11:47 AM

Syrian Electronic Army Returns, Smacks Down Tango

Pro-Assad hacktivists steal Tango chat app's user details and deletes related article from Daily Dot media site despite its knowledge of imminent attack.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The Syrian Electronic Army (SEA), a band of hackers loyal to Syrian president Bashar al-Assad, claims to have stolen a database filled with details for users of the Tango video and voice chat app.

According to a "Tango app website/databases hacked" notice posted to the SEA's site Friday, the group said it obtained "more than 1.5 TB of the daily-backups of the servers [sic] network," as well as four databases containing "millions of the app users phone numbers and contacts and their emails."

"Much of the information in the databases that were downloaded will be delivered to the Syrian government," the group promised.

[ Beware suspect emails. Read Phishing Attackers Diversify, Target Facebook Credentials. ]

Software developer Tango confirmed Saturday that its systems had been breached, although it didn't name SEA as the culprit. "Tango experienced a cyber intrusion that resulted in unauthorized access to some data. We are working on increasing our security systems," read a Saturday tweet from Tango's official Twitter account. "We sincerely apologize for any inconvenience this breach may have caused our members."

Tango's app, which offers free calls for users, is similar to Skype and WhatsApp, and works on Android, iOS and Windows Phone devices, as well as Windows and Mac OS X. Launched in 2009, the app now counts over 120 million users across 210 countries, and works in 39 languages.

In the wake of the breach, Tango reportedly took its website offline and redirected users to its Facebook page. As of Tuesday, its website was again working, but made no mention of the data breach.

The SEA appeared to have gained access to Tango's systems by exploiting a vulnerability in an outdated version of its WordPress content management system, reported E Hacking News, which both broke the story and then proceeded to give Tango related information security tips. Although the current version of WordPress is 3.5.2 -- and was released last month -- according to a screenshot published by the SEA, Tango was using version 3.2.1 of the software, which was released back in July 2011.

But the SEA didn't stop there. Following the attacks, news site The Daily Dot published a story about the Tango hack Monday, illustrating it with a caricature of Assad from political caricaturist "DonkeyHotey". The SEA took offense at the image and sounded a related warning to The Daily Dot. "Dear @dailydot, please remove the attached picture in this article ... or we will do something you will not like it," the group tweeted Monday.

When the publication declined to comply, the SEA apparently seized control of at least one staffer's Gmail account, then used those credentials to access the publication's online control panel and excise the offending article, including the image. "This time we deleted that article, the second time we will delete all your website," the hackers tweeted Tuesday.

The SEA also leaked a series of Gmail messages between the publications' staffers, asking what should be done about a threat that "came from a smaller Twitter account." In reply, a reporter reminded staffers "to not use your work username/password on a shady-looking site," saying they needed to safeguard their Gmail credentials. "Fortunately, we've been covering the SEA, and we know their usual tactics. It's really, really basic," said the reporter.

Basic or no, at least one staffer apparently fell for an SEA phishing attack. Tuesday, the SEA posted a picture of what it said was "the stupid @dailydot administration panel," but blamed the publication for forcing its hand. "We said 'please' it's your fault," tweeted the hackers.

The SEA has regularly attacked news outlets that it sees as espousing a negative view of the current Syrian regime, which is led by President Bashar al-Assad and the Ba'ath Party. The group's typical modus operandi involves seizing a target's Twitter feeds and using them to broadcast hoax posts. Targets have ranged from the Guardian and BBC to the AP and satire site The Onion.

To date, Syria's two-year civil war has claimed an estimated 93,000 lives.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-02
Buffer overflow in Canary Labs Trend Web Server before 9.5.2 allows remote attackers to execute arbitrary code via a crafted TCP packet.

Published: 2015-10-02
Cisco NX-OS 6.0(2)U6(0.46) on N3K devices allows remote authenticated users to cause a denial of service (temporary SNMP outage) via an SNMP request for an OID that does not exist, aka Bug ID CSCuw36684.

Published: 2015-10-02
Cisco Email Security Appliance (ESA) 8.5.6-106 and 9.6.0-042 allows remote authenticated users to cause a denial of service (file-descriptor consumption and device reload) via crafted HTTP requests, aka Bug ID CSCuw32211.

Published: 2015-10-01
lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a (1) mount target or (2) bind mount source.

Published: 2015-10-01
kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.