Follow-up: Syrian Electronic Army responds to attack article

Earlier this week, Salted Hash published a first-hand account of an attack by the Syrian Electronic Army (SEA) against IDG Enterprise. Later that same day, one of the group’s members responded.

The first response from the SEA was a message that included an IDG staffer’s email address and password. This information was presented for shock value, as a way to prove that the SEA were in fact successful in their Phishing attack against IDG.

But the information presented wasn’t correct, as there were inconsistencies. So the attempt at shock and fear turned into something completely different.

The Phishing attack on IDG used a fake Outlook Web Access (OWA) portal as the landing page. The OWA portal represented a version that IDG doesn’t use, so when the staffer in question viewed the page, he reported it immediately.

As mentioned in the original article on the attack, awareness emails are common at IDG. However, awareness isn’t a cure-all, and our security team understands that someone will fall for a Phishing attack eventually. Staffers are encouraged to report anything suspect, and no one is punished for being a victim.

In this case, when the staffer noticed the odd OWA portal, they reported it and the email that led them to it. Their password was reset by the security team because it was potentially exposed. Thanks to the SEA member’s attempt at intimidation, it’s clear this was the right move to make.

A known bad actor:

The SEA member in question calls himself Th3Pr0. He’s been active for some time, but came to my attention when he hacked Harvard University in 2011. At the time, he leaked a SQL database taken from the school’s CMS platform, which was hosted on the sever he exploited. In addition to the database leak, he also defaced one of the school’s domains with anti-American propaganda.

Th3Pr0 has told the media that he is the “Leader Of Special Operations Department” – without actually explaining what that title entails. In addition, he’s stated that he’s a teenager; noting that he hadn’t yet finished high school at the time the SEA attacked the Associated Press last year.

Researchers have linked Th3Pr0 to the name Hatem Deeb. He denies that’s his name, and takes offense to the reference. According to him, Deeb is actually a friend that has helped pay for servers and other things in the past and he has no role within the SEA. But while his real name may or may not be known (the evidence says otherwise), Th3Pr0’s history with the SEA is undisputed.

The notion that the attack on IDG wasn’t a SEA decision, but the act of a single individual, is an interesting one.

So, who is the rogue actor? What was their motive? How are targets determined by the powers that be within the SEA’s ranks? Are all targets vetted and weighed in order to get the most impact?

Given the lackluster performance of the original Phishing attack against IDG, and confirmation that it was only a single individual who conducted it, his remarks seem to prove that there is an A Team and a B Team within the group. It’s the B Team that perform the lower-level attacks.

When compared to the attacks against MelbourneIT, which led to DNS redirects on Twitter, the New York Times, and Huffington Post websites, the attack on IDG was small potatoes.

The group has also targeted the Associated Press, CBS News, the Guardian, and others. But again, those attacks were more focused, so it would seem that IDG got lucky.

However, Th3Pr0 hinted at further attacks, so what’s next?

Dodging bullets:

The fact that a single hacker online promised additional attacks isn’t something to panic over, but that doesn’t mean that the threats should be dismissed. The best practice, after an attack is identified, and either stopped or avoided, is to keep your guard up.

Groups like the SEA go for the low-hanging fruit. This means they will use Phishing and scan websites for easily exploited vulnerabilities.

Phishing is their primary source of access, because once an account is compromised, it can be harvested for additional information (such as usernames and passwords) and used to stage further Phishing attacks from a trusted source. Keep in mind, email isn’t the only way to obtain information, as a phone call works just as well in many cases.

In the past, the SEA has focused on SQL Injection, but they’re not going to ignore Remote or Local File Include vulnerabilities. If your website is using an older version of WordPress or Joomla (or outdated add-on scripts and themes), Apache, PHP, PHPMyAdmin, MySQL, etc., it’s vulnerable. It will be compromised. Attacks using known vulnerabilities only take a few moments to complete for most automated scanners.

If the SEA gains access to the webserver, it’s used to stage further attacks against the current victim, as well as host additional attacks for as long as they can remain in control. In addition, such access enables them to deface the website.

However, if they can control the hosting over the domain, then they will direct the URL to a server they control, which is why domain locking is an important security step when dealing with them.

This type of attack surface is usually related to Phishing, because victims have kept the registration emails from the registrar, thus enabling the SEA to access the hosting account directly.

As mentioned previously, when dealing with the SEA, communication is the key. After that, it’s wise to focus on limiting the attack surface as much as possible.

In the previous article, Ira Winkler suggested some mitigation steps for dealing with the SEA and similar groups. They’re worth repeating:

• Make sure that all URLs related to the company are locked, which will prevent them from being transferred or otherwise altered at the registrar level.

• When it comes to social media, such as Twitter or Facebook, use two-factor authentication options.

• Related to the second point, make sure that the people responsible for social media accounts are aware of any potential threats, and know how to deal with Phishing or Social Engineering attempts. Special attention should be paid to people who have access to Tweetdeck, Hootsuite, or the equivalents.

• Special attention should be given to users on mobile devices, as they lack the ability to perform the anti-Phishing checks that most desktop users can, including hovering over URLs to determine the actual source. In addition most mobile users are without anti-Phishing (reputation based) protections, and lack the ability to detect malicious attachments.

When they attack, the SEA is looking to spread propaganda and gain attention. If their victim can be embarrassed, then that’s icing on the cake. Ironically, others have tried to embarrass the SEA in the past, particularly Th3Pr0.

Not too long ago, a file said to be an archive of the SEA’s website appeared on the Web. The SEA, it was claimed, had been hacked. On Twitter, the SEA denied this, and demanded that those stating otherwise show proof.

Salted Hash has seen this archive, which appears to be a replica of the SEA domain. In the interest of providing proof, the following data comes from the server’s /etc/passwd file and the corresponding shadow file entry.

root:x:0:0:root:/root:/bin/bash

root:$1$u/w2Z/Bb$X3CScVo.SDDVybHnPR0rB.:15703:0:99999:7:::

sea:x:10002:505::/var/www/vhosts/sea.sy:/bin/false

sea:$1$2U0ooGu5$g7VrHa135vtffNXzsxxsG0:15822:0:99999:7:::

The point, made by those who leaked the archive file, is that even hackers can be hacked.

When it comes down to it, dealing with the SEA or groups like them requires vigilance and awareness. Doing so will only make their jobs that much harder, but that doesn’t mean it makes their jobs impossible.

So while the SEA may target low-hanging fruit, they can’t be dismissed out-of-hand because they’re still highly successful.

However, they’re not perfect, and as shown previously, some of their methods are easily spotted and can be mitigated. The trick is knowing what to look for, and knowing where you’re weakest when it comes to an attack surface.