
Attackers Prey On Visitors To Leaked Documents Site

Cryptome.org, a website known for publishing intelligence documents and leaked files, appears to have been compromised and infected with the Blackhole exploit kit, according to documents posted on the site.

Unknown attackers breached Cryptome.org on 8 February and installed the Blackhole exploit kit, Cryptome reported on 12 February. The infection was identified by a reader on 12 February. It’s not clear who may have been behind the attack, but Symantec appears to be investigating the incident.

Malicious script

Nearly all of Cryptome’s 6,000 pages in the main directory were altered to include the malicious PHP script that redirected site visitors to a third-party website, Cryptome said. Another 5,000 files in other subdirectories were also modified. It appears that the intruders managed to change the files without modifying the time stamp on the directory.

“Sneaky,” Cryptome said on its post.

Approximately 2,900 visitors are believed to have been redirected and compromised, according to an analysis of the logs. However, the logs did not show how access was gained through the Internet service provider.

A Cryptome reader analysed the malicious script and found that the attack script specifically avoided targeting IP addresses from Google to prevent the search engine from blacklisting the site.

Cryptome is a repository for tens of thousands of sensitive documents leaked from government agencies and the private sector, and this incident is not the first time Cryptome has been breached. The site was hit by a breach in 2010, shortly after posting documents critical of rival leak site WikiLeaks and its founder Julian Assange.

The Blackhole exploit kit is one of the most popular toolkits being used, according to a recent Security Labs report from M86 Security. Researchers analysed malicious URLs identified by the security firm between July and December 2011 and found that Blackhole was the source of about 95 percent of all the malicious links.

More than half the most common exploits in the last half of 2011 could be launched using Blackhole, including those targeting vulnerabilities in Adobe, Java and Microsoft products. Cyber-criminals are also constantly innovating to keep the toolkit up-to-date and effective with the latest exploits, according to M86.

Phoenix

Phoenix was considered to be the more popular toolkit, but that no longer appears to be the case. M86 researchers discovered it infected only 1.3 percent of the links analysed in the second half of 2011. Blackhole’s surging popularity might have to do with the fact that in 2011, the people behind the kit made the source code freely available for anyone to download and modify.

A commercial version of the kit sells for about $1,500 in the criminal underground.

Weak FTP credentials are generally the primary point of entry for attackers trying to inject code into websites, Stefan Tanase, a senior security researcher at Kaspersky Lab, said in a talk at the Kaspersky Lab Security Analyst Summit. If a website has been compromised, the first step is to change the FTP passwords.

Web administrators should also thoroughly check the source code of their files as well as all associated scripts to ensure that malicious code was not added, said Tanase.
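One way to carry out the source check Tanase recommends, written as an added example rather than code from the article, Kaspersky Lab or Cryptome: hash every file against a known-good baseline and flag static pages that contain PHP tags or obfuscated loaders, since the article notes timestamps cannot be trusted after this kind of intrusion. The injection heuristics, the manifest layout and the `load_tree`/`audit_tree` names are assumptions for illustration.

```python
import hashlib
import os
import re

# Heuristics for script injected into pages that should be static HTML.
# These are illustrative assumptions, not signatures of any particular kit.
INJECTION_PATTERNS = [
    re.compile(rb"<\?php"),
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"<iframe[^>]*\b(width|height)\s*=\s*['\"]?0['\"]?", re.I),
]
STATIC_EXTENSIONS = {".htm", ".html", ".txt"}

def load_tree(root):
    """Read every file under root into {relative_path: bytes}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                files[os.path.relpath(path, root)] = f.read()
    return files

def hash_tree(files):
    """Baseline manifest {relative_path: sha256}. Build it from a known-good
    copy (backup or version control), not from the live server afterwards."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}

def audit_tree(files, baseline):
    """Return {relative_path: [reasons]} for files that differ from the
    baseline or carry an injection pattern. Content hashes are compared,
    never mtimes: the article notes the intruders left timestamps intact."""
    findings = {}
    current = hash_tree(files)
    for rel, digest in current.items():
        reasons = []
        if rel not in baseline:
            reasons.append("new file")
        elif baseline[rel] != digest:
            reasons.append("hash differs from baseline")
        if os.path.splitext(rel)[1].lower() in STATIC_EXTENSIONS:
            hits = [p.pattern.decode() for p in INJECTION_PATTERNS if p.search(files[rel])]
            if hits:
                reasons.append("injection pattern: " + hits[0])
        if reasons:
            findings[rel] = reasons
    for rel in baseline:
        if rel not in current:
            findings[rel] = ["missing"]
    return findings
```

Run `audit_tree(load_tree("/var/www/site"), baseline)` against a manifest saved from a clean copy; every path it returns needs a manual look, and an empty result only means nothing matched these heuristics.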

Avast researchers in November reported that thousands of blogs hosted on WordPress.com had been compromised and infected with the Blackhole kit. Attackers used stolen or guessed FTP credentials to upload a malicious PHP file on to the server hosting the blogs, which then injected the malicious code into the files, according to Avast.

The attackers also exploited a known vulnerability in the TimThumb image resizing utility used by many of the blogs.

Many of the websites hosting Blackhole are used to spread the Carberp Trojan on victims’ machines. Visitors redirected to the malicious website are hit by drive-by downloads that install Carberp, often by exploiting Java vulnerabilities, according to an analysis by ESET.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
