Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Anonymous Steps Into Gaza Crisis

Website defacing and Anonymous DDoS campaign pale next to ongoing cyberattacks apparently launched from Iran and Palestine, security experts say.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
As the Gaza crisis has escalated, so has the response from hackers.

After Israel began air strikes in the Gaza strip last Wednesday, Anonymous launched of Operation Israel (OpIsrael), which involves distributed denial-of-service (DDoS) attacks against Israeli government and business websites. By Tuesday, Israeli officials said they'd seen 44 million hacking attempts launched at government websites.

Beyond the DDoS attacks, multiple hacking groups have been practicing the digital equivalent of spray painting graffiti messages on walls, by defacing numerous Israeli websites, including the Facebook page of Israeli prime minister Silvan Shalom, which they recently customized with a "free Palestine" slogan. A group called the Z Company Hacking Crew claimed credit for the Facebook defacement, as well as taking over Shalom's Twitter, YouTube, and Blogspot accounts. "This hack is a team work. There were many members involved who were simultaneously handling different social media," read a Wednesday post to the group's Twitter feed.

The Z Company Hacking Crew disputed news reports that any element of Anonymous had participated in its attacks, saying via Twitter: "Please dont (sic) associate us with any one else. We are not hamas we are not anonymous." The group Wednesday promised to publish information it had stolen from Shalom, including "his contacts, docs, and some other interesting stuff."

Meanwhile, a hacker claiming to be "Zombie_KsA," the founder of the Pakistani PAKbugs black hat community, took credit for defacing the Israeli websites of BBC, Coca-Cola and Intel, as well as several websites managed by Microsoft. A Microsoft spokesman told Softpedia that it didn't appear that any customer data had been compromised as a result of the attacks.

But after the attacks, someone claiming to be the real Zombie_KsA said he wasn't behind the defacements, which he blamed on script kiddies who used his name. To try and clear his name, Zombie_KsA published an analysis of the attacks, on the PAKbugs website, noting it took him only five minutes to retrace the vulnerabilities the attackers had used to gain access to the website of an Israeli domain name registrar, Galcomm, which Microsoft and the other companies apparently used to register their domain names.

According to Zombie_KsA, attackers most likely didn't directly deface the targeted websites, but rather used a SQL injection attack -- via Havij or another automated attack tool--against the Galcomm site, then accessed the targeted companies' Galcomm accounts, altered the domain name settings for each site, then uploaded their website defacements.

"For security reasons we are not disclosing exact injectable links, and we have informed [the] right authorities about vulnerability," said Zombie_KsA, who also criticized the state of Galcomm's website, saying it had been "poorly coded in .NET."

Despite the uptick in DDoS attacks and website attacks being launched at Israeli government websites and businesses over the past week, security experts said the damage still pales in comparison to the malware-driven online espionage campaign that's been targeting Israel for the past year. Earlier this month, researchers at security firm Norman reported that for more than a year, a group of attackers has been using the xTreme remote access Trojan (RAT) to attack first targets in Palestine, and then Israel, using phishing emails referring to current news events.

"The attacker is unknown at this point, but the purpose is assumed to be espionage/surveillance," said Snorre Fagerland, principal security researcher at Norman, in a related report. "These attacks have been ongoing for at least a year."

The related attacks and resulting malware infections recently led Israeli authorities to take Israeli police computers offline, as well as to ban the use of removable media, through which the malicious backdoor software used by the attackers was apparently able to spread.

As with most types of cyber espionage, clearly identifying who launched or sponsored the attacks remains difficult. "It is interesting that the operation apparently shifted over time from Palestinian target to Israeli target," said Fagerland in a blog post. "This can be due to changes in the political situation, or maybe the first half of the operation uncovered something that caused the target shift." While some analysts have suggested that Iran was behind the attacks, Fagerland refused to speculate.

But Aviv Raff, the chief technology officer of Seculert, said that the location of the command-and-control servers involved, as well as the content of the emails, showed that the attacks came from Palestine, reported The New York Times.

Download the new issue of Must Reads, a compendium of our best recent coverage on IT-as-a-service. It includes articles on cloud computing myths, how to build an IT service catalog, security problems, and more. (Free registration required.)

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
IngaTuMa
IngaTuMa,
User Rank: Apprentice
11/22/2012 | 2:52:03 AM
re: Anonymous Steps Into Gaza Crisis
The Host, The Country of Palestine is almost dead, because of the Parasite is taking over it since 1947, a parasite called Israel!
Jamil1
Jamil1,
User Rank: Apprentice
11/22/2012 | 2:29:52 AM
re: Anonymous Steps Into Gaza Crisis
There is no such country as Palestine. Please tell me where it is located, what the currency is, and what countries have ambassadors there.
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35953
PUBLISHED: 2022-08-12
BookWyrm is a social network for tracking your reading, talking about books, writing reviews, and discovering what to read next. Some links in BookWyrm may be vulnerable to tabnabbing, a form of phishing that gives attackers an opportunity to redirect a user to a malicious site. The issue was patche...
CVE-2022-35956
PUBLISHED: 2022-08-12
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgra...
CVE-2022-35943
PUBLISHED: 2022-08-12
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter ...
CVE-2022-2613
PUBLISHED: 2022-08-12
Use after free in Input in Google Chrome on Chrome OS prior to 104.0.5112.79 allowed a remote attacker who convinced a user to enage in specific user interactions to potentially exploit heap corruption via specific UI interactions.
CVE-2022-2614
PUBLISHED: 2022-08-12
Use after free in Sign-In Flow in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.