What’s HOT in Application Security Vol #25

WikiLeaks crippled by DDoS attacks

A group calling itself AntiLeaks has claimed responsibility for the crippling attack on the well-known site WikiLeaks and its founder Julian Assange. WikiLeaks claimed that its servers were hit by 10 Gbps of false traffic. The attack was also reported to be a sustained one, lasting a total of 9 days. If this is true, it may also have been one of the longest sustained DDoS attacks on record.

The group AntiLeaks, which claims it was behind the attacks, stated that the attacks were a response to Assange’s recent attempt to seek political asylum in Ecuador. The group also referred to Julian Assange as a new ‘breed of political terrorist’ and said it is against what it sees as the continued compromising of United States security by the highly classified leaked reports for which the WikiLeaks site is famous.

For more information please go to:


New malware called Shamoon threatens energy companies

One of the world’s largest energy companies, Saudi Aramco, has come under attack by a hacker group calling itself the Arab Youth Group. The attack came last week as security experts were warning of a new malware threat called Shamoon, which is specifically designed to attack companies in the energy sector.

The malware is believed to corrupt files on a compromised computer and overwrite the Master Boot Record in an effort to render the computer inoperable.

Whilst a detailed report has not yet been released, Aramco did acknowledge the attack and said that the virus had infected personal workstations without affecting the primary components of the network.

In a statement posted on PasteBin, the hacking group claimed justification for the attack against ‘administrable structures and substructures’ due to what they claimed was the support shown to Israel by the United States and Saudi leaders.

For more information please go to:


Chip maker AMD’s blog breached

Over the weekend chip maker AMD had its blog site blogs.amd.com breached. The hacking group R00tbeer succeeded in targeting AMD’s WordPress installation, defaced the domain and stole the SQL file used to manage the content management system (CMS).

The AMD website was defaced, and an SQL file containing the usernames, hashed passwords and email addresses of 185 accounts was published. One of the accounts was reportedly that of AMD’s general manager.

The website had an outdated version of WordPress installed, version 3.0. It is likely that R00tbeer targeted the main installation. WordPress 3.0 was known to have a vulnerability that allowed potential attackers to gain access to information stored in the database by targeting author permissions.

Earlier this month news agency Reuters fell victim to similar attacks, when hackers managed to compromise its WordPress installation and post fake news stories.

For more information please go to:


Top 3 signs your website is the target of an Automated Attack

Among hackers’ favorite tools are automated SQL injection and remote file inclusion (RFI) tools. Using various easily obtainable software, finding and exploiting website vulnerabilities has never been easier or more prolific.

Hackers favor these automated tools for a number of reasons. These tools are readily available on hacking forums or on the sites of legitimate developers who use them as tools for penetration testing.

High incoming request rate

A key to identifying an automated attack is the rate at which incoming requests arrive. A human visitor is unlikely to generate more than one HTTP request every 5 seconds. In contrast, automated tools will often issue more than 70 requests per minute.

However, things are rarely this simple. Hackers know that a high request rate is easy to spot and will often have the tool slow itself down at random intervals so that its traffic pattern resembles that of a human user. Another trick is to attack several sites in parallel, rotating between them, so that although the tool generates requests at a very high rate, each individual site receives requests at a very human rate.

As a result, a high incoming request rate is only one clue and should be coupled with other indicators.

Attack tool patterns

Because attack tools are programmed to perform specific tasks, the number of distinct actions they can perform is limited. By analyzing traffic records, it is sometimes possible to find patterns in their behavior. A good example of this would be the specific strings that appear in the SQL fragments generated by SQL injection tools.

Unusual Geographical visits

A very basic but effective check is simply to be aware of where you are most likely to expect traffic from. For instance, if you run a small specialized shop serving your local area and start seeing lots of traffic from China, alarm bells should start ringing. Whilst not proof in itself, coupled with the above mentioned ‘flags’ it should definitely prompt a closer examination.
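The three signs above (request rate, attack tool patterns and unexpected geography) are easiest to act on when they are combined into one check over the web server’s access log. The following Python script is an added example written for this newsletter, not code from the original post or from any product it mentions. It parses constructed Common Log Format lines (sample data, not real traffic), computes each source’s peak requests per minute against the 70-per-minute figure given above, counts requests carrying strings typical of SQL injection and RFI tools (the pattern list is an assumption for the example), and looks up the source country in a small stand-in table that takes the place of a real GeoIP database. A source is only flagged when at least two of the three indicators agree, reflecting the point that a high rate on its own is just a clue.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Threshold from the text: automated tools often exceed 70 requests per minute.
RATE_THRESHOLD_PER_MIN = 70

# Strings that automated SQL injection / RFI tools typically leave in request URLs.
# The exact list is an assumption for this example; tune it to your own traffic.
ATTACK_PATTERNS = [
    re.compile(r"UNION\s+(ALL\s+)?SELECT", re.I),
    re.compile(r"'\s*OR\s+'?\d+'?\s*=\s*'?\d+", re.I),
    re.compile(r"INFORMATION_SCHEMA", re.I),
    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    re.compile(r"=\s*https?://", re.I),  # remote file inclusion probe
]

# Stand-in for a GeoIP lookup (assumption: a real deployment queries a GeoIP database).
# Only RFC 5737 documentation prefixes are used, so no real network is named.
GEO_PREFIXES = {"198.51.100.": "GB", "203.0.113.": "CN"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def parse_line(line):
    """Return (ip, timestamp, decoded path) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, unquote(m.group("path"))


def max_requests_per_minute(timestamps):
    """Largest number of requests from one source inside any 60-second window."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() >= 60:
            start += 1
        best = max(best, end - start + 1)
    return best


def country_of(ip):
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def analyse(lines, expected_countries):
    """Score every source IP on the three indicators and flag it when two or more agree."""
    per_ip = defaultdict(lambda: {"timestamps": [], "pattern_hits": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        per_ip[ip]["timestamps"].append(ts)
        if any(p.search(path) for p in ATTACK_PATTERNS):
            per_ip[ip]["pattern_hits"] += 1
    report = {}
    for ip, data in per_ip.items():
        rate = max_requests_per_minute(data["timestamps"])
        indicators = {
            "high_rate": rate > RATE_THRESHOLD_PER_MIN,
            "attack_patterns": data["pattern_hits"] > 0,
            "unexpected_geo": country_of(ip) not in expected_countries,
        }
        report[ip] = {
            "max_per_minute": rate,
            "pattern_hits": data["pattern_hits"],
            "country": country_of(ip),
            **indicators,
            # A high rate alone is only a clue: require a second indicator before flagging.
            "flag": sum(indicators.values()) >= 2,
        }
    return report


def make_line(ip, second, path):
    """Build one constructed Common Log Format line (sample data, not real traffic)."""
    return f'{ip} - - [10/Aug/2012:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: a human in the expected region loading one page every 10 seconds.
HUMAN = [make_line("198.51.100.5", s, f"/catalog?page={i}") for i, s in enumerate(range(0, 60, 10))]
# Constructed sample: an automated tool firing 80 injection probes within one minute.
SCANNER = [make_line("203.0.113.7", i % 60, f"/product.php?id=1%27%20UNION%20SELECT%20{i}") for i in range(80)]


def demo():
    return analyse(HUMAN + SCANNER, expected_countries={"GB"})


if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, result)
```

On the constructed data the human source scores zero indicators, while the scanner peaks at 80 requests in a minute, carries an injection string on every request and comes from outside the expected region, so it is flagged. The rate window is sliding rather than aligned to calendar minutes so that a burst straddling a minute boundary is not split in two, and the two-indicator rule is what keeps a legitimate but busy client (a search crawler, say) from being flagged on rate alone.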

Image credit: madmonk111
