AV Vendors Targeted in Defacement Campaign

Attacked Sites

The KDMS hacking team recently defaced several popular websites include Whatsapp.com and two Anti-Virus (AV) vendors AVG and Avira.

Screen Shot 2013-10-08 at 10.59.27 AM

Attack Vectors

The most likely attack vector is that the attackers were able to take control of the Domains through the registrar Network Solutions. Here is a screenshot of the domain details for Avira -

Screen Shot 2013-10-08 at 11.02.38 AM

Notice that the DNS admin email address was also updated to point to the KDMS address. You can also see the new IP address listed for the bogus 173.193.136.42 (srv1.radioum.com.br):

Screen Shot 2013-10-08 at 11.23.36 AM

Avira representatives have just confirmed this attack vector stating that Network Solutions received a fake "Reset Password" request that they honored whilie allowed KDMS to take over the domain.

Domain Account Takeover Details

So, how can an attacker take over a Domain account? Network Solutions provides the following details for their process to reset passwords:

To reset your password or request your User ID:

  1. Go to: https://www.networksolutions.com/manage-it/forget-login.jsp
  2. There are two options:
    • Retrieve Your User ID -- If you forget your User ID, it can be retrieved by entering the e-mail address on file for the User ID.
      1. Type your e-mail address in the Enter your e-mail address text box or type your domain name in the Enter a domain name text box then click on the Continue button
      2. If prompted, select the radio button next to the option you want then click on the Continue button
        • Send my User ID to the e-mail address of record
        • Update my e-mail address via fax process
      3. Your User ID will be sent to the e-mail address identified, or follow the on screen instructions for updating your e-mail address via the fax process
    • Reset Your Password -- If you forget your password, you will need to reset it for security reasons.
      1. Type your User ID in the Enter your User ID text box then click on the Continue button
      2. Select the radio button next to the option you want:
        • E-mail a link to reset my password
        • Answer my password security question [type the answer in the text box]
        • Update my e-mail address via fax process
      3. For security purposes, type the code you see under Your Code is in the Enter Code Here text box, then click on the Continue button
  3. Follow the instructions sent via e-mail or resulting from the fax update and when you are prompted to Reset Password, type a new password in the New Password text box and type it again in the Confirm Password text box (Passwords must be 4-16 characters in length) then click on theContinue button.
  4. Enumerating the target Admin's User ID is trivial and then you have 3 options for resetting the account password:

    Screen Shot 2013-10-08 at 11.48.29 AM

    Being able to spoof CallerID and Fax numbers is quite easy -

    Screen Shot 2013-10-08 at 11.55.23 AM

    And security questions are notoriously weak due to the amount of public data available online that can be quickly queried and correlated. Here is a great video example of a fake "Mind Reader" in Belgium.

    Impacts

    The initial negative impact to these AV companies is the hit to the public image. While these types of defacements are quickly recoverable once they regains control of the Domain admin accounts, the negative public perception may linger.

    Putting on the cyber-criminal had for a moment - what other uses could we have to wanting to take control of the DNS records of AV websites? Why not package up some bogus AV DAT updates? When clients using that AV software have automatic updates enabled, we could send them fake data that could then be used later on in client-side attacks to bypass the AV detection...

    Recommendations

    Better 2-Factor Authentication

    While some would argue that security questions are "2-factor", the point is that these are both from the same category of "Something you know" just like your password. You need to include another piece from either "Something you have" or "Something you are". In this case, it is easiest if Domain Registrars would add in SMS validation using cell phones. For goodness sakes, if Google can add in this type of 2-factor authentication to access your personal email, don't you think the same level of protection should be utilized for your commercial web domain registration???

    Domain Monitoring Services

    Ideally, access to the Domain admin accounts should be increased to prevent illegal access, however the best course of action is to prepare for when something does fail, how will you respond? There are many commercial offerings that will constantly monitor your domain criteria and immediately alert you to changes. Quick identification of illegal changes is crucial to minimizing damages.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.