Hackers used Spear Phishing attack to hack CNN Blogs

Security analysts at Intelligence firm InterCrawler published the details of the investigation on recent attack against CNN Blogs and social media accounts.

Recently a few social media accounts belonging to CNN and blogs were compromised, including CNN’s main Facebook account, CNN Politics’ Facebook account and the Twitter pages for CNN and CNN’s Security Clearance. At the same time blogs Blogs for Political Ticker, The Lead, Security Clearance, The Situation Room and Crossfire were hacked.

According to  cyber intelligence firm IntelCrawler, attackers conducted a multi-stage spear phishing attack against CNN and Turner employees to obtain information used in successive attack to CNN blogs, as well as some third party publishing platforms based on WordPress and Hootsuite.

The e-mail messages appear to come from a trusted source, like colleagues or partners, and allowed attackers to compromise several of corporate e-mail accounts and started to spread malicious links using “getmail.turner.com/ecp” which in fact led to a fake authorization page for Microsoft Outlook Web App.

The analysts of IntelCrawler have also detected multi-stage redirect used to compromise users through several hypertext links with specially crafted active scripting content used for generation of unique strings for masking fake resource under legitimate corporate application.

After the click on the named one, which was in real pointing to http://miiu-catering.com/c.html, the user was immediately redirected to the following one designed as an e-mail corporate access for Turner.com employees which is still active:

http://getmail.turner.site90.com/uniquesig8c668abf5306900d50c7fb2e143ce9bd/uniquesig0/InternalSite/OWA/Login.asp?resource_id=7D4F3C8EBEE14DA99FBB4D62D5952E71&login_type=3&site_name=exchange2010&secure=1

The site was used to collect users’ credentials that were intercepted by bad actors in timeframes close to real-time using notifications sent to special resources. The first website, which has belonged to one of Thailand companies, seems to be hacked previously to place malicious content in order hide it and prevent from early detection on the first stage of the attack. The bad actors have chosen very similar link to real hyperlink on Turner.com e-mail services:

https://getmail.turner.com/uniquesig8c668abf5306900d50c7fb2e143ce9bd/uniquesig0/InternalSite/OWA/Login.asp?resource_id=7D4F3C8EBEE14DA99FBB4D62D5952E71&login_type=3&site_name=exchange2010&secure=1

After the research it was found that the bad actors have reproduced very high quality fake page for login using Java Script and templates of real Outlook Web App:

 

“Spear Phishing is a rising and a well known cyber threat, which is mutating and improving because of the appearance of new WEB-applications technologies and active use of online-scripting content” – comments Dan Clements, the President of IntelCrawler.

The Threat intelligence team of IntelCrawler notified CNN and other affected parties, it provided details of the attack and warned of the possibility that the campaign of bad actors might be in an active stage,  the mass-media agencies should be prepared for the similar incidents.

The risk that other attacker will adopt the same methodology  to hit enterprises and other media agencies, IntelCrawler notifies that the recent offensive has a very high correlation with the past attacks against famous corporations and mass-media agencies done by the same cyber criminals group.

To avoid being a victim of such attack, the experts recommended to monitor any suspicious activity related to malicious link distribution from corporate e-mail accounts and login attempts from other geographies, as well as to strengthen control of social media and third party publishing platform as one of the risk mitigation strategies to prevent reputation abuse against own brand and data leakage incidents.

About IntelCrawler

IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3, 000, 000, 000 IPv4 and over 200, 000, 000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.

Pierluigi Paganini

(Security Affairs –  CNN, Spear Phishing)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

11 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

18 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.