10:49 AM

Hackers Hit Symantec, ImageShack, But Not PayPal

Despite threats, Anonymous did not take down Facebook or Zynga on Monday. But other hackers detailed their own exploits, releasing employee credentials and source code.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
November 5 came and went without Facebook or mobile game developer Zynga seeing their websites get taken down by promised online attacks executed by the Anonymous hacktivist collective.

In the run-up to the Guy Fawkes Night holiday -- celebrated annually in Britain and featured in the 2005 film "V for Vendetta," from which Anonymous borrows its trademark mask -- multiple Anonymous factions had promised to take down various websites, presumably via distributed denial of service (DDoS) attacks. They also threatened to release a broad swatch of Zynga's mobile games for free. None of that came to pass.

Monday was, however, a notable day for hacking attacks that didn't involve Anonymous. In particular, hacking group Hack The Planet Monday released a Pastebin post with data that the group claimed to have stolen from ImageShack, Symantec, and ZPanel. As part of the hacking "zine" the group released, it said there was also "a heap of personal information that is claimed to belong to some people that are close to the infosec and anonymous scene," which the group said it hadn't had time to fully review.

[ For more on Anonymous's threatened Guy Fawkes Day takedowns, see Anonymous Threatens Zynga, Facebook Takedowns. ]

The leaked Symantec data appears to have involved a breached database containing email addresses and apparent password hashes for 3,195 employees.

A Symantec spokesman, reached via email, said the company is investigating the alleged breach. "Symantec is aware of the claims being made online," he said. "We take each and every claim very seriously and have a process in place for investigating each incident. Our first priority is to make sure that any customer information remains protected. We are investigating these claims and have no further information to provide at this time."

Meanwhile, Hack The Planet claimed that its ImageShack hack was much more extensive than the Symantec breach: "ImageShack has been completely owned, from the ground up. We have had root and physical control of every server and router they own. For years." The group also listed, tongue in cheek, nine factors it found that illustrated "the hardened security on all of ImageShack's equipment." Among them: running "all MySQL instances as root," having outdated kernels from 2008 or earlier, hard-coding passwords into numerous files, and having "a firewall that allows outgoing backconnects." The hacking group also released a large amount of data supposedly stolen from ImageShack, including lists of file permissions and source code.

ImageShack didn't immediately respond to an emailed request for comment about whether the leaked data was genuine, or whether attackers had also deleted the site's blog, which now resolves to a page with a "not found" error.

According to Hack The Planet, its Pastebin post also includes zero-day exploit code for ZPanel, which is a free, open source Web hosting control panel for Windows, Unix, and Linux. "We have a Zero Bug attacking all the login and overlay files," Hack The Planet said, noting that the exploit code can be used to reset root passwords in the system remotely and without authentication. Interestingly, the code's author is listed as "joepie91," which is the handle of a hacker previously associated with LulzSec.

Tuesday, however, ZPanel's head developer and project leader, Bobby Allen, said in a ZPanel forum post that the exploited flaw was patched almost three months ago. "We was (sic) made aware of this bug several months back by our professional security firm 'WebSec' and we have already released a fix of which is implemented in version 10.0.1 of ZPanel," he said. "We can therefore only assume that 'Anonymous' was 'hacking' version 10.0.0 of ZPanel of which we have already released a fix for." (Again, Hack The Planet, not Anonymous, has claimed credit for the attack.) That fix was issued on August 14, 2012.

What about PayPal? Cyber War News had originally reported that the list of sites exploited by Hack The Planet included PayPal, but it later corrected that report to note that PayPal hadn't been targeted. Similarly, a PayPal spokeswoman said via email, "It appears that the exploit was not directed at PayPal after all, it was directed at a company called ZPanel." PayPal said it's found no evidence that it was hacked, or that any of its employees' data was obtained or released, as was originally reported.

That's contrary to this Monday statement issued via the Anonymous Press Twitter channel: "Paypal hacked by Anonymous as part of our November 5th protest." That post linked to a PrivatePaste file, which has since been removed, but according to news reports, Anonymous claimed to have breached 18,000 PayPal usernames and passwords. By Tuesday, however, the consensus was that the breached data belonged to another organization -- perhaps ImageShack. Was the Cyber War News report responsible for Anonymous channels getting their own news wrong?

Still, all wasn't quiet Monday on the bona fide Anonymous data breach front. Notably, the Anonymous Intelligence Agency (aka Par:AnoIA) released what it said was a preview of a "dump of internal files from the Organization for Security and Cooperation in Europe," which it said highlighted attempted election manipulation in last week's Ukrainian elections.

But the failure of so many threatened Anonymous attacks to materialize led Cult of the Dead Cow official "Oxblood Ruffin" to dub Guy Fawkes Day as "the Anonymous version of April Fools."

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
11/14/2012 | 11:27:12 PM
re: Hackers Hit Symantec, ImageShack, But Not PayPal
Paypal is lying. They have limited my account and are demanding to know why someone in Iran accessed my account. I have provided them with a photo ID, proof of address, confirmed my accounts and reset my password this week at their request. And they still haven't fixed it. I live in Wisconsin, my paypal account is 10 years old, I've had the same address for the last 7 years and my billing addresses all match that same address. Quite obviously, someone got a hold of my information. And it just happened to occur right after anonymous claimed to have stolen passwords. Coincidence? Ha. They are lying and just don't want people to know.
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.