The Asia-Pacific Network Information Centre (APNIC) is a non-profit organization that provides Internet addressing services in the Asia-Pacific region. The APNIC made the headlines because it was informed about a Whois-related security incident that led to the exposure of authentication data.
According to the APNIC Deputy Director General Sanjaya, Whois data exposed online included authentication details for Maintainer and IRT objects. The incident was discovered on October when a member of the eBay Red Team reported that a third-party website had been republishing downloadable Whois data.
The incident affected Maintainer and Incident Response Team (IRT) objects in the APNIC Whois database.
Both Maintainer and IRT objects include an “auth” attribute that specifies a hashing format and stores an access password in the specified format. The “auth” hashes were accidentally included in downloadable data.
“A Maintainer (mntner) is an object in the APNIC Whois Database. Every object in the APNIC Whois Database is protected by a Maintainer via the ‘mnt-by’ attribute. This ensures that only authorized people that have access to this Maintainer can make changes to other objects that are protected by this Maintainer.” reported the APNIC in a blog post.
“An Incident Response Team (IRT) object is an object in the APNIC Whois Database that contains contact information for an organization’s administrators responsible for receiving reports of network abuse activities.
The ‘auth’ attribute in a Maintainer or IRT object specifies the hashing format used and stores the password in its hashed format.
The error that occurred saw the ‘auth’ hashes included in the downloadable whois data feed (not published on APNIC’s whois itself).”
The problem was promptly fixed, the exposed data included hashed passwords that could be cracked by threat actors to modify Whois data.
The good news is that according to the APNIC there is any evidence of abuse.
The organization warned of the potential risks related to any unauthorized changes of the data.
“Although password details are hashed, there is a possibility that passwords could have been derived from the hash if a malicious actor had the right tools.
If that occurred, whois data could potentially be corrupted or falsified for misuse. Our investigations to date have found no evidence of this occurring.” continues the security organization.
“It is important to note, however, that any public misrepresentation of registry contents on whois would not result in a permanent transfer of IP resources, as the authoritative registry data is held internally by APNIC.”
The non-profit organization has been working with affected users urging them to change passwords, the process was completed on Monday.
“All Maintainer and IRT passwords have now been reset, so there is no need to change them again if you are an APNIC resource holder,” Sanjaya added. “However, if you wish to change the new passwords to something more memorable, you should not choose the previous password (and if the old password was being used elsewhere on other systems, you should change those passwords).”
APNIC is currently working to determine the root cause of the incident.