The Syrian Electronic Army (SEA), an online hacktivist group with ties to embattled Syrian President Bashar al-Assad has launched its most devastating cyber-attack yet, taking down multiple Web destinations, including The New York Times.
The New York Times’ Twitter feed first publicly acknowledged that the NYtimes.com site was down at 4:47 p.m. EDT on Aug. 27 and commented that, “The New York Times Web site is experiencing technical difficulties. We are working on fully restoring the site.”
The New York Times also suffered an outage on Aug. 14. At the time, that incident was also labeled as technical difficulties. The incident today, however, has now been confirmed to be a malicious cyber-attack by the SEA.
New York Times Editor Eileen Murphy confirmed at 4:27 EDT that the,”… issue is most likely result of malicious external attack.”
HD Moore, Chief Research Officer at security vendor Rapid7, told eWEEK that in his analysis the attack took aim at the NYtimes.com domain registrar Domain Name System (DNS) provider. The registrar is the vendor that hosts the DNS records for a given domain, linking a common name (i.e., NYtimes.com) to an IP address. If an attacker, such as the SEA, can get access to the DNS records, they can redirect the traffic for a domain to an arbitrary location.
“It appears that all of the affected domains are part of the MelbourneIT registrar,” Moore said. “My guess is that SEA found a way to hijack other people’s domains through this provider’s Web interface.”
In addition to NYtimes.com, Moore noted that other domains managed by MelbourneIT include Yahoo.com, Google.com, Ikea.com, Microsoft.com, AOL.com and Adobe.com. Initial reports indicate that the SEA exploitation was limited to The New York Times, Twitter’s image service and The Huffington Post.
“The fact that they were able to compromise Twitter, The New York Times and The Huffington Post points to a deeper problem at the registrar and not a weakness on the part of one of the affected organizations,” Moore said.
Last week, the SEA was able to exploit the widely deployed ShareThis.com service by way of its domain registrar, GoDaddy. GoDaddy told eWEEK that they were not breached, leading to speculation that in fact ShareThis.com was the victim of a phishing credential attack from the SEA.
A phishing credential attack is one where a malicious email is sent to the victim. The victim clicks on a message, infecting their computer and eventually leading to information disclosure including user name and password information.
On Aug. 15, the SEA was implicated in the breach of third-party widget provider Outbrain, which was on The Washington Post Website. In that incident, the Outbrain breach enabled some traffic from The Washington Post to be redirected to the SEA.
What Should Enterprises Do Now?
With three attacks against media Websites in as many weeks, the SEA is definitely a cause for concern among Website operators in general. For the current attack, Moore suggests at this point that enterprises block access to domains managed by MelbourneIT.
“The challenge is that since the registrar appears to be affected, there is little users or the owners of those domains can do about the situation,” Moore said. “All traffic to and from a domain hosted by MelbourneIT should be considered suspect until the situation is resolved.”
Moore added that the risk is that until the situation is conclusively resolved, for example, it would be possible for SEA to redirect all email destined to one of those domains to the SEA.
Jason Lancaster, Senior Intelligence Analyst at Hewlett-Packard Security Research told eWEEK that DNS is a vital system to the operation of the Internet.
“Domain owners must be protective of administrative access to their domain management and vigilant to domain hijacking,” Lancaster said. “Domain owners should monitor for host name, mail exchange, name server and other important record changes.”
If a change is made outside an approved process, administrators should be alerted, Lancaster added.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.