CyberInsecure.com

Archive for the ‘Targeted Attacks’ Category

According to ZDNet, during the last couple of hours, visitors of popular and high trafficked web sites such as CNN, BBC, Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget and Chip.de, started reporting that parts of the web sites are unreachable due to malware warnings appearing through the EyeWonder interactive digital advertising provider.

According to Google’s SafeBrowsing advisory for EyeWonder, the exploits were hosted on currently active and participating in the Cold Fusion injection attack domains, namely elfah .net, 2ici .cn and javazhu.3322 .org - the following have also managed to compromise Pakistan’s Telecommunication Authority.

By using RealPlayer Import stack overflow exploit and another one attempting a QVOD Player URL overflow, the cybercriminals then attempt to push eight different malware samples. Detection rates for the droppers are improving.

Interestingly, one of the malware samples attemps to download the updated list of malware binaries by connecting a compromised Italian site part of the Cold Fusion injection attacks (betheboss.it) since it appears to have been exploited in such a way.

This malware incident demonstrates how a single exploitation of a trusted third-party content/ad serving vendor can not only undermine its credibility, but potentially the credibility of the sites using the network. And since the ads on the affected sites are dynamically served through different networks, it remains questionable whether it was in fact EyeWonder that served malicious content, or a compromised partner of the network itself.

Case in point - the partnership between Facilitate Digital and EyeWonder comes in a very insecure fashion with EyeWonder having a permanent iFrame tag loading a domain (adsfac.us) belonging to Facilitate Digital on its front page.

For the time being, EyeWonder.com remains down for maintenance.

Credit: ZDNet.com Security Blogs

The Iranian opposition coordinated a cyber attack yesterday that has successfully managed to disrupt access to major pro-Ahmadinejad Iranian web sites, including the President’s homepage which continues returning a “The maximum number of user reached, Server is too busy, please try again later…” message.

Through a combination of DIY (do it yourself) denial of service attack tools (DDoS), multiple iFrame loading scripts, public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.

The campaign appears to have been organized through Twitter, which despite public reports that the site has been banned in Iran, appears to be still accessible through a a persistent supply of proxy servers on behalf of the opposition.

Moreover, the ongoing distributed denial of service attacks, are using techniques which greatly resemble those used in last year’s Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 in order to temporarily shut down CNN, with a single exception - there’s no indication of a botnet involvement in the present attack.

Instead, the attack relies on the so called people’s information warfare concept, which is the self-mobilization of individuals, or their recruitment based on political/nationalistic sentiments by a third-party, for conducting various hacktivism activities such as web site defacements, or launching distributed denial of service attacks.

The following are some of the sites that are currently under attack, remain totally unresponsive, or return “server is too busy” error messages:

Ahmadinejad.ir - Mahmoud Ahmadinejad’s Official Blog - under attack
Leader.ir - Office of the Supreme Leader, Sayyid Ali Khamenei - under attack
President.ir - Presidency of The Islamic Republic - under attack
Farsnnews.com - Fars News Agency - under attack
Irib.ir - Islamic Republic of Iran Broadcasting - under attack
Kayhannews.ir - News Portal - “Service Unavailable”
Irna.ir - Islamic Republic News Agency - “service unavailable”
Mfa.gov.ir - Ministry of foreign affairs , Islamic Republic of Iran - under attack
Moi.ir - Ministry of Interior - under attack
Police.ir - National Police - under attack
Justice.ir - Ministry of Justice - under attack
Presstv.ir - Iranian Press TV - “server is too busy”

Among the first web-based denial of service attack used, is a tool called “Page Rebooter” which is basically allowing everyone to set an interval for refreshing a particular page, in this case it’s 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages link the following :

“Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei.”

The second stage of the campaign consisted in the distribution of a multiple iFrame loading script which was automatically refreshing farsnews.com, irna.ir and rajanews.com. The script has since changed its location and is advertised under a new domain.

The third stage included a combined attack, this time including DIY (do-it-yourself) denial of service tools (DDoS), which despite their primitive nature are indeed causing server overload for their targets. Each of the tools is distributed with a simple manual, including links to large images at the targeted web sites, one which the software using proxies will attempt to obtain automatically.

The tools themselves, BWRaeper.exe (detected as Worm.AutoIt.AA); PingFlooder.exe (flagged as banker malware); Server_Attack_By-_C-4.exe (Riskware.ServerAttack.F) and SupportIran.php, have already been picked up by antivirus vendors. The last tool is a basic PHP script targeting those running a server that supports PHP in order to use it.

