According to multiple sources, this past weekend, April 2nd 2019, unknown hackers launched a massive attack against the Hebrew based website known as Nagich, a web hosting platform utilized by more than 1 millions businesses/users across the Middle East – including Partner, 012 Mobile and Golan Telecom, Hapoalim Bank, Clinique, Estee Lauder, McDonalds, Subaru, Fiverr and Coca-Cola. For a period of time greater than 1 hour, hackers were able to poison Nagich‘s Domain Name Servers (DNS) and intercept/re-route all traffic flowing through them. In doing so, every visitor to a website hosted by Nagich, of which there are literally over 1 million, were re-directed to blank websites reading “Palestine is the Capital of Jerusalem.”
Analyzing the attack a little further, it appears as though it wasn’t the hackers primary intent just to hijack, deface and re-route internet traffic in the region. Rather, it appears to be a failed attempt to deliver ransomware to every person unfortunate enough to have visited a site hosted by Nagich during the time of the attack. Once again, considering that the Nagich hosts over 1 million domains, the ransomware attacks could have theoretically compromised untold millions of people in just 1-2 hours time, which would have made it one of the single largest ransomware attacks in history.
Malware Payload: hxxp://220.127.116.11/flashplayer_install.exe
Analysis of Ransomware: https://www.hybrid-analysis.com/sample/d7e118a3753a132fbedd262fdf4809a76ce121f758eb6c829d9c5de1ffab5a3b?environmentId=100
Don’t get it twisted however, a defacement of +1 million websites in a single night is certainly world class. Moreover, given the US’s DNS hijacking during January and this most recent DNS attack of Israel in March, I’m going to go out on a limb and state that DNS poisoning attacks are only going to become more and more prevalent as we move forward throughout 2019 and beyond. You have been warned.
— Yuval يوڤال Adam (@yuvadm) March 2, 2019
— SafetyDetective (@safetydet) March 2, 2019
חלק מכם, כשייכנסו ל @ynetalerts , יגלו כתובת מאיימת. וזו פירצה מהממת. מהממת. מה שהכי יפה הוא שצעקנו, התרענו, יללנו. @noamr אפילו דיבר על זה ב @ohcybermycyber
זה עזר? גורנישט
אגב, סביר להניח ש-Ynet אפילו לא יודעים שפרצו להם. עוד פרטים ממש בקרוב אבל קבעתי עם חברים ל #בירה וזה יחכה https://t.co/qweGII67tT
— Ran Bar-Zik (@barzik) March 2, 2019
— Autumn Good (@autumn_good_35) March 4, 2019