Mistaken identity: Indiana Dept. of Education hacked a second time

Defacement message suggests attackers were targeting domains in India


Late last week, the Indiana Department of Education's website was defaced for a second time, just days after attackers claiming to represent the Nigeria Cyber Army used a vulnerability in the site's CMS platform to carry out the first attack.

The second attack left behind a longer, taunting message, which suggests mistaken identity as a possible reason for the attack.

During the first incident, the attackers targeted a flaw in Drupal, which if exploited would enable SQL Injection, and – in some cases – total control over the targeted host. The attackers left a single message, a graffiti-like tag to mark their presence and signal a successful exploitation.

In response, the Indiana Department of Education took their main website offline for several hours. Based on the statement issued at the time, the presumption was that the department's IT staff would patch the website in order to prevent further attacks of this type.

The Nigeria Cyber Army returned a few days later, and defaced the website for a second time. Instead of a single tag however, the defacement included iconography and a longer message:

"...Security is just an Illusion. Suprised (sic) we are here agaian (sic)? The last time this site was down no patch was done and our message is help us educate the entire Indian script kiddies who call themselves hackers to quit the Nigerian cyber space. Expect us..."

Again, the Indiana Department of Education pulled their website offline, and once it returned, it appeared to be running the latest version of Drupal. Salted Hash attempted to contact the Indiana Department of Education about the incident, but there was no response by the time this story was published.

On closer examination, the mention of Indian script kiddies during the second attack looked out of place. The domain in question belongs to a government department within the State of Indiana, so why mention Indian hackers?

If one considers how groups like the Nigeria Cyber Army operate, the message takes on a new meaning, and suggests that the State of Indiana wasn't the target at all; the Indian government was.

Tools, Tactics, and Procedures:

As is the case with similar groups, the Nigeria Cyber Army mostly targets websites with easily exploited vulnerabilities that scanners and targeted Google searches can quickly identify.

In a majority of cases, SQL Injection is the top attack vector and CMS platforms are the common attack surface. However, local or remote file include vulnerabilities, and default credentials in the administrative areas of the website, are popular as well.

Examples of recent attacks can be seen on the Nigeria Cyber Army Facebook page.

It's likely that the Nigeria Cyber Army was scanning for vulnerable Drupal installations or vulnerable websites in general. One way to do this would be to filter results by domain, such as gov.in for India. However, if the results were reversed – in.gov – then the domains are maintained by Indiana, not India.

Such a mistake could be the result of poor scripting or a quick glance at the URL. But no matter what the reason for the mistake, the result would be the same: a vulnerable domain is discovered and exploited.
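The scripting error described above is easy to reproduce. The following is an added example, not code from the story or from any group it mentions: a naive check that only asks whether the labels "gov" and "in" both appear in a hostname lumps Indiana's in.gov domains in with India's gov.in, while a check on the actual registrable suffix keeps them apart. The hostnames are constructed for illustration.

```python
# Constructed sample hostnames, of the kind a scan or search result list might hold.
SAMPLE_HOSTS = [
    "www.education.in.gov",  # Indiana state government (in.gov)
    "portal.example.gov.in",  # Indian central government (gov.in)
    "intranet.gov.example",   # neither; contains "gov" but not "in"
]


def naive_is_india_gov(host: str) -> bool:
    """The kind of test a hastily written filter might use: it checks that the
    labels 'gov' and 'in' are both present and ignores their order, so a
    reversed in.gov hostname passes as well as a genuine gov.in one."""
    labels = set(host.lower().rstrip(".").split("."))
    return {"gov", "in"} <= labels


def registrable_suffix(host: str, labels: int = 2) -> str:
    """Return the last `labels` DNS labels, which for gov.in and in.gov is the
    part that actually identifies who administers the namespace."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def classify(host: str) -> str:
    """Attribute a hostname to its administering government by suffix, in order."""
    suffix = registrable_suffix(host)
    if suffix == "gov.in":
        return "India"
    if suffix == "in.gov":
        return "Indiana"
    return "other"


def compare(hosts):
    """Show, per host, what the naive filter claims versus the ordered check."""
    return {h: (naive_is_india_gov(h), classify(h)) for h in hosts}


if __name__ == "__main__":
    for host, (naive, correct) in compare(SAMPLE_HOSTS).items():
        print(f"{host:28} naive says India: {naive!s:5} suffix says: {correct}")
```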

The scanning and exploitation can be done by a number of methods, including automation.

The Nigeria Cyber Army, for example, uses a script that was allegedly written by a different group – the Bangladesh Cyber Army – that offers total control over the compromised host.

Salted Hash discovered a live example of this tool on a server in Indonesia. Once installed, usually during the initial attack, the script can be used to scan the server for additional vulnerable sites; if any are discovered, they can all be defaced with a single command.

This is why the mitigation guidance for the Drupal attacks recommended a full server check: one vulnerable domain made it possible for the attackers to install backdoors or compromise additional websites on the same host.
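One part of such a server-wide check is simply knowing which other sites on the host run the same CMS and at what version. The following is an added example, not code from the story: it walks a web root holding several virtual hosts, reads the core version that Drupal 7 records in `includes/bootstrap.inc`, and lists the installs below a minimum version the operator supplies. The web root fixture is constructed inline, and `minimum` is a placeholder for whatever the relevant Drupal advisory names as the fixed release.

```python
import re
import tempfile
from pathlib import Path

# Drupal 7 core declares its version in includes/bootstrap.inc as
#   define('VERSION', '7.xx');
VERSION_RE = re.compile(r"define\('VERSION',\s*'([\d.]+)'\)")


def find_drupal_sites(webroot: Path) -> dict:
    """Map each Drupal 7 site root under webroot (relative path) to its core
    version, or None when bootstrap.inc exists but no version could be read."""
    found = {}
    for bootstrap in sorted(webroot.rglob("includes/bootstrap.inc")):
        site_root = bootstrap.parent.parent
        match = VERSION_RE.search(bootstrap.read_text(errors="replace"))
        found[str(site_root.relative_to(webroot))] = match.group(1) if match else None
    return found


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def outdated_sites(sites: dict, minimum: str) -> list:
    """Sites whose version is unknown or older than `minimum` (placeholder
    supplied by the operator; the story does not name a fixed release)."""
    floor = parse_version(minimum)
    return sorted(site for site, ver in sites.items()
                  if ver is None or parse_version(ver) < floor)


def build_sample_webroot() -> Path:
    """Constructed fixture: two vhosts on one server running different versions."""
    root = Path(tempfile.mkdtemp())
    for vhost, version in (("site-a.example", "7.31"), ("site-b.example", "7.34")):
        inc = root / vhost / "htdocs" / "includes"
        inc.mkdir(parents=True)
        (inc / "bootstrap.inc").write_text(f"<?php\ndefine('VERSION', '{version}');\n")
    return root


if __name__ == "__main__":
    sites = find_drupal_sites(build_sample_webroot())
    for site, version in sites.items():
        print(f"{site:24} Drupal {version}")
    print("below minimum:", outdated_sites(sites, "7.33"))
```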

Prevention and Protection:

Being caught in the crossfire due to a case of mistaken identity would certainly make for a long and frustrating day – but it isn't something one can easily avoid.

When it comes to preventing these types of attacks, the standard best practices will apply.

Attackers like the Nigeria Cyber Army target low-hanging fruit. For the Indiana Department of Education, the low-hanging fruit was a vulnerable, unpatched installation of Drupal. Again, while the target was supposed to be India, the fact that Indiana showed up in the list of vulnerable domains made them a valid target no matter what.

Vulnerable code of any sort is fair game in the eyes of attackers like the Nigeria Cyber Army, making it essential that patches are applied as soon as they are available, especially if they relate to critical vulnerabilities.

Moreover, when applications are developed in-house, following development best practices, and limiting the usage of third-party libraries and code, will also help lower the chance of success with these types of attacks.

Update:

As this story was being posted, AnonGhost defaced the primary domain for Parke County in Indiana. This wasn't a case of mistaken identity, but a targeted attack. Parke County uses an outdated Drupal installation, and was likely discovered through a Google search.

The defacement message, pro-privacy and anti-government, is the same message that's been used several times by AnonGhost over the last year.
