The cyber attacks suffered by FederalNewsRadio.com and WTOP.com last week are part of a growing trend of breaches in which intruders exploit weaknesses in a site's hosting environment to go after visitors to popular websites indiscriminately.
While some analysts attributed the recent cyber breach, which caused both media websites to turn off access via Internet Explorer from May 7-11, to a “watering hole” type of attack, all indicators point to it being a “drive-by” attack, said John Spaulding, Washington, D.C. director of information systems for Hubbard Radio, the parent company of WTOP and Federal News Radio.
Spaulding said a drive-by attack is one where the malicious code is hidden on a Web page and a computer gets infected by visiting the website. A watering hole attack, on the other hand, is where the hacker targets a specific group of people who tend to go to a specific site.
Spaulding said both FederalNewsRadio.com and WTOP.com have been scrubbed of malware and vulnerabilities have been plugged. Users of all Internet browsers could safely access both sites starting late Saturday night. He encouraged website visitors who accessed the websites from any Web browser during the cyber attack, which occurred approximately May 5 to May 7, to update and run their security software and perform a malware scan on their computer.
“The malware did not target an IE vulnerability. However, the way it was deployed favored IE as the browser it would use to infect computers,” Spaulding said. “An intruder was able to exploit a different website hosted on our shared infrastructure. From there, they gained privileged access to WTOP.com and FederalNewsRadio.com after installing some hidden portals, which allowed them continued access to our sites. They implemented malicious code, which allowed malware to attempt to infect our site visitors’ computers.”
He added there is no evidence that indicates FederalNewsRadio.com and WTOP.com were specifically targeted.
Looking for money
Alma Cole, the former head of the Homeland Security Department’s security operations center and now vice president of cybersecurity at Robbins Gioia, said a successful drive-by attack usually installs two distinct kinds of malware: Fake AntiVirus and a Zeus Bot Trojan.
“The presence of Fake AntiVirus software clearly indicates that this was cyber criminals looking to make money, not a Nation State (APT) interested in espionage,” he said. “Zeus Bot is the most widespread criminal Trojan that is used primarily for theft of banking and other credentials.”
Cole added the attack does not resemble and is not related to the well publicized attacks against other news agencies, and would not have included an overt intrusion into the networks of Federal News Radio or WTOP. Some systems may have been infected but this would have been collateral damage, he said.
Symantec found that in 2012 drive-by Web attacks increased by one-third, possibly driven by malvertising: advertising content that carries or redirects to malware, so that a visitor's computer can be infected when the ad is displayed or clicked.
“Drive-by infections from websites will become even more common and even harder to block without advanced security software,” Symantec wrote in its report about what it sees as the future trends in cyber attacks. “Criminals will increasingly attack websites, using malvertising and website attack kits, as a means of infecting users. Software vendors will come under pressure to increase their efforts in fixing vulnerabilities promptly. Users and companies that employ them will need to be more proactive about maintaining their privacy and security in this new social media world.”
Symantec said small businesses — those with fewer than 250 employees — were the victims of 31 percent of all cyber attacks in 2012, up from 18 percent the year before.
“Driven by attack toolkits, in 2012 the number of Web-based attacks increased by one-third and many of these attacks originated from the compromised websites of small businesses,” the report stated. “These massive attacks increase the risk of infection for all of us.”
Johannes Ullrich, the dean of research and a faculty member of the SANS Technology Institute, said Web applications are much more complex today than ever before.
“They have a lot of parts they are composed of and it’s really not easy to make sure all of them are secure,” he said in an interview with Federal News Radio. “Probably the hardest task is to prove something is secure.”
Ullrich said most of these drive-by attacks are random. He said SANS set up a “honeypot,” a decoy system built to attract and record hacker attacks, and it generally “traps” more than a half dozen of these drive-by attacks a day.
“It doesn’t matter if it’s a big or small website,” he said. “Of course, the bigger websites tend to see more of these attacks and have to be more careful about this type of attack.”
Previously unknown weakness
The drive-by attack that impacted FederalNewsRadio.com and WTOP.com for about a week found a weakness in the network that was previously unknown, Spaulding said.
“The vulnerabilities that were exploited on the website have been corrected, and all the efforts have gone into assuring our users are safe to access our sites again,” he said. “In the short term, we’ve remediated the vulnerabilities that allowed the intrusion to occur and we’ve sanitized the environment of any back door access the intruder left behind. We’ve also taken steps to better protect our user database of emails and passwords. We will continue to harden our sites to evolving attack methods to do our best to prevent something like this from happening again. We realize it is a hostile environment.”
WTOP and Federal News Radio hired cybersecurity firm Mandiant to help fix and secure the networks.
“By enlisting Mandiant with the remediation steps, I’m highly confident that we have the back doors removed,” Spaulding said.
A Mandiant spokeswoman referred all questions about the steps it took and how it helped back to WTOP and Federal News Radio. This was the first successful large-scale and disabling intrusion against both websites, Spaulding said.
Joel Oxley, senior vice president and general manager of WTOP and Federal News Radio, said both sites saw decreases in Web traffic, but wouldn’t offer specific numbers or percentages.
“We, certainly with IE back up, feel we will soon get back to the levels we’ve been accustomed to,” Oxley said.
He said with any attack of this nature, the goal should be to act quickly and decisively, but not to let the pressure of getting the site back up overtake the need to take care of the site and its users.
“You have to take care of the user or listener first. That is primary. You do not have revenue of any significance if you don’t take good care of your users and listeners,” Oxley said.
Spaulding added that the key for any organization is to create a plan, follow it and not be reluctant to call in trusted resources to make the response more effective and to add manpower.