Investigation Report
Fujitsu Cyber Threat Intelligence
Investigation | Fujitsu Security Operations Centre
Contents
1. Glossary  3
2. Executive Summary  4
   2.1.1 Data exposure  5
3. Summary  7
© Copyright 2017 Fujitsu Cyber Threat Intelligence |
Page 2 of 8
1. Glossary

Term      Meaning
MongoDB   NoSQL database
CMS       Content Management System
Shodan    Internet of Things search engine
VM        Vulnerability Management
GDPR      General Data Protection Regulation
AWS       Amazon Web Services
SaaS      Software as a Service
2. Executive Summary

Fujitsu Cyber Threat Intelligence routinely performs proactive analysis of the risks associated with
unsecured data; in this case, MongoDB. Shodan offers the capability to identify databases that are
exposed to the Internet, to defenders and equally to those who seek to take the data from within
them. This work supports existing customers' security postures by identifying these risks and, in
doing so, offers a view of the type of data that can be exposed by an incorrect configuration of
MongoDB.
In December 2016, Fujitsu Cyber Threat Intelligence identified a large database, 112GB in size,
which stored data appearing to belong to a hotel Content Management System (CMS). The data
included the following:

- 2.9m partial payment information records
- 3.4m booking references (check-in, check-out details)
- 4.8k hotel reference usernames
- 3.0m guest records (first name, surname, addresses, email address, telephone number,
  country of residence, zip/post code)
- 1.9m transaction records (room rate, transaction processor)
The data belonged to a U.S.-based company offering a complete cloud-based solution for hotels:
property management, online distribution and revenue management through the cloud. To date,
almost 1,000,000 hotel guests have had their stay managed by this company according to its
LinkedIn article, from the initial online booking process through arrival, onsite operations and
checkout.
The company is focused on converging processes traditionally performed by separate systems into
a single all-in-one productivity application. All modules are integrated within the application and
are accessible from any computer and most mobile devices. The company is a privately held
corporation based in San Francisco, California.
In January 2017 open source reporting again focused on the security of MongoDB as attackers
began to delete databases, replacing them with a note demanding Bitcoin payment in return for
the data; in effect, extortion against databases running without authentication. During the
analysis that CTI performed, we identified a significant database used by a cloud hosting company
known as CloudFX, which was exposed and totalled 29GB in size. The information contained in the
database included the following:
2.1.1 Data exposure

- Office 365 user accounts
- Office 365 licenses
- Service catalogue
- Virtual machine data
- Load balancer data
- Office 365 subscription data
- Office SaaS customers
- Users
- Cloud providers
- Billing data
- Service requests
- AWS estimated usage
- Network interfaces data
- Passwords
- Purchase history
- Order history
- Company lists
- Private network data
The data included in this report is a snapshot of the data available during the time before the database was
deleted by an actor being tracked by Fujitsu CTI. As of 05/01/17 the database was exposed and not subject to
extortion; as of 06/01/17 the database had been taken and replaced with the following extortion message
from the actor.
The company lists the following logos on its operations page, seemingly as a nod to those who have taken
its services.
The portfolio includes the following:
- Strategic Advisory Services
- Enterprise IT as a Service Operating Models
- E-Commerce Cloud and Digital Services Market Places
- Single and Multi-Tenant Cloud Service Portal and Catalogue Creation
- Anything as a Service Models and Advanced Cloud Service Orchestration design
- Cloud Service API / Adaptor Creation for Automation and provisioning integration
- Virtual and Cloud Services Workflow Architecture, Integration and Policy creation
- Multi-Cloud Vendor Management for metered and subscription Billing Services
- Physical to Virtual, Virtual to Cloud and Cloud to Cloud Migration Services
- Advanced Consumption modelling and Real-Time Multi-Vendor Cloud analytics
- Cloud native IT Service Management / Governance design and implementation
- Cloud DevOps Services design and Test-Development Architecture services
- Physical, Virtual and Cloud Multi-Tier Architecture Blue Printing Design Services
- ISV On Boarding into Cloud Market Place and Single Tenant Service catalogues
- Multi-Level Cloud Service Catalogues | T2 tenants, Business Divisions, Partner tenants
The impact on the potential customers included in the database cannot be measured, since we, as
defenders, did not take any of the data and have no interest in it; we captured screenshots only to
confirm the legitimacy of the exposure, and the table data proves the existence of some of the
potential customers. One potential customer is PwC, which also appears on the operations page.
3. Summary

In today’s threat landscape, organisations can no longer afford to be complacent when it comes to
security. It needs to be top of the boardroom agenda. By implementing an effective security
education programme alongside a strong threat intelligence system and incident response plan,
an organisation can combat today’s cyber-criminal networks and protect its data assets.
Using effective vulnerability management, such as Qualys, and in particular the remote service
check associated with unsecured MongoDB, can ensure that incidents such as this, which exposed
the personal information of millions of customers to the Internet, do not occur. Leveraging the
capabilities of a platform that can identify the risks inherent in database authentication, such as
MongoDB's, can reduce the chances of an exposed database. GDPR will ensure that any breach
such as this is met with the appropriate regulatory safeguards and consequences.
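The two settings that decide whether a MongoDB instance ends up in the situation described in this report are the interface it listens on (net.bindIp) and whether authorization is switched on (security.authorization). As an added illustration, not part of the Fujitsu report and not a Qualys check, the following Python script audits a mongod.conf for exactly those two settings, with a weak and a hardened sample configuration constructed inline. It parses only the small key: value YAML subset that mongod.conf uses, so it needs no third-party library; the paths and addresses in the samples are invented.

```python
"""
Audit a mongod.conf (YAML) for the settings that expose a database to the Internet:
  net.bindIp             -> 0.0.0.0 / :: / * listens on every interface
  security.authorization -> anything but "enabled" permits anonymous reads and writes
Example code for illustration; the two configurations below are constructed.
"""

# Constructed sample: the configuration pattern behind the 2017 MongoDB extortion wave.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: bound to loopback plus one private address, authorization on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse nested `key: value` maps indented by spaces; returns a dict of dicts/strings.

    Handles only the subset mongod.conf uses (no lists, no quoting, no anchors).
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for every open parent
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack and stack[-1][0] >= indent:  # close deeper/equal mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no value opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_config(text, pre_36_defaults=True):
    """Return a list of findings; an empty list means neither exposure setting is present.

    pre_36_defaults: MongoDB before 3.6 bound to all interfaces when bindIp was unset,
    which is the era this report covers; 3.6 and later default to localhost.
    """
    conf = parse_simple_yaml(text)
    findings = []

    bind_ip = conf.get("net", {}).get("bindIp")
    if bind_ip is None:
        if pre_36_defaults:
            findings.append("net.bindIp not set; pre-3.6 default listens on all interfaces")
    else:
        addrs = [a.strip() for a in str(bind_ip).split(",")]
        if any(a in ("0.0.0.0", "::", "*") for a in addrs):
            findings.append("net.bindIp listens on all interfaces")

    authz = str(conf.get("security", {}).get("authorization", "disabled")).lower()
    if authz != "enabled":
        findings.append("security.authorization is not enabled (anonymous access)")

    if len(findings) == 2:
        findings.append("CRITICAL: reachable from the Internet without authentication")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_config(conf) or ["no findings"])
```

Run it against a real mongod.conf by reading the file into `audit_mongod_config`; a host that returns the CRITICAL line is the exact profile Shodan indexes and the extortion actors targeted, and fixing either setting (restricting bindIp or enabling authorization) removes it from that profile, while fixing both is the correct end state.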
To learn more about Fujitsu’s Cyber Security offerings contact us.
Contact us on:
Tel: +44 (0) 870 242 7998
Email: [email protected]
Web: uk.fujitsu.com
Copyright © Fujitsu Services Ltd 2017. All rights reserved.
No part of this document may be reproduced, stored or transmitted
in any form without prior written permission of Fujitsu Services Ltd.
Fujitsu Services Ltd endeavours to ensure that the information in
this document is correct and fairly stated, but does not accept
liability for any errors or omissions.