It was reported this weekend that a group called ‘System DZ’ is responsible for hacking multiple US Government websites on Sunday. IT security experts commented below.
Lee Munson, Security Researcher at Comparitech.com:
“While there is no way to know for sure how Ohio government websites were hacked recently, the likelihood is that the attackers leveraged cross-site scripting or SQL injection (as done previously, here) to gain access to the back end.
Such an attack is not overly sophisticated and is easy to pull off against a website that lacks basic security controls, such as correct read/write permissions, latest patch installs, etc.
Once the attacker had access to the administration side of the website, they simply needed to swap the homepage out for the message they had created.
The group allegedly behind the attack – Team System DZ – appears to be a pro-ISIS group formed around November 2015. According to the group’s Facebook page, it has been responsible for several previous defacements of lesser government and educational websites since its inception.”
Andrew Clarke, EMEA Director at One Identity:
“The most recent attack from the group known as Team System DZ struck Ohio in the United States over the weekend. This attack is called a website defacement, where the home page of a website, in this case government websites, is replaced by propaganda in support of the group’s beliefs or intentions. In general, these attacks do not garner the type of media attention that phishing schemes or ransomware do because the hard dollar cost is difficult to calculate; rather, the negative impact is measured in lack of trust or brand damage. Sometimes, however, they can be a front for a follow-on and more severe attack.
We have seen groups such as Team System DZ being active over recent months, but according to the website defacement tracker site Zone-H, just since Friday morning they have been responsible for over 200 website defacements. There is no pattern to this – the websites cover a range of areas, including US government offices.
Often the websites have been developed with WordPress – where several recently exposed vulnerabilities have increased the opportunity for this type of defacement. The best approach is to lessen the opportunity for compromise. One of the first steps to secure WordPress is to change the default username and password for admin. It is easily guessed by a potential hacker so an alternative account name for admin will help.
These attacks are performed by storing a malicious file on the target server that gets executed at a specific time. Rectifying the situation is not difficult and is a multi-step process. First, the admin takes the server offline to ensure the negative message is not spread any further. Then, the admin must find the offending file(s). This is the tough step, as it’s difficult to determine when the offending file was uploaded or by whom. There are several websites available to aid in this action. Next, a restore from a state prior to the offending file being uploaded is performed and “presto,” the website is restored. To be prepared for a potential defacement, organisations are encouraged to regularly back up their website, so if a rollback is required it can be done quickly and easily.
Since the most common way that hackers can access a WordPress account is through compromised or easily guessed passwords, a strong 12-character password should be selected. Passwords should then be managed effectively through a password management tool that causes a password to be reset frequently and provides a self-service capability to minimise administration tasks. This can be done through privileged account management solutions as well as multi-factor authentication. Going forward, the admin needs to make sure backups are performed regularly and that access to the server is hardened. In addition, ensuring the firewalls are configured to limit access is always a good idea.”
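The step Clarke calls the tough one, finding which files were added or altered, is much easier when a hash baseline of the web root exists from before the incident. The following is an added example, not code from One Identity or from the original article: it builds a SHA-256 baseline of a constructed sample web root, simulates a swapped home page and a dropped file under an uploads directory, and reports exactly what changed. The directory layout and file names are constructed for the demonstration and are not taken from the incident.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative path) to its content hash."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_against_baseline(baseline: dict, root: Path) -> dict:
    """Compare the current web root with a stored baseline.

    Returns sorted lists of added, removed and modified relative paths;
    'added' is where a dropped web shell or defacement payload would show up,
    'modified' is where a replaced home page would show up.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in current.keys() & baseline.keys()
            if current[path] != baseline[path]
        ),
    }


def demo() -> dict:
    """Constructed sample: a tiny WordPress-like tree, baselined, then defaced."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'welcome'; ?>\n")
        (uploads / "logo.png").write_bytes(b"\x89PNG constructed sample bytes")

        baseline = build_baseline(root)  # would normally be stored off-host

        # Simulate the defacement described in the article: the home page is
        # swapped out and an unexpected script appears in the uploads directory.
        (root / "index.php").write_text("<html>constructed defacement page</html>\n")
        (uploads / "unexpected.php").write_text("<?php /* constructed sample */ ?>\n")

        return diff_against_baseline(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken right after a clean deployment and kept off the web server (a compromised host can rewrite a baseline stored next to the content), and the check is run on a schedule; a non-empty `added` or `modified` list on a site that has not been deployed since is the alert.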
Itsik Mantin, Director of Security Research at Imperva:
“Website defacement attacks are probably the most common and easy-to-mount class of web attacks. The group Team System DZ that is claimed to be behind this attack has a history of defacement attacks for political purposes and, from previous analysis of incidents attributed to them, it seems that their way of working is mostly opportunistic: using basic hacking tools like brute force on admin passwords on a large number of sites of interest, and once finding sites that are unprotected, taking over these sites and planting the group’s message on the site.
Without referring specifically to this incident, and regardless of the actual method that was used in this attack, the sad fact is that even today, after at least 20 years of research into web attacks and mitigations, and with numerous web attack protection solutions available on the market, a significant portion of web applications are still vulnerable to some of the oldest tricks in the web attack book, like password brute force.”
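Mantin's point that opportunistic password brute force still works is also a detection opportunity: repeated login failures from one source in a short window stand out in any login audit log, and a success from the same source right after a burst of failures is the signal that an account was actually taken over. The following is an added example, not Imperva's code or anything from the original article. The log format (timestamp, client IP, target user, outcome) and the sample lines are constructed for the demonstration; the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample login audit log. The format is an assumption for this
# example, not the format of any specific product; addresses are documentation ranges.
SAMPLE_LOG = """\
2017-06-26T09:00:01Z 203.0.113.5 wp-login user=admin result=fail
2017-06-26T09:00:02Z 203.0.113.5 wp-login user=admin result=fail
2017-06-26T09:00:03Z 203.0.113.5 wp-login user=admin result=fail
2017-06-26T09:00:04Z 203.0.113.5 wp-login user=admin result=fail
2017-06-26T09:00:05Z 203.0.113.5 wp-login user=admin result=fail
2017-06-26T09:00:06Z 203.0.113.5 wp-login user=administrator result=fail
2017-06-26T09:00:40Z 198.51.100.7 wp-login user=editor result=fail
2017-06-26T09:01:10Z 198.51.100.7 wp-login user=editor result=success
2017-06-26T09:05:00Z 203.0.113.5 wp-login user=admin result=success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) wp-login user=(\S+) result=(fail|success)$")


def parse(lines):
    """Yield (timestamp, ip, user, outcome) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag source IPs with at least `threshold` failed logins inside `window_s` seconds.

    For each flagged IP the result records when the burst started, which
    usernames were tried, and whether a successful login followed (the
    case a defender must treat as a probable account takeover).
    """
    recent_fails = defaultdict(deque)  # ip -> timestamps of failures in the window
    flagged = {}
    for ts, ip, user, outcome in parse(lines):
        if outcome == "fail":
            window = recent_fails[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            if ip in flagged:
                flagged[ip]["users"].add(user)
            elif len(window) >= threshold:
                flagged[ip] = {"first_seen": window[0], "users": {user}, "success_after": False}
        elif ip in flagged:
            # A success after the burst: the guessed password most likely worked.
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A single ordinary user mistyping a password twice (the 198.51.100.7 lines) never reaches the threshold and is not reported, while the burst against the default `admin` account is, together with the later success that should trigger a password reset and a review of what that session changed. The same sliding-window logic transfers directly to a web application firewall rule or a login-lockout plugin.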
Chris Olson, CEO at The Media Trust:
“Website defacement is a typical tactic used by hacktivists seeking to have their voices heard. While the cause is still being investigated, it wouldn’t surprise me to discover that this defacement leveraged a phishing attack (via email or website third-party code) to obtain administrative privileges and access the web server. During the past 10 months, The Media Trust has detected a 35% increase in web-based phishing incidents. In these scenarios, employees visit reputable websites–news, travel, office supplies, weather, etc.–during the course of their day and are presented with a fake survey or sweepstakes requesting input of personal information. In other scenarios, bad actors exploit the digital advertising ecosystem to profile website visitors and inject malware only when certain conditions are met.”
Chris explains, “Traditional security defenses like blacklists, whitelists, generic threat intelligence, AVs, web filters and firewalls can’t keep up with the highly dynamic digital environment. IT departments need an additional layer of protection that leverages real-time threat intelligence regarding active, rapidly morphing threats propagating in the digital ecosystem. This web-based attack data exposes real malware events that can be proactively arrested before they penetrate the enterprise network and endpoints.”