Anonymous took over a million Israeli web pages by exploiting flaw in third-party plugin

News by Jay Jay

Hacker group Anonymous successfully took over a million web pages associated with Israeli domains of Fiverr, Coca-Cola, McDonald's, and ToysRUs and attempted to inject ransomware for a short period.

Hacker group Anonymous successfully took over one million web pages associated with Israeli domains of well-known companies such as Fiverr, Coca-Cola, McDonald's, and ToysRUs and attempted to inject ransomware for a short period before the attacks were contained, according to SafetyDetective.
The attacks took place during the weekend and involved hackers from Anonymous exploiting vulnerabilities in third-party plugins in Israeli domains to take control of such domains and redirect Internet traffic to their own websites.
According to SafetyDetective, a website offering expert advice and reviews on antivirus products and solutions, the cyber-attack targeted frequently-visited Israeli domains including mcdonalds.co.il and cocacola.co.il. The attackers went on to deface such domains by inserting content supporting Palestinians' rights regarding Jerusalem, suggesting that the hackers were either Palestinians or identified with the Palestinian cause.
The hackers were able to replace the accessibility plugin with malicious JavaScript code that displayed the political message, and embedded a link that downloads ransomware to the users’ computer. Though at first not all researchers were able to detect the problem, a change to the DNS server produced the vulnerability.
"By taking control of DNS server records, Anonymous was instead able to redirect traffic to one of its servers. As more DNS servers began to produce the vulnerability, more surfers began seeing the message," SafetyDetective noted.
"All in all the issue was resolved in under an hour; but it demonstrated the risk of using an unsecured third party plug-in across so many websites. It was lucky that the hackers decided to make the attack about a contentious political message rather than focusing on economic damage, which would have resulted in much greater harm. As little as a basic JavaScript is all it takes to create widespread havoc on so many sites," a company statement added.
Its website also highlighted that the vulnerability exploited by Anonymous hackers was well-known and was highlighted by security researchers in the past. SafetyDetective says that despite the warnings, nagich.com, the developer behind the plugin, failed to fix the security vulnerability, thereby allowing hackers to launch a coordinated attack on several popular domains.
Commenting on the take-over of a million web pages by hackers politically opposed to Israel, Matthew McKenna, VP EMEA at SecurityScorecard, told SC Magazine UK that the hackers behind the campaign leveraged the vulnerability on certain sites using this plugin to replace the plugin info with their message, and that they got their hands on this plugin’s DNS information (possibly by hacking the company or its DNS service).
"They then changed DNS records so that any company using the plugin would be directed to the hackers’ site instead of the plugin site. By changing the plugin company's DNS, the hackers managed to get all sites using this plugin directed to their site, instead of attacking all sites separately," he said.
"This story brings around the security risks that can come about when working with third parties. As some third-party plugins are used to fetch, push or process information leveraging plugin providers' webservices, or provide critical functionalities such as authentication or access controls to your environment or data, understanding the security maturity and risks of these third-party plugin providers is a crucial part of any company's risk assessments and governance," he added.
Eoin Keary, CEO and co-founder of Edgescan, said that companies frequently overlook the software security "food chain" which means that third-party components can be ripe for exploitation if not maintained.
"It’s normal for any organisation to use third-party components, but maintenance and governance of the cyber-security posture is as important as focusing on the organisation’s own systems. Because third-party components can be used across many domains, attacking a single point can result in disruption to potentially thousands of hosts and related pages," he explained.
"The challenges related to the cyber-security food chain are not fully addressed by today’s solutions and are a common governance 'blind spot' in many organisations, both large and small. Do we know who wrote the code we are using? Is it secure? What is its origin? Is it maintained? Many organisations can’t answer these simple questions, and that in itself is a vulnerability," he added.
Laurie Mercer, security engineer at HackerOne, says that while the vulnerability can be plugged by securely configuring the DNS servers, it can also be avoided by using defence in depth measures such as strict content security policies. Organisations need to ask themselves: if someone observes such a vulnerability, how would that person report it, and how quickly would they be able to respond to it?
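As an added illustration of the defence-in-depth point (not code from the article, SafetyDetective or the plugin vendor): a Node.js sketch that lists the third-party scripts a page loads and checks a served script body against a pinned hash. It assumes Subresource Integrity as the pinning mechanism, which the article does not name; the host names, page and script bodies are constructed. A hash is used because the plugin's host name stays the same when its DNS records are changed, so a check on the host name alone would still pass.

```javascript
// Added example: constructed data; shop.example, plugin.example and both script bodies are hypothetical.
const { createHash } = require('node:crypto');

// Build a Subresource Integrity token ("sha384-<base64 digest>") for a script body.
function sriToken(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Simplified form of the browser check: the body passes if it matches any listed token.
function passesIntegrity(body, integrity) {
  return integrity.trim().split(/\s+/).some((tok) => {
    const m = /^(sha256|sha384|sha512)-/.exec(tok);
    return m !== null && sriToken(body, m[1]) === tok;
  });
}

// List cross-origin <script src> tags in a page and the integrity value each one carries, if any.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script, out of scope here
    const url = new URL(src[1], page);
    if (url.origin === page.origin) continue; // first-party script
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(tag);
    findings.push({ src: url.href, integrity: integrity ? integrity[1] : null });
  }
  return findings;
}

// Constructed sample: the reviewed plugin build, and what a changed DNS record serves instead.
const reviewedBuild = 'window.a11yToolbar = { init() { /* accessibility widget */ } };';
const swappedBuild = 'document.body.innerHTML = "<h1>defaced</h1>";';
const pinned = sriToken(reviewedBuild);

const samplePage = `
<script src="/js/site.js"></script>
<script src="https://plugin.example/a11y.js"></script>
<script src="https://plugin.example/a11y.js" integrity="${pinned}" crossorigin="anonymous"></script>`;

function demo() {
  return {
    findings: auditScripts(samplePage, 'https://shop.example/'),
    reviewedLoads: passesIntegrity(reviewedBuild, pinned),
    swappedLoads: passesIntegrity(swappedBuild, pinned),
  };
}

console.log(demo());
```

A finding with `integrity: null` marks a third-party script the page would execute whatever the remote host returns.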
