
Bank Attackers Used PHP Websites As Launch Pads

WordPress sites with an outdated TimThumb plug-in were among the PHP-based sites the attackers used to launch this fall's massive DDoS attacks, reports Arbor Networks.

The group that began targeting U.S. bank websites in September launched their large-scale, distributed denial-of-service (DDoS) attacks via a number of PHP-based websites that they'd previously exploited.

That finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads.

"Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools," according to a blog post by Dan Holden and Curt Wilson, who are part of the security engineering and response team at Arbor Networks.


After compromising the PHP-based websites and loading their attack toolkits, the bank attackers then either connected directly to the sites to issue commands, or else used intermediate servers, proxies or scripts. The particular attack tool that was most used by attackers, according to Arbor, was the "itsoknoproblembro" toolkit, which is also known as Brobot. Two other tools, KamiKaze and AMOS, were also used, but less frequently.

Those tools enabled attackers to launch "a mix of application layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols," said Holden and Wilson. "The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, to multiple companies in the same vertical."

The scale of those DDoS attacks disrupted the websites of leading Wall Street firms, including Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. That was despite the attackers previewing which sites would be attacked, as well as the date and time their attacks would commence.

In late October, after more than a month of bank website attacks, the hacktivist group that claimed credit for the so-called Operation Ababil campaign promised a pause in its efforts. But the group broke its silence earlier this week, when it reemerged and promised to begin attacks this week against Bank of America, JPMorgan Chase, PNC Financial Services Group, SunTrust Banks and U.S. Bancorp.

Those attacks appeared to recommence Tuesday. A spokesman for PNC confirmed Thursday via email that the bank's website had been seeing "an unusual volume of electronic traffic at our Internet connection." But he declined to comment on whether that traffic had been caused by DDoS attacks.

According to Arbor, the new attacks "looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2," showing that attackers' techniques are continuing to evolve.

What lessons can businesses draw from the Arbor finding that the DDoS bank attackers are using vulnerable WordPress and PHP sites as staging grounds? For starters, businesses should keep an eye on their websites for signs of outdated or unsecured PHP applications -- and not just to help prevent DDoS attacks. Indeed, criminals often use exploited websites to launch attacks and store stolen information.

"WordPress enables these organizations to set up an infrastructure on the Internet that exacerbates the challenge of locating them," said Jim Butterworth, CSO of HBGary, speaking by phone. "They're using it as an opportunistic technique for lifting stolen information, more so than using WordPress as an attack vector."

The gang behind the Eurograbber attack campaign, for example, reportedly used Zitmo Trojan spyware to steal $47 million or more from over 30,000 corporate and private banking customers. Although the gang used command-and-control servers to manage PCs infected with its malware, it had also exploited PHP websites to create drop zones for storing stolen information, as well as for pushing additional attack code to infected PCs. Using drop zones -- as a kind of criminal Dropbox -- helps attackers better cover their tracks and evade security defenses.

Despite those criminal tactics, Butterworth said businesses shouldn't avoid using PHP-based applications such as WordPress. Instead, they should inventory which PHP applications are being used, log network traffic to reveal inbound PHP requests that expose would-be attackers probing for such applications, and ensure that the PHP applications remain hardened against the toolkits and vulnerabilities used to exploit them. "Locate, patch and watch. That's the advice," he said.
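The "locate, patch and watch" advice above, as an added example that is not from the article, from Arbor Networks or from HBGary: a Python script that reads web-server access-log lines and does two of the three things Butterworth describes. It builds an inventory of the PHP applications the server actually serves (requests matching known WordPress, TimThumb and Joomla path markers that returned a success status), and it flags clients that repeatedly request such paths but receive 404s, which is what an attacker probing for applications that are not installed looks like in the log. The sample log lines are constructed (documentation address ranges, no real traffic), and the marker table, the `analyze` function name and the threshold of three misses are my assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format, matched with a conservative regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Path fragments that identify the PHP applications the article names.
# Hypothetical marker table; extend it for whatever your site runs.
# Order matters: the more specific TimThumb marker is checked first.
APP_MARKERS = {
    "timthumb.php": "WordPress TimThumb",
    "/wp-content/": "WordPress",
    "/wp-login.php": "WordPress",
    "/wp-admin/": "WordPress",
    "/administrator/": "Joomla",
}

# Constructed sample log: one client probing for several PHP apps that are
# not installed (all 404), one legitimate WordPress login, one lone miss.
SAMPLE_LOG = """
203.0.113.7 - - [10/Dec/2012:14:02:11 +0000] "GET /wp-content/themes/foo/timthumb.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2012:14:02:12 +0000] "GET /wp-content/plugins/bar/timthumb.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2012:14:02:13 +0000] "GET /administrator/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2012:14:02:14 +0000] "GET /wp-admin/install.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Dec/2012:14:03:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Dec/2012:14:03:05 +0000] "POST /wp-login.php?redirect_to=%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2012:14:04:00 +0000] "GET /administrator/ HTTP/1.1" 404 209 "-" "python-requests/1.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify_app(path):
    """Map a request path to an application name via APP_MARKERS, else None."""
    for marker, app in APP_MARKERS.items():
        if marker in path:
            return app
    return None


def analyze(log_text, probe_threshold=3):
    """Locate served PHP apps and watch for clients probing for absent ones."""
    inventory = defaultdict(set)                 # app -> paths served (status < 400)
    misses = defaultdict(lambda: {"apps": set(), "misses": 0})  # ip -> 404 probes
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        app = classify_app(rec["path"])
        if app is None:
            continue
        if rec["status"] < 400:
            inventory[app].add(rec["path"])
        elif rec["status"] == 404:
            misses[rec["ip"]]["apps"].add(app)
            misses[rec["ip"]]["misses"] += 1
    probes = {
        ip: {"apps": sorted(p["apps"]), "misses": p["misses"]}
        for ip, p in misses.items() if p["misses"] >= probe_threshold
    }
    return {
        "inventory": {app: sorted(paths) for app, paths in inventory.items()},
        "probes": probes,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("PHP applications observed serving requests:")
    for app, paths in result["inventory"].items():
        print(f"  {app}: {', '.join(paths)}")
    print("Clients probing for PHP applications that are not installed:")
    for ip, info in result["probes"].items():
        print(f"  {ip}: {info['misses']} misses across {', '.join(info['apps'])}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the inventory side tells you what to patch, and the probe side is the "watch" signal worth alerting on, since a client walking through plugin and admin paths that do not exist on your server is not a user who mistyped a URL.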


Comments
SpamIsLame, User Rank: Apprentice
4/29/2013 | 9:35:17 PM
re: Bank Attackers Used PHP Websites As Launch Pads
I was recently brought in to investigate why a specific Unix web server was suddenly running this DDOS code. None of this appears to be documented anywhere. The results of my investigations so far are disappointing and troubling. There are a lot of really vulnerable servers out there being used for free by the criminal community at large.

The criminals behind this operation are placing code on very vulnerable, unsecured Unix servers running PHP. If that PHP server allows an "eval" command to be run that allows a script to perform high-level, near-root-level functions like shutting down logging and restarting the web server, they place a file on it that allows it to run ANY command it receives, using the "eval" function.

This is why there are a bunch of reports out there that talk about how the botnet is "learning" or "gaining new powers". It's a really wide-open, non-secure server that will run *any* command. It's not "learning". It's at the mercy of any idiot who knows how to send it a large sequence of commands to run.

SiL
MarkSitkowski, User Rank: Moderator
4/5/2013 | 4:58:18 AM
re: Bank Attackers Used PHP Websites As Launch Pads
Instead of waiting for your kernel to get overwhelmed with DNS replies for which it never asked, do this in your firewall:

block in on e1000g0 proto udp all
pass in on e1000g0 proto udp from our.dns.server1/32
pass in on e1000g0 proto udp from our.dns.server2/32
pass in on e1000g0 proto udp from any.xdmcp.box/32

The Unix kernel never sees any of that garbage, and the machine doesn't fall over.