During the last days, several high profile domains have been defaced including domains from two prominent security companies. In addition to these, high profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis It does not seem that the actual webserver has been compromised, the most possible attack vector was that the DNS have been hijacked.
When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did; or what kind of information they were able to obtain. When analyzing previous compromises and defaces it seems that there is a "new" trend within hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain there were two indicators that stood out.
The domains who were compromised yesterday and today all had an very recent update record in their DNS, and they were all using the same DNS registrar - NETWORK SOLUTIONS, LLC.
Another interesting thing is that all domains that was attacked yesterday and today only had the status: "clientTransferProhibited" while the domain alexa.com who was updated 10 September 2013 also had additional "server" settings enabled. If this is related to the attack is very difficult to say.
Domain Name: REDTUBE.COM Registrar: NETWORK SOLUTIONS, LLC. Status: clientTransferProhibited Updated Date: 07-oct-2013 Domain Name: ALEXA.COM Registrar: NETWORK SOLUTIONS, LLC. Status: clientTransferProhibited Status: serverDeleteProhibited Status: serverTransferProhibited Status: serverUpdateProhibited Updated Date: 10-sep-2013 Domain Name: WHATSAPP.COM Registrar: NETWORK SOLUTIONS, LLC. Status: clientTransferProhibited Updated Date: 08-oct-2013
Between the targets that were attacked, one very big hosting provider, LeaseWeb, wrote about their DNS compromise on their blog:
Interestingly, after the compromise, LeaseWeb moved to a new registrar - KeySystems Gmbh.
At the moment we do not know if NETWORK SOLUTIONS were compromised, or if the attackers simply got hold of control panel logins by other methods such as bruteforcing. Additional to the DNS redirection/hi-hacking attack, were they only out for spreading a political message or are they actually leveraging an unknown exploit?
UPDATE:2013-10-08 16:30: Avira confirms that Network Solutions was hacked. More information about this can be found at the following article from Softpedia: http://news.softpedia.com/news/Avira-Confirms-Network-Solutions-Has-Been-Hacked-389422.shtml
At the time of writing, we do not know yet, but we really recommend that you update to the latest available product and signature database because there might be more compromised domains out there.
An image of the defaced website is found below: