What's Next For Anonymous After Sabu Arrest?

Members of the hacktivist collective have defaced websites and taunted LulzSec leader Sabu for turning informer. But will he have company?

After the Department of Justice Tuesday announced the arrest of 28-year-old Hector Xavier Monsegur, better known as LulzSec leader "Sabu," hacktivists responded quickly.

One of the first targets was antivirus vendor Panda Labs--which had helped authorities arrest 25 alleged Anonymous hackers last month--which saw its website defaced with an open statement, issued by the Anonymous and Lulzsec-offshoot group AntiSec, accompanied by a previously released LulzXmas video recapping the top exploits of Anonymous in 2011.

In the missive, AntiSec claimed to have built a back door into Panda's antivirus software. "Hello friends!, better known for its ... ANTIVIRUS WE HAVE BACKDOORED, has earning money working with Law Enforcement to lurk and snitch on anonymous activists," it read. "They helped to jail 25 anonymous in different countries and they were actively participating in our IRC channels trying to dox many others."

[ For more on the arrest, see LulzSec Sabu Arrest: Don't Relax Yet, IT. ]

AntiSec also released numerous employee access credentials, and said it had "owned" 35 different Panda websites. But Panda Labs technical director Luis Corrons said via Twitter that attackers had only accessed non-critical company websites. "It was only an external server with blogs and marketing sites."

According to a statement released by Panda, "On March 6th the hacking group LulzSec, part of Anonymous, obtained access to a Panda Security webserver hosted outside of the Panda Security internal network." (Despite that statement, the website defacement text said the attack had been conducted by AntiSec, although "DeathToSnitches" and "LulzSec" were mentioned in the heading.)

Panda said that only marketing-related data and outdated user credentials--from employees who'd left the company at least five years prior--were accessed, and that "the attack did not breach Panda Security's internal network and neither source code, update servers, nor customer data was accessed."

One targeted Panda marketing site had included a blog posted Tuesday with the title "Where is the lulz now?" that discussed the "really good news ... that LulzSec members have been arrested." As of press time, the company's blog and press pages, amongst other parts of its website, remained unreachable. According to a post made to the AnonymousIRC Twitter channel, " ... they're still locked out from their own servers."

Meanwhile, AntiSec Tuesday also announced that it had hacked the Delaware Correctional Officer's Forum website. It remained offline Wednesday.

In the wake of the apparent LulzSec takedown, what's next for Anonymous and its affiliates? "Anyone who trusted Sabu is going to be in a panic right now," Jennifer Emick, a former member of Anonymous who began working against it after it switched to attacking the U.S. government, told Reuters. "Hard drives are being deleted."

But although federal authorities might have arrested the alleged core members of LulzSec, other hacktivists appear to still be operating with abandon, and security experts have said that aside from the threat of being arrested, there's little to stop them from doing so.

In its Panda-delivered missive, for example, AntiSec sounded brazen, giving a shout-out to LulzSec and "Antisec fallen friends," taunting the FBI and other law enforcement organizations--"come at us bros ... we are waiting for you"--and including a somewhat poignant reference to Sabu, who authorities said had helped to put away five other hackers after he turned informant in June 2011. "As usually happens FBI menaced him to take his sons away we understand, but we were your family too (remember what you liked to say?). It's sad and we cant imagine how it feels having to look at the mirror each morning and see there the guy who shopped their friends to police," read the website defacement.

Accordingly, despite the LulzSec arrests, "the barrier to entry for imitators and at-large members of these groups to research, surveil and carry out attacks against cyber targets remains unacceptably low," said Nick Selby, managing director of TRM Partners, on his Police-Led Intelligence blog.

"While this may be the end or a serious blow to the LulzSec crowd, groups of hackers intent on causing damage pre-date and will certainly post-date these events. Don't bet that attacks will stop"--or that many website and database administrators will take the time to properly lock down their systems, which would block these types of attacks.

Until that happens, expect ongoing hacktivist attacks, as well as efforts by law enforcement agencies to corral the worst offenders. Notably, authorities have said that Sabu isn't the only member of Anonymous who's turned informer.


User Rank: Ninja
3/15/2012 | 1:59:02 AM
re: What's Next For Anonymous After Sabu Arrest?
@readers: Do you think this will serve as a deterrent for some of the people who are not the core people orchestrating hacks but still participate in some of the DDoS attacks?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
User Rank: Apprentice
3/7/2012 | 10:59:44 PM
re: What's Next For Anonymous After Sabu Arrest?
Unless you acquiesce to living in a totalitarian society, the actions of groups like Anonymous are imperative. The government is as fallible as the systems we have created. Anonymous may not be "right," but they are "necessary" for society to continue to evolve.

Sabu is simply a disgrace.