Attacks/Breaches
5/7/2013
11:59 AM
Connect Directly
RSS
E-Mail
50%
50%

Anonymous OpUSA Hackathon: Mostly Bluster

DHS predicts Tuesday's hackathon will involve little more than nuisance exploits. Meanwhile, Syrian Electronic Army hacks Twitter feeds of satire site The Onion.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Will the Anonymous-lead Operation USA (#OpUSA) scheduled for Tuesday disrupt leading U.S. government and banking websites?

An "#OpUSA target list" posted to Pastebin two weeks ago named nine government websites -- the White House and Department of Defense's public-facing websites among them -- and 133 banks and credit unions as primary targets. "We will now wipe you off the cyber map," read the Pastebin post, signed by N4M3LE55 CR3W. "Do not take this as a warning. You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs."

In a show of solidarity, the distributed-denial-of-service bank-attack outfit known as al-Qassam Cyber Fighters, which as part of Operation Ababil has been successfully disrupting financial websites for months, Monday promised to take the week off. "Due to the simultaneity of OpUSA with Operation Ababil, and to abstain from ambiguity in the intentions of our operation, this week we will not run any attack," read a statement posted to the group's Pastebin.

By Tuesday afternoon, however, despite a plethora of hacked-site reports, the OpUSA attacks appeared to be targeting low-level -- and possibly random -- sites in the United States and abroad, arguably causing little damage.

[ Could fake passwords help keep your database secure? Read Sweet Password Security Strategy: Honeywords. ]

The Tunisian Hackers Team, for example, claimed to have dumped a SQL database for the Blood Bank of America that appeared to contain about 3,000 usernames and hashed passwords. Among other attacks, AnonGhost members BilalSbXtra & Dr.SaMiM_008 posted what they said were 10,000 credit card numbers, including expiration dates and security codes, as well as account holders' names and addresses -- that were apparently stolen from an online store. Some of the published information also included social security numbers, bank account routing numbers and answers to secret questions. The group also claimed to have hacked 29 Israeli websites.

Meanwhile, Mauritania Attacker Tuesday claimed to be preparing to release "all governments emails of USA." It published a teaser showing some doxed addresses -- which included both microsoft.com and cia.gov addresses, as well as numerous accounts with service providers -- but with obscured passwords.

Hacking groups or collectives claiming to participate in OpUSA include Anonymous and affiliates AntiSec and LulzSec Reborn. Other groups that have pledged their assistance include Ajax Team, Mauritania Attacker, Muslim Liberation Army, Redhat, Team Poison Reborn and ZHC.

Not all OpUSA-related attacks began Tuesday. Hacking group X-Blackerz Inc claimed Monday to have released 23 emails and passwords for Honolulu Police Department staff. Meanwhile, AnonGhost Team got an early start Saturday, claiming via Pastebin that it had defaced about 900 pages, which included multiple Web pages in the domain of Hack-DB, which tracks hacktivism and cybercrime. A message posted to defaced sites read "we are everywhere" and left a scrolling list of the group's official members.

Many of the groups that pledged to take part in the one-day hackathon had previously joined forces for the ongoing Operation Israel (#OpIsrael) campaign, which last month promised to "erase" Israel from the Internet. "We promised to take Israel off the cyber map. We succeeded," read a recent OpUSA target list post. OpIsrael attackers last month claimed to have disrupted 100,000 Israeli websites and caused $3 billion in damage. But Israeli officials disputed hacktivists' claims, saying while there had been a lot of bluster there was little "real damage," and that the country's critical infrastructure remained unaffected.

Likewise, in the lead-up to OpUSA, the U.S. Department of Homeland Security appeared to expect similar low-level attacks aimed to publicize attackers' anti-U.S. grievances but that would cause little lasting damage. In a confidential DHS memo issued last week and obtained by security reporter Brian Krebs, DHS said the attacks "likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation."

Not all hacktivist activity this week has been conducted under the OpUSA banner. The Syrian Electronic Army resurfaced Monday when it seized control of the Twitter feed for the satirical news outlet The Onion. The group posted fake news headlines relating to Israel's recent missile strikes against military targets in Syria. Another tweet suggested that the Israeli government was allied with Al Qaeda.

In the wake of the Twitter account takeover, The Onion responded in typical fashion: "Following today's incident in which the Syrian Electronic Army hacked into The Onion's Twitter account, sources ... confirmed that its Twitter password has been changed to OnionMan77 in order to prevent any future cyber-attacks." The story quoted "Onion IT specialist Nick Abersold" as saying that the new password would be "virtually impenetrable."

Satire aside, in the wake of the numerous news organizations' Twitter account takeovers by the Syrian Electronic Army, Twitter last week issued a memo last week warning media outlets to take appropriate security precautions, as it expected the account takeovers to continue.

Antivirus systems alone can't fight a growing category of malware whose strength lies in the fact that we have never seen it before. The How To Detect Zero-Day Malware And Limit Its Impact report examines the ways in which zero-day malware is being developed and spread, and the strategies and products enterprises can leverage to battle it. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Greg MacSweeney
50%
50%
Greg MacSweeney,
User Rank: Apprentice
5/8/2013 | 3:16:11 PM
re: Anonymous OpUSA Hackathon: Mostly Bluster
OpUSA seems like much ado about nothing. Though hundreds of smaller sites were hacked. There were claims that some banks lost credit card info, but the reports have turned out to be false.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.