CPA Canada hacked, The 8 Brains recovers data from Russian hackers

Several hundred thousand Canadians, including 47,000 Quebeckers, are affected by CPA Canada’s piracy. The 8 Brains found the hackers, the loophole and the data.

A vigil could have prevented the worst! The Canadian Press echoed, on June 4, 2020, an alert issued by CPA Canada, the Chartered Professional Accountants. A sensitive company, managing a professional population handling huge amounts of money and personal data.

CPA reported in the national press a data leak via a « potential breach » of its data security. A problem detected around April 20, 2020. A cyber attack that would have resulted in the leakage of information of at least 329,000 people, including 47,000 Quebecers and 217,000 accountants.

The company explains that the internal investigation has not yet made it possible to identify those responsible and the motives for the attack. However, it is learned that the hackers were able to access the systems between November 30, 2019 and May 1, 2020.

Exploit offered by a hacker

The 8 Brains retrieved the data from a Russian website. But let’s start with the history of this rift.

On January 15, 2020, a Russian hacker (we’ll call him Vestee) proposes in a space dedicated to computer flaw exchanges, to access an SQL injection (SQLi) concerning the cpacanada.ca website. An SQL injection allows, by modifying the official url of a website and by injecting commands, to access the internal database, either via a dedicated software; or directly from a web browser.

Vestee receives a few thanks from a dozen hackers. He will spread other exploits to penetrate about fifteen websites. In this first message, he explains that he collected his targets via a Google dork. A Dork is a series of commands sent to Google for highly targeted searches.

Why spread this type of information? To gain reputation on the forum; to gain contacts; to sell 0day accesses to other sites; to access exchanges; impossibility to exploit the flaw 100%.

In mid-March 2020, a second hacker (we named him Mr. Mytho), in another Russian space, shares a second SQLi concerning cpacanada.ca. He is much more prolific about the malicious information he offers to forum members. It is understandable that he exploited the loophole, and decided to get rid of it.

This Russian discussion forum talks about underground economies, about loopholes found on sites dedicated to cryptomoney, finance, investments. Sites of companies based in India, China, USA, Canada are spread out in this way.

The date is March 23, 2020. That’s three months after the first malicious diffusion. The 8 Brains believes that Vestee and Mr. Mytho are the same evil. Mr. Mytho registered on this second site on January 16, 2020. In this forum, he broadcasts how to exploit the flaw and provides access to the nine databases.

Here also, the diffusion of vulnerabilities allows to gain reputation on the forum; to gain contacts; to sell 0day accesses; to recover other vulnerabilities …

Who’s the hacker and why this broadcast?

So far, we know that at least one hacker has released two SQLi that provide access to the CPA Canada database. Malicious digital exploits offered on two Russian forums where « professional » hackers are rubbing shoulders with « professional » hackers looking for any malicious opportunities that can be commercialized.

In the Montreal newspaper, CPA reports that members’ credit cards and passwords have not been impacted. Data that hackers appreciate, but not only.

On April 16, 2020, four months after the first issue of « Vestee » was published; one month after « Mr. Mytho » posted it on the second Russian forum, a third hacker appeared. He claims to have tapped tens of thousands of data belonging to the CPA Canada site.

A hacker that we will call « MisterC ». He is very well known in the Russian-speaking black hat community. He explains, in the message he shares with other members of the forum, that he was able to extract the information thanks to « Mr. Vestee ».

I was only interested in the users, » says MisterC. I found a lot of tables [include organized pieces of the database: addresses, messages, users, …], but the connection to the database is very crappy. This hacker had trouble connecting to the database (too big, slow connection, …) to get all the information. « MisterC » was satisfied with the users.

To perfect his speech, he is going to broadcast an extract of the database on a legal file downloading site, hosted in the USA. The 8 Brains was able to find 134,080 e-mail addresses and 134,080 passwords. The latter are hashed. They cannot be used as is.

A password hash that still seemed to be resistant to hackers, late April 2020.

This is also most certainly why « Vestee » and « Mr. Mytho » offered the two loopholes. The password hash did not allow the login credentials on the CPA Canada site to be exploited.

What risks?

Since November 2019, several hackers have been able to exploit the main fault and the malicious accesses caused by it. Accesses first spread under the cloak, between insiders (0Day), then between forum members once 0Day has been exploited.

Hackers who, unlike « MisterC », were able to extract much more than just email addresses. An SQL injection allows to recover all the information saved in a database, including email addresses.

E-mails which, on their own, can be used to launch highly targeted phishing attacks, but also, and above all, to write to the people present in the file. Addresses that can be used to put a name to an e-mail and a company.

E-mails that can be used to sort out professionals. To analyze their « public » addresses such as Gmail, Hotmail.

In short, « simple » email addresses that may have allowed hackers to usurp CPA Canada. Mission of the malevolent, to incite accountants to download a booby-trapped document. An invoice, for example.

Baiting them with cyber-spyware (Trojan horses) or ransomware.

It is important to take a monitoring service to identify as soon as possible weak signals becoming strong. If CPA Canada had used this type of service, they would have detected the spread of the rift. They would have been able to correct and prevent the spread.

A cyber defence strategy, which The 8 Brains can offer you (red team, cyber intelligence, …), could then have been implemented quickly and directly linked to the detected and monitored signals. The worst could have been avoided and hundreds of thousands of certified Canadians less exposed.

About The 8 Brains:

The 8 Brains is a Quebec company based in Montreal and headed by Arnaud Flotté-Dubarry. It has more than twenty experienced, highly qualified and passionate cyber security experts: pentesters, techno and security architects, developers (IA, SecDevOps…), as well as a cyber intelligence pole. Our experts have more than 300 years of experience and more than a hundred certifications.

The mission of The 8 Brains: Inform, Innovate and Secure while changing the security paradigm for the benefit of our customers, by providing them with multidisciplinary and cross-disciplinary teams.

The solutions developed and implemented by The 8 Brains are innovative and never seen before. We can act both remotely and on your premises.
The 8 Brains also offers training courses related to cyber security for all your non-technical teams.