Cryptome.org, a repository of leaked documents, has been hit by hackers who are using the popular Blackhole exploit toolkit to redirect visitors to malicious Websites.
Cryptome.org, a Website known for publishing intelligence
documents and leaked files, appears to have been compromised and infected with
the Blackhole exploit kit, according to documents posted on the site.
Unknown attackers breached Cryptome.org on Feb. 8 and
installed the Blackhole exploit kit, Cryptome
Feb. 12. The infection was identified by
a reader on Feb. 12. It's not clear who may have been behind the attack, but
Symantec appears to be investigating the incident.
Nearly all of Cryptome's 6,000 pages in the main directory
were altered to include the malicious PHP script that redirected site visitors
to a third-party Website, Cryptome said. Another 5,000 files in other
subdirectories were also modified. It appears that the intruders managed to
change the files without modifying the time stamp on the directory.
"Sneaky," Cryptome said on its post.
Approximately 2,900 visitors are believed to have been
redirected and compromised, according to an analysis of the logs. However, the
logs did not show how access was gained through the Internet service provider.
A Cryptome reader analyzed the malicious script and found
that the attack script specifically avoided targeting IP addresses from Google
to prevent the search engine from blacklisting the site.
Cryptome is a repository for tens of thousands of sensitive documents
leaked from government agencies and the private sector, and this incident is not
the first time Cryptome has been breached. The site was hit by a breach in 2010,
shortly after posting documents critical of rival leak site WikiLeaks and its
founder Julian Assange.
The Blackhole exploit kit is one of the most popular
toolkits being used, according to a recent Security Labs report from M86
Security. Researchers analyzed malicious URLs identified by the security firm
between July and December 2011 and found that Blackhole was the source of about
95 percent of all the malicious links.
More than half the most common exploits in the last half
of 2011 could be launched using Blackhole, including those targeting
vulnerabilities in Adobe, Java and Microsoft products. Cyber-criminals are also
constantly innovating to keep the toolkit up-to-date and effective with the
latest exploits, according to M86.
was considered to be the more popular toolkit, but it no longer appears to be the case. M86 researchers discovered it infected only
1.3 percent of the links analyzed in the second half of 2011. Blackhole's surging popularity might have to do with
the fact that in 2011, the people behind the kit made the source code freely available
for anyone to download and modify. A commercial version of the kit sells for
about $1,500 in the criminal underground.
Weak FTP credentials are generally the primary point of
entry for attackers trying to inject code into Websites, Stefan Tanase, a
senior security researcher at Kaspersky Lab, said in a talk at the Kaspersky Lab Security Analyst Summit. If a Website has been
compromised, the first step is to change the FTP passwords. Web administrators should
also thoroughly check the source code of their files as well as all associated
scripts to ensure that malicious code was not added, said Tanase.
Avast researchers in November reported that thousands of
blogs hosted on Wordpress.com had been compromised and infected with the
Blackhole kit. Attackers used stolen or guessed FTP credentials to upload a
malicious PHP file on to the server hosting the blogs, which then injected the
malicious code into the files, according to Avast. The attackers also exploited
a known vulnerability in the TimThumb image resizing utility used by many of
Many of the Websites hosting Blackhole often are used to
spread the Carberp Trojan on victims' machines. Visitors redirected to the
malicious Website are hit by drive-by-downloads to install Carberp, often by
exploiting Java vulnerabilities, according to an analysis by ESET.