Hackers Take Down +1 Million Websites, Deface Them with Message Reading “Jerusalem Is The Capital of Palestine”

According to multiple sources, this past weekend, April 2nd 2019, unknown hackers launched a massive attack against the Hebrew-based website known as Nagich, a web hosting platform used by more than 1 million businesses/users across the Middle East – including Partner, 012 Mobile and Golan Telecom, Hapoalim Bank, Clinique, Estee Lauder, McDonalds, Subaru, Fiverr and Coca-Cola. For more than an hour, hackers were able to poison Nagich’s Domain Name System (DNS) records and intercept/re-route all traffic flowing through them. In doing so, every visitor to a website hosted by Nagich, of which there are literally over 1 million, was redirected to a blank website reading “Palestine is the Capital of Jerusalem.”

Analyzing the attack a little further, it appears the hackers’ primary intent was not simply to hijack, deface and re-route internet traffic in the region. Rather, it appears to have been a failed attempt to deliver ransomware to every person unfortunate enough to have visited a site hosted by Nagich during the attack. Once again, considering that Nagich hosts over 1 million domains, the ransomware could theoretically have compromised untold millions of people in just 1-2 hours’ time, which would have made it one of the single largest ransomware attacks in history.

For example, for a period of 1-2 hours, every visitor to a website hosted by Nagich was exposed to an auto-loading piece of malware crafted in JavaScript, which attempted to deliver the following payload…

Malware Payload: hxxp://185.163.47.134/flashplayer_install.exe
Analysis of Ransomware: https://www.hybrid-analysis.com/sample/d7e118a3753a132fbedd262fdf4809a76ce121f758eb6c829d9c5de1ffab5a3b?environmentId=100

In statements to Noticia de Israel, according to Nagich, “the hackers entered the company’s DNS [Domain Name System] records and changed the number indicating Nagich’s domain name to redirect Nagich’s traffic to its own malicious server. And since all the companies that use Nagich used the same JavaScript access code, all the pages of the clients’ websites that were not sufficiently protected were exposed.” However, at this moment in time there are no reports that anyone successfully downloaded the ransomware file, and despite the defacement of greater than 1 million websites via a singular attack, Israeli authorities are doing their best to spin the hack as a “failed attack.”
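The detail in Nagich’s statement that matters to a site owner is the shared script include: once the host serving it was redirected, every page embedding it ran whatever came back. The following is an added example, not code from the article or from Nagich, showing how Subresource Integrity (SRI) pins a third-party script to a hash so that a swapped body is refused rather than executed. The script bodies, the cdn.example URL and the ATTACKER_PLACEHOLDER host are all constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample bodies (not the real Nagich script): the shared include
# every customer page loads, and a copy altered to pull something else in.
ORIGINAL_SCRIPT = b"(function(){document.documentElement.dataset.a11y='on';})();"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"document.write('<iframe src=http://ATTACKER_PLACEHOLDER/>');"

# SRI algorithms browsers accept, listed weakest to strongest.
SUPPORTED = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity token for a resource body, e.g. 'sha384-<base64>'."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Decide whether `content` may run under an `integrity` attribute.

    Mirrors the browser rule: keep only tokens with a known algorithm, pick the
    strongest algorithm present, and accept if any of its digests matches.
    It differs from browsers in one respect: with no usable token at all it
    returns False instead of loading the resource unchecked.
    """
    by_algo: dict[str, list[str]] = {}
    for token in integrity.split():
        algo, sep, rest = token.partition("-")
        if not sep or algo not in SUPPORTED:
            continue
        by_algo.setdefault(algo, []).append(rest.split("?", 1)[0])  # drop option suffix
    if not by_algo:
        return False
    strongest = max(by_algo, key=SUPPORTED.index)
    actual = sri_hash(content, strongest).partition("-")[2]
    return any(hmac.compare_digest(actual, expected) for expected in by_algo[strongest])


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Emit the <script> tag a site owner would publish for a pinned include.
    crossorigin="anonymous" is required for SRI to apply to a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.example/accessibility.js", ORIGINAL_SCRIPT))  # constructed URL
    print("original accepted:", verify_sri(ORIGINAL_SCRIPT, pinned))  # True
    print("tampered accepted:", verify_sri(TAMPERED_SCRIPT, pinned))  # False
```

SRI only helps when the vendor publishes versioned, immutable script URLs: a widget that updates in place will stop loading the moment its body changes, which is exactly the fail-closed behaviour wanted against a redirected host, but it has to be coordinated with the vendor so legitimate updates ship with a new URL and a new hash.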

Don’t get it twisted however, a defacement of +1 million websites in a single night is certainly world class. Moreover, given the DNS hijacking of US Government domains during January and this most recent DNS attack on Israel in March, I’m going to go out on a limb and state that DNS poisoning attacks are only going to become more and more prevalent as we move forward throughout 2019 and beyond. You have been warned.

US CERT – DHS Releases Emergency Directive In Response To Widespread “Infrastructure Tampering Campaign” Targeting US Executive Branch

Considering that I’ve been a little lost in the world of underground hacks and leaks the last few weeks, I’m not exactly sure how well it’s been reported in the “Main Stream Media” that part of the US Government’s ongoing shutdown involves the temporary laying off of US Government IT workers. Quite literally, this means that nearly every website owned by the US Federal Government is currently out in the open with no one on staff to mitigate attacks or secure it. For example, as Netcraft reported earlier this week, since the shutdown first began “130 TLS certificates used by U.S. government websites have expired without being renewed” – up from 80 just last week.

Full Press Release from Netcraft: https://news.netcraft.com/archives/2019/01/16/manufacturing-gov-and-white-house-security-suffer-under-u-s-shutdown.html

Before moving on, truth be told, I am writing this article as a follow-up to a report from Adam Longo concerning a DDoS attack affecting NASA.gov tonight. For those of you unaware, the site is currently being taken offline via a coordinated DDoS attack at the hands of Mecz1nho Markov – leader of the Brazilian hacking group Pryzraky. For the purposes of this article, the news serves as a perfect reminder of just one of the small problems presented by the US Government shutdown – strictly in regards to cyber, IT and/or data security.

All of this is important to understand because hackers have been talking about it for weeks now, and indubitably countless threat actors have since gone on to do irreparable damage to US Government systems/servers over the period of the shutdown. If you need any proof of this, look no further than Emergency Directive 19-01, issued to the public by US CERT and the Department of Homeland Security on January 22nd 2019. In it, the DHS explains how it is their duty to inform the US public and Government agencies of any immediate threats to their systems, either in real time or in the immediate future. In this particular instance, the DHS is now warning of “DNS Infrastructure Tampering” campaigns actively being carried out by unknown and malicious international threat actors or Advanced Persistent Threats (APTs).

More specifically, the Department of Homeland Security explains that, dating back to January 10th 2019, its “Cybersecurity and Infrastructure Security Agency (CISA)” has been “tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering,” and that CISA is now “aware of multiple executive branch agency domains that were impacted by the tampering campaign,” adding that each affected agency has since been contacted privately about the matter.

Read Full Emergency Directive from DHS: https://cyber.dhs.gov/ed/19-01/

Now, in my professional experience I know that DNS level attacks usually involve the hijacking of internet traffic in hopes of either intercepting and stealing said traffic, or cutting off traffic to the end destination – the website itself. For example, this is how Wikileaks was ‘hacked’ by OurMine in 2017. With that said however, DNS level attacks can also lead to the complete hijacking of a website’s “Name Servers,” quite literally granting hackers full and complete administrator level control over a website and all of its contents – including every piece of data entered on the website’s back-end, normally shielded from public view.

In this particular instance, as was explained/described by the DHS themselves in Emergency Directive 19-01 posted above:

In response to the incidents, and to stay ahead of future DNS level attacks like them, the DHS has also submitted the following recommendations for all US Government website administrators:

As stated, all agencies, departments, organizations and websites affiliated with the US Government’s Executive Branch are to conduct full and complete audits of their online systems, DNS records and web traffic – with full reports due back to the DHS by February 5th 2019 at the very latest. From there, Government researchers can begin putting together the full scale of these hacks/attacks, as well as what information the hackers were able to steal – and for how long. Possibly implicated under the umbrella of the US Executive Branch are the US Military, White House, Immigration and Customs Enforcement, National Security Agency, as well as state and local law enforcement agencies – among many others.
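The audit of DNS records the directive asks for comes down to one check: do the records the world currently sees match what the agency intended to publish? The script below is an added example, not the directive’s or the article’s, that diffs a recorded baseline against freshly observed records and ranks each deviation by the record type involved. The agency.example zone, the ATTACKER-PLACEHOLDER name server and the RFC 5737 addresses are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed records for a hypothetical agency.example zone, in dig-style
# "owner ttl IN type value" form. BASELINE is what the zone should contain;
# OBSERVED stands in for what a fresh query (or the registrar portal) shows.
BASELINE = """
agency.example.        3600 IN NS  ns1.agency.example.
agency.example.        3600 IN NS  ns2.agency.example.
agency.example.         300 IN A   192.0.2.10
www.agency.example.     300 IN A   192.0.2.10
agency.example.        3600 IN MX  10 mx.agency.example.
agency.example.        3600 IN TXT "v=spf1 mx -all"
"""

OBSERVED = """
agency.example.        3600 IN NS  ns1.agency.example.
agency.example.        3600 IN NS  ns.ATTACKER-PLACEHOLDER.example.   ; one name server swapped
agency.example.         300 IN A   192.0.2.10
www.agency.example.     300 IN A   198.51.100.7                      ; web host now points elsewhere
login.agency.example.   300 IN A   198.51.100.7                      ; record that never existed
agency.example.        3600 IN MX  10 mx.agency.example.
agency.example.        3600 IN TXT "v=spf1 mx -all"
"""

# Types whose alteration redirects web traffic or mail outright.
HIGH_RISK_TYPES = {"NS", "SOA", "A", "AAAA", "CNAME", "MX"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset
    severity: str


def parse_records(text: str) -> dict:
    """Parse dig-style lines into {(owner, type): {values}}.

    ';' starts a comment. The stripping is deliberately naive: a quoted TXT
    value that itself contains ';' (e.g. a DMARC record) would be truncated.
    """
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparseable record line: {raw!r}")
        owner = parts[0].lower().rstrip(".")
        rtype = parts[3].upper()
        value = " ".join(parts[4:]).lower().rstrip(".")
        records[(owner, rtype)].add(value)
    return dict(records)


def audit_dns(baseline: dict, observed: dict) -> list:
    """Return one Finding per (owner, type) whose value set differs from baseline.
    A record set present on only one side (added or deleted) is also a finding."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = frozenset(baseline.get(key, ()))
        seen = frozenset(observed.get(key, ()))
        if expected == seen:
            continue
        owner, rtype = key
        severity = "high" if rtype in HIGH_RISK_TYPES else "medium"
        findings.append(Finding(owner, rtype, expected, seen, severity))
    return findings


def format_report(findings: list) -> str:
    """Render findings as one line each, listing the values added and removed."""
    lines = []
    for f in findings:
        added = sorted(f.observed - f.expected)
        removed = sorted(f.expected - f.observed)
        lines.append(f"[{f.severity.upper()}] {f.name} {f.rtype}: "
                     f"added={added} removed={removed}")
    return "\n".join(lines) if lines else "no deviations from baseline"


if __name__ == "__main__":
    print(format_report(audit_dns(parse_records(BASELINE), parse_records(OBSERVED))))
```

In a real audit the observed side should be collected from more than one vantage point: the NS records served by the parent zone (the delegation the registrar controls) and the records each authoritative server returns, not only what a recursive resolver happens to have cached, since tampering at the registrar shows up in the delegation first.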

Additionally, once again given my experience, I do not think it would be unreasonable to speculate that we won’t see any of the information uncovered by hackers in the last few weeks for quite some time. Say, for example, the start of the 2020 US Presidential election season, which is due to kick off in less than 12 months’ time. If I had to guess, I would assume that any information targeted by hackers over the last two weeks was acquired specifically for this very purpose: to interfere with and/or manipulate the course of the 2020 US Presidential elections. Though even I admit that statement is merely speculative and remains to be seen.