iStock_000023444420XSmall-300x199

The Week in Security: PWN2OWN, Double DDoSes, Malaysian Plane Crash Scams & Target’s Missed Alarms

Mar 16, 2014 By Sarah Vonnegut

This week in security was busy with a little bit of everything – breaches, hacking contests, cyber scams, hacktivism and more. Here’s the lowdown on all the biggest security stories of the week: 

Your Favorite Browser Was Pwned This Weekend

This weekend, the Big Four browsers – Mozilla Firefox, Google Chrome, Internet Explorer and Apple Safari – were each successfully exploited with as part of the Pwn2Own hacking competition that took place during the CanSecWest conference in Vancouver. Adobe Flash, Adobe Reader and Oracle’s Java were also exploited during the competition. The contest challenges security researchers to hack popular software with zero-day exploits, or vulnerabilities that haven’t been previously discovered.

Security researchers from around the world took part in the two day challenge, winning a grand total of $850,000, which marked a new record payout for the competition. One of the teams, Vupen, took home $400,000 of that for their five exploit discoveries. Many of the hackers chose to donate their winnings to charities helping the families of the Malaysian Airlines flight MH370. Pwn2Own has taken place annually at CanSecWest since it originated in 2007.

We can expect to see patches for most of the vulnerabilities exploited in the coming weeks and months, so make sure to update your browser regularly.  Read more about the competition results here.

NATO Sites Go Down, Linked To Tensions over Crimea

NATO spokesperson Oana Lungescu tweeted that several NATO sites were part of a DDoS attack on Saturday, though she stressed that the attacks did not affect operations and that experts were working to restore the sites. The attack did affect NATO’s email network,

A Ukrainian group that calls itself “cyber berkut” claimed the attacks were carried out by angry Ukrainians over NATO’s interference in the situation. The claims have not yet been verified. NATO is still working on getting the sites up and running as of the writing of this post. Interestingly, NATO’s Cooperative Cyber Defense Center of Excellence site was up and running before their general site.

Get all the details about the NATO cyberattack here.

mh370 videoBeware: Fake Malaysian Links Making the Social Media Rounds

Preying on people trying to get answers about what actually happened to the Malaysia Flight MH370 last week, scammers took the opportunity to post malicious links to social media sites including Facebook and Twitter.

The posts promised “Shocking Video” of the Malaysian flight found at sea, some including a screenshot of the plane floating in the water, complete with a fake ‘play’ button in the center. When someone clicks on the fake video, they are instead sent to a phishing site where they either try to get the user to participate in a survey or share the video on their Facebook or Twitter. The scammers make money from those who fill out the surveys by selling that data to third parties or getting the victims to click on ads.

Phishing and malware scams tend to rear their ugly heads in other similar situations, such as during the Japan Tsunami in 2011 and the massive earthquake in The Philippines last year. Chris Boyd, a malware analyst, told Wired.co.uk that previous scams have “ranged from Malware and 419 scams to fake donation pages and search engine poisoning.”

“Anything involving a potential disaster is big money for the scammers” he continued. Don’t fall victim to these scams:  refrain from blindly click on your friends’ links; directly visit news sites instead of clicking on potentially malicious links.

Continue reading about the headline scam here.

Syrian Electronic Army Hacked U.S. Central Command…Allegedly

Details are still emerging, but in a pretty serious game of “they said, they said,” the Syrian Electronic Army is claiming to have hacked and infiltrated Central Command while Centcom spokesperson Oscar Seara calls the claims “totally bogus.”

It appears the group may have hacked into the Army Knowledge Online site, which offers enterprise information services including email, directory, portals and more. The Syrian Electronic Army said they carried out the attack “due to Obama’s decision to attack #Syria with electronic warfare,” they tweeted on Friday. The SEA also posted a screenshot, via Twitter, of sensitive files claiming to be from military computer systems.

“Beware the Ides of March,” they tweeted on Friday, echoing the infamous foretelling of Julius Caesar’s death on March 15th. The group warned that in the coming days they would inform the public of “specific details and hundreds of documents” that it obtained, and claimed they had already been successful in penetrating many central repositories.

As of today, post-Ides of March, we’re still waiting on more information from the SEA. Read about the possible hack here.

Missed Alarms, Lost Opportunities in Target Breach

We’re finally getting the full picture behind one of the biggest breaches in history, and it’s a pretty clear picture of negligence. Hindsight is always 20/20, they say, and now Target, along with the rest of the country, is seeing their mistakes all too clearly now.

The company had recently deployed FireEye software designed to set off alarms and isolate incoming traffic when suspicious activity was detected, but when it was detected, Target’s security team ultimately decided that the warnings “did not warrant immediate follow-up,” spokeswoman Molly Snyder said. The alarms were triggered as the perpetrators would upload their tools onto Target’s network in order to collect the payment information. Had Target acted on these alarms – one on November 30th and another on December 2nd – and reacted as they were supposed to, the biggest data breach of all times most likely would not have happened.  

Amid these most recent allegations, Target’s CIO Beth M. Jacob resigned from her position at the company, but she may not be the only one to leave by the time the incident is totally over. Target has spent a total of $61 million to date in costs related to the breach and executives believe that number will continue rising. In addition, over 90 lawsuits to date have been filed against the retailer.

Read the full article at BusinessWeek.

Massive Botnet Takes Down 162,000 Sites With DDoS

Security researchers this week discovered an enormous botnet that ended up as part of a huge DDOS attack on a major website, first rendering it painfully slow before bringing it down for several hours.

More than 90,000 IP addresses were used to conduct a brute-force attack on the administrative portals of vulnerable WordPress systems. The attack used the username “admin” with 1,000+ of the most commonly used passwords to gain control of the sites. When all was said and done, the botnet was comprised of over 162,000 legitimate WordPress sites sending hundreds of requests per second to the intended, still nameless, victim. The attack is notable for abusing the XML-RPC protocol used for the pingbacks and trackbacks, making it an HTTP-based, application level attack. The HTTP GET DDOS barrages the intended victim with more requests than it can handle using standard URL requests, making it difficult to decipher between normal and malicious requests.  

If you own or run a WordPress site, here are some quick steps you can take to protect your system from DDOS attacks:

  1. Ensure your username and passwords are unique, secure, and changed every few months.
  2. Install a security plugin. Ars Technica recommends this one and this one.
  3. Make sure your WordPress installation and plugins are updated and upgraded.

Read more about this attack here and see a list of the sites implicated in the botnet here

The following two tabs change content below.
Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Latest posts by Sarah Vonnegut (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.