We're used to hearing about cyber attacks against financial institutions and retailers. But another industry faces a growing threat: Media.
Digital media publishers strive to provide meaningful content and a user experience that will grow a dedicated base of content consumers. This allows the publisher to partner with and provide services to marketing and advertising concerns to build cash flow that can be used to further enhance the experience for content consumers.
This business model can be difficult enough to nurture and manage without having to worry about malicious interlopers looking to exploit it for their own ends. Be it for cybercrime, hacktivism, or simply to build a name, blackhat hackers routinely target digital media publishing properties.
Financially motivated cybercrime can range from the complex and sophisticated to the simple and brutal. The cybercrime schemes targeting publishers are no different.
In August of 2015 the SEC charged 32 defendants who were part of an intricate scheme to profit from nonpublic corporate earnings announcements which they would to inform their trading positions. They were gaining access to this information by hacking into newswire services.
In September of 2014 it was discovered that the popular Brazilian newspaper Estadão's website was hacked to serve malicious scripts that would attempt to compromise the home router of each person that visited the news provider's website.
The handlers of this router botnet could then sell access to it or use it for performing distributed denial of service (DDoS) attacks, sending spam, distributing malware, and fraudulently boosting web advertising billings by automatically clicking on Internet ads.
Publisher's websites can not only be manipulated to include server-side malicious scripts, they can also serve drive-by downloads of malware intended to sit on an end-user's machine to siphon sensitive data unwittingly join a network of other commandeered computers.
Just such an event impacted The Guardian newspaper and was detected by FireEye Labs in December of 2015. It was found that an archived Guardian article on Cybercrime was redirecting users to the Angler Exploit Kit which would attempt to infect the reader with Malware.
These are examples of more technically complex criminal schemes, but let us look at some of the more straightforward enterprises launched against news providers. The eve of the 26th anniversary of the Tiananmen Square protests saw China's state-run Central News Agency hacked and its main page defaced.
The defacement message was simple, one-sentence stating that the site would return to normal after money was sent to a specific Industrial and Commercial Bank of China account. Within the past few years we have seen the Russian hacker 'w0rm' hold ransom sensitive database dumps from CNET, Vice, and the Wall Street Journal while publicly publishing SQL injection (SQLi) vulnerabilities against ABC, USA Today, and CBC/Radio-Canada that could lead to sensitive data breaches. Just last year specialized news outlets CryptoCoinNews and Hacked.com both saw their website's uptime being held for ransom in a DDoS extortion scheme. In an email to the attack victims the criminals promised to make the site unreachable until an amount of Bitcoins were sent to a specific Bitcoin wallet address controlled by the attackers.
The almighty dollar isn't the only concept to spur attacks on digital media providers. Sometimes motivation takes the form of country, religion, culture, or personal belief. The pro-Assad hacking group Syrian Electronic Army (SEA) has been quite prolific in the past few years making sure to target news assets that would serve as bullhorns for their propaganda.
Unfortunately publishing outlets make tantalizing targets for their campaigns. The SEA's grab bag of tools, techniques, and procedures (TTPs) includes DNS hijacking, social media account takeovers, malware and phishing campaigns, DDoS attacks, exploitation of content management system (CMS) vulnerabilities, and their own Linux-based operating system from which to orchestrate it all.
The CyberCaliphate group also engaged in account takeovers targeting, among others, Newsweek and the International Business Times while many other Islamist computer hacking groups focus on website defacements to get their messages out. Within the past year many news sites have had to deal with attacks from groups like El Moujahidin, Admirale_Mouh, Team System DZ, Laakel En Person, Moroccan Islamic Union-Mail, Gaza Team, and the Muslim Electronic Army.
These groups focus mainly on spreading propaganda by exploiting vulnerabilities in CMS offerings like WordPress, Drupal, and Joomla as well as third party plugins that augment these platforms.
We can't talk about hacktivism without mentioning the loose hacktivist collective Anonymous. Hackers under the Anonymous banner are not averse to website database leaks, like Globo TV Brasil, and defacements, such as that of the popular Al-Hayat news outlet, Russia Today, multiple Embarcadero Media Group properties, or Israel's Haaretz.
However, the primary strike vector for Anonymous remains the DDoS attack. The pain of these DDoS attacks have been felt by groups like the Belgian Rossel, FrontPageMag, and even New York Magazine.
Motivations for attack are not limited to the financial or ideological. For many hackers the weight that their handle, or hacker name, carries is of grave concern. This often manifests as a need to be so prolific or to pull off such a big hack that they grab the attention of the media and their peers.
Operations in this vein are sometimes touted as hacks performed "simply for the lulz", internet slang meaning that the actions were performed solely for personal comedic relief. These types of attacks can take the form of Local File Inclusion (LFI) and SQLi such as the anti-media spree by NullCrew who publicly dumped sensitive data pilfered from Al Arabiya, CBC, and PBS.
Linker Squad used SQLi to acquire and subsequently leak sensitive data from the French TF1 Magazine. Zyklon under #Wonkasec used similar methods against sports news outlet Big Blue Interactive. EISurveillance, Fr0mShell, Poison99, Teap0t, DeleteSec, @1337mir, and @smitt3nz have all attacked news sites using such methods.
Data dumping is not the only way to raise one's profile in the underground, website defacements and DDoS attacks can also serve as ego builders. The Philippine BloodSec Hackers focus on defacing South East Asian websites catching a few news outlets in their attack sweeps. Similarly the mass defacer BLuE has caught out a few smaller, specialized news sites.
Last year cryptocurrency news site CoinFire felt the threefold pain of domain hijacking, social media account takeover and DDoS. However the media-related DDoS attack fresh in most folks minds is the New Year's Eve hit against the British Broadcasting Corporation (BBC). Many media outlets touted it as the 'biggest ever' DDoS attack. When ZDNet published a piece in late January refuting that title and questioning the attack size claims they became the target of a retaliatory DDoS attack claimed by the group New World Hackers.
The motives we explored will continue to drive malicious actors to attempt to infiltrate, manipulate, and adulturate the digital media publishing model and the digital properties therein. Publishing groups will not in the near future cease to use the digital platforms and technologies being targeted by these actors. What then is there to do?
As there is no silver bullet for or impenetrable shield against the myriad tools, strategies, and vectors employed by these attackers, defenders must equip themselves with up-to-date knowledge of the threats they face and a defense in depth mindset. When guarding against DNS hijacking make sure registry locks are in place and use multi-factor authentication where available. If your Registrar does not meet your security expectations choose to vote with your dollar by seeking out alternative providers.
When thinking about site defacement, malicious script hosting, LFI and SQLi make sure the technological components of your web presence are kept updated and are part of a regular patch process. Also consider employing a strong web application firewall (WAF) to block, alert on, and record attempts at malicious communication with your sites.
For DDoS, consider a protection provider that will both work with your unique environment and that will be able to stand up to any level of attack volume an actor can throw your way, you don't want to have to be managing a switch in providers in the middle of a siege.
Benjamin Brown is a member of Akamai's Security Intelligence Research Team (SIRT).