
Running BGL Simple Fund? Your server could be at risk

Published on September 21, 2016 in Blog

If you are running BGL Simple Fund your server could be at risk of compromise

BGL Simple Fund users beware

The password for the default user that gets created when the software is installed is out in the wild and being used to attack servers. BGL Simple Fund users are feeling the pain.

There is a suggested fix, which will only help those who have implemented it; however, the latest update reverts the password to the original compromised one.
It should be recommended practice to follow the suggested fix after each update to ensure your system remains secure.


Is it safe? Here is a little more detail

When the software is installed, it creates a local user on the server called ndbuser. On a member server this account is a member of the local Administrators group, and if the software is installed on a domain controller it is a member of the Domain Admins group. The ndbuser account uses a standard password, and this password is in the wild.

This is not best practice, as you have to trust and rely on the security practices of the software provider. However, as IT support providers we need to take what we are given and do the best we can to protect the systems under our purview.


How is this vulnerability being used

IT support providers are seeing their clients get taken down. In one case they spent a few hours reviewing logs to see what actually happened and this is what they found.

The hacker logged onto the terminal server as ndbuser, as the account existed on this server because BGL was installed on it locally. They then downloaded a password sniffer and captured a domain admin account that had been used by the line-of-business application support guys in the previous couple of days, which gave them access to the back-end servers (the Hyper-V host and Domain Controller). From there the hacker deleted all the backups connected to the servers.
Finally they installed the DMA Locker encrypting virus on all of the client's servers, as they are no doubt the recipient of the ransom if it is paid.



The Fix

BGL published a security article explaining how to guard against this vulnerability on their client Wiki (BGLWiki), “KB: Nexus service security instructions”; however, this is only accessible to those with a client account. BGL also recommend that the ndbuser password be changed frequently.
Where the security of the IT systems under your purview is concerned, you should assume that the notification has not gone out and make someone aware of it.

If you are an end user, notify your IT provider. I highly recommend you get them to implement the changes outlined in the support document.

If you are an IT provider then notify your clients that run BGL Simple Fund.


Still Concerning

It turns out the latest update for BGL actually resets the password for the ndbuser back to the original compromised password, even if you have changed it.
It is our recommended practice that you follow the suggested fix after each update to ensure your system remains secure.
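One way to check this after every update, as an added example that is not from the original post or from BGL: a PowerShell audit that reports whether ndbuser exists on the server, whether it sits in the local Administrators or Domain Admins group, and when its password was last set. It assumes Windows PowerShell 5.1 or later for the LocalAccounts cmdlets and the ActiveDirectory RSAT module on a domain controller; the 30-day age threshold is an assumed figure, not BGL's recommendation.

```powershell
# Audit the BGL 'ndbuser' account after each Simple Fund update.
# Added example; assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts)
# and, on a domain controller, the ActiveDirectory RSAT module.
param(
    [string]$UserName = 'ndbuser',
    [int]$MaxPasswordAgeDays = 30   # assumed threshold, not BGL's figure
)

# DomainRole 4 = backup DC, 5 = primary DC; anything lower is a member/standalone server.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$findings = @()

if ($isDC) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $u = Get-ADUser -Identity $UserName -Properties PasswordLastSet, MemberOf -ErrorAction SilentlyContinue
    if (-not $u) { Write-Output "$UserName not found in the domain"; return }
    $lastSet = $u.PasswordLastSet
    # Direct group membership only; nested membership would need a recursive query.
    $groups  = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
} else {
    $u = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    if (-not $u) { Write-Output "$UserName not found on this server"; return }
    $lastSet = $u.PasswordLastSet
    # Local group members are reported as COMPUTERNAME\user.
    $groups  = @(Get-LocalGroup | Where-Object {
        (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).Name -contains "$env:COMPUTERNAME\$UserName"
    } | Select-Object -ExpandProperty Name)
}

Write-Output "$UserName exists (enabled: $($u.Enabled)); groups: $($groups -join ', ')"

if ($groups -contains 'Administrators' -or $groups -contains 'Domain Admins') {
    $findings += "$UserName is in a privileged group; any leaked password for it is a full-server compromise"
}
if (-not $lastSet -or $lastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
    $findings += "$UserName password last set $lastSet (never, or older than $MaxPasswordAgeDays days); rotate it per BGL's KB"
}

# Caveat: a recent PasswordLastSet is not proof the password is yours. The update
# that resets the password to the original one also refreshes this timestamp, so
# rotate the password after every update regardless of what this check reports.
if ($findings.Count -eq 0) { Write-Output 'No findings' } else { $findings | ForEach-Object { Write-Warning $_ } }
```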
