Attacks/Breaches
7/23/2013
11:47 AM
Connect Directly
RSS
E-Mail
50%
50%

Syrian Electronic Army Returns, Smacks Down Tango

Pro-Assad hacktivists steal Tango chat app's user details and deletes related article from Daily Dot media site despite its knowledge of imminent attack.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The Syrian Electronic Army (SEA), a band of hackers loyal to Syrian president Bashar al-Assad, claims to have stolen a database filled with details for users of the Tango video and voice chat app.

According to a "Tango app website/databases hacked" notice posted to the SEA's site Friday, the group said it obtained "more than 1.5 TB of the daily-backups of the servers [sic] network," as well as four databases containing "millions of the app users phone numbers and contacts and their emails."

"Much of the information in the databases that were downloaded will be delivered to the Syrian government," the group promised.

[ Beware suspect emails. Read Phishing Attackers Diversify, Target Facebook Credentials. ]

Software developer Tango confirmed Saturday that its systems had been breached, although it didn't name SEA as the culprit. "Tango experienced a cyber intrusion that resulted in unauthorized access to some data. We are working on increasing our security systems," read a Saturday tweet from Tango's official Twitter account. "We sincerely apologize for any inconvenience this breach may have caused our members."

Tango's app, which offers free calls for users, is similar to Skype and WhatsApp, and works on Android, iOS and Windows Phone devices, as well as Windows and Mac OS X. Launched in 2009, the app now counts over 120 million users across 210 countries, and works in 39 languages.

In the wake of the breach, Tango reportedly took its website offline and redirected users to its Facebook page. As of Tuesday, its website was again working, but made no mention of the data breach.

The SEA appeared to have gained access to Tango's systems by exploiting a vulnerability in an outdated version of its WordPress content management system, reported E Hacking News, which both broke the story and then proceeded to give Tango related information security tips. Although the current version of WordPress is 3.5.2 -- and was released last month -- according to a screenshot published by the SEA, Tango was using version 3.2.1 of the software, which was released back in July 2011.

But the SEA didn't stop there. Following the attacks, news site The Daily Dot published a story about the Tango hack Monday, illustrating it with a caricature of Assad from political caricaturist "DonkeyHotey". The SEA took offense at the image and sounded a related warning to The Daily Dot. "Dear @dailydot, please remove the attached picture in this article ... or we will do something you will not like it," the group tweeted Monday.

When the publication declined to comply, the SEA apparently seized control of at least one staffer's Gmail account, then used those credentials to access the publication's online control panel and excise the offending article, including the image. "This time we deleted that article, the second time we will delete all your website," the hackers tweeted Tuesday.

The SEA also leaked a series of Gmail messages between the publications' staffers, asking what should be done about a threat that "came from a smaller Twitter account." In reply, a reporter reminded staffers "to not use your work username/password on a shady-looking site," saying they needed to safeguard their Gmail credentials. "Fortunately, we've been covering the SEA, and we know their usual tactics. It's really, really basic," said the reporter.

Basic or no, at least one staffer apparently fell for an SEA phishing attack. Tuesday, the SEA posted a picture of what it said was "the stupid @dailydot administration panel," but blamed the publication for forcing its hand. "We said 'please' it's your fault," tweeted the hackers.

The SEA has regularly attacked news outlets that it sees as espousing a negative view of the current Syrian regime, which is led by President Bashar al-Assad and the Ba'ath Party. The group's typical modus operandi involves seizing a target's Twitter feeds and using them to broadcast hoax posts. Targets have ranged from the Guardian and BBC to the AP and satire site The Onion.

To date, Syria's two-year civil war has claimed an estimated 93,000 lives.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.