CERT mailing list archives

TA13-141A: Washington, DC Radio Station Web Site Compromises


From: "US-CERT" <US-CERT () public govdelivery com>
Date: Wed, 22 May 2013 11:16:02 -0500


National Cyber Awareness System:

TA13-141A: Washington, DC Radio Station Web Site Compromises [ https://www.us-cert.gov/ncas/alerts/TA13-141A ] 
05/20/2013 05:59 PM EDT 
Original release date: May 20, 2013 | Last revised: May 22, 2013

Systems Affected

  * Microsoft Windows systems running Adobe Reader, Acrobat, or Oracle Java 

Overview

On May 16, 2013, US-CERT was notified that both www.federalnewsradio[.]com and www.wtop[.]com had been compromised to 
redirect Internet Explorer users to an exploit kit. As of May 17, 2013, US-CERT analysis confirms that no malicious 
code remains on either site.

Description

The compromised websites were modified to contain a hidden iframe referencing a JavaScript file on a dynamic-DNS host. 
The file returned from this site was identified as the Fiesta exploit kit. The kit uses one of several known 
vulnerabilities to attempt to download an executable:


  * CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 
    [ http://www.adobe.com/support/security/bulletins/apsb09-04.html ]
  * CVE-2010-0188: Unspecified vulnerability in Adobe Reader and Acrobat 
    [ http://www.adobe.com/support/security/bulletins/apsb10-07.html ]
  * CVE-2013-0422: Multiple vulnerabilities in Oracle Java 7 before Update 11 
    [ http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html ]

Any system that visited either site while running a vulnerable version of Adobe Reader, Adobe Acrobat, or Oracle Java 
may have been compromised.
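The injection described above (a hidden iframe pulling a script from an off-site, dynamic-DNS host) is something a site 
owner can check for in their own served pages. The following scanner is an added illustration, not US-CERT's or the 
affected sites' code: it parses HTML with the standard library, flags iframes that are both hidden (CSS, the `hidden` 
attribute, or 0/1-pixel dimensions) and point at another host, and marks dynamic-DNS suffixes separately. The suffix 
list and the sample page, including the placeholder hostnames in it, are constructed assumptions and do not reproduce 
the actual injected code.

```python
"""Find hidden, off-site iframes in an HTML page (added example, not from the advisory)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: an illustrative list of free dynamic-DNS suffixes, not an authoritative one.
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.org", "no-ip.biz", "zapto.org", "hopto.org")

# Inline styles that make an element invisible, or collapse it to zero size.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\b",
    re.I,
)


def _is_hidden(attrs):
    """True if the iframe's attributes make it invisible (or 1x1) to the visitor."""
    if "hidden" in attrs:                       # bare HTML5 'hidden' attribute
        return True
    if _HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    try:
        w = int(attrs.get("width") or 100)      # missing dimension: assume visible
        h = int(attrs.get("height") or 100)
    except ValueError:                          # e.g. width="100%"
        return False
    return w <= 1 or h <= 1


def _is_dyndns(host):
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":                     # HTMLParser lowercases tag names
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for iframes that are hidden AND load from another host.

    site_host is the hostname of the page being scanned. A relative or hostless src
    is treated as on-site; a src on a dynamic-DNS suffix gets an extra reason, matching
    the pattern described in the advisory.
    """
    site_host = site_host.lower()
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if host != site_host:
            reasons.append("off-site")
        if _is_dyndns(host):
            reasons.append("dynamic-dns")
        if "hidden" in reasons and "off-site" in reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample page; hostnames are placeholders, not the real injected host.
SAMPLE_HTML = """<html><body>
<h1>News</h1>
<iframe src="/player/embed?id=42" width="640" height="360"></iframe>
<iframe src="http://example-media.example/widget" width="300" height="250"></iframe>
<iframe src="http://placeholder-host.zapto.org/q.js" style="display:none" width="0" height="0"></iframe>
<iframe src="//cdn.example.net/tracker.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, ",".join(reasons))
```

Run it against a page fetched from your own site with the site's hostname as the second argument. A 1x1 off-site iframe 
is also reported, so expect legitimate tracking pixels to appear; the dynamic-dns reason is the one that most closely 
matches this incident.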

Impact

The exploit kit, once successful, delivers and executes a known variant of the ZeroAccess Trojan. Additionally, 
according to open source reporting [ 
http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-tech-blogger-john-dvorak-blog-site-hijacked-exploits-java-and-adobe-to-distribute-fake-av-2/
 ], the malware also downloads and installs a variant of FakeAV/Kazy malware.

The ZeroAccess Trojan attempts to beacon to one of two hardcoded command-and-control addresses, 194[.]165[.]17[.]3 and 
209[.]68[.]32[.]176. The beacon is an HTTP GET request sent with an Opera/10 user-agent string.

After beaconing, the malware downloads a custom Microsoft Cabinet file containing several lists of IP addresses and a 
fake Flash installer, and uses port 16464/udp to connect to the peer-to-peer network.

Solution

*Apply Updates*

Updated software that addresses the vulnerabilities referenced in this incident has been available for years. It is 
imperative to apply current security updates to software that is commonly targeted by attackers.


  * Adobe provided updates for the Adobe Reader and Acrobat vulnerabilities (CVE-2009-0927 [ 
http://www.adobe.com/support/security/bulletins/apsb09-04.html ] and CVE-2010-0188 [ 
http://www.adobe.com/support/security/bulletins/apsb10-07.html ]) in Adobe Security Bulletins APSB09-04 [ 
https://www.adobe.com/support/security/bulletins/apsb09-04.html ] and APSB10-07 [ 
http://www.adobe.com/support/security/bulletins/apsb10-07.html ] respectively. 
  * Oracle released Oracle Security Alert for CVE-2013-0422 [ 
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html ] to address the Java vulnerability. 

In order to defend against additional vulnerabilities, install the most recent versions of Adobe Reader, Acrobat, and 
Oracle Java. At the time of publication, Adobe Security Bulletin APSB13-15 [ 
http://www.adobe.com/support/security/bulletins/apsb13-15.html ] documents current security updates for Adobe Reader 
and Acrobat, and Oracle Java SE Critical Patch Update Advisory - April 2013 [ 
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html ] documents vulnerabilities addressed by 
Java 7 Update 21.
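The Java thresholds above (Update 11 for the CVE the kit uses, Update 21 as the current release at publication) can be 
checked mechanically from the `java -version` banner. This is an added illustration, not a US-CERT or Oracle tool; the 
status labels and the sample banner strings are constructed, and the check only understands the `1.7.0_NN` version 
format in use at the time (later `11.0.2`-style strings come back as "unknown").

```python
"""Classify a Java 7 runtime against the updates cited in TA13-141A (added example)."""
import re
import subprocess

JAVA7_FIXED_UPDATE = 11    # Oracle Security Alert for CVE-2013-0422: Java 7 before Update 11 is affected
JAVA7_CURRENT_UPDATE = 21  # Java SE Critical Patch Update Advisory, April 2013

# First line of `java -version` in the 2013-era format, e.g. java version "1.7.0_09"
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, e.g. '1.7.0_09' -> (7, 9).

    Returns None when the banner is not in the 1.x.y_NN format.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(3) or 0)   # '1.7.0' with no _NN is update 0


def assess(banner):
    """Map a banner to one of: vulnerable, outdated, current, not-assessed, unknown."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major != 7:
        return "not-assessed"        # the advisory only states thresholds for Java 7
    if update < JAVA7_FIXED_UPDATE:
        return "vulnerable"          # exposed to CVE-2013-0422, which the Fiesta kit uses
    if update < JAVA7_CURRENT_UPDATE:
        return "outdated"            # past the kit's CVE but behind the April 2013 CPU
    return "current"


def installed_java_banner():
    """Run the local java binary; note that `java -version` writes to stderr."""
    try:
        p = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return p.stderr or p.stdout


# Constructed banners used for the stand-alone run below.
SAMPLE_BANNERS = [
    'java version "1.7.0_09"\nJava(TM) SE Runtime Environment (build 1.7.0_09-b05)',
    'java version "1.7.0_11"',
    'java version "1.7.0_21"',
    'java version "1.6.0_45"',
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b.splitlines()[0], "->", assess(b))
    local = installed_java_banner()
    if local:
        print("local runtime ->", assess(local))
```

Note that "current" here means only "not behind the releases this advisory names"; re-check against the latest Oracle 
advisory rather than treating Update 21 as a fixed bar.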

*Identify Compromised Systems*

Monitor activity to the following IP addresses as a potential indicator of compromise where permitted and practical:


  * 209[.]68[.]32[.]176 
  * 194[.]165[.]17[.]3 

References

  * WTOP and Federal News Radio Websites Back After Cyber Attack [ 
http://wtop.com/41/3319697/WTOP-and-Federal-News-Radio-Websites-Back-After-Cyber-Attack/ ] 
  * K.I.A. – WTOP.com, FedNewsRadio and Tech Blogger John Dvorak Blog Site Hijacked – Exploits Java and Adobe to 
Distribute Fake A/V [ 
http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-tech-blogger-john-dvorak-blog-site-hijacked-exploits-java-and-adobe-to-distribute-fake-av-2/
 ] 
  * Stack-based buffer overflow in Adobe Reader and Adobe Acrobat [ 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0927 ] 
  * Unspecified vulnerability in Adobe Reader and Acrobat [ 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188 ] 
  * Adobe Security Bulletin APSB09-04 [ http://www.adobe.com/support/security/bulletins/apsb09-04.html ] 
  * Adobe Security Bulletin APSB10-07 [ http://www.adobe.com/support/security/bulletins/apsb10-07.html ] 
  * Adobe Security Bulletin APSB13-15 [ http://www.adobe.com/support/security/bulletins/apsb13-15.html ] 
  * Multiple vulnerabilities in Oracle Java 7 before Update 11 [ 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 ] 
  * Oracle Security Alert for CVE-2013-0422 [ 
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html ] 
  * Oracle Java SE Critical Patch Update Advisory - April 2013 [ 
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html ] 

Revision History

  * Initial release 
  * Updated Solution section 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.
