Hackers Take Down +1 Million Websites, Deface Them with Message Reading “Jerusalem Is The Capitol of Palestine”

According to multiple sources, this past weekend, April 2nd 2019, unknown hackers launched a massive attack against the Hebrew based website known as Nagich, a web hosting platform utilized by more than 1 millions businesses/users across the Middle East – including Partner, 012 Mobile and Golan Telecom, Hapoalim Bank, Clinique, Estee Lauder, McDonalds, Subaru, Fiverr and Coca-Cola. For a period of time greater than 1 hour, hackers were able to poison Nagich‘s Domain Name Servers (DNS) and intercept/re-route all traffic flowing through them. In doing so, every visitor to a website hosted by Nagich, of which there are literally over 1 million, were re-directed to blank websites reading “Palestine is the Capital of Jerusalem.

Analyzing the attack a little further, it appears as though it wasn’t the hackers primary intent just to hijack, deface and re-route internet traffic in the region. Rather, it appears to be a failed attempt to deliver ransomware to every person unfortunate enough to have visited a site hosted by Nagich during the time of the attack. Once again, considering that the Nagich hosts over 1 million domains, the ransomware attacks could have theoretically compromised untold millions of people in just 1-2 hours time, which would have made it one of the single largest ransomware attacks in history.

For example, for a period of 1-2 hours, every visitor of a website hosted by Nagich was exposed to an auto-loading piece of malware crafted via JavaScript, attempting to deliver the following payload…

Malware Payload: hxxp://185.163.47.134/flashplayer_install.exe
Analysis of Ransomware: https://www.hybrid-analysis.com/sample/d7e118a3753a132fbedd262fdf4809a76ce121f758eb6c829d9c5de1ffab5a3b?environmentId=100

In statements to Noticia de Israel, according to Nagich, “the hackers entered the company’s DNS [Domain Name System] records and changed the number indicating Nagich’s domain name to redirect Nagich’s traffic to its own malicious server. And since all the companies that use Nagich used the same Javascript access code, all the pages of the clients’ websites that were not sufficiently protected were exposed.” However, at this moment in time there are no reports that anyone successfully downloaded the ransomware file, and despite the defacement of greater than 1 million websites via a singular attack, Israeli authorities are doing their best to spin the hack as a “failed attack.

Don’t get it twisted however, a defacement of +1 million websites in a single night is certainly world class. Moreover, given the US’s DNS hijacking during January and this most recent DNS attack of Israel in March, I’m going to go out on a limb and state that DNS poisoning attacks are only going to become more and more prevalent as we move forward throughout 2019 and beyond. You have been warned.

Qurlla of New World Hackers Begins Infecting IoT Devices with New, Never Before Seen, TrojanXENE Ransomware

This morning, January 14th 2019, “Qurlla” of New World Hackers essentially launched/invented a new form of ransomware attack that the world has never seen before. Unlike traditional ransomware attacks which first require a user to click on a hyperlink and/or download a file, this ransomware is being spread via open ports on devices located on the Internet of Things (IoT).

Traditionally, the IoT has been used to build botnets for Bitcoin mining or DDoS attacks, essentially using malware to crawl different network systems on the IoT to infect any vulnerable devices on it. However, Qurlla appears to have coded a new piece of malware that scans vulnerable devices on the Internet of Things, injecting open ports built into their software directly with the ransomware itself – requiring no action from the device or its user whatsoever. Essentially, these devices are being infected simply by just existing dormantly on the IoT – something which, at least to my knowledge, no one has ever pulled off before.

https://twitter.com/Qurlla/status/1084880048799342596

To date, Qurlla claims to have compromised approximately 214,003 devices through a web service known as Shodan, the self described “Search Engine for The Internet of Things,” infecting at least 150,000 with his ransomware – including TV’s, laptops, PC’s and Raspberry Pi servers. He has also targeted Amazon Echo devices, printers and cell phones as well. In statements to Rogue Media Labs, Qurlla explained that this only the beginning, and he is still actively developing his source code – which will remain private until at least next month. For the time being, Qurlla is going to keep building upon his code – perhaps introducing a DDoS variant into the mix, allowing for infected devices to coordinate with one another to carry out DDoS attacks in the future.

While it is still very early and the attack was just launched a few hours ago, Qurlla says that he has already made over $300 from infected victims – asking $150 a piece to decrypt his ransomware. Qurlla calls his new ransomware “TrojanXENE,” a custom coded trojan which uses Ruby code to send TCP payloads and header redirects from a Google API – effecting devices found on on Shodan, using their API to send the payloads to get a response. To exploit the printers, Qurlla used CastHack source code from “HackerGiraffe,” modifying the payloads to deliver his variant.

Qurlla details that he uses a “simple SHA-1” to encrypt the devices, “but every payload is tweaked to pull off the attack” – depending on the type of device compromised. He explains how he “did code like a gui in C# earlier, but it wasn’t as efficient as just executing python commands in terminal to make this possible. There is really a mix of programming languages.” Upon turning on or accessing their device, users are greeted with a message stating that “You got Hacked” – which then redirects them to a BTC payment gateway. Reportedly, users are not allowed to do anything on their devices until a payment of $150 is made. Below is a screen shot of the messages left behind on infected devices.

Screen Shot from Infected IoT Device:

Image may contain: one or more people and text

https://twitter.com/Qurlla/status/1084839749746126849