Guy Fawkes Day was November 5th, and a variety of loosely affiliated movements from Occupy to Anonymous joined to commemorate the day with a Million Mask March. However, it seems that Anonymous, or at least Anonymous-affiliated hackers in Asia, decided to get an early start on the festivities with a variety of attacks against government websites in Australia, Singapore, and the Philippines.
Thus far, these attacks all bear the unmistakable signs of hacktivism, in that the compromised sites were defaced with political messages. Obviously, these sorts of attacks are nothing new, and we have been seeing something of a resurgence in the past few months. Prior to this action from Anonymous, the Syrian Electronic Army (SEA) had claimed responsibility for a string of attacks targeting large news media organizations ranging from the New York Times to Twitter.
Whenever one of these attacks makes the news, it always seems to spur questions about how such a thing can continue to happen. I wanted to briefly share some of the more common tactics we are seeing against legitimate websites.
First, it's important to realize that websites, and more specifically web servers, are very common targets for attackers. If the website accepts input from an end-user, that site can be subject to a variety of injection techniques that can allow an attacker to compromise data that the website serves, or ultimately compromise the server itself. These attacks typically exploit a weakness in the way that the website or application validates a user's input, which allows an attacker to send specially crafted input to compromise the web server or application. These attacks are extremely common, and are generally mitigated through a combination of IPS to detect injection attacks, web-application firewalling to detect specific attacks against web applications, vulnerability testing of websites, and training to ensure secure coding and web development practices.
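To make the input-validation weakness concrete, here is an added example (not from the original article) showing a lookup built by string concatenation, where crafted input becomes part of the SQL, next to the parameterised and allow-list-validated version that treats the same input purely as data. The in-memory database, table layout and sample rows are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for a site's user store (not real credentials).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 1), ("bob", "hash-b", 0)],
    )
    return conn

def lookup_vulnerable(conn, username):
    """Weak pattern: user input is concatenated into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL syntax."""
    query = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_hardened(conn, username):
    """Mitigated pattern: a parameterised query. The driver binds the input as a
    value, so quotes and keywords inside it can never change the query structure."""
    query = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def validate_username(username):
    """Second layer: allow-list validation of the input's shape before it is used.
    Anything outside the expected character set and length is rejected outright."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None

# A constructed crafted input: the quote closes the literal and appends an
# always-true condition, so the vulnerable lookup returns every row.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, CRAFTED))  # both rows leak
    print("hardened:  ", lookup_hardened(conn, CRAFTED))    # [] (no such user)
    print("validated: ", validate_username(CRAFTED))        # False
```

The same input yields every row from the concatenated query and nothing from the parameterised one, which is the difference an IPS or WAF signature for quote-and-OR patterns is trying to catch at the network layer when the application itself has not fixed the query.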
Ultimately, people manage websites, and those people will have passwords to authenticate themselves when managing the site. If an attacker can compromise those credentials, then the attacker gains all the privileges and access of the administrator. This technique was heavily utilized earlier in the year when the SEA stole Twitter credentials belonging to news organizations and sent out fake news updates that caused significant movement in financial markets.
This approach somewhat bridges the gap between hacktivism and the more advanced threats, or APTs. To steal a valid user's credentials, attackers will send targeted phishing emails, either to lure the user into entering their credentials into the attacker's website or to deliver malware that will steal the user's password from the local machine. This approach includes some of the basics of an APT, but ultimately the goal is still to gain notoriety for the attacker. Mitigating these attacks requires a complete approach to cybersecurity capable of blocking all types of malicious traffic and content, ranging from drive-by downloads, exploits and malware to command-and-control traffic and malicious URLs, as well as proactive testing of any unknown files or traffic to expose hidden threats. Additionally, end-user training can help users learn to recognize phishing attempts, and two-factor authentication should be implemented so that a stolen password alone is not enough to gain access to web resources.