SupportIran.php has also been released as an improved version to the multiple iFrame loader, and is currently used in the attack as well, having the following sites pre-defined to attack simultaneously - khamenei.ir; presstv.ir; irna.ir; president.ir; mfa.gov.ir; moi.ir; police.ir; justice.ir; live.irib.ir.

There have already been speculations that the magnitude of these local attacks — Iranian users targeting Iranian web sites – is contributing to the “strange changes in Iranian traffic transit” reported during the last couple of days. The attacks are still ongoing.

Credit: ZDNet.com Security Blogs

A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application.

Technicians at UK-based Vaserv.com were still scrambling to recover data on Monday evening UK time, more than 24 hours after unknown hackers were able to gain root access to the company’s system. The attackers were able to penetrate his servers by exploiting a critical vulnerability in HyperVM, a virtualization application made by a company called LXLabs. Vaserv.com got hit by a zero-day exploit in version 2.0.7992 of the HyperVM application.

No one could receive a response to inquiries sent to LXLabs company, which according to its website is located in Bangalore.

Data for about half of the websites hosted on Vaserv was destroyed all at once sometime Sunday evening, shortly after administrators noticed “strangeness” on the system. The attackers had the ability to execute sensitive Unix commands on the system, including “rm -rf,” which forces a recursive delete of all files.

Some 50 percent of Vaserv’s customers signed up for unmanaged service, which doesn’t include data backup. It remains unclear of those website owners will ever be able to retrieve their lost data. As a result, at least half the websites that were hosted on the site remain offline.

“Since last night, I’ve had probably 40 phone calls from clients saying ‘Why is my website down,’” said Daniel Voyce, a web developer for Nu Order Webs who uses Vaserv to host customer sites. “It’s making me look bad.”

Voyce said the hackers, given the high level of server access they gained, were likely able to intercept a wealth of sensitive data stored on Vaserv’s servers. Voyce said his customers are safe because all sensitive information was encrypted.

Little is known about the people who attacked the site. So far, there are no known reports of individuals taking credit for the hack. The breach was likely the result of a SQL injection attack that penetrated Vaserv’s central management software and removed vital binaries and data for about half of all user data stored by the service.

Vaserv specializes in low-cost web hosting using VPS, or virtualized private servers. Virtualization features in LXLabs’ HyperVM helped Vaserv provide the service, which costs a fraction of the price of dedicated server hosting.

It remains unclear how other webhosts using the HyperVM have been affected.

Update: On Monday, the boss of LxLabs was found dead in a suspected suicide. Reports of the death of K T Ligesh, 32, come in the wake of the exploitation of a critical vulnerability in HyperVM. The effect of his death on the development of updated software by LxLabs is unknown at time of writing.

Ligesh was found hanged in his Bangalore house on Monday morning, after a late night drinking session. The Times of India reports that he was upset with the loss of a recent contract. Ligesh was also still coming to terms with the suicides by hanging of his sister and mother five years ago.

Security researchers at Milw0rm warn that the Kloxo (formerly Lxadmin) web hosting platform from LxLabs contains 24 security vulnerabilities and exploits. The flaws include SQL injection vulnerabilities and flaws that create a way for hackers to gain file access to files hosted on a vulnerable system.

The vulnerabilities are confirmed to affect Klaxo version 5.75, though other versions may also be affected. Milw0rm went public with an alert on the vulnerability last Thursday after failing to hear back from LxLabs in what it considered to be a timely manner.

LxLabs recently said that more than 30,000 virtualized private servers (vpses) were managed by HyperVM, and more than 8,000 servers running Kloxo. The largest single installation of hyperVM centrally manages more than 4000 VPSes.

Virtualization features of HyperVM allow hosting firms such as VAserv to provide low-cost web hosting at a fraction of the price of dedicated server hosting.

Credit: The Register

Hackers claim to have stolen all T-Mobile US’s corporate data, customer accounts and network infrastructure. It includes databases, confidential documents, scripts and programs from T-Mobile servers, financial documents up to 2009. T-Mobile has 148m subscribers worldwide and 33m in the US.

The mail, sent to The Reg, claims that the group tried to sell the data to T-Mobile’s competitors, but was turned down. It is now offering it for sale to the highest bidder. The message said the group tried contacting people by email. But given spam filters, and the weekend timing of the leak, it could be the messages never got through.

The mail contains some details of what has been stolen, and is available from the insecure.org.

A T-Mobile spokesman said 2 days ago: “The protection of our customers’ information, and the safety and security of our systems, is absolutely paramount at T-Mobile. Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible.”

Yesterday T-Mobile has confirmed that files posted on a full disclosure mailing list are genuine - but the company fails to explain whether or not cybercriminals really got full access to its systems, IDG reports.

