Security Discussion on Silent Drive-by Malicious Payloads from Hacked servers

[DevTech]

First of all, there appears to be a segment of the technology community that does not believe in the existance of Silent Drive-by Malicious Payloads from Hacked servers or else they believe this is not possible with a major server. If you fall into that category, please try to keep this thread read-only.

 

The intended discussion is on how to deal with it, not on whether it exists or not.

 

I am hoping this thread will be a useful repository of information for server operators and for users wishing to protect themselves from this particular attack vector.

 

 

• I generated a giant load of links while trying to find a particular Google disclosure website - taking a while to organize the info

[DevTech]

Public Non-Silent Hacks

• Google Data Centers

 

The thread is on Silent Hacks. The stuff that makes all the news sites that people read is the flashy defacements with political agendas etc. This makes silent attacks fall into the boring category from a news point of view. Here are some examples of public attacks:

 

•   Google Malaysia Site DNS Hacked, Credit Claimed By ‘Team Madleets’ Hacker 1337 "There’s not much reason behind it, only to prove that security is just an illusion. It does not exist."
• Chinese hackers who breached Google gained access to sensitive data, U.S. officials say "Although Google disclosed an intrusion by Chinese hackers in 2010, it made no reference to the breach of the database with information on court orders. That breach prompted deep concerns in Washington and led to a heated, months-long dispute between Google and the FBI and Justice Department over whether the FBI could access technical logs and other information about the breach, according to the officials" "Last month, a senior Microsoft official suggested that Chinese hackers had targeted the company’s servers about the same time that Google’s system was compromised"
• World's Biggest Data Breaches
• Data Breach  List of Data Breaches
• Hackers stole Google SSL certificate, Dutch firm admits
• A massive cyberattack that led to a vulnerability in RSA's SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies  "

  Those in the security industry have long suspected that RSA was not the hack's only victim, but no other companies have been willing to talk publicly about whether they had also been compromised.

  The names mentioned on Krebs' list include about a fifth of the Fortune 100, as well as many other massive corporations."

• Rewarded with $10,000 bounty for identifying an XML External Entity (XXE) vulnerability in one of the search engine’s features. "the researchers crafted their own button containing fishy XML entities. By sending it, they gain access to internal files stored in one of Google's production servers and managed to read the “/etc/passwd” and the “/etc/hosts” files from the server. By exploiting the same vulnerability the researchers said they could have access any other file on their server, or could have gain access to their internal systems through the SSRF exploitation."

[DevTech]

There was a time when sites  like Google and Microsoft provided what the security industry calls Full Disclosure - https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)

 

These days, major sites are a bit more prideful of their reputation and have come up with the non-transparent concept they call Transparency which mainly pokes a stick at the government but to the credit of Google and Microsoft also includes some Malware issues.

 

Google:

 

https://www.google.com/transparencyreport/?hl=en

 

Microsoft:

 

https://www.microsoft.com/about/csr/transparencyhub/

 

Twitter:

 

https://transparency.twitter.com/

 

 

[DevTech]

MIsc Hacked Website Info:

 

• Three Israeli researchers uncovered that the major Chinese-based ISPs named China Telecom and China Unicom, two of Asia's largest network operators, have been engaged in an illegal practice of content injection in network traffic "Now, Chinese Internet Service Providers (ISPs) have been caught red-handed for injecting Advertisements as well as Malware through their network traffic. If an Internet user tries to access a domain that resides under these Chinese ISPs, the forged packet redirects the user's browser to parse the rogue network routes. As a result, the client's legitimate traffic will be redirected to malicious sites/ads, benefiting the ISPs."
• Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it "The infected Linux ISO images installed the complete OS with the Internet Relay Chat (IRC) backdoor Tsunami, giving the attackers access to the system via IRC servers."
• Drive-by download (definition - I think some people might be unfamiliar with the term)
• Google: Rebooting Responsible Disclosure: a focus on protecting end users
• Zero-day "Malware writers can exploit zero-day vulnerabilities through several different attack vectors. Sometimes, when users visit rogue Web sites, malicious code on the site can exploit vulnerabilities in Web browsers. Web browsers are a particular target for criminals because of their widespread distribution and usage."
• Project Zero News and updates from the Project Zero team at Google

[DevTech]

Misc Malware Notes:

 

• GozNym combines Nymaim and Gozi Trojans to hit 24 U.S. and Canadian banks "The new computer Trojan targets 22 websites that belong to banks, credit unions and e-commerce platforms based in the U.S., and two that belong to financial institutions from Canada. Business banking services appear to be a top target for GozNym's creators, according to the IBM researchers. Nymaim is what researchers call a dropper. Its purpose is to download and run other malware programs on infected computers. It is usually distributed through Web-based exploits launched from compromised websites. Nymaim uses detection evasion techniques such as encryption, anti-VM and anti-debugging routines, and control flow obfuscation. In the past, it has primarily been used to install ransomware on computers. This malware is as stealthy and persistent as the Nymaim loader while possessing the Gozi ISFB Trojan’s ability to manipulate Web sessions, resulting in advanced online banking fraud attacks, the IBM X-Force researchers said"

[DevTech]

Server Info

 

• How Hacked Servers Can Hurt Your Traffic
• Malware and unwanted software
• Social Engineering (Phishing and Deceptive Sites)
• How do I know if my site is hacked?
• Fixing the cloaked keywords and links hack
• Fixing the gibberish hack
• Disavow backlinks
• Common violations of the unwanted software policy
• Google Webmaster Help Forum