Company's Former IT Admin Accused of Accessing Backdoor Account 700+ Times (bleepingcomputer.com)
An anonymous reader writes:
"An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer," reports BleepingComputer. Court papers reveal the IT admin left to be the CTO at one of the sportswear company's IT suppliers after working for 14 years at his previous employer. For more than two years, he's [allegedly] been using an account he created before he left to access his former colleagues' emails and gather information about the IT services they might need in the future. The IT admin was fired from his CTO job after his new employer found out what he was doing.
One backdoor, which enabled both VPN and VDI connections to the company's network, granted access to a "jmanning" account for a non-existent employee named Jeff Manning...
Fuck you slashdot. I've clicked on the link, but only with a referer-blocker, so no money for you...
An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer.
According to court documents, Michael Leeper worked for Columbia Sportswear between 2000 and 2014, going through several positions up to senior director of technology infrastructure.
In March 2014, Leeper left Columbia Sportswear to become the CTO at Denali Advanced Integration, a company that sold IT products and provided various consulting services.
During his tenure at Columbia, Leeper had interacted with Denali several times, as Denali was one of the many companies from which Columbia bought hardware and software for its business that spanned several states.
Leeper left two backdoors on Columbia's network
In court documents filed by Columbia on March 1, the company alleges that days before he left, Leeper installed two backdoors on their network.
The backdoors included an account named "jmanning" for a non-existent employee named Jeff Manning, which granted Leeper access to Columbia's network via VPN (Virtual Private Network) and VDI (Virtual Desktop Interface) connections.
The second backdoor was an account named "svcmon," which already existed on the company's network, and which Columbia's IT admins used to monitor network activity.
Columbia said the account had been discontinued in 2007, as they've moved to another monitoring system that didn't need that account. Furthermore, they say that before he left, Leeper also assigned extra permissions to the svcmon account.
Leeper used accounts to get insight into Columbia's business decisions
Columbia claims Leeper used these two accounts (mainly the jmanning account) on more than 700 different occasions to access its network and then to access the email accounts of various Columbia employees, from where he gained insight into the company's upcoming business decisions, especially those related to its IT infrastructure.
This information allowed Leeper to gain a competitive advantage in his dealings as Denali CTO with his former employer. The legal complaint gives the following example:
In at least one case, Leeper specifically targeted an email concerning a transaction in which Denali had a potential business interest. As of approximately 3:47 p.m. on July 27, 2016, Leeper had logged into the two IT employees’ email accounts and was accessing messages in one of the employees’ “Sent Items” folder.
At 3:47:26, a message with the subject line “Pure Storage Partner Discussion” arrived in the other employee’s inbox. Within the same second—i.e., at 3:47:26—Leeper switched into the recipient’s email account and accessed the new message. He then returned to and continued accessing the “Sent Items” folder of the first employee. Pure Storage, Inc. is a well-known provider of computer equipment with whom Columbia was exploring a potential transaction. Though Denali resells equipment of the type that Pure Storage manufactures, Denali was not at that time an approved reseller for Pure Storage. As a result, Denali would not have been eligible to participate as a reseller in that transaction. However, during the summer or early fall of 2016, Columbia learned that Denali had become an “approved” Pure Storage reseller.
Hack discovered in the summer of 2016
Columbia said it discovered the intrusion in the summer of 2016, during an upgrade to its email system. The FBI was called in to investigate, and the sportswear maker also allocated financial resources to investigate and deal with the hack.
"Columbia brings this lawsuit to recover damages associated with Defendants’ unlawful intrusions into its private computer network, to secure the return of whatever unlawfully accessed Columbia information th
Yeah... because the guy setting up that system wouldn't be able to hide anything he wants outside of the system on those servers. You know, like hiding a backdoor, I mean it's not like he was the ADMINISTRATOR, and had full unlimited access to the servers for a long time or anything....
You can make all the damn rules and regulations you want, but in the end you are bound to having to trust the people who have full access to the systems to implement those rules properly. There will always be someone somewhere in the setup chain that will not be bound to those rules yet, as the settings and rules won't exist on the servers yet.
To err is human; effective mayhem requires the root password!
One of the two accounts he was using was a "service account". You probably have a few of those on your system also, that were not created by any system linked into your HR. The manning account probably should have been automatically disabled however.
Seeing as he had IT level access, no automated steps are going to be very effective. If he created the manning account manually and there never WAS a manning user, any automated HR system that removes employees on departure will never trigger on it since it was never in HR to begin with. If your HR system does whitelist filtering instead of blacklist, it has to know which internal and service accounts to skip. (or chaos ensues!) An intelligent IT person will simply flip the necessary switches to make the account not show up in the pool that's being whitelist-checked. There's probably an "Employee" checkbox in the account list, and he just unchecks that, and now the HR script ignores him.
dscl . -list /Users | wc -l
shows there are 103 accounts on my laptop, only four of which are actual interactive users, the rest are system users like sandbox, daemon, windowserver, etc. A marauding system admin can pretty easily sneak in another plausible looking system account into the list of users that don't show up in most userlists.
tl;dr: it's not so easy to detect when someone in a privileged position like IT (or your IT admin) has installed a back door. Hiring someone to come in and do an audit (or hiring a competent replacement that does the same) is your best response to an IT departure, and is really a NECESSARY response to any departure of upper IT, even if the departure was on good terms.
I work for the Department of Redundancy Department.
Another popular trick is to give one of those service accounts a shell and password so they can double as logon accounts.
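The two comments above describe the same blind spot: an HR-driven whitelist only reconciles the accounts it has been told are employees, so a fabricated user excluded from that pool, or a service account quietly given a shell, never gets reviewed. The following is an added illustration (not code from the article or from anyone in the thread) of the reconciliation a defender would run instead: it walks every passwd entry, not just the employee-flagged ones, and flags anything that can log in interactively but has no owner in either the HR roster or the service-account register. The passwd excerpt, roster and account names are constructed sample data.

```python
from typing import List, Tuple

# Constructed /etc/passwd excerpt and HR roster (sample data, not from the page).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svcmon:x:998:998:monitoring service:/var/lib/svcmon:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
jmanning:x:1002:1002:Jeff Manning:/home/jmanning:/bin/bash
"""
HR_ROSTER = {"alice"}                 # current employees according to HR
APPROVED_SERVICE = {"backup"}         # service accounts with a documented owner
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999                  # at or below this: system/service UID range on most Linux distros

def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """Return (name, uid, shell) for every non-comment line of a passwd file."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, uid, _, _, _, shell = line.split(":")
            rows.append((name, int(uid), shell))
    return rows

def find_unowned_logins(passwd_text: str, hr: set, approved: set) -> List[Tuple[str, str]]:
    """Flag accounts that can log in interactively yet belong to nobody that HR or the
    service-account register knows about. Checking every account, instead of only the
    ones marked as employees, is what makes a hidden 'service' login visible."""
    flagged = []
    for name, uid, shell in parse_passwd(passwd_text):
        if name == "root" or shell in NOLOGIN_SHELLS:
            continue                    # root is reviewed separately; nologin shells cannot log in
        if name in hr or name in approved:
            continue                    # has a known owner
        if uid <= SYSTEM_UID_MAX:
            flagged.append((name, "service-range uid with an interactive shell"))
        else:
            flagged.append((name, "interactive account not in HR roster"))
    return flagged

if __name__ == "__main__":
    for name, reason in find_unowned_logins(PASSWD, HR_ROSTER, APPROVED_SERVICE):
        print(f"{name}: {reason}")
```

Run against a real box, the passwd text would come from `getent passwd` and the two sets from HR and the service-account inventory; anything it prints is an account to explain or disable.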
I'll just leave this here:
http://io.fondoo.net/
"Fun fact: you could telnet to password.io.com from anywhere in the world, and log on as guest. Lynx, a text-only web browser, was configured as the shell, and you would then be presented with a sparse version of the web-based customer account tools found at http://password.io.com/. This was so customers could reset their own password, update their address, set their PLAN file, etc.
IO forgot to disable browsing the filesystem (press g, period, enter). Also, IO never enforced uniform file and directory permissions or audited active accounts. As a result, through 2004, after IO was taken over by Prismnet (or later), you could roam around and directly view many customers' private files, email, and IO's sensitive system areas. You could also open the Lynx config to define a custom "editor" and thus actually edit files, or run executables. This was a direct back-door into everything! This continued a full two years after IOCOM "hardened" their network to sell network security services."
That sounds easier than it really is.
I once found a root cron job that ran a script that was about 100 lines long. That script called another script that was close to 1000 lines long. The admin hid a call in that script to call a third script. That third script would check the time and the accounts, if it was between 00:00 and 02:00 GMT and his account was not in the system it would add the account with root privileges. When 02:00 came around it would delete the account from the system.
So basically between 00:00 and 02:00 GMT he could access the system with admin privileges and do whatever he wanted. I only noticed it because I saw a login at 00:30 by an account that did not exist. I almost missed it because it was called deamon and when scanning the logs you can dismiss it as the daemon account. It took me days to find where the add and delete user account commands were hidden.