Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/29/2013
04:13 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

No Proof Of Malware In New York Times DNS Hijacking Attack

No evidence thus far to confirm that the Syrian Electronic Army embedded malware on redirected Web pages, but investigation continues

Dropping malware isn't the usual M.O. for the Syrian Electronic Army (SEA): The pro-Assad hacktivist group is best-known for loudly spreading its message -- or even fake news -- via hijacked high-profile websites and Twitter accounts of media and other organizations, not for amassing bots or infecting machines. So when some security experts yesterday reported that malware may have been embedded in the Web pages the attackers redirected The New York Times website to, it signaled a possible shift in strategy by the group.

There is still no official confirmation yet whether the pages were infected, but security researchers at OpenDNS and AlienVault Labs say they did not see malware on the pages SEA used to redirect The New York Times' website traffic. The New York Times, meanwhile, has not yet ruled it out: In an email response today asking whether the newspaper could confirm that malware was present, a spokesperson said: "At this point, we are still investigating."

[The Syrian Electronic Army (SEA)'s hijacking of the Internet domains of The New York Times, two Twitter services, and The Huffington Post's U.K. site initially set off alarm bells over a potential domain-name system (DNS) security meltdown, but it appears the method and mission were much more simple and straightforward. See Syrian Electronic Army Strikes Again In 'Modern-Day Defacement.']

Matthew Prince, co-founder and CEO of CloudFlare, says there was some initial confusion yesterday as security experts worked via teleconference to investigate the attacks. The IP addresses used by SEA in the redirects were ones that were notorious for malware, which led to a misunderstanding that there was definitely malware on the pages. Prince and others on the call initially understood that OpenDNS had seen malware on the pages, which he clarified in an update late yesterday to his blog post detailing the genesis of the attacks.

It turned out that no one on the call had actually scanned for malware on the pages, so Prince says he updated his post to reflect the lack of malware evidence at this point. "There'd been malware on those IPs before, [but I'm] not sure whether there was at the time," Prince says.

As his updated post explains: "Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered the site to which the NYTimes.com site was redirected was in internet space (the IP addresses) full of phishing and possible malware, although no malware distribution was witnessed. (Earlier, this read: "...discovered what appeared to be malware on the site to which the NYTimes.com site was redirected." The confusion was that the IP range contained malware and phishing according to scans run by OpenDNS. I misinterpreted that to mean that there was malware on the site itself.)"

Now that the dust has settled, security experts are more skeptical that the SEA used malware in the attacks.

"It seems like serving malware would be counter to their message," says HD Moore, chief research officer at Rapid7 and creator of Metasploit. Moore says he had heard malware was present, and he had seen a screenshot of the page, but had no evidence or logs to confirm it was serving up malware.

Adam Meyers, director of intelligence with CrowdStrike, says he has yet to see any evidence of malware. "I have yet to see a single hash or even a copy of the malware, so I'm unable to verify it," he says. Delivering malware would have been uncharacteristic of the SEA, he says, which is better know for its defacements, pro-Assad messaging, and "rabble-rousing," such as when it recently hacked the AP's Twitter account and posted a phony tweet that the White House had been bombed.

Another researcher, Paul Ferguson, doesn't believe that the redirected New York Times pages were infected with malware. "It could have been a lot worse if that had been the case ... we've seen that happen before in domain hijackings," says Ferguson, who is vice president of threat intelligence for Internet Identity.

The SEA sent a spearphishing email that duped a U.S. reseller of domain registrar Melbourne IT, which hosts The New York Times and many other high-profile domains, and gained the hacktivist group credentials to alter the newspaper's DNS records and redirect traffic to its own servers for several hours Tuesday evening.

Meanwhile, Melbourne IT today responded to a press inquiry for more details on the attack. "Staff of an overseas-based reseller unwittingly responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords, which was used to access the reseller’s account on Melbourne IT systems. This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict," a spokesperson said in a email statement.

Bruce Tonkin, chief strategy officer for Melbourne IT, said in an email response today that the attackers logged into a reseller account at Melbourne IT to change the DNS name server records of nytimes.com and twimg.com, Twitter's image domain. The attacker also obtained credentials that allowed him or her to log into the reseller account directly via the .co.uk registry, leading to the huffingtonpost.co.uk and twitter.co.uk DNS record compromises, Tonkin says. "We didn't have a record of this on our systems, but the .co.uk registry was able to confirm the changes were made at the registry. Reseller staff did use our systems to restore the names at the .co.uk registry."

[UPDATE 8/30/13 6:40AM ET]: Tonkin also says his firm is unaware of any malware used to obtain its reseller staff's credentials, nor on the redirected pages used in the attack on media sites. But "our focus was on shutting down the attack, and not on analyzing the characteristics of the destination," he says.

"In my view, the sites the news readers visited were probably not configured for high traffic loads, and thus downloading malware wouldn't have been the objective of the hackers. Of course, the computers hosting the bad content could be used in other scenarios to download malware," Tonkin says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
8/30/2013 | 9:18:46 PM
re: No Proof Of Malware In New York Times DNS Hijacking Attack
Any speculation on why malware isn't a part of SEA's modus operandi?
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...