Attacks/Breaches

11/21/2012
08:50 AM

Anonymous Steps Into Gaza Crisis

Website defacing and Anonymous DDoS campaign pale next to ongoing cyberattacks apparently launched from Iran and Palestine, security experts say.

As the Gaza crisis has escalated, so has the response from hackers.

After Israel began air strikes in the Gaza strip last Wednesday, Anonymous launched Operation Israel (OpIsrael), which involves distributed denial-of-service (DDoS) attacks against Israeli government and business websites. By Tuesday, Israeli officials said they'd seen 44 million hacking attempts launched at government websites.

Beyond the DDoS attacks, multiple hacking groups have been practicing the digital equivalent of spray painting graffiti messages on walls, by defacing numerous Israeli websites, including the Facebook page of Israeli prime minister Silvan Shalom, which they recently customized with a "free Palestine" slogan. A group called the Z Company Hacking Crew claimed credit for the Facebook defacement, as well as taking over Shalom's Twitter, YouTube, and Blogspot accounts. "This hack is a team work. There were many members involved who were simultaneously handling different social media," read a Wednesday post to the group's Twitter feed.

The Z Company Hacking Crew disputed news reports that any element of Anonymous had participated in its attacks, saying via Twitter: "Please dont (sic) associate us with any one else. We are not hamas we are not anonymous." The group Wednesday promised to publish information it had stolen from Shalom, including "his contacts, docs, and some other interesting stuff."

Meanwhile, a hacker claiming to be "Zombie_KsA," the founder of the Pakistani PAKbugs black hat community, took credit for defacing the Israeli websites of BBC, Coca-Cola and Intel, as well as several websites managed by Microsoft. A Microsoft spokesman told Softpedia that it didn't appear that any customer data had been compromised as a result of the attacks.

But after the attacks, someone claiming to be the real Zombie_KsA said he wasn't behind the defacements, which he blamed on script kiddies who had used his name. To try to clear his name, Zombie_KsA published an analysis of the attacks on the PAKbugs website, noting that it took him only five minutes to retrace the vulnerabilities the attackers had used to gain access to the website of an Israeli domain name registrar, Galcomm, which Microsoft and the other companies apparently used to register their domain names.

According to Zombie_KsA, the attackers most likely didn't deface the targeted websites directly. Instead, they used a SQL injection attack, launched with Havij or another automated attack tool, against the Galcomm site, accessed the targeted companies' Galcomm accounts, altered the domain name settings for each site, and then uploaded their website defacements.

"For security reasons we are not disclosing exact injectable links, and we have informed [the] right authorities about vulnerability," said Zombie_KsA, who also criticized the state of Galcomm's website, saying it had been "poorly coded in .NET."
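The registrar-side tampering described above (nameservers and apex records changed inside the victim's registrar account) is something a domain owner can detect by baselining those settings and alerting on drift. The following Python is an added example, not code from the article or from PAKbugs, Galcomm or any of the companies named; the DomainState structure, the domain names and the addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainState:
    """Registrar-side settings that matter for a hijack (constructed structure)."""
    nameservers: frozenset  # who serves the zone
    a_records: frozenset    # where the apex points
    registrar_lock: bool    # transfer/update lock on

def normalize(names):
    """Lower-case and strip trailing dots so 'NS1.Example.NET.' == 'ns1.example.net'."""
    return frozenset(n.lower().rstrip(".") for n in names)

def diff_domain(baseline, observed):
    """Return (severity, message) findings for one domain; empty list means no drift."""
    if observed is None:
        return [("high", "domain missing from registrar account")]
    findings = []
    base_ns, obs_ns = normalize(baseline.nameservers), normalize(observed.nameservers)
    if obs_ns != base_ns:  # a new NS set hands the whole zone to whoever runs it
        findings.append(("high", "nameservers changed: added %s removed %s"
                         % (sorted(obs_ns - base_ns), sorted(base_ns - obs_ns))))
    if observed.a_records != baseline.a_records:  # apex now resolves elsewhere
        findings.append(("high", "apex A records changed: added %s removed %s"
                         % (sorted(observed.a_records - baseline.a_records),
                            sorted(baseline.a_records - observed.a_records))))
    if baseline.registrar_lock and not observed.registrar_lock:
        findings.append(("medium", "registrar lock removed"))
    return findings

def audit(baseline, observed):
    """Audit every baselined domain; returns {domain: findings} only where there is drift."""
    report = {}
    for domain, base in baseline.items():
        findings = diff_domain(base, observed.get(domain))
        if findings:
            report[domain] = findings
    return report

# Constructed sample: corp-a untouched, corp-b re-pointed with lock dropped, corp-c gone.
GOOD_NS = frozenset({"ns1.registrar.test", "ns2.registrar.test"})
BASELINE = {
    "corp-a.test": DomainState(GOOD_NS, frozenset({"203.0.113.10"}), True),
    "corp-b.test": DomainState(GOOD_NS, frozenset({"203.0.113.20"}), True),
    "corp-c.test": DomainState(GOOD_NS, frozenset({"203.0.113.30"}), True),
}
OBSERVED = {
    "corp-a.test": DomainState(GOOD_NS, frozenset({"203.0.113.10"}), True),
    "corp-b.test": DomainState(frozenset({"ns1.unknown.test", "ns2.unknown.test"}),
                               frozenset({"198.51.100.7"}), False),
}
```

In practice the OBSERVED side would be filled from the registrar's API or a WHOIS/DNS query on a schedule, and any "high" finding is a signal to check the registrar account for an unauthorized login or injected change.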

Despite the uptick in DDoS attacks and website attacks launched at Israeli government websites and businesses over the past week, security experts said the damage still pales in comparison to the malware-driven online espionage campaign that has been targeting Israel for the past year. Earlier this month, researchers at security firm Norman reported that for more than a year, a group of attackers has been using the xTreme remote access Trojan (RAT) to attack targets first in Palestine and then in Israel, using phishing emails that refer to current news events.

"The attacker is unknown at this point, but the purpose is assumed to be espionage/surveillance," said Snorre Fagerland, principal security researcher at Norman, in a related report. "These attacks have been ongoing for at least a year."

The related attacks and resulting malware infections recently led Israeli authorities to take Israeli police computers offline, as well as to ban the use of removable media, through which the malicious backdoor software used by the attackers was apparently able to spread.

As with most types of cyber espionage, clearly identifying who launched or sponsored the attacks remains difficult. "It is interesting that the operation apparently shifted over time from Palestinian target to Israeli target," said Fagerland in a blog post. "This can be due to changes in the political situation, or maybe the first half of the operation uncovered something that caused the target shift." While some analysts have suggested that Iran was behind the attacks, Fagerland refused to speculate.

But Aviv Raff, the chief technology officer of Seculert, said that the location of the command-and-control servers involved, as well as the content of the emails, showed that the attacks came from Palestine, reported The New York Times.


Comments
Jamil1
11/22/2012 | 2:29:52 AM
re: Anonymous Steps Into Gaza Crisis
There is no such country as Palestine. Please tell me where it is located, what the currency is, and what countries have ambassadors there.
IngaTuMa
11/22/2012 | 2:52:03 AM
re: Anonymous Steps Into Gaza Crisis
The host, the country of Palestine, is almost dead, because a parasite has been taking over it since 1947, a parasite called Israel!