
Attackers Prey On Visitors To Leaked Documents Site

Cryptome.org, a website known for publishing intelligence documents and leaked files, appears to have been compromised and infected with the Blackhole exploit kit, according to documents posted on the site.

Unknown attackers breached Cryptome.org on 8 February and installed the Blackhole exploit kit, Cryptome reported on 12 February. The infection was identified by a reader on 12 February. It’s not clear who may have been behind the attack, but Symantec appears to be investigating the incident.

Malicious script

Nearly all of Cryptome’s 6,000 pages in the main directory were altered to include the malicious PHP script that redirected site visitors to a third-party website, Cryptome said. Another 5,000 files in other subdirectories were also modified. It appears that the intruders managed to change the files without modifying the time stamp on the directory.

“Sneaky,” Cryptome said on its post.

Approximately 2,900 visitors are believed to have been redirected and compromised, according to an analysis of the logs. However, the logs did not show how the attackers gained access through the site’s Internet service provider.

A Cryptome reader analysed the malicious script and found that the attack script specifically avoided targeting IP addresses from Google to prevent the search engine from blacklisting the site.

Cryptome is a repository for tens of thousands of sensitive documents leaked from government agencies and the private sector, and this incident is not the first time Cryptome has been breached. The site was hit by a breach in 2010, shortly after posting documents critical of rival leak site WikiLeaks and its founder Julian Assange.

The Blackhole exploit kit is one of the most popular toolkits being used, according to a recent Security Labs report from M86 Security. Researchers analysed malicious URLs identified by the security firm between July and December 2011 and found that Blackhole was the source of about 95 percent of all the malicious links.

More than half the most common exploits in the last half of 2011 could be launched using Blackhole, including those targeting vulnerabilities in Adobe, Java and Microsoft products. Cyber-criminals are also constantly innovating to keep the toolkit up-to-date and effective with the latest exploits, according to M86.

Phoenix

Phoenix was considered to be the more popular toolkit, but that no longer appears to be the case. M86 researchers found it accounted for only 1.3 percent of the links analysed in the second half of 2011. Blackhole’s surging popularity might have to do with the fact that in 2011, the people behind the kit made the source code freely available for anyone to download and modify.

A commercial version of the kit sells for about $1,500 in the criminal underground.

Weak FTP credentials are generally the primary point of entry for attackers trying to inject code into websites, Stefan Tanase, a senior security researcher at Kaspersky Lab, said in a talk at the Kaspersky Lab Security Analyst Summit. If a website has been compromised, the first step is to change the FTP passwords.

Web administrators should also thoroughly check the source code of their files as well as all associated scripts to ensure that malicious code was not added, said Tanase.
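The check Tanase describes, written out as an added example that is not part of the article or of any vendor’s tooling: a Python script that hashes a known-clean web root into a baseline, later reports files whose content has changed (comparing hashes rather than timestamps, since the Cryptome intruders are said to have left the directory time stamp untouched), and, where no baseline exists, greps for a handful of injection signatures. The signature list, the two-file sample tree and the simulated injection are constructed for illustration; the article does not reproduce the script found on Cryptome, so nothing here is derived from it.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Signatures typical of injected loaders (constructed for illustration; the article
# does not reproduce the Cryptome script, so these are not its signatures).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"<iframe[^>]+(?:width|height)\s*=\s*[\"']?0[\"']?", re.I),
    re.compile(rb"preg_replace\s*\([^,]*/e[\"']"),
    re.compile(rb"document\.write\s*\(\s*unescape\s*\("),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> SHA-256 for every file under root.
    Run once on a known-clean deployment and keep the result off the web server."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_baseline(root, baseline):
    """Return (modified, added, removed). Only content hashes are compared, so a file
    rewritten with its original mtime put back is still reported as modified."""
    current = build_baseline(root)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def scan_for_injections(root):
    """Return {relative path: [matching pattern strings]} for files hitting any signature.
    Useful when no baseline exists; expect false positives on minified legitimate JS."""
    root = Path(root)
    hits = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        matched = [pat.pattern.decode() for pat in SUSPICIOUS_PATTERNS if pat.search(data)]
        if matched:
            hits[p.relative_to(root).as_posix()] = matched
    return hits


def demo():
    """Constructed walk-through: baseline a two-file tree, then simulate an injected
    hidden iframe whose file mtime is restored afterwards, as the article describes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "index.html").write_text("<html><body>Index</body></html>\n")
        target = root / "docs" / "file1.htm"
        target.write_text("<html><body>Document 1</body></html>\n")
        baseline = build_baseline(root)

        before = target.stat()
        target.write_bytes(target.read_bytes()
                           + b'<iframe src="http://example.invalid/" width=0 height=0></iframe>\n')
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))  # mtime looks untouched

        modified, added, removed = diff_against_baseline(root, baseline)
        return {
            "mtime_unchanged": target.stat().st_mtime_ns == before.st_mtime_ns,
            "modified": modified,
            "added": added,
            "removed": removed,
            "pattern_hits": scan_for_injections(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline should be generated from the deployment artefact (the tarball or repository checkout), not from the live server, and stored somewhere the FTP account cannot reach; otherwise an intruder with the same credentials can simply regenerate it. On a machine already suspected to be compromised, `ls -lc` (change time, which a plain `utime` call cannot reset) is a useful cross-check alongside the hash comparison.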

Avast researchers in November reported that thousands of blogs hosted on WordPress.com had been compromised and infected with the Blackhole kit. Attackers used stolen or guessed FTP credentials to upload a malicious PHP file onto the server hosting the blogs, which then injected the malicious code into the files, according to Avast.

The attackers also exploited a known vulnerability in the TimThumb image resizing utility used by many of the blogs.

Many of the websites hosting Blackhole are used to spread the Carberp Trojan to victims’ machines. Visitors redirected to the malicious website are hit by drive-by downloads that install Carberp, often by exploiting Java vulnerabilities, according to an analysis by ESET.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

