A breach that caused Cryptome.org to infect visitors with virulent malware was one of at least six attacks reported to hit high-profile sites or services in the past few days. Others affected included Ticketmaster, websites for Mexico and the state of Alabama, Dutch ISP KPN, and the Microsoft store in India.
Cryptome, a repository of leaked documents and other information concerning free speech, privacy and cryptography, was attacked by hackers who left code on its servers that attempted to infect visitors using Windows PCs with a trojan spawned by the Blackhole Toolkit, the website reported on Sunday.
Cryptome founder John Young said in an e-mail that he believes the attackers were able to infect his website with a poisoned PHP file by exploiting a weakness in security or server software provided by Network Solutions, which hosts the Cryptome website.
“It is not yet clear how the attacker got past Network Solutions (our ISP)’s security which has been pretty good,” Young wrote in an e-mail to Ars. “A security expert sent a message just minutes ago which included a security scan of Cryptome which indicated the attacker likely knew how to bypass NetSol’s security with sophisticated tricks.”
The security expert said an exploit of the PHP management system gave attackers highly privileged write access to the Cryptome server’s document root. The attack was likely carried out by an automated script that swept large swaths of the Internet for vulnerable Web servers.
If the vulnerability that was exploited resides in the software Network Solutions provides its customers, other websites may be compromised by the same attack, said the security researcher, who asked to be identified as Lifeguard. A spokesman for Network Solutions didn’t immediately respond to requests for comment. Network Solutions customers who have recently experienced security breaches are encouraged to contact this reporter.
According to security firm Symantec, the Blackhole Toolkit exploits vulnerabilities in a variety of software packages running on Microsoft’s Windows operating system. The PHP code on Cryptome’s servers specifically excluded infecting machines using IP addresses from Google, presumably to keep the infection from coming to the attention of the company’s antimalware defenses. Indeed, Google’s safe browsing diagnostics for Cryptome showed no reports of compromise.
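As an added example (not code from the article, from Cryptome, or from any of the firms named), here is a small Python scanner a responder could run over a document root to flag PHP files that gate what they serve on the visitor's address or user agent while also carrying an obfuscated or injected payload, the crawler-excluding cloaking pattern described above. The indicator patterns, the scoring weights and both fixture files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristics (assumptions, not from the article): injected PHP that gates what it
# serves on the visitor's address or user agent, combined with obfuscation or
# content injection, deserves a manual look.
GATING = re.compile(r"\$_SERVER\s*\[\s*['\"](REMOTE_ADDR|HTTP_USER_AGENT)['\"]\s*\]")
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
INJECTION = re.compile(r"<iframe|<script|header\s*\(\s*['\"]Location:", re.I)
CRAWLER_EXCLUSION = re.compile(r"googlebot|google\.com|66\.249\.", re.I)


def score_php_source(source: str) -> dict:
    """Return the indicators a PHP file triggers plus an integer risk score."""
    hits = {
        "client_gating": bool(GATING.search(source)),
        "obfuscation": bool(OBFUSCATION.search(source)),
        "content_injection": bool(INJECTION.search(source)),
        "crawler_exclusion": bool(CRAWLER_EXCLUSION.search(source)),
    }
    # Reading REMOTE_ADDR alone is normal (logging, geo-IP); it is suspicious when
    # paired with a hidden payload, and more so when the gate singles out a crawler,
    # which keeps the payload away from safe-browsing scanners as described above.
    score = 0
    if hits["client_gating"] and (hits["obfuscation"] or hits["content_injection"]):
        score += 2
    if hits["client_gating"] and hits["crawler_exclusion"]:
        score += 2
    if hits["obfuscation"]:
        score += 1
    hits["score"] = score
    return hits


def scan_docroot(root: str, threshold: int = 3) -> list:
    """Return (file name, indicators) for every .php file at or above the threshold."""
    flagged = []
    for path in sorted(Path(root).rglob("*.php")):
        result = score_php_source(path.read_text(errors="replace"))
        if result["score"] >= threshold:
            flagged.append((path.name, result))
    return flagged


# Constructed fixtures: a benign logger and a cloaked-injection stub with no real payload
# (the base64 string decodes to the word PLACEHOLDER).
BENIGN_PHP = "<?php error_log('visit from ' . $_SERVER['REMOTE_ADDR']); ?>"
CLOAKED_PHP = ("<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') === false) "
               "{ echo base64_decode('UExBQ0VIT0xERVI='); } ?>")
```

Run `scan_docroot("/path/to/docroot")` against a copy of the served tree and review anything flagged by hand; the score is a triage aid, not a verdict.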
Word of the compromise came as at least five other high-profile sites and services were also reported to have had their security breached. They include government websites for Mexico and the state of Alabama, the Dutch ISP KPN, the UK arm of Ticketmaster, and the Microsoft store in India. Members of the loosely organized hacker collective Anonymous reportedly took credit for a denial-of-service attack that took out the US government’s CIA website and then backed away from the claim.