T-Mobile, which is investigating the hack, has issued an updated statement that the data posted matches a document on its system, but this failed to prove that customer records or other sensitive files had also been compromised:

To reaffirm, the protection of our customers’ information and the security of our systems is paramount at T-Mobile.

Regarding the recent claim on a Web site, we’ve identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers.

We continue to investigate the matter, and have taken additional precautionary measures to further ensure our customers’ information and our systems are protected.

At this moment, we are unable to disclose additional information in order to protect the integrity of the investigation, but customers can be assured if there is any evidence that customer information has been compromised, we would inform those affected as quickly as possible.

Given that the hackers are attempting to attract bids for the purloined data, it’s odd that they didn’t publish a sample of customer records - or similarly juicy information - rather than network scans of little interest to anyone except security anoraks. A sample of data of greater interest would surely attract more interest in bidding for the information, if that was the intention.

Some security firms are beginning to conclude that the hackers are holding little beyond the network scan data already posted. Amichai Shulman, CTO of Imperva, commented: “Rumours of a major T-Mobile data breach are all over the internet as hackers are reportedly selling confidential data to the highest bidder. Hackers have posted a list of servers they allegedly accessed and it is very comprehensive with some sensitive info in it.

Reports of the breach against T-Mobile US, alongside a previous confirmed leak of consumer data from parent firm Deutsche Telekom last year, detract from the firm’s overall reputation in security, Shulman argued.

“Telecom operators, with the massive amounts of data they store and collect, remain prime targets. Less than three years ago, T-Mobile’s owner, Deutsche Telekom, experienced a breach losing 17 million records.

“The cumulative impact of these breaches will threaten not only T-Mobile’s brand image, but could also impact any telecommunications provider unless the issue of data security is vigorously addressed.”

Credit: The Register

A known computer hacking clan with anti-American leanings has successfully broken into at least two sensitive Web servers maintained by the U.S. Army, InformationWeek has learned exclusively.

Department of Defense and other investigators are currently probing the breaches, which have not been publicly disclosed. Department investigators subpoena records from Google, Microsoft, and Yahoo in connection with ongoing probe.

The hackers, who are based in Turkey, penetrated servers at the Army’s McAlester Ammunition Plant in McAlester, Okla., and at the U.S. Army Corps of Engineers’ Transatlantic Center in Winchester, Va.

The breach at the McAlester munitions plant occurred on Jan. 26, according to records of the investigation obtained by InformationWeek. On that date, Web users attempting to access the plant’s site were redirected to a Web page that featured a protest against climate change.

On Sept. 19, 2007, the same hackers electronically broke into Army Corps of Engineers’ servers. That hack sent Web users to another page, which at the time, contained anti-American and anti-Israeli rhetoric and images. It currently appears to be an Internet landing spot that features airline reservation links.

Beyond the redirects, it’s not clear whether the group was able to obtain sensitive information from the Army’s servers.

The hacks are the subject of an ongoing criminal investigation by Defense Department officials and members of the U.S. Army’s Judge Advocate General’s Office and Computer Emergency Response Team. Investigators have executed records search warrants against Microsoft, Yahoo, Google, and other Internet service and e-mail providers as part of their efforts to unmask the hackers’ true identities.

Investigators believe the hackers used SQL injection to exploit a security vulnerability in Microsoft’s SQL Server database to gain entry to the Web servers. The group is known to have carried out similar attacks on a number of other Web sites in the past — including against a site maintained by Internet security company Kaspersky Lab.

The hacks are troubling in that they appear to have rendered useless supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches. The department and its branches spend millions of dollars each year on pricey security and antivirus software and employ legions of experts to deploy and manage the tools.

Equally troubling is the fact that the hacks appear to have originated outside the United States. Turkey is known to harbor significant elements of the al-Qaida network. It was not clear if the hackers have links to the terrorist group.

Credit: Paul McDougall, InformationWeek

Hackers have wasted no time targeting a gaping hole in Microsoft’s Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday.

As of Wednesday morning California time, iWeb accounts at the Muncie, Indiana-based university remained inaccessible and service wasn’t expected to be restored until Thursday or Friday, Patty Lucas, a senior help desk support admin for Ball State’s Computing Services said. University administrators were working with Microsoft employees to investigate and fix the break in.

Microsoft representatives were investigating the breach Wednesday morning and not immediately available to comment on it.

