Attacks/Breaches
5/7/2013 06:21 PM

'OpUSA' Hacktivist Attacks Fall Short

Anonymous groups wage ad hoc defacements and data dumps against a few lesser-known sites, not the planned attacks on major U.S. government agencies and banks

Hacktivist groups under the Anonymous umbrella had warned they would take down major U.S. government and financial websites today in what they dubbed the OpUSA hacking campaign. But in the end, it was just a few defacements of lesser-known websites and seemingly random dumps of personal information online.

As of this posting, there were no reports of major site disruptions or distributed denial-of-service (DDoS) attacks. According to Radware's Emergency Response Team, which kept a running report on the attacks updated on its website today, there were at least a handful of victims, including the website of a small community bank in Arkansas, which was defaced, and a database dump of users of the Bloodbanker.com website. Yesterday, the website of the Embassy of Cape Verde in the U.S. was defaced, and a few other isolated incidents took place today in the name of OpUSA, including a dump of 10,000 allegedly stolen Visa card accounts.

[Hacktivist groups plan denial-of-service attacks on banks, government sites. See Anonymous, LulzSec, OpUSA Plan Broad Attacks On Government Agencies, Banks On Tuesday.]

The seemingly disjointed campaign reflects the evolving state of hacktivism and of Anonymous, which is not one group with a common agenda, security experts say, and possibly a lack of resources to pull off the effort. Most striking about the absence of shock and awe in today's campaign was that it registered less hacktivist activity than when the Izz ad-Din al-Qassam Cyber Fighters were actively and successfully waging DDoS attacks on major financial institutions, notes Carl Herberger, vice president of security solutions for Radware. The Cyber Fighters went dark for a few days in deference to OpUSA and to avoid any confusion about the two groups' different motivations.

"When the Izz ad-Din al-Qassam Cyber Fighters decided to take a pass this week ... the level of attack activity dropped," Herberger says. "Our devices are under less load today than when [the Cyber Fighters were in action] last week."

The Cyber Fighters have more firepower and are more organized than the groups behind OpUSA appear to be, he says.

"There were some [OpUSA] attacks, and they were pedestrian in nature relative to what we've become used to and humbled with operations by [the Cyber Fighters]," he says. "The tools and techniques here were reminiscent of attacks 18 to 24 months ago."

Anonymous, operating under the banners of N4m3le55 Cr3w, AnonGhost, and other groups, said May 7 would be day one of the operation, which is apparently a protest of U.S. policies on Iraq, Afghanistan, and Pakistan. "You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs. Greetings to Anonghost, Mauritania hackers, Ajax team, Muslim liberation army, ZHC, antisec, lulzsec, Redhat, team poison reborn and any other hackers joining operation USA," the attackers said in a post.

Among the list of U.S. government takedown targets were the websites of the Defense Department, NSA, the FBI, and the White House. Some 130 banks and credit unions were also listed, including Bank of America, Chase, Citibank, SunTrust, Wells Fargo, and nearly all major banks. None of the targets reported a DDoS attack as of this posting.

In a new Pastebin post this afternoon, the AnonGhost team listed what it called successful OpUSA hacks today, including more than 100,000 email accounts, 60 U.S. websites, 5,000 U.S. Facebook accounts, and an "agent from the U.S. House of Representatives," but it was unclear whether any of these claims had been confirmed.

So why did the OpUSA DDoS operation fizzle? Sorin Mustaca, a security expert for Avira, says the attackers would need heavy botnet backing to wage the massive DDoS attacks they had promised. "You would have to have a very serious botnet at your disposal, which is not that complicated these days. If you don't own it, you have to pay for it," he says. "Then who is going to pay for those expenses? Why I don't really think anything is going to happen [today] is I'm not aware of any major botnets being online and used remotely" for this, he says.

Mustaca says one explanation could be that the hacktivists ultimately were looking to get hired for their services. "They might create the market so they could get paid," he says. "Somebody has to pay for" the botnet and other resources, he says, so they were attempting to demonstrate their capabilities.

Radware's Herberger says it's more of an indication of how different the OpUSA hacktivists are from the Izz ad-Din al-Qassam Cyber Fighters. OpUSA was only successful thus far at defacing a few small banks, he says. "The Cyber Fighters have the attribute of offensive cyberwar," he says. "These guys here are not clearly organized or skilled and don't have the choreography."

Even so, Herberger says he knows of at least two major U.S. investment banks that, while not attacked today, experienced attack attempts last week. "It looked like they were testing [attack] tools and techniques" on the banks, he says.

Either way, experts say, any attack threat should be taken seriously. "We should take all of these things very seriously and be glad when nothing happens," Herberger says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
