Telephony DoS, OpFreeKorea, and Darkleech
What do zombie video games, North Korea, and emergency telephone systems have in common? They’ve all been compromised by cyber attackers this week.
If you’re too busy dousing IT fires to keep up with InfoSec news on your own, give our weekly security news summary a try. In this short video, I quickly highlight the biggest security stories from the week, and give some practical defense tips along the way.
This week’s episode covers a new telephony denial of service (TDoS) extortion scheme, a serious flaw in a common database system, the latest Anonymous operation, and a mysterious Apache hijacking campaign that has affected over 20,000 web servers. Watch the video below for the full scoop, and check out the Reference section for additional stories.
(Episode Runtime: 9:03)
Direct YouTube Link: http://www.youtube.com/watch?v=K18Snt0Lrm0
Episode References:
- DHS warns of TDoS attacks – Krebs on Security
- DHS’s PDF document on TDoS attacks – DHS
- Microsoft Patch Day to include nine security bulletins – WGSC
- PostgreSQL update fixes serious security vulnerability – WGSC
- Anonymous launches OpFreeKorea campaign against North Korea – The Register
- Attackers steal credentials from War Z video game servers – Kotaku
- Ars Technica uncovers mysterious Apache server hijack campaign – Ars Technica
- Extras:
- New advanced malware monitors for mouse clicks – Information World
- Great PBS video on the positive origin of the term “hacker” – YouTube
- Carberp (Zeus variant) gang taken down – Ars Technica
- Krebs thinks he’s identified the Flashback malware author – Krebs on Security
- Japanese portal hack affects 100,000 users – Computer World
- Scribd compromised and passwords stolen – The H Security
— Corey Nachreiner, CISSP (@SecAdept)
Ryan says
The Apache exploit is particularly disconcerting — it’s affecting some pretty huge sites. You don’t have to run Wireshark if you aren’t familiar with it — the default developer console in Chrome will show you the network traffic you need to find or just use Firebug in Firefox. Both of those will show all the HTTP requests the website is making.
The theory right now is that they’re getting in through Plesk, cPanel or WordPress vulnerabilities. The best way to detect it is to check the Apache modules that are loaded onto the system (/usr/lib64/httpd/modules on CentOS) and compare that list against a list of legitimate Apache modules. The attackers are naming them in a way that makes them look legitimate, so it’s worth taking the time to look.
Then — make sure you update Plesk, cPanel, WordPress and any WP plugins you might be running on that server. (Should be doing that anyway…)
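One way to script the module check Ryan describes, as an added example that is not part of the original post or its comments: it lists what is in the module directory (the CentOS path from the comment), flags files no package owns, and diffs the list against a known-good baseline. The baseline file path, the helper names and the sample module names in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the Apache module
# directory against a known-good list so a dropped-in .so with a
# legitimate-looking name stands out.

MODULE_DIR="${MODULE_DIR:-/usr/lib64/httpd/modules}"   # CentOS path from the comment

# Print the module filenames present on this host, one per line.
list_installed_modules() {
    ls -1 "$MODULE_DIR" 2>/dev/null | sort -u
}

# On RPM-based hosts, print any module file not owned by a package.
# A hand-copied .so shows up here no matter what it is named.
list_unowned_modules() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    for f in "$MODULE_DIR"/*.so; do
        [ -e "$f" ] || continue
        rpm -qf "$f" >/dev/null 2>&1 || echo "$f"
    done
}

# audit_modules BASELINE FOUND
#   BASELINE: one legitimate module filename per line, captured from a
#             clean install of the same distro and httpd version.
#   FOUND:    one filename per line from the suspect host.
# Prints every module in FOUND that is absent from BASELINE. Returns 0 when
# the host matches the baseline, 1 when unexpected modules were found.
audit_modules() {
    baseline="$1"; found="$2"
    [ -r "$baseline" ] || { echo "baseline not readable: $baseline" >&2; return 2; }
    # -x whole-line match, -F fixed strings, -v keep the lines NOT in baseline
    unexpected=$(sort -u "$found" | grep -vxF -f "$baseline" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Stand-alone use on a host (assumed baseline path, saved earlier from a clean box):
#   list_installed_modules > /tmp/modules.now
#   audit_modules /etc/httpd/modules.baseline /tmp/modules.now
#   list_unowned_modules
```

A clean host must return 0 from audit_modules; anything printed is a module to inspect by hand before trusting its name.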
Corey Nachreiner says
That’s awesome info, Ryan! Thanks for sharing.
I agree this is pretty scary. The evasion techniques it uses to just not load the iframes for certain visitors are particularly nefarious and ingenious. I can’t help but respect its authors’ ideas, despite their malicious intent.
I’m guessing cPanel, though the WordPress framework is a likely candidate too. I remember another mysterious web site hijacking months ago. The commonality there was cPanel.
Thanks for reminding me of Chrome’s built-in developer console (which pretty much reminds me of Firebug anyway)… and your tip for checking out the system modules is the most valuable!
Ryan says
Almost like a nasty little rootkit except you can detect it once you start digging around. There are a few blog posts out there that help admins like me dig around into this stuff. This one in particular is very helpful and even goes so far as to suggest a couple greps to uncover the nefarious little buggers: http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
Alexander Kushnarev (Rainbow Security) says
Thank you for the additional material, Ryan. It provides a more or less detailed explanation of the “masquerading and evasion” techniques on which Darkleech is based. Or better to name it the “Apache ninja rootkit”… And until the “core” of the Apache 0-day (which opens a root door for hackers to upload and execute .so modules, modify httpd.conf etc.) is revealed and protection signatures are created, monitoring modules will be one of the effective ways to notice infection. I agree with you and Corey.
I should also note that during the last 2 months I’ve read very frequently about “innovative and smart” hacking technologies – virtual skimmers for POS terminals, DDoS with recursive DNS, VoIP DoS (TDoS), SWATting, the mysterious Darkleech attacking Apache. Am I wrong, or does it look like a new turn of the spiral of hacking evolution has started? If so, I hope that a new turn of the spiral of security protection evolution will follow.
Corey Nachreiner says
I agree, Alexander. Attackers have upped their game now, especially in security evasion. Security technology is definitely due for some evolution to keep up with, or ahead of, the game.
click here says
Hello, I think your blog might be having browser compatibility issues. When I look at your blog in Firefox, it looks fine, but when opening in Internet Explorer, it has some overlapping. I just wanted to give you a quick heads up! Other than that, fantastic blog!