Technology and communications specialist Verizon described the hack in its annual data breach post mortem released on Tuesday. According to the report, “Rather than spending days holding boats and their crew hostage while they rummaged through the cargo, these pirates began to attack shipping vessels in an extremely targeted and timely fashion. Specifically, they would board a shipping vessel, force the crew into one area and within a short amount of time they would depart. When crews eventually left their safe rooms hours later, it was to find that the pirates had headed straight for certain cargo containers.” The report says that it became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved. They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate, and that crate only, and then depart the vessel without further incident. Fast, clean and easy. With this background information in hand, Verizon began to enumerate where this type of information resided within the shipping company’s systems environment. What Verizon learned was that the company used a home-grown system to manage shipping inventories and specifically the various bills of lading associated with each of their shipping vessels. The investigators then discovered that a malicious web shell had been uploaded onto the server. The hackers used an insecure upload script to upload the web shell and then directly call it as this directory was web accessible and had execute permissions set on it, no Local File Inclusion (LFI) or Remote File Inclusion (RFI) required. Essentially, this allowed the hackers to interact with the webserver and perform actions such as uploading and downloading data as well as running various commands. It allowed them to pull down bills of lading for future shipments and identify sought-after crates and the vessels scheduled to carry them. Verizon says that the pirates were not good coders and made several mistakes which helped them to find the hack in the first place. The pirates failed to enable SSL on the web shell so all the commands were sent over the internet in plain text. This allowed Verizon to write code to extract these commands from the full packet capture (FPC) data. The hackers were not highly skilled, and Verizon found numerous mistyped commands. The hackers also showed a lack of concern for their own operational security by failing to use a proxy and connecting directly from their home system. The shipping company was notified of the hack and shut down the compromised servers, which, although important, weren’t immediately critical to business operations. After blocking the threat actors’ IP address, the company reset all the compromised passwords and rebuilt the affected servers. Moving forward, they started regular vulnerability scans of their web applications and implemented a more formal patch management process. Though the pirates were not that clever and their method was busted, but this may open a new chapter in crime by combining cyber crime with piracy.