_LOGINS

DATA COUNT: Count(*) of new_barracuda.cms_logins is 251

DATA:

DB NAME: NEW_BARRACUDA

TABLE NAME: BUNIVERSITY_USERS

DATA COUNT: Count(*) of new_barracuda.buniversity_users is 35

DATA:

DB NAME: MYSQL

TABLE NAME: USER

DATA COUNT: Count(*) of mysql.user is 23

DATA: