LulzSec Hackers Hit Nintendo, FBI Affiliate Websites

Sony's developer network source code was also released by the group, which allegedly attempted to extort a security researcher for botnet information.

It's been a busy couple of weeks for the hacking group known as LulzSec, aka the Lulz Boat.

On Friday, LulzSec said in a statement that its members had exploited the website of the Atlanta chapter of InfraGard, a private, non-profit organization that exists to serve as a public/private partnership with the FBI. LulzSec also posted 180 member usernames and passwords gleaned from the attack, and said it deleted all information stored on the website. As of press time, the website resolved to a page listing it as being "under construction."

LulzSec is the same outfit that recently defaced the PBS website, posting fake news. More recently, the group hacked into a Sony Pictures Entertainment website, exposing one million passwords.

Meanwhile, on Sunday, the group said on its Twitter feed that it had exploited the Nintendo website, but chose to only steal a configuration file. It also said that Nintendo had already fixed the vulnerability it exploited to gain access to the website.

That same day, Nintendo released a statement saying that the breached website contained no customer data, and that no customer data had been stolen. Nintendo was not available for immediate comment about its response to the attacks.

On Monday, adding to its list of exploits, LulzSec released a compressed, 58-MB file, which it says contains the source code for the Sony Computer Entertainment Developer Network. It also promised to throw "more Sony booty overboard soon!" That apparently referred, at least for starters, to the "internal network maps of Sony BMG," which the group released shortly thereafter.

The group also released numerous work and private emails for a security entrepreneur. It obtained access to his email accounts via its hack of the Atlanta InfraGard chapter's website, in which it stole passwords that it then found were reused across multiple sites. As a result, the group said it was able to access both the business and personal Gmail accounts for Atlanta InfraGard member Karim Hijazi, a security consultant who's CEO and president of botnet monitoring startup firm Unveillance, and formerly the principal of security firm Demiurge Consulting.

Based on Hijazi's emails, LulzSec alleged that "we have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means: the U.S. government is funding the CSFI to attack Libya's cyber infrastructure."

LulzSec appears to be referring to a report to which Unveillance contributed information, called "Project Cyber Dawn Libya." The report was co-written by 21 people and released by the Cybersecurity Forum Initiative (CSFI), which appears to be an ad hoc group of cyber warfare devotees.

According to CSFI, the report examines Libya's current "cyber warfare capabilities and defenses," and is intended to "help the international community to understand not only Libya's potential to influence the balance in cyberspace, but also the physical repercussions of cyber-attacks originating from, and directed towards Libya."

Via BitTorrent, LulzSec also released a large quantity of Hijazi's emails. (If Hijazi failed to vary his password for different websites, in those emails he did at least appear to make regular use of PGP to encrypt his business communications--and LulzSec doesn't seem to have cracked those messages.) The group also released an IRC chat transcript that it said occurred between various members of its group and Hijazi. In that chat, said LulzSec, Hijazi "offered to pay us to eliminate his competitors through illegal hacking means in return for our silence."

But was one side just playing the other?

Hijazi, on Friday, fired back at the group in a statement, alleging that over a two-week period, LulzSec members tried to extort information and money from him in exchange for not releasing his emails. According to an IRC chat transcript referenced by Hijazi, a member of LulzSec tells him, "Don't think of it as extortion ... consider it a partership (sic)."

"In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities," said Hijazi.

"Because of this, they followed through in their threats--and attacked me, my business, and my personal reputation. I believe this incident shows the true nature of LulzSec," he said.

In response to Hijazi's statement, meanwhile, LulzSec said that its extortion attempt was a ruse. "To clarify: it was not our goal to extort anything from ... we were merely testing if he would fold or not," it said in a Twitter post on Saturday. According to another statement released by the group, "naturally we were just stringing him along to further expose the corruption of whitehats."

But in its chat transcripts with Hijazi, LulzSec does seem to be seeking data related to botnets, and in particular Mariposa. Asked by Hijazi what their intentions are for the data, one LulzSec member with the handle "Espeon" replied, "We like botnets, we like data ... we like crushing things; we like inside information."
