- Emsisoft has had a minor yet important security incident involving data access and exfiltration.
- The company left a misconfigured database reachable from the internet; it held technical details (logs, network paths, port information) that the intruders used to push further in.
- The intruders were detected and stopped quickly, and only a small number of customers were affected.
Security firm Emsisoft has disclosed a successful attack on one of its own systems. The intruders reached sensitive technical data and exfiltrated it, and a small number of customers were exposed as a result.
According to the announcement published today, the attack took place yesterday at around 15:20 UTC and hit one of the firm's test systems, which is used to evaluate and benchmark log data storage and management solutions. The system was taken offline immediately and an investigation was launched.
The investigation found that the system held no client data beyond 14 customer email addresses belonging to seven organizations. The exposure is admittedly minor, but Emsisoft did not try to bury the incident, and the fact that attackers got in at all is significant in itself. Emsisoft has already established how they did it: a configuration error on one of its databases left it accessible to unauthorized users between January 18, 2021, and February 3, 2021.
The exposed database contained technical information about the network: log records, network paths, port information and the like. The attackers used this as a stepping stone to go deeper, but were discovered as soon as they moved on to the next layer. When we cover database exposure incidents, we regularly warn that the technical data in such databases lets attackers map an environment and then move deeper and laterally. This is a real-world case that shows exactly that.
Emsisoft has now widened the investigation to cover all of its servers and production systems, even though there are no signs that anything else was accessed. It expects to finish in about a week, so any new findings from the forensic analysis should be public by then.
As a precaution, all future tests and benchmarks will be run in an isolated environment with no internet connectivity. The firm will also invest more in real-time attack surface analysis and add fallback controls designed to hold if its primary defenses are bypassed. The two-week window during which the database was reachable is the kind of change that continuous monitoring of exposed listeners is meant to catch.
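The two lessons above, that an exposed log database hands an intruder a map of the network and that exposed listeners should be caught by real-time attack surface checks, as an added example that is not Emsisoft's own tooling or code from the original article. Everything in it is an assumption: the port-to-service table, the decision to treat anything outside RFC 1918, CGNAT, link-local and ULA ranges as public (so the documentation addresses in the sample count as public), and the constructed `ss -Hltnp` output and log records. The first function flags database-class listeners bound beyond loopback, worst first; the second pulls the host:port endpoints and file-system paths out of log records to show what an intruder reconstructs from them.

```python
"""Two checks a defender would want after an incident like this one.

Added example code, not Emsisoft's tooling.  Both inputs are constructed:
SS_SAMPLE imitates `ss -Hltnp` output from a benchmark host, LOG_SAMPLE
imitates the kind of records a log-management test system would store.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Set

# Ports of common log/search/database back ends (assumption: adapt to your estate).
DB_PORTS: Dict[int, str] = {
    3306: "mysql", 5432: "postgresql", 6379: "redis", 8086: "influxdb",
    9200: "elasticsearch-http", 9300: "elasticsearch-transport", 27017: "mongodb",
}
WILDCARDS = {"0.0.0.0", "::", "*"}
# Ranges treated as internal; everything else counts as public, so the
# documentation ranges used in the samples below are deliberately "public".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]


class Finding(NamedTuple):
    port: int
    service: str
    bind: str
    process: str
    exposure: str  # "wildcard", "public", "private" or "unknown"


def classify_bind(host: str) -> str:
    """Map a bind address to an exposure class."""
    if host in WILDCARDS:
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # e.g. an interface-scoped address ss printed oddly
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in INTERNAL_NETS):
        return "private"
    return "public"


_PROC = re.compile(r'users:\(\("([^"]+)"')


def audit_listeners(ss_output: str, db_ports: Dict[int, str] = DB_PORTS) -> List[Finding]:
    """Return database-class listeners reachable beyond loopback, worst first.

    A wildcard or public bind on an internet-facing host is the kind of
    misconfiguration that exposed the test database; private binds are
    reported too so a reviewer can confirm a firewall or VPN fronts them.
    """
    findings: List[Finding] = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")  # '[::]:9300' -> '[::]', '9300'
        host, port = host.strip("[]"), int(port)
        if port not in db_ports:
            continue
        exposure = classify_bind(host)
        if exposure == "loopback":
            continue
        proc = _PROC.search(line)
        findings.append(Finding(port, db_ports[port], host,
                                proc.group(1) if proc else "?", exposure))
    rank = {"wildcard": 0, "public": 1, "private": 2}
    return sorted(findings, key=lambda f: (rank.get(f.exposure, 3), f.port))


_ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{2,5})\b")
_PATH = re.compile(r"(?<![\w/])(/(?:[\w.-]+/)+[\w.-]+)")


def extract_topology(log_text: str) -> Dict[str, Set[str]]:
    """What an intruder learns from exposed infrastructure logs: internal
    host:port endpoints and file-system paths, the 'pathways and port info'
    that served as the stepping stone."""
    endpoints = {f"{h}:{p}" for h, p in _ENDPOINT.findall(log_text)}
    return {"endpoints": endpoints, "paths": set(_PATH.findall(log_text))}


# Constructed sample data (not real hosts): `ss -Hltnp` on a benchmark box ...
SS_SAMPLE = """\
LISTEN 0 4096 0.0.0.0:9200 0.0.0.0:* users:(("java",pid=2210,fd=312))
LISTEN 0 4096 [::]:9300 [::]:* users:(("java",pid=2210,fd=320))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1185,fd=7))
LISTEN 0 511 10.20.4.17:6379 0.0.0.0:* users:(("redis-server",pid=1411,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=901,fd=3))
LISTEN 0 4096 203.0.113.8:27017 0.0.0.0:* users:(("mongod",pid=1720,fd=11))
"""
# ... and a few records of the kind such a system stores.
LOG_SAMPLE = """\
2021-01-20T08:14:02Z ingest-01 collector: forwarding 1280 events to 10.20.4.17:6379 (redis queue)
2021-01-20T08:14:03Z ingest-01 collector: wrote batch to /var/lib/benchmark/batches/00042.json
2021-01-20T08:14:05Z es-bench-02 elasticsearch: node joined cluster via 10.20.4.21:9300
2021-01-20T08:14:09Z es-bench-02 backup: snapshot repository /mnt/backups/es mounted from 10.20.5.3:2049
2021-01-20T08:15:11Z bastion sshd: admin session from 198.51.100.24:51723 to 10.20.4.2:22
"""

if __name__ == "__main__":
    for f in audit_listeners(SS_SAMPLE):
        print(f"{f.exposure:8} {f.service:24} {f.bind}:{f.port} ({f.process})")
    for kind, items in extract_topology(LOG_SAMPLE).items():
        print(kind, sorted(items))
```

Run it on real hosts by piping `ss -Hltnp` into `audit_listeners`; anything reported as wildcard or public on a host with an internet-facing interface is the finding to chase first, and the private hits are the ones to cross-check against firewall rules. The topology extractor is deliberately crude: the point is that even benign-looking benchmark logs give away internal addresses, service ports and storage paths, which is why such systems belong on a network with no route to the internet.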