On Monday, we reported that hundreds of websites – including the
popular online electronics shop Conrad.nl were redirecting their
visitors to malware after the DNS servers of Dutch web hosting company
Webstekker were somehow hijacked.
Researchers from security firm Fox-IT have analyzed the attack and determined that a total of three web hosts have been impacted.
Web hosting companies Digitalus and Virtual Dynamix (VDX) have also had their DNS servers compromised. All the websites that use the DNS servers of these organizations have been configured to serve malware.
In a statement published on Monday, Digitalus representatives said the attackers modified the domain registration systems from SIDN, the Foundation for Internet Domain Registration in the Netherlands, with external name servers.
VDX has also noted that its own name servers have not suffered any changes and blamed the incident on SIDN. The company is working with SIDN on trying to determine what happened.
For the time being, it’s uncertain how the attackers managed to gain access to SIDN’s domain registration systems.
Webstekker has also published a brief statement. The company hasn't provided many explanations. Instead, it has denied reports that its DNS servers redirected website visitors to malware.
As far as the malware is concerned, Fox-IT has published an analysis of the attack.
“Every website that was being requested responded with a blank ‘Under construction’ page with an iframe on it. The iframe was a host running the Blackhole Exploit Kit. While initially we assumed conrad.nl was compromised we found out that the DNS servers were giving back responses with the same IP every time: 178.33.22.5,” Fox-IT experts noted.
The exploit kit leveraged Java and PDF vulnerabilities to push a piece of malware which in turn downloaded a Tor-powered threat.
It's worth noting that, back in July, cybercriminals managed to compromise the systems of both SIDN and DNS.be, the organization that administers the .be (Belgium) top-level domains.
Researchers from security firm Fox-IT have analyzed the attack and determined that a total of three web hosts have been impacted.
Web hosting companies Digitalus and Virtual Dynamix (VDX) have also had their DNS servers compromised. All the websites that use the DNS servers of these organizations have been configured to serve malware.
In a statement published on Monday, Digitalus representatives said the attackers modified the domain registration systems from SIDN, the Foundation for Internet Domain Registration in the Netherlands, with external name servers.
VDX has also noted that its own name servers have not suffered any changes and blamed the incident on SIDN. The company is working with SIDN on trying to determine what happened.
For the time being, it’s uncertain how the attackers managed to gain access to SIDN’s domain registration systems.
Webstekker has also published a brief statement. The company hasn't provided many explanations. Instead, it has denied reports that its DNS servers redirected website visitors to malware.
As far as the malware is concerned, Fox-IT has published an analysis of the attack.
“Every website that was being requested responded with a blank ‘Under construction’ page with an iframe on it. The iframe was a host running the Blackhole Exploit Kit. While initially we assumed conrad.nl was compromised we found out that the DNS servers were giving back responses with the same IP every time: 178.33.22.5,” Fox-IT experts noted.
The exploit kit leveraged Java and PDF vulnerabilities to push a piece of malware which in turn downloaded a Tor-powered threat.
It's worth noting that, back in July, cybercriminals managed to compromise the systems of both SIDN and DNS.be, the organization that administers the .be (Belgium) top-level domains.
No comments:
Post a Comment