Hackers used Spear Phishing attack to hack CNN Blogs

Security analysts at Intelligence firm InterCrawler published the details of the investigation on recent attack against CNN Blogs and social media accounts.

Recently a few social media accounts belonging to CNN and blogs were compromised, including CNN’s main Facebook account, CNN Politics’ Facebook account and the Twitter pages for CNN and CNN’s Security Clearance. At the same time blogs Blogs for Political Ticker, The Lead, Security Clearance, The Situation Room and Crossfire were hacked.

According to  cyber intelligence firm IntelCrawler, attackers conducted a multi-stage spear phishing attack against CNN and Turner employees to obtain information used in successive attack to CNN blogs, as well as some third party publishing platforms based on WordPress and Hootsuite.

The e-mail messages appear to come from a trusted source, like colleagues or partners, and allowed attackers to compromise several of corporate e-mail accounts and started to spread malicious links using “getmail.turner.com/ecp” which in fact led to a fake authorization page for Microsoft Outlook Web App.

The analysts of IntelCrawler have also detected multi-stage redirect used to compromise users through several hypertext links with specially crafted active scripting content used for generation of unique strings for masking fake resource under legitimate corporate application.

After the click on the named one, which was in real pointing to http://miiu-catering.com/c.html, the user was immediately redirected to the following one designed as an e-mail corporate access for Turner.com employees which is still active:

http://getmail.turner.site90.com/uniquesig8c668abf5306900d50c7fb2e143ce9bd/uniquesig0/InternalSite/OWA/Login.asp?resource_id=7D4F3C8EBEE14DA99FBB4D62D5952E71&login_type=3&site_name=exchange2010&secure=1

The site was used to collect users’ credentials that were intercepted by bad actors in timeframes close to real-time using notifications sent to special resources. The first website, which has belonged to one of Thailand companies, seems to be hacked previously to place malicious content in order hide it and prevent from early detection on the first stage of the attack. The bad actors have chosen very similar link to real hyperlink on Turner.com e-mail services:

https://getmail.turner.com/uniquesig8c668abf5306900d50c7fb2e143ce9bd/uniquesig0/InternalSite/OWA/Login.asp?resource_id=7D4F3C8EBEE14DA99FBB4D62D5952E71&login_type=3&site_name=exchange2010&secure=1

After the research it was found that the bad actors have reproduced very high quality fake page for login using Java Script and templates of real Outlook Web App:

 

“Spear Phishing is a rising and a well known cyber threat, which is mutating and improving because of the appearance of new WEB-applications technologies and active use of online-scripting content” – comments Dan Clements, the President of IntelCrawler.

The Threat intelligence team of IntelCrawler notified CNN and other affected parties, it provided details of the attack and warned of the possibility that the campaign of bad actors might be in an active stage,  the mass-media agencies should be prepared for the similar incidents.

The risk that other attacker will adopt the same methodology  to hit enterprises and other media agencies, IntelCrawler notifies that the recent offensive has a very high correlation with the past attacks against famous corporations and mass-media agencies done by the same cyber criminals group.

To avoid being a victim of such attack, the experts recommended to monitor any suspicious activity related to malicious link distribution from corporate e-mail accounts and login attempts from other geographies, as well as to strengthen control of social media and third party publishing platform as one of the risk mitigation strategies to prevent reputation abuse against own brand and data leakage incidents.

About IntelCrawler

IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3, 000, 000, 000 IPv4 and over 200, 000, 000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.

Pierluigi Paganini

(Security Affairs –  CNN, Spear Phishing)