How Spy Drones Breached a Financial Firm (Hint: Confluence)

George Vulov
George Vulov
May 10, 2023
October 25, 2022
Don't Be the Next Headline.
Download the free ebook and see proven strategies to prevent a data breach from real-world examples.
Graphic of the scanning app

When most people hear the phrase "Spy Drone" they think of the movies, James Bond, or the CIA.

But this story is not fiction.

It involved a spy drone, financial firm, and a security breach that could have been easily prevented with the right tools.

Spy drones are no longer too expensive for typical people and relegated to government use only.

The picture below is the typical type of spy drone footage we've come to imagine.

Movie Spy Drone

(Image from: Body of Lies. Directed by Ridley Scott, Scott Free Productions; De Line Pictures, 2008)

However, modern drones are much smaller consumer devices; most commonly, they are the four motor quadcopter type many have become accustomed to. They are controlled via a remote or an iPhone app and have a camera mounted to them. Often, they are used for making YouTube videos, by real estate agents selling a house, or even in movies to film a difficult scene.

WiFi Spy Drone Targeted Financial Firm

(Image by Chris Rowland via Ausdroid – GoPro Karma Drone)

And now they are apparently being used to hack into companies without being physically present!

A recent article posted on The Register details how a drone was used to hack into the Wi-Fi network for a financial firm.

The attackers were trying to leverage potential leaked secrets stored in Atlassian's Confluence to gain access to financial systems. 

Both this attack and the Uber breach happened because of a common mistake: hardcoding credentials in code and pages. The attackers found and exploited these credentials (which would have never occurred if the companies scanned their repositories with Soteri's Security for Bitbucket and Confluence).

While these types of hacks have been possible for many years, demonstrated by security researchers at events like BlackHat, this is one of the very few which has actually taken place in the wild.

So let's review what happened, and how you can protect yourself in this new reality of spy drones hacking into your network.

What happened in this Wi-Fi spy drone non-fiction story?

Spy drone with log of attacks on WiFi and Confluence

In the article "How Wi-Fi spy drones snooped on financial firm", The Register discusses many of the details. Credit for the available information has been given to Greg Linares, who posted the details we have on Twitter.

In the Twitter thread, Linares reported that the hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page originating from within the company's network.

The article goes on to describe how the security team noticed that the user accessing Confluence was logged in both from home and from the office (the same MAC address was used), locations which were many miles apart.

It was determined that the attacker had stolen the user credentials in an earlier attack that went unnoticed, and then used them to scan Confluence looking for additional credentials to perform privilege escalation to gain more access in the network.

Upon discovery of the attack, the team immediately started investigating the source of the office login. They traced the Wi-Fi signal to the roof of the building, where they found a DJI Phantom Drone with a specialized network intrusion kit (a Raspberry Pi, batteries, a modem, and other devices) and software designed to attack their Confluence site.

The attack was designed to scan for credentials on the company's Confluence instance to enable further access to the network.

How can you protect yourself?

Confluence Security Scan

It is important to realize that at some point, every organization will have an incident where an attacker successfully accesses its network. Thus, it is important to protect sensitive data effectively to prevent attackers from accessing that data, thereby ensuring that the incident doesn't turn into a breach.

Protecting your Confluence from this type of attack is where a tool like Soteri's Enhanced Secret Scanning can help.

Soteri offers scanning services which detect credentials and other sensitive data stored in Confluence and alerts you to them, so you can remove them before an attacker finds them.

Soteri can help protect your business from this type of inside-the-network attack vector by preventing more sensitive systems from being compromised by insecure practices.

This latest attack is yet another reminder that cybersecurity teams always need to be vigilant because the next new type of attack is right around the corner.

Protect yourself today and prevent the next attacker from stealing your company data.