Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Syrian Electronic Army Returns, Smacks Down Tango

Pro-Assad hacktivists steal Tango chat app's user details and deletes related article from Daily Dot media site despite its knowledge of imminent attack.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The Syrian Electronic Army (SEA), a band of hackers loyal to Syrian president Bashar al-Assad, claims to have stolen a database filled with details for users of the Tango video and voice chat app.

According to a "Tango app website/databases hacked" notice posted to the SEA's site Friday, the group said it obtained "more than 1.5 TB of the daily-backups of the servers [sic] network," as well as four databases containing "millions of the app users phone numbers and contacts and their emails."

"Much of the information in the databases that were downloaded will be delivered to the Syrian government," the group promised.

[ Beware suspect emails. Read Phishing Attackers Diversify, Target Facebook Credentials. ]

Software developer Tango confirmed Saturday that its systems had been breached, although it didn't name SEA as the culprit. "Tango experienced a cyber intrusion that resulted in unauthorized access to some data. We are working on increasing our security systems," read a Saturday tweet from Tango's official Twitter account. "We sincerely apologize for any inconvenience this breach may have caused our members."

Tango's app, which offers free calls for users, is similar to Skype and WhatsApp, and works on Android, iOS and Windows Phone devices, as well as Windows and Mac OS X. Launched in 2009, the app now counts over 120 million users across 210 countries, and works in 39 languages.

In the wake of the breach, Tango reportedly took its website offline and redirected users to its Facebook page. As of Tuesday, its website was again working, but made no mention of the data breach.

The SEA appeared to have gained access to Tango's systems by exploiting a vulnerability in an outdated version of its WordPress content management system, reported E Hacking News, which both broke the story and then proceeded to give Tango related information security tips. Although the current version of WordPress is 3.5.2 -- and was released last month -- according to a screenshot published by the SEA, Tango was using version 3.2.1 of the software, which was released back in July 2011.

But the SEA didn't stop there. Following the attacks, news site The Daily Dot published a story about the Tango hack Monday, illustrating it with a caricature of Assad from political caricaturist "DonkeyHotey". The SEA took offense at the image and sounded a related warning to The Daily Dot. "Dear @dailydot, please remove the attached picture in this article ... or we will do something you will not like it," the group tweeted Monday.

When the publication declined to comply, the SEA apparently seized control of at least one staffer's Gmail account, then used those credentials to access the publication's online control panel and excise the offending article, including the image. "This time we deleted that article, the second time we will delete all your website," the hackers tweeted Tuesday.

The SEA also leaked a series of Gmail messages between the publications' staffers, asking what should be done about a threat that "came from a smaller Twitter account." In reply, a reporter reminded staffers "to not use your work username/password on a shady-looking site," saying they needed to safeguard their Gmail credentials. "Fortunately, we've been covering the SEA, and we know their usual tactics. It's really, really basic," said the reporter.

Basic or no, at least one staffer apparently fell for an SEA phishing attack. Tuesday, the SEA posted a picture of what it said was "the stupid @dailydot administration panel," but blamed the publication for forcing its hand. "We said 'please' it's your fault," tweeted the hackers.

The SEA has regularly attacked news outlets that it sees as espousing a negative view of the current Syrian regime, which is led by President Bashar al-Assad and the Ba'ath Party. The group's typical modus operandi involves seizing a target's Twitter feeds and using them to broadcast hoax posts. Targets have ranged from the Guardian and BBC to the AP and satire site The Onion.

To date, Syria's two-year civil war has claimed an estimated 93,000 lives.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-35419
PUBLISHED: 2021-04-14
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
CVE-2021-28060
PUBLISHED: 2021-04-14
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
CVE-2021-28825
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with l...
CVE-2021-28826
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker wi...
CVE-2021-28855
PUBLISHED: 2021-04-14
In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c).