Incidents

Hackers Target High Profile Domains

During the last days, several high profile domains have been defaced including domains from two prominent security companies. In addition to these, high profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis It does not seem that the actual webserver has been compromised, the most possible attack vector was that the DNS have been hijacked.

When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did; or what kind of information they were able to obtain. When analyzing previous compromises and defaces it seems that there is a “new” trend within hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain there were two indicators that stood out.

The domains who were compromised yesterday and today all had an very recent update record in their DNS, and they were all using the same DNS registrar – NETWORK SOLUTIONS, LLC.

Another interesting thing is that all domains that was attacked yesterday and today only had the status: “clientTransferProhibited” while the domain alexa.com who was updated 10 September 2013 also had additional “server” settings enabled. If this is related to the attack is very difficult to say.

Between the targets that were attacked, one very big hosting provider, LeaseWeb, wrote about their DNS compromise on their blog:

http://blog.leaseweb.com/2013/10/06/statement-on-dns-hijack-of-leaseweb-com-website/

Interestingly, after the compromise, LeaseWeb moved to a new registrar – KeySystems Gmbh.

At the moment we do not know if NETWORK SOLUTIONS were compromised, or if the attackers simply got hold of control panel logins by other methods such as bruteforcing. Additional to the DNS redirection/hi-hacking attack, were they only out for spreading a political message or are they actually leveraging an unknown exploit?

UPDATE:2013-10-08 16:30: Avira confirms that Network Solutions was hacked. More information about this can be found at the following article from Softpedia: http://news.softpedia.com/news/Avira-Confirms-Network-Solutions-Has-Been-Hacked-389422.shtml

At the time of writing, we do not know yet, but we really recommend that you update to the latest available product and signature database because there might be more compromised domains out there.

An image of the defaced website is found below:

208214087

Hackers Target High Profile Domains

Your email address will not be published. Required fields are marked *

 

Reports

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

Subscribe to our weekly e-mails

The hottest research right in your inbox