Bank Attackers Used PHP Websites As Launch Pads

WordPress sites with an outdated TimThumb plug-in were among the PHP-based sites hackers used to launch this fall's massive DDoS attacks, reports Arbor Networks.

The group that began targeting U.S. bank websites in September launched their large-scale, distributed denial-of-service (DDoS) attacks via a number of PHP-based websites that they'd previously exploited.

That finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads.

"Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools," according to a blog post by Dan Holden and Curt Wilson, who are part of the security engineering and response team at Arbor Networks.

After compromising the PHP-based websites and loading their attack toolkits, the bank attackers then either connected directly to the sites to issue commands, or else used intermediate servers, proxies or scripts. The particular attack tool that was most used by attackers, according to Arbor, was the "itsoknoproblembro" toolkit, which is also known as Brobot. Two other tools, KamiKaze and AMOS, were also used, but less frequently.

Those tools enabled attackers to launch "a mix of application layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols," said Holden and Wilson. "The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, to multiple companies in the same vertical."

The scale of those DDoS attacks disrupted the websites of leading Wall Street firms, including Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. That was despite the attackers previewing which sites would be attacked, as well as the date and time their attacks would commence.

In late October, after more than a month of bank website attacks, the hacktivist group that claimed credit for the so-called Operation Ababil campaign promised a pause in its efforts. But the group broke its silence earlier this week, when it reemerged and promised to begin attacks this week against Bank of America, JPMorgan Chase, PNC Financial Services Group, SunTrust Banks and U.S. Bancorp.

Those attacks appeared to recommence Tuesday. A spokesman for PNC confirmed Thursday via email that the bank's website had been seeing "an unusual volume of electronic traffic at our Internet connection." But he declined to comment on whether that traffic had been caused by DDoS attacks.

According to Arbor, the new attacks "looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2," showing that attackers' techniques are continuing to evolve.

What lessons can businesses draw from the Arbor finding that the DDoS bank attackers are using vulnerable WordPress and PHP sites as staging grounds? For starters, businesses should keep an eye on their websites for signs of outdated or unsecured PHP applications -- and not just to help prevent DDoS attacks. Indeed, criminals often use exploited websites to launch attacks and store stolen information.

"WordPress enables these organizations to set up an infrastructure on the Internet that exacerbates the challenge of locating them," said Jim Butterworth, CSO of HBGary, speaking by phone. "They're using it as an opportunistic technique for lifting stolen information, more so than using WordPress as an attack vector."

The gang behind the Eurograbber attack campaign, for example, reportedly used Zitmo Trojan spyware to steal $47 million or more from over 30,000 corporate and private banking customers. Although the gang used command-and-control servers to manage PCs infected with its malware, it had also exploited PHP websites to create drop zones for storing stolen information, as well as for pushing additional attack code to infected PCs. Using drop zones -- as a kind of criminal Dropbox -- helps attackers better cover their tracks and evade security defenses.

Despite those criminal tactics, Butterworth said businesses shouldn't avoid using PHP-based applications such as WordPress. Instead, they should inventory which PHP applications are being used, log network traffic to reveal inbound PHP requests that expose would-be attackers probing for such applications, and ensure that the PHP applications remain hardened against the toolkits and vulnerabilities used to exploit them. "Locate, patch and watch. That's the advice," he said.
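The "watch" part of that advice can be started from the web server's own access logs. The following script is an added example written for this article, not code from Arbor Networks, HBGary or InformationWeek. It assumes Apache combined log format and a WordPress directory layout (`wp-content/uploads/` as the static-upload directory), and the log lines it runs over are constructed for the example. It flags three of the indicators the article describes: any request to `timthumb.php` (so you learn the plug-in is present and must be current, or that someone is looking for it), PHP files being requested or POSTed to from an uploads directory (the usual sign of an uploaded webshell being driven), and 404s for PHP applications the site does not run (probing for Joomla-style admin paths):

```python
import re
from collections import Counter

# Constructed sample Apache combined-format access log lines for this example
# (not taken from the article or from Arbor's report).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2012:14:02:11 +0000] "GET /wp-content/themes/demo/timthumb.php?src=image.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2012:14:02:15 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2012:14:03:01 +0000] "POST /wp-content/uploads/2012/12/cache.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2012:14:04:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2012:14:05:00 +0000] "GET /administrator/index.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Apache combined log format: client ip, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Directories that should only ever hold static uploads. A PHP file being
# requested (let alone POSTed to) under one of these is a classic webshell sign.
# Assumption: WordPress layout; add your own CMS's upload and cache paths here.
UPLOAD_DIRS = ("/wp-content/uploads/",)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the list of indicator tags that apply to one parsed request."""
    tags = []
    path = rec["path"]
    if path.lower().endswith("timthumb.php"):
        # Any hit on TimThumb is worth knowing about: either the plug-in is
        # installed (and must be kept current) or someone is probing for it.
        tags.append("timthumb-request")
    if path.endswith(".php") and any(path.startswith(d) for d in UPLOAD_DIRS):
        # Executable PHP inside an uploads directory: possible webshell.
        tags.append("php-in-upload-dir")
        if rec["method"] == "POST":
            # POSTing to such a file is how a webshell is usually driven.
            tags.append("webshell-command-post")
    if path.endswith(".php") and rec["status"] == 404:
        # Requests for PHP applications this site does not run: application probing.
        tags.append("php-probe-404")
    return tags


def scan_log(text):
    """Scan log text; return a list of (ip, path, tags) for every flagged request."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            alerts.append((rec["ip"], rec["path"], tags))
    return alerts


def top_sources(alerts):
    """Count flagged requests per source IP so the noisiest probers surface first."""
    return Counter(ip for ip, _, _ in alerts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, tags in found:
        print(f"{ip:16} {path:45} {','.join(tags)}")
    print("top sources:", top_sources(found).most_common(3))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents. The tags are deliberately coarse: the point is to surface the PHP files and probers that warrant a look during the "locate" step, not to decide on their own that a site is compromised, and the upload-directory rule is best paired with a server configuration that refuses to execute PHP from those directories at all.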
