Attacks/Breaches
7/23/2013
11:47 AM
Connect Directly
RSS
E-Mail
50%
50%

Syrian Electronic Army Returns, Smacks Down Tango

Pro-Assad hacktivists steal Tango chat app's user details and deletes related article from Daily Dot media site despite its knowledge of imminent attack.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The Syrian Electronic Army (SEA), a band of hackers loyal to Syrian president Bashar al-Assad, claims to have stolen a database filled with details for users of the Tango video and voice chat app.

According to a "Tango app website/databases hacked" notice posted to the SEA's site Friday, the group said it obtained "more than 1.5 TB of the daily-backups of the servers [sic] network," as well as four databases containing "millions of the app users phone numbers and contacts and their emails."

"Much of the information in the databases that were downloaded will be delivered to the Syrian government," the group promised.

[ Beware suspect emails. Read Phishing Attackers Diversify, Target Facebook Credentials. ]

Software developer Tango confirmed Saturday that its systems had been breached, although it didn't name SEA as the culprit. "Tango experienced a cyber intrusion that resulted in unauthorized access to some data. We are working on increasing our security systems," read a Saturday tweet from Tango's official Twitter account. "We sincerely apologize for any inconvenience this breach may have caused our members."

Tango's app, which offers free calls for users, is similar to Skype and WhatsApp, and works on Android, iOS and Windows Phone devices, as well as Windows and Mac OS X. Launched in 2009, the app now counts over 120 million users across 210 countries, and works in 39 languages.

In the wake of the breach, Tango reportedly took its website offline and redirected users to its Facebook page. As of Tuesday, its website was again working, but made no mention of the data breach.

The SEA appeared to have gained access to Tango's systems by exploiting a vulnerability in an outdated version of its WordPress content management system, reported E Hacking News, which both broke the story and then proceeded to give Tango related information security tips. Although the current version of WordPress is 3.5.2 -- and was released last month -- according to a screenshot published by the SEA, Tango was using version 3.2.1 of the software, which was released back in July 2011.

But the SEA didn't stop there. Following the attacks, news site The Daily Dot published a story about the Tango hack Monday, illustrating it with a caricature of Assad from political caricaturist "DonkeyHotey". The SEA took offense at the image and sounded a related warning to The Daily Dot. "Dear @dailydot, please remove the attached picture in this article ... or we will do something you will not like it," the group tweeted Monday.

When the publication declined to comply, the SEA apparently seized control of at least one staffer's Gmail account, then used those credentials to access the publication's online control panel and excise the offending article, including the image. "This time we deleted that article, the second time we will delete all your website," the hackers tweeted Tuesday.

The SEA also leaked a series of Gmail messages between the publications' staffers, asking what should be done about a threat that "came from a smaller Twitter account." In reply, a reporter reminded staffers "to not use your work username/password on a shady-looking site," saying they needed to safeguard their Gmail credentials. "Fortunately, we've been covering the SEA, and we know their usual tactics. It's really, really basic," said the reporter.

Basic or no, at least one staffer apparently fell for an SEA phishing attack. Tuesday, the SEA posted a picture of what it said was "the stupid @dailydot administration panel," but blamed the publication for forcing its hand. "We said 'please' it's your fault," tweeted the hackers.

The SEA has regularly attacked news outlets that it sees as espousing a negative view of the current Syrian regime, which is led by President Bashar al-Assad and the Ba'ath Party. The group's typical modus operandi involves seizing a target's Twitter feeds and using them to broadcast hoax posts. Targets have ranged from the Guardian and BBC to the AP and satire site The Onion.

To date, Syria's two-year civil war has claimed an estimated 93,000 lives.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.