Syrian Electronic Army hit NYT and Twitter

Pierluigi Paganini August 29, 2013

The Syrian Electronic Army hacker group is intensifying its pro-Assad hacking campaign. Details of the attacks against the HuffingtonPost UK, Twitter and the NYT.

The Syrian Electronic Army has once again succeeded in an attack: this time the popular hacker group broke into the registrar accounts of Twitter, the Huffington Post and the NY Times, modifying DNS records and contact details. An attack on DNS can allow hackers to redirect visitors of the target domain to any other site, a technique that can be used to serve malware by hijacking victims onto a compromised website.

The Syrian Electronic Army is considered the cyber unit of the government of Damascus; during the last months it has conducted numerous operations against many organizations and companies. The operations of the group, notorious for supporting the Syrian president Bashar al-Assad, are intensifying in conjunction with the escalation of the deep political and social crisis affecting the country.

Just to mention the latest events: in early August the group announced that the personal Gmail accounts of at least three White House employees had been hacked, and in July the Syrian Electronic Army conducted a series of attacks exposing account details of major communications websites such as Truecaller, Tango and Viber.

The following is the detailed timeline of the attacks published by FireEye:

  • July 16: SEA hacked the Swedish site Truecaller, home to the world’s largest online telephone directory, with over a billion phone numbers in over 100 countries. SEA claimed this attack also gave it access codes to more than a million Facebook, Twitter, LinkedIn, and Gmail accounts. The initial attack vector was an older, vulnerable version of WordPress.
  • July 21: SEA hacked the video and text messaging service Tango, stealing more than 1.5 TB of data, including user information, true names, phone numbers, emails, and personal contacts for millions of accounts. Again, the attack vector was a vulnerable version of WordPress CMS (v 3.2.1), which gave SEA unauthorized access to the database server.
  • July 24: SEA hacked Viber, a free online calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged the attack, explaining that the initial compromise vector was an email phishing scam which enabled SEA to access two customer support sites. Thus far, the company has denied that private user information was lost.

The list of victims of the Syrian Electronic Army is very long and also includes the BBC, the Associated Press, the Financial Times and the Guardian. Compromised social media accounts can be used to spread fake and disturbing news: the attack against the Associated Press Twitter account disseminated news of an attack against the White House, causing a fall of the stock markets and losses of more than $100 billion. The group is politically motivated and many security experts consider its campaigns part of a PSYOPs campaign directed by the Syrian regime. The Syrian Electronic Army first emerged in May 2011, during the first Syrian uprisings, when it conducted various attacks against social media for pro-Assad propaganda.

The latest attack against Twitter was announced on the popular social network with a post of a screenshot of the Whois records for the Twitter.com domain.

[Image: Syrian Electronic Army Twitter DNS record]

The Syrian Electronic Army also provided evidence of the hacked Twitter accounts in a second tweet:

[Image: Syrian Electronic Army 2]

The hackers of the Syrian Electronic Army also altered the DNS records for the domain twimg.com, which Twitter uses to serve CSS, JS, images and more; this caused problems displaying avatars for some users. The following is the statement issued by the company:

“At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored.  No Twitter user information was affected by this incident.”

The hackers also hit the NY Times, with serious consequences: they redirected homepage visitors, and the popular newspaper confirmed that its website was disrupted in an attack by hackers.

[The attack was carried out by a group known as] “the Syrian Electronic Army, or someone trying very hard to be them.” The group attacked the company’s domain name registrar, Melbourne IT. The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., “we believe that we are on the road to fixing the problem,” said Marc Frons, chief information officer for The New York Times Company.

[Image: Syrian Electronic Army NYT defaced]

Melbourne IT sent an email to all its customers indicating that the hackers seem to have used a reseller account as part of the hack. This information has not been confirmed, but it is possible that the hackers exploited a flaw in the reseller interface that allowed a privilege escalation to take control of other Melbourne IT customers.

The group of Syrian hackers also hit the HuffingtonPost UK, altering its DNS records, but as of 4pm PST both HuffingtonPost UK’s and Twitter’s DNS records had been corrected; the Twimg and NY Times records have also been fixed.

Just a few minutes ago the group announced on Twitter and Facebook that its website and domain are down.

[Image: SEA_down]

A possible countermeasure

The CloudFlare company posted an interesting article on the incident; I want to extract from it the suggestion related to a possible countermeasure against this kind of attack.

“There is one sensible measure that domains at risk should all put in place immediately. It is possible to put what is known as a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically. If you run a whois query against your domain, you can see if you have a registry lock in place if it includes three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited.

Registrars generally do not make it easy to request registry locks because they make processes like automatic renewals more difficult. However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place.”
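As an added example (not from the original post or from CloudFlare's article), here is a small Python check that parses whois output for those status lines and distinguishes a full registry lock from the weaker registrar-side client*Prohibited locks; the sample whois records are constructed, not real query results:

```python
import re

# Registry-level lock statuses: set at the registry, so a registrar account
# (or a compromised reseller account at the registrar) cannot clear them.
REGISTRY_LOCK = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}
# Registrar-level equivalents: weaker, because whoever controls the
# registrar account can remove them before changing the DNS records.
REGISTRAR_LOCK = {
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
}
# Matches "Domain Status: <code> <url>" and the older "Status: <code>" form.
STATUS_LINE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*(\w+)",
                         re.IGNORECASE | re.MULTILINE)

def extract_statuses(whois_text):
    """Return the set of EPP status codes found in raw whois output."""
    return set(STATUS_LINE.findall(whois_text))

def lock_level(whois_text):
    """'registry' when all three server*Prohibited codes are present (the
    check CloudFlare describes), 'partial' when only some lock codes are
    set (e.g. registrar-side client* locks only), else 'none'."""
    statuses = extract_statuses(whois_text)
    if REGISTRY_LOCK <= statuses:
        return "registry"
    if statuses & (REGISTRY_LOCK | REGISTRAR_LOCK):
        return "partial"
    return "none"

# Constructed sample whois output (not real query results).
LOCKED = """Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
REGISTRAR_ONLY = "Domain Name: EXAMPLE.NET\nStatus: clientTransferProhibited\n"
UNLOCKED = "Domain Name: EXAMPLE.ORG\nDomain Status: ok\n"

if __name__ == "__main__":
    for label, text in (("com", LOCKED), ("net", REGISTRAR_ONLY), ("org", UNLOCKED)):
        print(label, "->", lock_level(text))
```

Feed it the output of `whois yourdomain.com`; only the "registry" result means the registrar itself cannot silently change the record.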

The imminent strike on Syria by the US and its allies will have serious repercussions in cyberspace too. It’s just the beginning.

Pierluigi Paganini

(Security Affairs – Syrian Electronic Army, hacking)


