UPDATE: On 3/11/2016, the Director of BGL Corp contacted me regarding this article. Ron Lesh and I discussed in detail the issue we [INSANE and the other IT provider] had identified. Ron went on to confirm for me that the latest update informs the individual performing the update if the default password is still in use, and prompts them to correct this.
It seems that for many firms, the issue here was that they may not be reading security alerts from vendors and are also NOT running regular updates, thus leaving their systems (and their clients) at risk of compromise.
Great to see a software vendor taking the right steps with security. If only we could get more businesses to do this!
Monday morning an accounting client rang up because their server would not start. It was sitting with a blank screen unable to detect the storage device.
We dispatched a technician to their business to try and understand what had happened. Whilst he was driving there, our team started reviewing the server's log files (our auditing software keeps copies of them) to try and determine 'what' had failed. We found that a user account called 'ndbuser' was the last account to log onto the server, around 4am that morning, and soon after the server had gone offline.
The 'ndbuser' account is a service account used by 'BGL Simple Fund', and it had no reason to be logging into the system itself. We continued to research the issue and stumbled upon this article from Nova IT.
The article suggests that the password created for the 'Nexus Database User' (ndbuser) has become known by hackers and is being used in attacks. In instances reported by Nova IT, servers have been accessed, passwords stolen, backup drives trashed and ransomware dropped on the unsuspecting businesses.
The article suggested that simply changing the password for 'ndbuser' would resolve the issue; however, the problem returns when even the latest BGL update is run, because the update resets the password back to the known, compromised value.
BGL have documented the problem (http://wiki.bglcorp.com.au/KB:Nexus_service_security_instructions); however, you'll be hard-pressed to find any notices about the issue, or even to find the article, without really searching. BGL have released a tool to help you fix the security of this account.
What's disappointing here is that BGL do not appear to have gone to great lengths to publish information on this issue or, even better, to release an update which bakes in the 'fix' for the issue (a new, randomised password perhaps?).
This is a SERIOUS security problem, as many businesses unknowingly open their server to the public internet for remote access and are probably running BGL under this service account without removing its right to log on locally.
The impact is that if your server is remotely accessible, someone could log into your server using this account and do massive damage. In this particular client's case, their entire server was deleted.
What should you do?
- Don't allow remote access to your servers without a VPN.
- Ensure you have an automated offsite backup strategy. Local backups are a target.
- Review account access privileges and make sure service accounts are unable to remotely log into your server.
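The two things we needed on the Monday, a view of which logons the service account had made and which local groups gave it interactive or remote access, can be checked with the following PowerShell audit script. It is an added example, not code from the original post, from BGL or from Nova IT; it assumes the account name 'ndbuser', administrator rights on the server, logon auditing enabled in the Security log, and the LocalAccounts module (Windows Server 2016 / PowerShell 5.1 or later).

```powershell
# Added audit example (not BGL's or INSANE's code). Assumes the service
# account is 'ndbuser' and that Security-log logon auditing is enabled.

function Get-ServiceAccountLogons {
    # Lists recent successful logons (event 4624) for the account, keeping
    # only the logon types that mean a person or remote session, not a service.
    param([string]$Account = 'ndbuser', [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '10' = 'RemoteInteractive (RDP)' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $Account -and $logonTypes.ContainsKey($d.LogonType)) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $logonTypes[$d.LogonType]
                SourceIP    = $d.IpAddress
                Workstation = $d.WorkstationName
            }
        }
    }
}

function Get-ServiceAccountGroups {
    # Reports the local groups that would let the account log on at the
    # console or over RDP. A service account should appear in none of them.
    param([string]$Account = 'ndbuser')
    foreach ($g in 'Administrators', 'Remote Desktop Users', 'Users') {
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.Name -like "*\$Account" }) {
            [pscustomobject]@{ Group = $g; Member = $true }
        }
    }
}

# Usage: any row from either function is something to investigate.
Get-ServiceAccountGroups | Format-Table -AutoSize
Get-ServiceAccountLogons | Sort-Object Time | Format-Table -AutoSize
```

Group membership is only half of the picture: the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights in Local Security Policy are what actually stop a service account from being used interactively, so set those for the account as well.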