Attackers Prey On Visitors To Leaked Documents Site

Hackers have used the Blackhole exploit toolkit to compromise the Cryptome.org document-leak website and infect thousands of visitors

Cryptome.org, a website known for publishing intelligence documents and leaked files, appears to have been compromised and infected with the Blackhole exploit kit, according to documents posted on the site.

Unknown attackers breached Cryptome.org on 8 February and installed the Blackhole exploit kit, Cryptome reported on 12 February. The infection was identified by a reader on 12 February. It’s not clear who may have been behind the attack, but Symantec appears to be investigating the incident.

Malicious script

Nearly all of Cryptome’s 6,000 pages in the main directory were altered to include the malicious PHP script that redirected site visitors to a third-party website, Cryptome said. Another 5,000 files in other subdirectories were also modified. It appears that the intruders managed to change the files without modifying the time stamp on the directory.

“Sneaky,” Cryptome said in its post.

Approximately 2,900 visitors are believed to have been redirected and compromised, according to an analysis of the logs. However, the logs did not show how access was gained through the Internet service provider.

A Cryptome reader analysed the malicious script and found that the attack script specifically avoided targeting IP addresses from Google to prevent the search engine from blacklisting the site.

Cryptome is a repository for tens of thousands of sensitive documents leaked from government agencies and the private sector, and this incident is not the first time Cryptome has been breached. The site was hit by a breach in 2010, shortly after posting documents critical of rival leak site WikiLeaks and its founder Julian Assange.

The Blackhole exploit kit is one of the most popular toolkits being used, according to a recent Security Labs report from M86 Security. Researchers analysed malicious URLs identified by the security firm between July and December 2011 and found that Blackhole was the source of about 95 percent of all the malicious links.

More than half the most common exploits in the last half of 2011 could be launched using Blackhole, including those targeting vulnerabilities in Adobe, Java and Microsoft products. Cyber-criminals are also constantly innovating to keep the toolkit up-to-date and effective with the latest exploits, according to M86.

Phoenix

Phoenix was considered to be the more popular toolkit, but that no longer appears to be the case. M86 researchers found that it infected only 1.3 percent of the links analysed in the second half of 2011. Blackhole’s surging popularity may be related to the fact that in 2011 the people behind the kit made the source code freely available for anyone to download and modify.

A commercial version of the kit sells for about $1,500 in the criminal underground.

Weak FTP credentials are generally the primary point of entry for attackers trying to inject code into websites, Stefan Tanase, a senior security researcher at Kaspersky Lab, said in a talk at the Kaspersky Lab Security Analyst Summit. If a website has been compromised, the first step is to change the FTP passwords.

Web administrators should also thoroughly check the source code of their files as well as all associated scripts to ensure that malicious code was not added, said Tanase.
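One way to carry out the file check Tanase recommends, as an added example that is not from the article or from any of the vendors it cites: an integrity check that compares every file's hash against a stored baseline rather than trusting timestamps, since the Cryptome intrusion shows file and directory timestamps can be left untouched. The web root, page contents and the injected marker string in the demo are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted.

    Files present in the baseline but absent now are 'removed'; files whose
    digest differs are 'modified'; anything not in the baseline is 'added'."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def demo():
    """Constructed scenario: a page is altered and its timestamps are put back.

    Returns (mtime_changed, flagged_by_hash) so the two signals can be compared."""
    with tempfile.TemporaryDirectory() as root:
        page = Path(root) / "index.html"  # constructed sample page
        page.write_text("<html><body>hello</body></html>")
        before = os.stat(page)
        baseline = build_manifest(root)  # taken while the site is known good
        # Simulated in-place edit using an inert placeholder, then the file's
        # own timestamps are restored. Rewriting a file in place never updates
        # the parent directory's mtime either, so timestamps prove nothing here.
        page.write_text(page.read_text() + "<!-- injected-placeholder -->")
        os.utime(page, ns=(before.st_atime_ns, before.st_mtime_ns))
        mtime_changed = os.stat(page).st_mtime_ns != before.st_mtime_ns
        added, modified, removed = diff_manifests(baseline, build_manifest(root))
        return mtime_changed, "index.html" in modified


if __name__ == "__main__":
    print(demo())  # (False, True): mtime unchanged, hash comparison still catches it
```

In practice the baseline manifest should be generated from a clean copy of the site and stored off the web server, so an intruder who can edit pages cannot also rewrite the manifest.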

Avast researchers in November reported that thousands of blogs hosted on WordPress.com had been compromised and infected with the Blackhole kit. Attackers used stolen or guessed FTP credentials to upload a malicious PHP file on to the server hosting the blogs, which then injected the malicious code into the files, according to Avast.

The attackers also exploited a known vulnerability in the TimThumb image resizing utility used by many of the blogs.

Many of the websites hosting Blackhole are often used to spread the Carberp Trojan to victims’ machines. Visitors redirected to the malicious website are hit by drive-by downloads that install Carberp, often by exploiting Java vulnerabilities, according to an analysis by ESET.