Attacks/Breaches
4/29/2013
08:58 AM
50%
50%

Syrian Hacktivists Hit Guardian Twitter Feeds

Pro-Assad hacktivist group takes over 11 Twitter feeds belonging to British news group, decries "lies and slander about Syria."

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
The Syrian Electronic Army (SEA) announced Sunday that it took over 11 Twitter feeds belonging to Britain's Guardian newspaper, including its book, film, photography and travel feeds, as well as multiple journalists' accounts. It also posted passwords -- composed of 15 randomized characters -- it claimed were for four of the compromised accounts.

By Monday, many of the accounts were suspended by Twitter, although SEA appeared to still be compromising additional accounts, including the Guardian's business feed. "Follow the Syrian Electronic Army ... Follow the truth!" read a message posted to some compromised Twitter accounts.

"We are aware that a number of Guardian Twitter accounts have been compromised and we are working actively to resolve this," said a Guardian News & Media spokeswoman via email. She declined to comment on how the accounts had been compromised.

[ Worried about your Twitter account getting hacked? Read Twitter Trouble: 9 Social Media Security Tips. ]

The SEA said the disruptions were made to protest the newspaper's "lies and slander about Syria," according to a statement posted to the group's website. Some accounts also had their profiles changed to display a graphic of an eagle bearing the flag of the Syrian Arab Republic, which is used by parties loyal to the current Syrian regime, which is led by President Bashar al-Assad and the Ba'ath Party.

A two-year civil war in Syria has claimed an estimated 70,000 lives to date. The White House in recent days said that U.S. intelligence reports have suggested that the nerve agent sarin may have been used on a "small scale" by Assad supporters against their opponents, reported the Guardian.

The SEA has previously attacked news organizations -- including the BBC and Qatari-backed al-Jazeera TV -- over coverage that the group deemed to be unfavorable to the current Assad regime. Tuesday, notably, the SEA posted a hoax tweet via an Associated Press Twitter feed saying that President Obama had been injured in explosions at the White House. The tweet has been blamed for triggering a temporary downturn in the stock market.

The AP has yet to confirm how its Twitter accounts were compromised, although some news reports said that an SEA-conducted phishing campaign was responsible. Security experts, however, have said that the group has employed a variety of account-takeover tactics. "In many cases, the SEA carries out their attacks in a manner that is difficult to detect," said Ted Ross, the executive technologist at HP Security's Office of Advanced Technology, in a recent blog post rounding up what's known about the Syrian Electronic Army.

The group's tactics also continue to evolve. "The SEA has kind of shifted from actively defacing websites they perceive hostile to the Syrian regime to mostly compromising Twitter accounts of media organizations," Helmi Noman, a senior researcher at Toronto University's Citizen Lab, told NBC News.

The AP account compromise lead to reports that Twitter is now testing a two-factor authentication system internally, which it plans to roll out at an unspecified date. But security experts have warned that such a system still wouldn't protect Twitter users from having their accounts compromised via malware or phishing attacks.

The SEA has recently been engaging in a cat-and-mouse game with Twitter, which has been suspending the group's own accounts -- recently named "@Official_SEA" followed by a number -- almost as quickly as they've been used to boast of compromised targets.

That level of account churn has left the Syrian Electronic Army vulnerable to its opponents. "The Syrian Electronic Army use to be Pro-Assad, since he used chemical weapons against our brothers and sisters, no more, Assad is a Ass!" read a Saturday tweet from the @Official_SEA7 account Saturday. "OK so you need to unfollow @SEA_Official8 and @SEA_Official7, the correct one is @Official_SEA7."

But a message posted Monday to @Official_SEA12 -- an account registered late Sunday and cross-referenced from the SEA's own website -- said that @Official_SEA7 was "a fake account."

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.