Attacks/Breaches
12/14/2012
11:01 AM

Bank Attackers Used PHP Websites As Launch Pads

WordPress sites with an outdated TimThumb plug-in were among the PHP-based sites the attackers used to launch this fall's massive DDoS attacks, reports Arbor Networks.

The group that began targeting U.S. bank websites in September launched their large-scale, distributed denial-of-service (DDoS) attacks via a number of PHP-based websites that they'd previously exploited.

That finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads.

"Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools," according to a blog post by Dan Holden and Curt Wilson, who are part of the security engineering and response team at Arbor Networks.


After compromising the PHP-based websites and loading their attack toolkits, the bank attackers either connected directly to the sites to issue commands, or else used intermediate servers, proxies or scripts. The attack tool used most often, according to Arbor, was the "itsoknoproblembro" toolkit, also known as Brobot. Two other tools, KamiKaze and AMOS, were also used, but less frequently.

Those tools enabled attackers to launch "a mix of application layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols," said Holden and Wilson. "The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, to multiple companies in the same vertical."

The scale of those DDoS attacks disrupted the websites of leading Wall Street firms, including Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. That was despite the attackers announcing in advance which sites would be attacked, as well as the date and time their attacks would commence.

In late October, after more than a month of bank website attacks, the hacktivist group that claimed credit for the so-called Operation Ababil campaign promised a pause in its efforts. But the group broke its silence earlier this week, when it reemerged and promised to begin attacks this week against Bank of America, JPMorgan Chase, PNC Financial Services Group, SunTrust Banks and U.S. Bancorp.

Those attacks appeared to recommence Tuesday. A spokesman for PNC confirmed Thursday via email that the bank's website had been seeing "an unusual volume of electronic traffic at our Internet connection." But he declined to comment on whether that traffic had been caused by DDoS attacks.

According to Arbor, the new attacks "looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2," showing that attackers' techniques are continuing to evolve.

What lessons can businesses draw from the Arbor finding that the DDoS bank attackers are using vulnerable WordPress and PHP sites as staging grounds? For starters, businesses should keep an eye on their websites for signs of outdated or unsecured PHP applications -- and not just to help prevent DDoS attacks. Indeed, criminals often use exploited websites to launch attacks and store stolen information.

"WordPress enables these organizations to set up an infrastructure on the Internet that exacerbates the challenge of locating them," said Jim Butterworth, CSO of HBGary, speaking by phone. "They're using it as an opportunistic technique for lifting stolen information, more so than using WordPress as an attack vector."

The gang behind the Eurograbber attack campaign, for example, reportedly used Zitmo Trojan spyware to steal $47 million or more from over 30,000 corporate and private banking customers. Although the gang used command-and-control servers to manage PCs infected with its malware, it had also exploited PHP websites to create drop zones for storing stolen information, as well as for pushing additional attack code to infected PCs. Using drop zones -- as a kind of criminal Dropbox -- helps attackers better cover their tracks and evade security defenses.

Despite those criminal tactics, Butterworth said businesses shouldn't avoid using PHP-based applications such as WordPress. Instead, they should inventory which PHP applications are being used, log network traffic to reveal inbound PHP requests that expose would-be attackers probing for such applications, and ensure that the PHP applications remain hardened against the toolkits and vulnerabilities used to exploit them. "Locate, patch and watch. That's the advice," he said.
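The "locate, patch and watch" advice above can be turned into a simple log check. The following is an added example, not code from the article or from Arbor or HBGary: it scans constructed Apache-style access-log lines against a hypothetical inventory of the PHP entry points a host is supposed to serve, and flags requests for TimThumb (especially ones passing a remote src URL, which old TimThumb versions would fetch) and requests to PHP files that are not in the inventory, a common sign of an uploaded webshell.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of Apache combined-format access-log lines (not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2012:10:01:02 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://203.0.113.9/a.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Dec/2012:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2012:10:01:09 +0000] "POST /wp-content/uploads/cache/z.php HTTP/1.1" 200 128 "-" "curl/7.21"
203.0.113.8 - - [14/Dec/2012:10:02:11 +0000] "GET /administrator/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.8 - - [14/Dec/2012:10:02:14 +0000] "GET /images/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Hypothetical inventory (the "locate" step): the PHP entry points this host is
# meant to serve. Any other .php path being requested is worth a look.
KNOWN_PHP = {"/index.php", "/wp-login.php", "/administrator/index.php"}

# ip, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(method, target):
    """Return the reasons a request deserves attention, or [] if it looks benign."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    reasons = []
    if path.lower().endswith("/timthumb.php"):
        reasons.append("timthumb request")
        src = query.get("src", [""])[0]
        if src.startswith(("http://", "https://")):
            reasons.append("remote src URL")  # outdated TimThumb fetched remote files
    elif path.endswith(".php") and path not in KNOWN_PHP:
        reasons.append("php file not in inventory")
        if method == "POST":
            reasons.append("POST to unknown php")  # typical of webshell command traffic
    return reasons


def scan(log_text):
    """Parse access-log lines and return (ip, method, path, reasons) for suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _ts, method, target, _status = m.groups()
        reasons = classify(method, target)
        if reasons:
            findings.append((ip, method, urlsplit(target).path, reasons))
    return findings


if __name__ == "__main__":
    for ip, method, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {', '.join(reasons)}")
```

Run against real logs, the same check gives the "watch" step: a source that first probes timthumb.php and then POSTs to a PHP file nobody deployed is the pattern the article describes.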


Comments
SpamIsLame,
User Rank: Apprentice
4/29/2013 | 9:35:17 PM
re: Bank Attackers Used PHP Websites As Launch Pads
I was recently brought in to investigate why a specific Unix web server was suddenly running this DDoS code. None of this appears to be documented anywhere. The results of my investigations so far are disappointing and troubling. There are a lot of really vulnerable servers out there being used for free by the criminal community at large.

The criminals behind this operation are placing code on very vulnerable, unsecured Unix servers running PHP. If that PHP server allows an "eval" command to be run that allows a script to perform high-level, near-root-level functions like shutting down logging and restarting the web server, they place a file on it that allows it to run ANY command it receives, using the "eval" function.

This is why there are a bunch of reports out there that talk about how the botnet is "learning" or "gaining new powers". It's a really wide-open, non-secure server that will run *any* command. It's not "learning". It's at the mercy of any idiot who knows how to send it a large sequence of commands to run.

SiL
MarkSitkowski,
User Rank: Moderator
4/5/2013 | 4:58:18 AM
re: Bank Attackers Used PHP Websites As Launch Pads
Instead of waiting for your kernel to get overwhelmed with DNS replies for which it never asked, do this in your firewall:

# ipfilter rules: the last matching rule wins, so the pass rules below
# carve exceptions out of the blanket block on interface e1000g0
block in on e1000g0 proto udp all
# only our own resolvers may send us UDP (DNS replies)
pass in on e1000g0 proto udp from our.dns.server1/32
pass in on e1000g0 proto udp from our.dns.server2/32
# plus whatever other UDP peer the box genuinely needs (here an XDMCP host)
pass in on e1000g0 proto udp from any.xdmcp.box/32

The Unix kernel never sees any of that garbage, and the machine doesn't fall over.