Attacks/Breaches
4/12/2013
09:46 AM

Anonymous-Linked Hacker Claims North Korea Win

Botmaster "The Jester," whose DDoS attacks have targeted Westboro Baptist Church, PayPal and Mastercard, calls "tango down" on Pyongyang's new, third Internet connection.

A botmaster who's launched distributed denial of service (DDoS) attacks against Westboro Baptist Church, as well as PayPal and MasterCard, this week announced new attacks against the Democratic People's Republic of Korea (DPRK), aka North Korea.

"'TANGO DOWN' -- Border Gateway Protocol CISCO IOS -- #DPRK," read a tweet from The Jester, aka "th3j35t3r." The hacktivist catchphrase "tango down" is borrowed from military radio slang, in which "tango" stands for "target," so it means "target down."

The Wednesday tweet linked to a "what it was" screenshot showing information for the disrupted IP address 175.45.177.211, which is listed as a Cisco IOS router registered to the DPRK that first came online March 30. A screenshot of an unreachable address shows only that the address stopped responding, not what caused the outage. The tweet also included a "why" link pointing to a Tuesday report on the North Korea Tech website about how North Korea recently added a third Internet connection to the country.

"The connection links just one of the DPRK's four blocks of Internet addresses," said journalist Martyn Williams, who maintains the North Korea Tech website. "The block in question isn't the one that hosts North Korea's handful of Web servers -- the ones that came under denial of service attack in the last few days. But it does host some computers, including an Internet gateway that serves as one of the ways traffic from inside North Korea gets to the rest of the Internet."

The Jester's apparent takedown of North Korea's third Internet connection followed DDoS attacks he'd launched against the websites of North Korea's official Air Koryo airline, as well as the government-run DPRK site, the Committee for Cultural Relations with Foreign Countries (Friend.com.kp) and the Korea Computer Center (Naenara).

The Jester is a self-described U.S. military veteran of Afghanistan now turned "hacktivist for good" who's dedicated to "obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys."

In December 2012, The Jester -- apparently in coordination with hacker "Cosmo The God" as well as the Anonymous hacktivist collective -- targeted Westboro Baptist Church, a controversial group which self-identifies as a church. After Westboro threatened to protest the funerals of people killed at the Sandy Hook Elementary School in Newtown, Conn., The Jester reported using DDoS attacks to disrupt approximately 10 of 19 different sites operated by the group.

Previously, The Jester had participated in the Operation Payback attacks against PayPal and MasterCard, and other sites perceived to be interrupting the flow of donations to WikiLeaks. While Anonymous had urged followers of Operation Payback to download a DDoS tool known as Low Orbit Ion Cannon (LOIC) and target offending sites, the sites were reportedly knocked offline only after The Jester brought his botnet to bear. Because LOIC sends its flood traffic directly from the user's own, unspoofed IP address, investigators were subsequently able to trace and arrest numerous LOIC users.

Despite the occasional collaboration with Anonymous, The Jester appears to have an on-again, off-again relationship with the hacktivist collective. "To #Anonymous: You're all for 'free speech' right? But only when it's your opinion, you deny others 'free speech' w/ your attacks," read a tweet posted Thursday by The Jester.

Even so, both The Jester and Anonymous have recently been targeting North Korea -- The Jester using DDoS attacks, and Anonymous recently taking over and defacing Pyongyang's Twitter and Flickr accounts -- in collective protest against increasing provocations by the Pyongyang regime. Those provocations include conducting nuclear weapon tests, issuing an official declaration of war against South Korea, warning that foreigners should flee the country, and repositioning a medium-range missile launcher to put it within range of not only South Korea and Japan, but also Guam.

Thursday, South Korean government officials announced that a hacker's error allowed them to trace the March 20 wiper-malware attacks against multiple banks and broadcasters to an IP address (175.45.178.xx) tied to North Korea's capital, Pyongyang. Since June 2012, that IP address had been used 13 different times to access the systems ultimately targeted in the March 20 attacks.

Comments

Joey Ortega (User Rank: Apprentice), 4/25/2013 6:41:41 PM
re: Anonymous-Linked Hacker Claims North Korea Win
Jester or a troll? You decide. Starts at 95:15 http://www.blogtalkradio.com/b...

Turned it into this lol :) https://itunes.apple.com/us/al...