On Monday, Microsoft confirmed what it called an “elevation of privilege vulnerability” in versions 5 and 6 of IIS when it runs an extension known as WebDAV. Microsoft said at the time it was unaware of any in-the-wild exploits of the vulnerability. The assessment was at odds with this warning in which the US Computer Emergency Response Team said it was aware of “publicly available exploit code and active exploitation of this vulnerability.”

The flaw is significant because it allows anyone with a web browser to list, access, and possibly upload files in a password-protected WebDAV folder on a vulnerable machine, according to Nikolaos Rangos, a security researcher who published his findings on Friday. The bug resides in the part of IIS that processes commands based on the WebDAV protocol.

By adding several unicode characters - specifically “%c0%af” - to a web address, attackers can trick the widely used webserver into accessing parts of the system that are supposed to be off limits to outsiders.

Microsoft’s advisory correctly points out that several conditions make the vulnerability hard to exploit in some cases. For one, WebDAV is not enabled by default in IIS6, and for another, intruders would not be able to exceed the privileges of an anonymous user. By default, such accounts are not permitted to upload files to a server.

But based on Lucas’s description, the Ball State hackers may have been able to do just that. Shortly after the attack, students checking their iWeb pages were greeted with a message that said they had been hacked. There are no indications any data was stolen or malicious files uploaded, she said.

Credit: The Register

Update (May 22): Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft’s Internet Information Services webserver.

“Microsoft and Ball State now have identified the cause of the breach [as] a Ball State iWeb user [who] either misused or allowed the misuse of their account, and that was determined just this afternoon,” Ball State University spokesman Tony Proudfoot said on Thursday.

Cross-site scripting flaw on the web sites of the Motion Picture Association of America (MPAA) has been abused to inject listings from controversial torrent links site The Pirate Bay.

Vektor, a member of the Team Elite group of hackers, smuggled links culled from the The Pirate Bay into content served up when surfers visited the MPAA’s recommended list of sites. The MPAA’s legal action against The Pirate makes the supposed endorsement ironic and embarrassing, if not completely unexpected.

Cross-site scripting (XSS) security flaws on websites are all too commonplace and the MPAA is a high-profile target, especially after the four defendants in The Pirate Bay trial were found guilty in a recent high-profile trial. So it was only really a question of time until hackers managed to find a chink in its armor to exploit.

Earlier denial of service attacks against entertainment industry websites scored limited successes in the aftermath of The Pirate Bay verdict on 17 April.

According to Vektor, the Recording Industry Association of America (RIAA) website is vulnerable to similar flaws as those he exploited to embarrass the MPAA earlier this week, Softpedia reports. Vektor used this flaw to inject a listings from Mininova, another well known torrent tracker, into pop-up windows displayed when users visited portions of the RIAA website.

Although the MPAA has reportedly addressed the flaws on its main website following the attack, other MPAA-controlled websites involved in movie ratings remain vulnerable to much the same type of exploit.

The vulnerabilities create a means for rogue iFrames from third-party servers to be presented to surfers as if they came from the site they are visiting, when in reality they come from locations determined by hackers.

XSS flaws on both the MPAA and RIAA websites have cropped up from time to time in the past, a quick search of security website XSSed reveals. Security suppliers, such as application security firm Fortify, said that Vector’s attacks against the RIAA and MPAA were each effectively accidents waiting to happen.

“That such sites are open to XSS-driven incursions and alterations comes as no surprise, given the fact that so many sites are poorly programmed and therefore open to such attacks,” said Richard Kirk, a director at Fortify. “The MPAA is lucky that Vektor’s attack was a proof-of-concept one, and intended as something of a joke. The next time they - and other organizations whose sites are vulnerable to XSS-driven attacks, may not be so lucky,” he added.

Credit: The Register
Credit: Softpedia

Yesterday, a French hacker claimed to have gained access to Twitter’s administration panel, and based on the screen shots that he included featuring internal data for accounts belonging to U.S President Barack Obama, Britney Spears, Ashton Kutcher, and Lily Allen, as well as a detailed overview of different sections behind the scenes of Twitter.

The hacker going under the handle of Hacker Croll featured 13 screenshots of Twitter’s admin panel, and commented that “The images were taken from the Admin area that was secured with .htaccess.” It’s still unclear whether any data belonging to account holders was modified, but one has to assume that given the access obtained, there’s a high chance that he was able to download anything he wanted to.

The screenshots were obtained through the account of a Twitter employee who reported that his Yahoo! Mail account got compromised on the 27th. The attack comes two weeks after multiple variants of Mickeyy’s XSS worm hit the continuously growing micro-blogging service.

Interestingly, Hacker Croll goes into more details regarding the compromise on a different forum - “one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.” and that he “used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection“.

