Registrar Hack at Root of NY Times and Twitter Attacks

ID THREATPOST:0A65AB257B6C967F2FC779132925D96C
Type threatpost
Reporter Dennis Fisher
Modified 2013-09-05T13:51:07


UPDATE–The attack that took down the New York Times Web site Tuesday afternoon, along with domains belonging to Twitter and the Huffington Post, was accomplished through the use of compromised credentials belonging to a reseller for the registrar that those companies use to buy their domains. MelbourneIT, the registrar the Times, Twitter and others use, was the initial target of the attack, which enabled the Syrian Electronic Army to change the DNS records for the targeted domains and redirect traffic from those sites to a domain that may have been hosting malware.

The attack’s effects were widespread: it made the Times home page unavailable to some visitors for long periods Tuesday afternoon and put control of domains that Twitter uses to host images in the hands of the SEA. The operation, which began in the early afternoon on Tuesday and continues to have effects in some places on Wednesday morning, shows how easily and quickly things can go downhill when a key piece of the Internet’s underlying infrastructure is compromised.

The attackers from the SEA, a group that professes loyalty to the Syrian president and has gone after a long list of media organizations and other high-profile targets in the last year or so, had full access to the DNS records for the Times, a domain used to host images on Twitter, a Huffington Post site in the UK and some others. They were then able to change the records so that, rather than pointing to the Times’ own name servers, for example, they pointed to a domain controlled by the attackers. Officials at CloudFlare, a cloud hosting provider that was involved in the effort to counter the attack, said that the domain to which visitors were redirected was serving malware.

In the midst of the attack, CloudFlare, along with technical teams from Google and OpenDNS, two of the larger providers of recursive DNS services worldwide, worked together to find the root of the problem and then clean it up by getting the correct data back in the DNS records.

“While NYT worked on getting the bad records corrected with MelbourneIT, we reached out to two of the largest recursive DNS providers: OpenDNS and Google. Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered what appeared to be malware on the site to which the site was redirected. OpenDNS and Google’s DNS team worked to correct the hacked records for the customers of their recursive DNS services,” Matthew Prince, CEO of CloudFlare, wrote in an analysis of the attack and its aftermath.

“The OpenDNS team was also able to look for other domains that had been updated recently to name servers controlled by the Syrian Electronic Army. We discovered several domains that had been updated, including several belonging to Twitter and the Huffington Post. As mentioned above, these organizations also used MelbourneIT, suggesting that the compromise was more than just the NYT’s account.”

Officials at MelbourneIT said in an email statement that the company determined that one of its resellers was targeted in a spear-phishing attack, which ultimately resulted in the compromise of MelbourneIT’s systems.

“Staff of an overseas-based reseller unwittingly responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords, which was used to access the reseller’s account on Melbourne IT systems. This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict,” the company’s statement said.

“I spent most of my day on a multi-hour video conference with cyber security and systems folks from a dozen Internet companies. What a day!” Rajiv Pant, the CTO of the New York Times, wrote on Twitter late Tuesday night.

Eventually, VeriSign, the registry that runs the .com TLD, rolled back the changes to the DNS records that had been compromised, and then locked them so that no further changes were possible. An email sent by MelbourneIT to its customers on Tuesday said that the attackers were able to compromise credentials belonging to a reseller partner of MelbourneIT, and then used them to access the backend system and change the DNS records.
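As an added illustration, not code from the article or from any of the companies it names, the following sweep does what the OpenDNS team described: it checks a portfolio of domains for delegations that drifted from their baseline, groups the drifted domains by the unfamiliar name servers they now share, and records whether each domain carries a registry-level lock of the kind VeriSign applied afterwards. All domain and name-server names are constructed, and the EPP status codes are the standard ones, assumed here to be what the article means by "locked".

```python
from collections import defaultdict

# EPP status codes: serverUpdateProhibited is a registry lock that registrar or
# reseller credentials alone cannot clear; clientUpdateProhibited is registrar-side.
REGISTRY_LOCK = "serverUpdateProhibited"
REGISTRAR_LOCK = "clientUpdateProhibited"

def _norm(names):
    """Lower-case hostnames and drop the trailing dot so comparisons are stable."""
    return {n.rstrip(".").lower() for n in names}

def check_domain(expected_ns, observed_ns, statuses):
    """Compare one domain's current delegation and locks against its baseline."""
    expected, observed = _norm(expected_ns), _norm(observed_ns)
    return {
        "ns_drift": observed != expected,
        "unexpected_ns": sorted(observed - expected),
        "missing_ns": sorted(expected - observed),
        "registry_lock": REGISTRY_LOCK in statuses,
        "registrar_lock": REGISTRAR_LOCK in statuses,
    }

def scan_portfolio(baseline, snapshot):
    """Check every domain, then group drifted domains by the rogue NS they share;
    several domains moved to the same unknown NS suggests a registrar-level compromise."""
    results = {d: check_domain(baseline[d], s["ns"], s["status"])
               for d, s in snapshot.items()}
    shared = defaultdict(list)
    for domain, r in results.items():
        for ns in r["unexpected_ns"]:
            shared[ns].append(domain)
    return results, {ns: sorted(ds) for ns, ds in shared.items() if len(ds) > 1}

# Constructed sample data (not from the incident): the expected delegation per
# domain, and a snapshot of what the registry currently reports for each.
BASELINE = {
    "news-a.example": ["ns1.dnshost.example", "ns2.dnshost.example"],
    "img-b.example": ["ns1.dnshost.example", "ns2.dnshost.example"],
    "shop-c.example": ["ns1.otherhost.example", "ns2.otherhost.example"],
}
SNAPSHOT = {
    "news-a.example": {"ns": ["ns1.rogue.example.", "ns2.rogue.example."],
                       "status": ["clientTransferProhibited"]},
    "img-b.example": {"ns": ["NS1.Rogue.example", "ns2.rogue.example"],
                      "status": ["clientTransferProhibited"]},
    "shop-c.example": {"ns": ["ns1.otherhost.example", "ns2.otherhost.example"],
                       "status": ["serverUpdateProhibited", "serverTransferProhibited"]},
}
```

Running `scan_portfolio(BASELINE, SNAPSHOT)` on the sample flags the two drifted domains, shows they share both rogue name servers, and reports that neither of them had a registry lock in place.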

“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” the email says.

Prince of CloudFlare said that Tuesday’s attack shows how serious the effects of a simple compromise like this one can be.

“The hack also illustrates the damage that can be done by redirecting a site’s DNS. DNS forms the heart of the Internet, not just the web. Email routing, too, depends on DNS to route messages to the correct server,” he said.

_Image from Flickr photos of Subcircle._