During the last days, several high profile domains have been defaced including domains from two prominent security companies. In addition to these, high profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis It does not seem that the actual webserver has been compromised, the most possible attack vector was that the DNS have been hijacked.
When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did; or what kind of information they were able to obtain. When analyzing previous compromises and defaces it seems that there is a "new" trend within hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain there were two indicators that stood out.
The domains who were compromised yesterday and today all had an very recent update record in their DNS, and they were all using the same DNS registrar – NETWORK SOLUTIONS, LLC.
Another interesting thing is that all domains that was attacked yesterday and today only had the status: "clientTransferProhibited" while the domain alexa.com who was updated 10 September 2013 also had additional "server" settings enabled. If this is related to the attack is very difficult to say.
Domain Name: REDTUBE.COM Registrar: NETWORK SOLUTIONS, LLC. Status: clientTransferProhibited Updated Date: 07-oct-2013 Domain Name: ALEXA.COM Registrar: NETWORK SOLUTIONS, LLC. Status: clientTransferProhibited Status: serverDeleteProhibited Status: serverTransferProhibited Status: serverUpdateProhibited Updated Date: 10-sep-2013 Domain Name: WHATSAPP.COM Registrar: NETWORK SOLUTIONS, LLC. Status: clientTransferProhibited Updated Date: 08-oct-2013
Between the targets that were attacked, one very big hosting provider, LeaseWeb, wrote about their DNS compromise on their blog:http://blog.leaseweb.com/2013/10/06/statement-on-dns-hijack-of-leaseweb-com-website/
Interestingly, after the compromise, LeaseWeb moved to a new registrar – KeySystems Gmbh.
At the moment we do not know if NETWORK SOLUTIONS were compromised, or if the attackers simply got hold of control panel logins by other methods such as bruteforcing. Additional to the DNS redirection/hi-hacking attack, were they only out for spreading a political message or are they actually leveraging an unknown exploit?
UPDATE:2013-10-08 16:30: Avira confirms that Network Solutions was hacked. More information about this can be found at the following article from Softpedia: http://news.softpedia.com/news/Avira-Confirms-Network-Solutions-Has-Been-Hacked-389422.shtml
At the time of writing, we do not know yet, but we really recommend that you update to the latest available product and signature database because there might be more compromised domains out there.
An image of the defaced website is found below:
2013 Nov 01, 14:16
kaspersky does not work for hackers
hacking in the u.s.a. is illegal and legal. it is against the law to hack a business, but hacking a home pc is perfectly legal. I have been hacked for the past 10 yrs. people at my job constantly hack into my pc and they tell everyone at work what all of my email say and lock me out of game servers. my internet connection is secure, my pc is secure, I have used every anti-virus on the market, I have even reported it to the police and fbi - their response it is perfectly legal to hack into a home pc as long as they don't steal a credit card number and use it. I asked one of the hackers and they told me they have hacking software that costs $800 that lets them break into any pc. I constantly change all of my passwords and even moved and they still break in 24/7.