The Syrian Electronic Army has once again succeeded in an attack: this time the well-known hacker group broke into the registry accounts of Twitter, the Huffington Post and the NY Times, modifying DNS records and contact details. An attack on DNS can allow hackers to redirect visitors of the target domain to any other site, a technique that can be used to serve malware by hijacking victims onto a compromised website.
The Syrian Electronic Army is considered the cyber unit of the government in Damascus; in recent months it has conducted numerous operations against organizations and companies. The operations of the group, notorious for supporting Syrian president Bashar al-Assad, are intensifying in step with the escalation of the deep political and social crisis affecting the country.
To mention only the latest events: in early August the group announced that the personal Gmail accounts of at least three White House employees had been hacked, and in July the Syrian Electronic Army conducted a series of attacks exposing account details of major communications websites such as Truecaller, Tango and Viber.
Following is the detailed timeline of the attacks published by FireEye:
The list of victims of the Syrian Electronic Army is very long and also includes the BBC, the Associated Press, the Financial Times and the Guardian. Compromised social media accounts can be used to spread fake and disturbing news: the attack against the Associated Press Twitter account disseminated news of an attack against the White House, causing stock markets to fall with losses of more than $100 billion. The group is politically motivated, and many security experts consider its campaigns part of a PSYOPs campaign directed by the Syrian regime. The Syrian Electronic Army first emerged in May 2011, during the first Syrian uprisings, when it conducted various attacks against social media for pro-Assad propaganda.
The latest attack against Twitter was announced on that same social network with a post containing a screenshot of the Whois records for the Twitter.com domain:
The Syrian Electronic Army also provided evidence of the hacked Twitter accounts in a second tweet:
The hackers of the Syrian Electronic Army also altered the DNS records for the domain twimg.com, which Twitter uses to host CSS, JavaScript, images and more; this caused problems displaying avatars for some users. Following is the statement issued by the company:
“At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored. No Twitter user information was affected by this incident.”
The hackers also hit the NY Times, with serious consequences: they redirected homepage visitors, and the newspaper confirmed that its website had been disrupted by an attack from hackers.
[The attack was carried out by a group known as] “the Syrian Electronic Army, or someone trying very hard to be them.” The group attacked the company’s domain name registrar, Melbourne IT. The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., “we believe that we are on the road to fixing the problem,” said Marc Frons, chief information officer for The New York Times Company.
MelbourneIT sent an email to all its customers indicating that the hackers seem to have used a reseller account as part of the hack. The information has not been confirmed, but it is possible that the hackers exploited a flaw in the reseller interface that allowed a privilege escalation to take over control of other MelbourneIT customers.
The group of Syrian hackers also hit the HuffingtonPost UK, altering its DNS records, but as of 4pm PST both the HuffingtonPost UK and Twitter DNS records had been corrected; the Twimg and NY Times records have also been fixed.
Just a few minutes ago the group announced on Twitter and Facebook that its own website and domain are down.
A possible countermeasure
The CloudFlare company posted an interesting article on the incident; I want to highlight its suggestion of a possible countermeasure against this kind of attack.
“There is one sensible measure that domains at risk should all put in place immediately. It is possible to put what is known as a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically. If you run a whois query against your domain, you can see if you have a registry lock in place if it includes three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited.
Registrars generally do not make it easy to request registry locks because they make processes like automatic renewals more difficult. However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place.”
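The check described in the quote above can be automated. The following is an added example, not code from the original article or from CloudFlare: it parses raw whois output for the three server-side EPP status codes that indicate a registry lock, and separately reports registrar-level ("client") locks, which a compromised registrar or reseller account can remove. The whois samples are constructed; the function names are hypothetical.

```python
import re

# EPP status codes the quoted advice looks for: set by the registry, so a
# compromised registrar or reseller account cannot clear them.
REGISTRY_LOCK_STATUSES = frozenset({
    "serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited",
})
# Registrar-level ("client") locks: useful, but removable from the registrar side,
# which is exactly the side that was compromised in this incident.
REGISTRAR_LOCK_STATUSES = frozenset({
    "clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited",
})

# Matches lines such as "Domain Status: serverUpdateProhibited https://icann.org/epp#..."
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text: str) -> set:
    """Return the set of EPP status codes found in raw whois output."""
    return set(STATUS_RE.findall(whois_text))


def check_registry_lock(whois_text: str) -> dict:
    """Classify a domain's lock state from its whois output."""
    statuses = parse_statuses(whois_text)
    present = statuses & REGISTRY_LOCK_STATUSES
    return {
        "registry_locked": present == REGISTRY_LOCK_STATUSES,  # all three server* codes
        "missing_registry_statuses": sorted(REGISTRY_LOCK_STATUSES - present),
        "registrar_locks": sorted(statuses & REGISTRAR_LOCK_STATUSES),
    }


# Constructed sample whois output (not a real lookup); the layout follows the
# common "Domain Status: <code> <url>" format of whois responses.
LOCKED_SAMPLE = """\
Domain Name: EXAMPLE-LOCKED.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

UNLOCKED_SAMPLE = """\
Domain Name: EXAMPLE-UNLOCKED.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: ok https://icann.org/epp#ok
"""

if __name__ == "__main__":
    print(check_registry_lock(LOCKED_SAMPLE), check_registry_lock(UNLOCKED_SAMPLE), sep="\n")
```

In practice, feed the function the output of `whois yourdomain.example`; a domain that only shows client* statuses has a registrar lock, not the registry lock the quote recommends.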
The imminent strike on Syria by the US and its allies will also have serious repercussions in cyberspace... It’s just the beginning.
(Security Affairs – Syrian Electronic Army, hacking)