8/29/2013
04:13 PM
No Proof Of Malware In New York Times DNS Hijacking Attack

No evidence thus far to confirm that the Syrian Electronic Army embedded malware on redirected Web pages, but investigation continues

Dropping malware isn't the usual M.O. for the Syrian Electronic Army (SEA): The pro-Assad hacktivist group is best-known for loudly spreading its message -- or even fake news -- via hijacked high-profile websites and Twitter accounts of media and other organizations, not for amassing bots or infecting machines. So when some security experts yesterday reported that malware may have been embedded in the Web pages the attackers redirected The New York Times website to, it signaled a possible shift in strategy by the group.

There is still no official confirmation of whether the pages were infected, but security researchers at OpenDNS and AlienVault Labs say they did not see malware on the pages to which SEA redirected The New York Times' website traffic. The New York Times, meanwhile, has not yet ruled it out: in response today to an email asking whether the newspaper could confirm that malware was present, a spokesperson said: "At this point, we are still investigating."

[The Syrian Electronic Army (SEA)'s hijacking of the Internet domains of The New York Times, two Twitter services, and The Huffington Post's U.K. site initially set off alarm bells over a potential domain-name system (DNS) security meltdown, but it appears the method and mission were much more simple and straightforward. See Syrian Electronic Army Strikes Again In 'Modern-Day Defacement.']

Matthew Prince, co-founder and CEO of CloudFlare, says there was some initial confusion yesterday as security experts worked via teleconference to investigate the attacks. The IP addresses used by SEA in the redirects were ones that were notorious for malware, which led to a misunderstanding that there was definitely malware on the pages. Prince and others on the call initially understood that OpenDNS had seen malware on the pages, which he clarified in an update late yesterday to his blog post detailing the genesis of the attacks.

It turned out that no one on the call had actually scanned for malware on the pages, so Prince says he updated his post to reflect the lack of malware evidence at this point. "There'd been malware on those IPs before, [but I'm] not sure whether there was at the time," Prince says.

As his updated post explains: "Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered the site to which the NYTimes.com site was redirected was in internet space (the IP addresses) full of phishing and possible malware, although no malware distribution was witnessed. (Earlier, this read: "...discovered what appeared to be malware on the site to which the NYTimes.com site was redirected." The confusion was that the IP range contained malware and phishing according to scans run by OpenDNS. I misinterpreted that to mean that there was malware on the site itself.)"

Now that the dust has settled, security experts are more skeptical that the SEA used malware in the attacks.

"It seems like serving malware would be counter to their message," says HD Moore, chief research officer at Rapid7 and creator of Metasploit. Moore says he had heard malware was present, and he had seen a screenshot of the page, but had no evidence or logs to confirm it was serving up malware.

Adam Meyers, director of intelligence with CrowdStrike, says he has yet to see any evidence of malware. "I have yet to see a single hash or even a copy of the malware, so I'm unable to verify it," he says. Delivering malware would have been uncharacteristic of the SEA, he says, which is better known for its defacements, pro-Assad messaging, and "rabble-rousing," such as when it recently hacked the AP's Twitter account and posted a phony tweet that the White House had been bombed.

Another researcher, Paul Ferguson, doesn't believe that the redirected New York Times pages were infected with malware. "It could have been a lot worse if that had been the case ... we've seen that happen before in domain hijackings," says Ferguson, who is vice president of threat intelligence for Internet Identity.

The SEA sent a spearphishing email that duped a U.S. reseller of domain registrar Melbourne IT, which manages The New York Times' domain and many other high-profile domains. The stolen credentials let the hacktivist group alter the newspaper's DNS records and redirect traffic to its own servers for several hours Tuesday evening.

Meanwhile, Melbourne IT today responded to a press inquiry for more details on the attack. "Staff of an overseas-based reseller unwittingly responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords, which was used to access the reseller's account on Melbourne IT systems. This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict," a spokesperson said in an email statement.

Bruce Tonkin, chief strategy officer for Melbourne IT, said in an email response today that the attackers logged into a reseller account at Melbourne IT to change the DNS name server records of nytimes.com and twimg.com, Twitter's image domain. The attacker also obtained credentials that allowed him or her to log into the reseller account directly via the .co.uk registry, leading to the huffingtonpost.co.uk and twitter.co.uk DNS record compromises, Tonkin says. "We didn't have a record of this on our systems, but the .co.uk registry was able to confirm the changes were made at the registry. Reseller staff did use our systems to restore the names at the .co.uk registry."
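The attack chain above is a registrar-level hijack: the name-server (NS) delegation of nytimes.com and twimg.com was rewritten with stolen reseller credentials, so every resolver on the Internet was steered to attacker-controlled servers, and the question of whether those servers dropped malware came only afterwards. The check a zone owner can run continuously is simpler than scanning the destination: does the observed delegation, and the address the site now resolves to, still match a published baseline? The following is an added example written for this article, not code from Dark Reading, Melbourne IT, CloudFlare or OpenDNS. The domain names are the ones discussed in the article; the NS hostnames, the "expected" network, the observed addresses and the blocklist are constructed sample data (RFC 5737 documentation ranges), as the comments state. It also separates a reputation hit on an IP from actual evidence of malware distribution, which is precisely the distinction the conference call described above got wrong.

```python
"""Registrar-level DNS hijack check (added example; constructed data).

Compares what a resolver observed for a domain against the zone owner's
own baseline and reports (1) changed NS delegation, (2) A records outside
the expected networks, (3) IP reputation hits, labelled as reputation only.
Hostnames other than the article's domains, all addresses and the
blocklist are hypothetical.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What the zone owner expects: NS hostnames and the networks the
    web front ends live in.  Values here are hypothetical."""
    ns: frozenset[str]
    allowed_nets: tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, ...]


@dataclass(frozen=True)
class Snapshot:
    """What a resolver observed for one domain at one point in time."""
    domain: str
    ns: frozenset[str]
    a_records: tuple[str, ...]


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot too."""
    return name.rstrip(".").lower()


def check_delegation(observed, expected):
    """Return (added, removed) NS names relative to the baseline."""
    obs = {normalize(n) for n in observed}
    exp = {normalize(n) for n in expected}
    return sorted(obs - exp), sorted(exp - obs)


def check_addresses(a_records, allowed_nets):
    """Return the A/AAAA records that fall outside the expected networks."""
    stray = []
    for ip in a_records:
        addr = ipaddress.ip_address(ip)
        # 'in' returns False (no error) across address families.
        if not any(addr in net for net in allowed_nets):
            stray.append(ip)
    return stray


def assess(snapshot, baseline, blocklist=frozenset()):
    """Produce ordered findings; an empty list means consistent with baseline."""
    findings = []
    added, removed = check_delegation(snapshot.ns, baseline.ns)
    if added or removed:
        findings.append(("NS_DELEGATION_CHANGED",
                         {"added": added, "removed": removed}))
    stray = check_addresses(snapshot.a_records, baseline.allowed_nets)
    if stray:
        findings.append(("A_RECORD_OUTSIDE_BASELINE", {"addresses": stray}))
    hits = sorted(ip for ip in snapshot.a_records if ip in blocklist)
    if hits:
        # A listed IP is a reputation signal about the address space, not
        # proof that this page served malware; that needs a fetch and scan.
        findings.append(("IP_REPUTATION_HIT",
                         {"addresses": hits,
                          "note": "reputation only; no malware distribution observed"}))
    return findings


# --- constructed sample data ---------------------------------------------
BASELINE = Baseline(
    ns=frozenset({"ns1.example-dns.net.", "ns2.example-dns.net."}),   # hypothetical
    allowed_nets=(ipaddress.ip_network("192.0.2.0/24"),),               # hypothetical
)
CLEAN = Snapshot("nytimes.com",
                 frozenset({"ns1.example-dns.net", "NS2.example-dns.net."}),
                 ("192.0.2.10", "192.0.2.11"))
HIJACKED = Snapshot("nytimes.com",
                    frozenset({"ns1.attacker-example.net", "ns2.attacker-example.net"}),
                    ("203.0.113.7",))
BLOCKLIST = frozenset({"203.0.113.7"})   # hypothetical reputation feed entry


if __name__ == "__main__":
    for snap in (CLEAN, HIJACKED):
        print(snap.domain, snap.a_records, assess(snap, BASELINE, BLOCKLIST))
```

Run against live data, the snapshot would be filled from the parent zone's NS answer (the registry view, which is where the reseller change lands) rather than from the child's own servers, since an attacker who controls the delegation also controls what the new name servers say about themselves.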

[UPDATE 8/30/13 6:40AM ET]: Tonkin also says his firm is unaware of any malware used to obtain its reseller staff's credentials, nor on the redirected pages used in the attack on media sites. But "our focus was on shutting down the attack, and not on analyzing the characteristics of the destination," he says.

"In my view, the sites the news readers visited were probably not configured for high traffic loads, and thus downloading malware wouldn't have been the objective of the hackers. Of course, the computers hosting the bad content could be used in other scenarios to download malware," Tonkin says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Drew Conry-Murray, User Rank: Ninja, 8/30/2013 | 9:18:46 PM
re: No Proof Of Malware In New York Times DNS Hijacking Attack
Any speculation on why malware isn't a part of SEA's modus operandi?