Feeds

Department of Homeland Security website hacked!

Infected by massive attack sweeping the net

Secure remote control for conventional and virtual desktops

The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security.

While so-called SQL injections are nothing new, this latest attack, which we we reported earlier, is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches here, here and here showed almost 520,000 pages containing the infection string, though the exact number changes almost constantly. As the screenshot below shows, even the DHS, which is responsible for protecting US infrastructure against cyber attacks, wasn't immune. Other hacked sites include those belonging to the United Nations and the UK Civil Service.

Screenshot of Google search showing DHS website

The attack causes infected sites to redirect visitors to destinations that attempt to install malware on vulnerable machines. At time of writing, the malicious payloads attacked vulnerabilities that already have been patched. And in any case all three of the redirection sites were down, possibly because they were unable to handle the demand. But should the attackers get their hands on a newer exploit - say, one targeting a zero-day vulnerability in QuickTime - it would be relatively easy for them to swap out the payload.

One reason the infection has spread so widely is the attackers have managed to find a single attack string that seems to work on tens of thousands of different sites. Most web applications are custom -built for a particular site, so attackers likewise have to custom design attack parameters to exploit weakness. Not so here.

"These guys look like they've found a methodology to get a successful SQL injection generically across [many] websites," said Jeremiah Grossman, CTO of WhiteHat Security, which helps companies secure web applications. "That right there is like a skeleton key."

The script is also notable for its ability to slip past web application defenses. The SQL query is mostly made up of HEX code, allowing it to obscure itself, at least to apps that use Microsoft SQL. MySQL and PostgreSQL are less easily fooled, according to researcher Ronald van den Heetkamp.

Sites are getting pwned because they fail to sanitize user supplied data. DHS security pros scrubbed the page clean the same day it got infected and took steps to make sure the same attack couldn't succeed against other parts of the DHS website, spokeswoman Amy Kudwa said.

"We're well aware of the fact that intrusions happen all the time and that's why we are doing all that we are to secure the .gov domain," she said.

In a recent interview with The Register, Greg Garcia, the DHS's assistant secretary for cybersecurity and telecommunications said: "our networks really are only as strong as the weakest link and because we are so interconnected, if there are companies that are not doing what they need to do to protect their networks, that in turn may be jeopardizing the security of companies that very well may be doing the right thing." (For the full interview, click here.)

While the number of pages that have been infected is high, not all are able to launch an attack once a user visits them, according to Roger Thompson, chief research officer of anti-virus provider AVG.

"Very often they're on a page but the stuff doesn't actually fire when you get there," he said. "This is not a cunning, premeditated task; it's just a blast. They're just planting the stuff where they can and the result is a lot of pages [that] don't do anything."

But webmasters should not be complacent about removing the injected code from their sites and fixing buggy web apps to make sure more don't spring up.

"It's the cleanup effort that's just going to be monstrous," said Grossman, who said affected companies will have to either remove each overwritten table record one at a time, or revert to a recent backup. "Either way, it's going to take forever."

Security workers better get cracking. ®

Beginner's guide to SSL certificates

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.