Pierluigi Paganini August 22, 2023

US Government and defense contractor Belcan left its super admin credentials open to the public, Cybernews research team reveals.

Belcan is a government, defense, and aerospace contractor offering global design, software, manufacturing, supply chain, information technology, and digital engineering solutions. The company, with reported revenue of $950 million in 2022, is a trusted strategic partner to more than 40 US Federal agencies.

On May 15th, the Cybernews research team discovered an open Kibana instance containing sensitive information regarding Belcan, their employees, and internal infrastructure. Kibana is a visualization dashboard for the data search and analytics engine ElasticSearch. These systems help enterprises deal with large quantities of data.

While the leaked information highlights Belcan’s commitment to information security through the implementation of penetration tests and audits, attackers could exploit the lapse in leaving the tests’ results open, together with admin credentials hashed with bcrypt.

The leaked Belcan data in the open Kibana instance contained the following:

• Admin emails
• Admin passwords (hashed with bcrypt, cost setting 12)
• Admin usernames
• Admin roles (what organizations they’re assigned to)
• Internal network addresses
• Internal infrastructure hostnames and IP addresses
• Internal infrastructure vulnerabilities and actions taken to remedy/not remedy them.

Bcrypt is a safe hashing algorithm that adds a layer of security guarding against attackers. However, hashes can still be cracked, and other authentication data may be used in spear phishing attacks.

In this case, it could take attackers as long as 22 years to crack a very strong admin password. If the password is weaker and susceptible to vocabulary attacks, it could be cracked in just a few days.

Attackers could also check the company’s progress in fixing found vulnerabilities, and the data suggest that not all were resolved.

“This information can help attackers identify vulnerable systems that haven’t been patched, as well as provide them with credentials for accounts with privileged access, therefore making a potential attack against the organization significantly easier and faster,” the Cybernews research team writes.

The most significant risk is state-sponsored advanced persistent threats (APT) driven by political and military objectives such as espionage, influence, or proxy warfare.

Cybernews informed Belcan about the discovered vulnerabilities, and prior to this publication, the company had implemented safeguards to address the issue. Belcan did not send any additional comments on the findings before publishing this article.

Do you want to know why this leak poses a risk to the whole supply chain? Give a look at the original post on CyberNews

https://cybernews.com/security/belcan-leaks-admin-password-flaws/

About the author: Ernestas Naprys, Senior Journalist @CyberNew

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)