Cryptome.org hacked into serving up Blackhole exploit kit

Filed Under: Featured, Malware, Vulnerability

Cryptome.org, a website dedicated to publishing secret and censored documents, spent the past four days serving its visitors code that redirected them to a variant of the Blackhole exploit kit.

Fortunately the operators of Cryptome were able to restore the site from backup tapes and remove the malicious code before too many visitors were compromised by the exploit kit.

Cryptome believes the malware, which Sophos detects as Mal/Iframe-X, attempted to infect 2,863 visitors after all of the site's HTML files were modified on February 8th, 2012.

The injected code specifically targeted Windows users running Internet Explorer 6, 7 and 8, and redirected them to an off-site server hosting the Blackhole exploit code.
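The modification described above, a hidden off-site iframe dropped into every static page, is the kind of change a site operator can detect mechanically. The following is an added example (not Cryptome's code and not from the original post) that does two things on constructed sample pages: it flags iframes that point off-site, are one pixel in size, or are styled invisible, and it compares each file's SHA-256 against a manifest taken from a known-good copy so that modified files stand out even when an injection takes a form the heuristics miss. The host name, file names and page contents are assumptions; the post does not say how the IE 6, 7 and 8 targeting was implemented, so the example does not try to model that.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host the site is served from. Assumption for this example.
SITE_HOST = "cryptome.org"

# Constructed sample pages (not Cryptome's real files): a clean page, and the
# same page with a hidden off-site iframe appended, the generic shape of an
# exploit-kit redirector injected into static HTML.
CLEAN_PAGE = (
    "<html><head><title>Index</title></head><body>\n"
    "<p>Documents</p>\n"
    '<iframe src="/embed/doc.html" width="600" height="400"></iframe>\n'
    "</body></html>\n"
)
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://redirector.invalid/in.php" width="1" height="1" '
    'style="visibility:hidden;position:absolute"></iframe></body>',
)

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of 0 or 1 pixel, the usual size of a hidden frame."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, site_host=SITE_HOST):
    """Return [(src, [reasons])] for iframes that are off-site, tiny or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src => same host
        reasons = []
        if host != site_host and not host.endswith("." + site_host):
            reasons.append("offsite:" + host)
        if _tiny(frame.get("width", "")) or _tiny(frame.get("height", "")):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden")
        if reasons:
            hits.append((src, reasons))
    return hits


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(files):
    """files: {path: html}. Build {path: sha256} from a known-good tree, e.g. a clean git checkout."""
    return {path: sha256_hex(html) for path, html in files.items()}


def changed_files(manifest, files):
    """Paths whose content no longer matches the manifest (or that the manifest never saw)."""
    return sorted(p for p, html in files.items() if manifest.get(p) != sha256_hex(html))


def scan_site(manifest, files, site_host=SITE_HOST):
    """Combine both checks: for each changed file, list the suspicious iframes in it."""
    return {p: suspicious_iframes(files[p], site_host) for p in changed_files(manifest, files)}


if __name__ == "__main__":
    good = build_manifest({"index.html": CLEAN_PAGE, "about.html": CLEAN_PAGE})
    now = {"index.html": INFECTED_PAGE, "about.html": CLEAN_PAGE}
    for path, frames in scan_site(good, now).items():
        print(path, frames)
```

The manifest comparison is the check that generalises: an attacker who injects a `<script>` instead of an iframe slips past the heuristics but still changes the hash, and a site kept in version control gets the manifest for free from its last clean commit.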

One comment made to Cryptome's blog about the incident makes some interesting observations on how the server may have been exploited.

It appears the web server supports Microsoft FrontPage Server Extensions (and WebDAV, the other publishing channel FrontPage clients use), which are designed to let FrontPage users publish web pages without all the scary complexity of FTP or SSH/SCP.

FrontPage has been discontinued for quite some time, and the server extensions that support it have been buggy and have had security vulnerabilities from day one (zero?).

I recently had a security incident on a personal web server (which I will write up once my research is complete) and thought this might be a good time to highlight some best practices.

Maintaining a secure online presence is not easy, but there are some things you should think about if you operate a web site.

  • Reduce the attack surface. Don't load WebDAV, FrontPage extensions, PHP/Perl/Python/Ruby or any other module into your web server that you aren't actively using. The fewer moving parts you have, the harder it is to break.

  • Turn off debugging and server status pages. Many sites happily report precisely which software and versions are installed and enabled on the server, letting attackers pick the exact exploit for a known vulnerability.

  • Stop using FTP. It's dead, okay? Passwords sent in the clear, data channels that aren't firewall/NAT friendly, and so on. Use a secure protocol for publishing such as SCP or SFTP, preferably authenticated with protected keys rather than passwords.

  • Consider using a version control system such as Git or CVS to publish and monitor your sites. Not only can you easily undo mistakes, but a diff against the repository tells you exactly which files an intruder changed, which makes recovering from an incident much easier.

  • Watch your logs carefully, and consider tools such as a web application firewall that can block known attack patterns.
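The first three items above are checks you can run against configuration files rather than keep in your head. The following is an added example (not part of the original post, and not Sophos or Cryptome code) that audits an Apache httpd.conf for loaded publishing, scripting and status modules, for ServerTokens and ServerSignature settings that reveal versions, and for an exposed /server-status or /server-info location, and audits sshd_config for password logins, since the SCP/SFTP replacement for FTP should use keys. The module list, the sample configurations and the defaults assumed for unset sshd keywords are constructed for the example.

```python
import re

# Modules that implement publishing, scripting or introspection features a
# static site rarely needs. Illustrative list for this example; adjust to taste.
RISKY_MODULES = {
    "dav_module": "WebDAV publishing",
    "dav_fs_module": "WebDAV filesystem backend",
    "status_module": "/server-status page",
    "info_module": "/server-info page",
    "php5_module": "PHP",
    "php7_module": "PHP",
    "perl_module": "mod_perl",
    "python_module": "mod_python",
    "passenger_module": "Passenger (Ruby)",
}
INTROSPECTION_LOCATION = re.compile(r"<Location\s+(/server-(?:status|info))\s*>", re.I)


def _directives(text):
    """Yield (lower-cased name, args) for each non-comment, non-block line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *args = line.split()
        yield name.lower(), args


def audit_httpd(text):
    """Findings for an Apache httpd.conf: risky modules, version leakage, status pages."""
    findings = []
    tokens = signature = None
    for name, args in _directives(text):
        if name == "loadmodule" and args and args[0] in RISKY_MODULES:
            findings.append(f"LoadModule {args[0]}: {RISKY_MODULES[args[0]]} enabled")
        elif name == "servertokens" and args:
            tokens = args[0].lower()
        elif name == "serversignature" and args:
            signature = args[0].lower()
    if tokens != "prod":  # Apache's default is Full, which leaks module versions
        findings.append(f"ServerTokens is {tokens or 'unset (defaults to Full)'}; set Prod")
    if signature not in (None, "off"):  # Apache's default is Off
        findings.append(f"ServerSignature is {signature}; set Off")
    for raw in text.splitlines():
        m = INTROSPECTION_LOCATION.match(raw.strip())
        if m:
            findings.append(f"{m.group(1)} is configured; remove it or restrict it")
    return findings


def audit_sshd(text):
    """Findings for sshd_config: keys rather than passwords for SCP/SFTP publishing."""
    first = {}  # sshd honours the first occurrence of each keyword
    for name, args in _directives(text):
        first.setdefault(name, args[0].lower() if args else "")
    findings = []
    if first.get("passwordauthentication", "yes") != "no":  # sshd default is yes
        findings.append("PasswordAuthentication is not 'no'")
    if first.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if first.get("permitrootlogin", "yes") != "no":  # default varies by version; assumed yes
        findings.append("PermitRootLogin is not 'no'")
    return findings


# Constructed sample configurations for the example.
WEAK_HTTPD = """\
ServerTokens Full
ServerSignature On
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule status_module modules/mod_status.so
LoadModule rewrite_module modules/mod_rewrite.so
<Location /server-status>
    SetHandler server-status
</Location>
"""
HARDENED_HTTPD = """\
ServerTokens Prod
ServerSignature Off
#LoadModule dav_module modules/mod_dav.so
LoadModule rewrite_module modules/mod_rewrite.so
"""
WEAK_SSHD = "PasswordAuthentication yes\nPubkeyAuthentication yes\nPermitRootLogin yes\n"
HARDENED_SSHD = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for label, findings in (("httpd", audit_httpd(WEAK_HTTPD)), ("sshd", audit_sshd(WEAK_SSHD))):
        for f in findings:
            print(f"{label}: {f}")
```

Run it on the real files with `audit_httpd(open("/etc/httpd/conf/httpd.conf").read())`; on Debian-style layouts concatenate `mods-enabled/*.load` and the conf files first, since the LoadModule lines live there.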

Owning a web site is like owning a home: it comes with the responsibility of maintenance and care to keep it in tip-top shape. Unfortunately it also comes with a bit of liability if you don't invest the necessary time.

Creative Commons image of a black hole courtesy of WikiMedia Commons.


2 Responses to Cryptome.org hacked into serving up Blackhole exploit kit

  1. Roger Moore · 921 days ago

    There's nothing secret about Cryptome, it's been around for ages. A better way to describe it would have been to say it's lesser known than Wikileaks or something... but secret, no.

    • Craig · 920 days ago

      They didn't say the organisation was secret - just that the information they expose is.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.