Incidents

Hackers Target High Profile Domains

During the last days, several high profile domains have been defaced including domains from two prominent security companies. In addition to these, high profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis It does not seem that the actual webserver has been compromised, the most possible attack vector was that the DNS have been hijacked.

When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did; or what kind of information they were able to obtain. When analyzing previous compromises and defaces it seems that there is a “new” trend within hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain there were two indicators that stood out.

The domains who were compromised yesterday and today all had an very recent update record in their DNS, and they were all using the same DNS registrar – NETWORK SOLUTIONS, LLC.

Another interesting thing is that all domains that was attacked yesterday and today only had the status: “clientTransferProhibited” while the domain alexa.com who was updated 10 September 2013 also had additional “server” settings enabled. If this is related to the attack is very difficult to say.

Between the targets that were attacked, one very big hosting provider, LeaseWeb, wrote about their DNS compromise on their blog:

http://blog.leaseweb.com/2013/10/06/statement-on-dns-hijack-of-leaseweb-com-website/

Interestingly, after the compromise, LeaseWeb moved to a new registrar – KeySystems Gmbh.

At the moment we do not know if NETWORK SOLUTIONS were compromised, or if the attackers simply got hold of control panel logins by other methods such as bruteforcing. Additional to the DNS redirection/hi-hacking attack, were they only out for spreading a political message or are they actually leveraging an unknown exploit?

UPDATE:2013-10-08 16:30: Avira confirms that Network Solutions was hacked. More information about this can be found at the following article from Softpedia: http://news.softpedia.com/news/Avira-Confirms-Network-Solutions-Has-Been-Hacked-389422.shtml

At the time of writing, we do not know yet, but we really recommend that you update to the latest available product and signature database because there might be more compromised domains out there.

An image of the defaced website is found below:

208214087

Hackers Target High Profile Domains

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox