SpiderLabs Blog

AV Vendors Targeted in Defacement Campaign

Attacked Sites

The KDMS hacking team recently defaced several popular websites, including Whatsapp.com and the sites of two Anti-Virus (AV) vendors, AVG and Avira.


Attack Vectors

The most likely attack vector is that the attackers took control of the domains through the registrar, Network Solutions. Here is a screenshot of the domain details for Avira:

[Screenshot: Network Solutions domain details for Avira]

Notice that the DNS admin e-mail address was also updated to point to the KDMS address. You can also see the bogus new IP address, 173.193.136.42 (srv1.radioum.com.br), now listed for the domain:

[Screenshot: DNS record showing 173.193.136.42 (srv1.radioum.com.br)]

Avira representatives have since confirmed this attack vector, stating that Network Solutions received a fake "Reset Password" request and honored it, which allowed KDMS to take over the domain.

Domain Account Takeover Details

So, how can an attacker take over a domain account? Network Solutions publishes the following process for resetting passwords:

To reset your password or request your User ID:

  1. Go to: https://www.networksolutions.com/manage-it/forget-login.jsp
  2. There are two options:
    • Retrieve Your User ID -- If you forget your User ID, it can be retrieved by entering the e-mail address on file for the User ID.
      1. Type your e-mail address in the Enter your e-mail address text box or type your domain name in the Enter a domain name text box then click on the Continue button
      2. If prompted, select the radio button next to the option you want then click on the Continue button
        • Send my User ID to the e-mail address of record
        • Update my e-mail address via fax process
      3. Your User ID will be sent to the e-mail address identified, or follow the on screen instructions for updating your e-mail address via the fax process
    • Reset Your Password -- If you forget your password, you will need to reset it for security reasons.
      1. Type your User ID in the Enter your User ID text box then click on the Continue button
      2. Select the radio button next to the option you want:
        • E-mail a link to reset my password
        • Answer my password security question [type the answer in the text box]
        • Update my e-mail address via fax process
      3. For security purposes, type the code you see under Your Code is in the Enter Code Here text box, then click on the Continue button
  3. Follow the instructions sent via e-mail or resulting from the fax update and when you are prompted to Reset Password, type a new password in the New Password text box and type it again in the Confirm Password text box (Passwords must be 4-16 characters in length) then click on the Continue button.
Enumerating the target admin's User ID is trivial (it can be retrieved by submitting the domain name), which leaves three options for resetting the account password: an e-mailed reset link, the security question, or an e-mail address change via the fax process.

[Screenshot: Network Solutions password reset options]

Spoofing CallerID and fax numbers is quite easy:

[Screenshot: CallerID/fax spoofing service]

And security questions are notoriously weak because of the amount of public data available online that can be quickly queried and correlated. A great illustration is the video of a fake "Mind Reader" in Belgium, whose "readings" of strangers' personal details come straight from what those people have posted online.

Impacts

The initial negative impact to these AV companies is the hit to their public image. While defacements of this type are quickly recoverable once the company regains control of its domain admin account, the negative public perception may linger.

Putting on the cyber-criminal hat for a moment: what else could an attacker do with control of an AV vendor's DNS records? Why not package up bogus AV DAT (signature) updates? Clients with automatic updates enabled would fetch them from whatever host the hijacked records point to, and the tampered signature data could then be used in client-side attacks to bypass AV detection. Whether this works depends on the update client: if it verifies a digital signature on each update with a key pinned in the product, a DNS hijack alone is not enough; if it trusts whatever the update host serves, it is.

Recommendations

Better 2-Factor Authentication

While some would argue that security questions are a second "factor", both a security question and a password fall into the same category, "something you know". A genuine second factor has to come from "something you have" or "something you are". In this case, the easiest step for domain registrars would be to add SMS validation using the account holder's cell phone (bearing in mind that a phone-based code is only as strong as the carrier's own account-recovery process, so it raises the bar rather than removing it). For goodness sake, if Google can add this type of 2-factor authentication to access your personal email, shouldn't the same level of protection be available for your commercial web domain registration?
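To make the "something you have" requirement concrete, here is an added example (not Network Solutions' or Trustwave's code) of a registrar gating its password-reset step on a TOTP code (RFC 6238), the kind of code an authenticator app on the account holder's phone generates; it is a swapped-in alternative to the SMS validation suggested above, chosen because it needs no carrier. The per-account secret, the `reset_password_with_totp` helper and the `state` dictionary are assumptions for illustration; the 20-byte secret and the expected codes are the RFC 6238 test vectors.

```python
"""TOTP second factor (RFC 6238) gating an account-recovery flow.

Added example, not Network Solutions' or Trustwave's code. Assumes a
per-account secret was issued at enrolment (e.g. as a QR code for an
authenticator app); helper names and the state dict are illustrative.
"""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30      # seconds per code, the RFC 6238 default
DIGITS = 6
SKEW_WINDOW = 1     # also accept the previous/next step to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """The code an authenticator app shows at Unix time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, last_counter: int,
                step: int = TIME_STEP, window: int = SKEW_WINDOW):
    """Server-side check run before a reset request is honoured.

    Returns the time-step counter that matched (the caller stores it as
    the new `last_counter`) or None. Counters at or below `last_counter`
    are refused: each code is single use, so a code captured from one
    reset attempt cannot be replayed on the next, even inside the window.
    """
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def reset_password_with_totp(secret: bytes, submitted_code: str, new_password: str,
                             state: dict, now: int = None) -> bool:
    """Hypothetical reset handler: only a valid, unused code unlocks the change."""
    now = int(time.time()) if now is None else now
    matched = verify_totp(secret, submitted_code, now, state["last_counter"])
    if matched is None:
        return False
    state["last_counter"] = matched
    state["password"] = new_password   # a real system stores a password hash
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret (constructed input)
    state = {"last_counter": -1, "password": "old"}
    code = totp(secret, 59)            # "287082" per the RFC 6238 test vectors
    print(reset_password_with_totp(secret, code, "new", state, now=59))    # True
    print(reset_password_with_totp(secret, code, "newer", state, now=59))  # False: replay
```

The replay guard is the part most home-grown implementations forget: with a one-step skew window a captured code stays valid for up to 90 seconds, which is plenty of time for a phished code to be replayed unless the accepted counter is recorded.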

Domain Monitoring Services

Ideally, access controls on domain admin accounts should be tightened to prevent unauthorized access. But the best course of action is to plan for the day a control fails: when it does, how will you respond? There are many commercial offerings that constantly monitor your domain's registration and DNS data (registrar, contact e-mail addresses, name servers, A and MX records) and immediately alert you to changes. Quick identification of unauthorized changes is crucial to minimizing damage.
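The core of such a monitoring service is a diff between a trusted baseline and a fresh snapshot. Here is an added example of that check (not Trustwave's or any vendor's product code) run over two constructed snapshots: the baseline uses placeholder values for `victim.example`, and the "observed" snapshot carries the two indicators described above, an admin e-mail moved off the organisation's own mail domain and an A record pointing at 173.193.136.42 (srv1.radioum.com.br). In production the snapshot would come from WHOIS/RDAP and DNS lookups; everything here is inline so it runs offline.

```python
"""Domain drift detector: diff a trusted baseline of a domain's registrar
and DNS data against a fresh snapshot and raise alerts on any change.

Added example, not Trustwave's or a monitoring vendor's code. Both
snapshots are constructed inline; all names and addresses are placeholders
except 173.193.136.42 / srv1.radioum.com.br, which the post reports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    domain: str
    registrar: str
    admin_email: str
    nameservers: frozenset
    a_records: frozenset
    mx_records: frozenset


def _email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def diff_snapshots(baseline: Snapshot, observed: Snapshot, trusted_email_domains):
    """Return (severity, field, detail) alerts, most severe first."""
    if baseline.domain.lower() != observed.domain.lower():
        raise ValueError("snapshots are for different domains")
    alerts = []
    if observed.registrar != baseline.registrar:
        alerts.append(("CRITICAL", "registrar",
                       f"{baseline.registrar} -> {observed.registrar}"))
    if observed.admin_email.lower() != baseline.admin_email.lower():
        # A contact moved to a mail domain you do not control means reset
        # links now reach someone else: the registrar-takeover signature.
        sev = ("CRITICAL" if _email_domain(observed.admin_email)
               not in trusted_email_domains else "HIGH")
        alerts.append((sev, "admin_email",
                       f"{baseline.admin_email} -> {observed.admin_email}"))
    for field, old, new, sev in (
        ("NS", baseline.nameservers, observed.nameservers, "CRITICAL"),
        ("A", baseline.a_records, observed.a_records, "CRITICAL"),
        ("MX", baseline.mx_records, observed.mx_records, "HIGH"),
    ):
        added, removed = new - old, old - new
        if added or removed:
            alerts.append((sev, field,
                           f"added={sorted(added)} removed={sorted(removed)}"))
    rank = {"CRITICAL": 0, "HIGH": 1}
    return sorted(alerts, key=lambda a: rank[a[0]])


def should_page(alerts) -> bool:
    """Wake someone up only for changes that redirect traffic or resets."""
    return any(sev == "CRITICAL" for sev, _, _ in alerts)


# Constructed baseline, recorded while the domain was known-good.
BASELINE = Snapshot(
    domain="victim.example",
    registrar="Network Solutions",
    admin_email="hostmaster@victim.example",
    nameservers=frozenset({"ns1.victim-dns.example", "ns2.victim-dns.example"}),
    a_records=frozenset({"192.0.2.10"}),
    mx_records=frozenset({"mx.victim.example"}),
)

# Constructed post-hijack snapshot: contact and records now point elsewhere.
OBSERVED = Snapshot(
    domain="victim.example",
    registrar="Network Solutions",
    admin_email="kdms@attacker.example",
    nameservers=frozenset({"ns1.attacker.example", "ns2.attacker.example"}),
    a_records=frozenset({"173.193.136.42"}),   # srv1.radioum.com.br, per the post
    mx_records=frozenset({"mx.attacker.example"}),
)

TRUSTED_EMAIL_DOMAINS = {"victim.example"}


def run_example():
    return diff_snapshots(BASELINE, OBSERVED, TRUSTED_EMAIL_DOMAINS)


if __name__ == "__main__":
    for sev, field, detail in run_example():
        print(f"[{sev}] {field}: {detail}")
    print("page on-call:", should_page(run_example()))
```

Note that the admin e-mail check fires before any DNS record moves: in the Avira case the contact change is what let the reset link be delivered to the attacker, so it is the earliest signal a monitor can give.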
