8/29/2013
04:13 PM

No Proof Of Malware In New York Times DNS Hijacking Attack

No evidence thus far to confirm that the Syrian Electronic Army embedded malware on redirected Web pages, but investigation continues

Dropping malware isn't the usual M.O. for the Syrian Electronic Army (SEA): The pro-Assad hacktivist group is best-known for loudly spreading its message -- or even fake news -- via hijacked high-profile websites and Twitter accounts of media and other organizations, not for amassing bots or infecting machines. So when some security experts yesterday reported that malware may have been embedded in the Web pages the attackers redirected The New York Times website to, it signaled a possible shift in strategy by the group.

There is still no official confirmation of whether the pages were serving malware, but security researchers at OpenDNS and AlienVault Labs say they did not see malware on the pages to which SEA redirected The New York Times' website traffic. The New York Times, meanwhile, has not yet ruled it out: In an email response today to a question about whether the newspaper could confirm that malware was present, a spokesperson said: "At this point, we are still investigating."

[The Syrian Electronic Army (SEA)'s hijacking of the Internet domains of The New York Times, two Twitter services, and The Huffington Post's U.K. site initially set off alarm bells over a potential domain-name system (DNS) security meltdown, but it appears the method and mission were much more simple and straightforward. See Syrian Electronic Army Strikes Again In 'Modern-Day Defacement.']

Matthew Prince, co-founder and CEO of CloudFlare, says there was some initial confusion yesterday as security experts worked via teleconference to investigate the attacks. The IP addresses to which SEA redirected traffic had a history of hosting malware, which led to the misunderstanding that the pages themselves were definitely serving malware. Prince and others on the call initially understood that OpenDNS had seen malware on the pages, a point he corrected in an update late yesterday to his blog post detailing the genesis of the attacks.

It turned out that no one on the call had actually scanned for malware on the pages, so Prince says he updated his post to reflect the lack of malware evidence at this point. "There'd been malware on those IPs before, [but I'm] not sure whether there was at the time," Prince says.

As his updated post explains: "Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered the site to which the NYTimes.com site was redirected was in internet space (the IP addresses) full of phishing and possible malware, although no malware distribution was witnessed. (Earlier, this read: "...discovered what appeared to be malware on the site to which the NYTimes.com site was redirected." The confusion was that the IP range contained malware and phishing according to scans run by OpenDNS. I misinterpreted that to mean that there was malware on the site itself.)"

Now that the dust has settled, security experts are more skeptical that the SEA used malware in the attacks.

"It seems like serving malware would be counter to their message," says HD Moore, chief research officer at Rapid7 and creator of Metasploit. Moore says he had heard malware was present, and he had seen a screenshot of the page, but had no evidence or logs to confirm it was serving up malware.

Adam Meyers, director of intelligence with CrowdStrike, says he has yet to see any evidence of malware. "I have yet to see a single hash or even a copy of the malware, so I'm unable to verify it," he says. Delivering malware would have been uncharacteristic of the SEA, he says, which is better known for its defacements, pro-Assad messaging, and "rabble-rousing," such as when it recently hacked the AP's Twitter account and posted a phony tweet that the White House had been bombed.

Another researcher, Paul Ferguson, doesn't believe that the redirected New York Times pages were infected with malware. "It could have been a lot worse if that had been the case ... we've seen that happen before in domain hijackings," says Ferguson, who is vice president of threat intelligence for Internet Identity.

The SEA sent a spearphishing email that duped a U.S. reseller of domain registrar Melbourne IT, which manages the domain registrations of The New York Times and many other high-profile organizations. The stolen credentials allowed the hacktivist group to alter the newspaper's DNS records and redirect its traffic to servers under SEA's control for several hours Tuesday evening.

Meanwhile, Melbourne IT today responded to a press inquiry for more details on the attack. "Staff of an overseas-based reseller unwittingly responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords, which was used to access the reseller’s account on Melbourne IT systems. This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict," a spokesperson said in an email statement.

Bruce Tonkin, chief strategy officer for Melbourne IT, said in an email response today that the attackers logged into a reseller account at Melbourne IT to change the DNS name server records of nytimes.com and twimg.com, Twitter's image domain. The attacker also obtained credentials that allowed him or her to log into the reseller account directly via the .co.uk registry, leading to the huffingtonpost.co.uk and twitter.co.uk DNS record compromises, Tonkin says. "We didn't have a record of this on our systems, but the .co.uk registry was able to confirm the changes were made at the registry. Reseller staff did use our systems to restore the names at the .co.uk registry."
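The attack Tonkin describes did not touch the victims' own DNS servers: it changed the name server (NS) records that the registrar publishes for the domain at the TLD registry, so every resolver was sent to the attacker's servers for the whole zone. A monitor that only queries its own recursive resolver, or only checks the zone at the original DNS provider, can miss that. The following is an added example and is not code from this article or from Melbourne IT, CloudFlare, OpenDNS, or any other company named here. It parses NS answers in `dig` presentation format as returned by the parent (TLD) servers, compares them with a known-good baseline, and classifies the result. The domain, nameserver names, and record lines are constructed sample data, and the `dig` invocation mentioned in the comments is assumed usage, not something the article shows.

```python
"""Detect a registrar-level change to a domain's DNS delegation.

Added example, not code from the article or from any company quoted in it.
The delegation has to be read from the parent (TLD) servers, because that
is where a registrar-side NS change appears; the zone at the original DNS
provider can remain untouched. All names and records below are constructed.
"""
import re
from typing import Dict, FrozenSet, Iterable, Tuple

# One answer-section line in dig presentation format, e.g.
#   example-news.com.   172800  IN  NS  ns1.good-dns.example.net.
_RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$"
)


def _canon(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def parse_ns_records(dig_output: str, domain: str) -> FrozenSet[str]:
    """Return the NS hostnames published for `domain` in dig-style output.

    Comment lines (';') and records for other names or types are ignored, so
    the output of `dig +noall +answer NS <domain> @<tld-server>` (assumed
    usage) can be fed in unchanged.
    """
    want = _canon(domain)
    found = set()
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR_LINE.match(line)
        if m is None or m.group("rtype") != "NS":
            continue
        if _canon(m.group("name")) != want:
            continue
        found.add(_canon(m.group("rdata")))
    return frozenset(found)


def diff_delegation(
    baseline: Iterable[str], observed: Iterable[str]
) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Return (added, removed) nameservers relative to the baseline."""
    base = frozenset(_canon(n) for n in baseline)
    obs = frozenset(_canon(n) for n in observed)
    return obs - base, base - obs


def assess_delegation(
    domain: str, baseline: Iterable[str], observed: Iterable[str]
) -> Dict[str, object]:
    """Classify the observed delegation for `domain`.

    'ok'       identical to the baseline
    'partial'  baseline servers remain beside unknown ones; resolvers will
               split queries between the two sets
    'replaced' every baseline server is gone; a third party answers for the
               whole zone, which is what a full traffic redirect looks like
    """
    added, removed = diff_delegation(baseline, observed)
    if not added and not removed:
        status = "ok"
    elif removed == frozenset(_canon(n) for n in baseline):
        status = "replaced"
    else:
        status = "partial"
    return {"domain": _canon(domain), "status": status,
            "added": sorted(added), "removed": sorted(removed)}


DOMAIN = "example-news.com"  # constructed

# Constructed baseline: what the parent zone published before the incident.
BASELINE_DIG = """\
; <<>> constructed sample, not a real query <<>>
example-news.com.   172800  IN  NS  ns1.good-dns.example.net.
example-news.com.   172800  IN  NS  ns2.good-dns.example.net.
"""

# Constructed snapshot taken during a hijack: the registrar now publishes
# nameservers the domain owner never authorised, plus an unrelated record.
HIJACKED_DIG = """\
example-news.com.   172800  IN  NS  ns1.attacker.example.org.
example-news.com.   172800  IN  NS  ns2.attacker.example.org.
other.example.      172800  IN  NS  ns1.good-dns.example.net.
"""


def check_snapshot(snapshot: str) -> Dict[str, object]:
    """Compare one parent-zone snapshot against the constructed baseline."""
    baseline = parse_ns_records(BASELINE_DIG, DOMAIN)
    return assess_delegation(DOMAIN, baseline, parse_ns_records(snapshot, DOMAIN))


if __name__ == "__main__":
    for label, snap in (("baseline", BASELINE_DIG), ("hijacked", HIJACKED_DIG)):
        print(label, check_snapshot(snap))
```

Run on the hijacked snapshot, `check_snapshot` reports status `replaced` with both attacker servers listed under `added` and both legitimate servers under `removed`. In practice the baseline should come from the registrar's own records at onboarding time, and the snapshot from an authoritative query to the TLD servers rather than a recursive resolver, whose cache can hide a change for the length of the old TTL.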

[UPDATE 8/30/13 6:40AM ET]: Tonkin also says his firm is unaware of any malware being used to obtain its reseller staff's credentials, or of any malware on the redirected pages used in the attack on media sites. But "our focus was on shutting down the attack, and not on analyzing the characteristics of the destination," he says.

"In my view, the sites the news readers visited were probably not configured for high traffic loads, and thus downloading malware wouldn't have been the objective of the hackers. Of course, the computers hosting the bad content could be used in other scenarios to download malware," Tonkin says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise, among others.

Comments
Drew Conry-Murray
8/30/2013 | 9:18:46 PM
re: No Proof Of Malware In New York Times DNS Hijacking Attack
Any speculation on why malware isn't a part of SEA's modus operandi?