The Twitter admin hack appears to be the result of a successful social engineering attack against one of Twitter’s employees — similar attack took place in January this year. Similar password reset attack contributed to the successful hacking of Sarah Palin’s personal email account in September last year.

Update (May 01): According to Twitter official announcement:

This week, unauthorized access to Twitter was gained by an outside party. Our initial security reviews and investigations indicate that no account information was altered or removed in any way. However, we discovered that 10 individual accounts were viewed during this unauthorized access.

Personal information that may have been viewed on these 10 individual accounts includes email address, mobile phone number (if one was associated with the account), and the list of accounts blocked by that user. We have personally contacted Twitter users whose accounts were compromised via this unauthorized access.

Password information was not revealed or altered, nor were personal messages (direct messages) viewed. Twitter takes security very seriously so we will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data.

Credit: ZDNet.com Security Blogs

Today, a web site defacement group known as “The Peace Crew” has successfully hijacked the DNS records for high profile New Zealand web sites, through what Zone-H claims to be a SQL injection at New Zealand’s based registrar Domainz.net, in order to redirect the visitors to a defaced page featuring the infamous Bill Gates pieing photo, as well as anti-war messages.

The mass defacement affected major Microsoft sites in New Zealand including WindowsLive.co.nz, MSN.co.nz, Microsoft.co.nz, Hotmail.co.nz, Live.co.nz next to HSBC.co.nz, Sony.co.nz, Coca-Cola.co.nz, Xerox.co.nz, Fanta.co.nz, F-Secure.co.nz and BitDefender.co.nz.

Here’s Microsoft’s comment, according to NZHerald:

MSN have responded by issuing a short statement from MSN business manager Liz Fraser this afternoon. “The cause of this discrepancy has been identified and we are currently working with our Microsoft technology and security teams in the US to resolve the matter as quickly as possible today. “We apologise for any inconvenience this may have caused,” the statement said.

Once control to the domain registrar’s web panel was obtained, members of the Peace Crew used fatih1.turkguvenligi.info and fatih2.turkguvenligi.info as primary DNS servers delivering the defaced pages, and making it look like the sites themselves have been compromised.

The group is not new on the defacement scene, in fact one of its members has been keeping himself pretty busy during this month by having already defaced thirteen web servers belonging to NASA, using the same template.

Credit: ZDNet.com Security Blogs

Hacktivists have launched denial of service attacks against music industry association IFPI.org and lawyers involved in the prosecution of the four Pirate Bay defendants in the wake of a guilty verdict against the quartet last Friday. The four Pirate Bay Defendants - Peter Sunde, Fredrik Neij, Gottfrid Svartholm and Carl Lundström - were found guilty, sentenced to one year in prison, heavy fines but intend to appeal.

The assault has rendered IFPI.org - the main website of the International Federation of the Phonographic Industry - intermittently unavailable or sluggish for a time on Monday morning. Discussions involving 250 hackers on irc.anonnet.org talk about retaliation on the IFPI and lawyers involved in the case and a desire to take the website off the internet throughout Monday, at a minimum. Discussion on the attack can be found at irc channels at anonnet.org.

“They want to get the message across that the IFPI can not mess with the internet and that the internet is serious business,” coldblood, an admin at anonnet.org told El Reg. “This is very much like the Scientology thing started more than a year ago now,” he added.

Operation Baylout, as the attack is called, also involved the reported defacement of the Swedish website of the IFPI.

Meanwhile limited distributed denial of service attacks against some Torrent tracker sites continued in the wake of guilty verdict against the four defendants in the high-profile Pirate Bay trial last Friday.

The main victim of attacks by as yet unidentified vigilantes (or possibly simple griefers) was free-torrents.org, reports security tools firm Arbor Networks. The assault against free-torrents.org has been going on for around a month, and so is hardly a new development. Arbor’s findings (below) contradict rumours that large-scale denial of service attacks against multiple Torrent trackers were underway.

All in all, except for free-torrents.org getting attacked by a Black Energy botnet run out of China (using the C&C at hack-off.ru), we can’t corroborate this spate of attacks. Free-torrents.org has been getting pounded by this botnet since mid March, 2009, in fact. But none of the other major sites appear to be receiving such packet love.

Jose Nazario, manager of security research at Arbor Networks, notes that the trial involved the people who ran Pirate Bay, not the site itself, which remains operational. Even if The Pirate Bay was taken down something else would surely replace it. Nonetheless The Pirate Bay is a major interchange (most of the Pirate Bay swarms also include other trackers), so disrupting TPB may have an impact on BitTorrent traffic as a whole, at least for a short period.

Credit: The Register