Hacking Group, Anonymous, Defaces Thai Police Websites

This week, we hear the latest on the defacement of Thai police websites by Anonymous and the BlackEnergy Trojan, associated with disruption to power supplies in Ukraine.

Breach

Thai Police Websites Defaced by Anonymous

The hacking collective Anonymous has claimed responsibility for the defacement of 14 Thai police websites. The affected websites displayed the iconic Anonymous mask coupled with the text “Failed Law. We want Justice. #BoycottThailand.” Also displayed was the name of a hacker group associated with Anonymous, “Blink Hacker Group.”

Anonymous stated that the attacks are in protest against the death sentences handed to two individuals from Myanmar found guilty of murdering two British nationals in 2014. This operation is in addition to the ongoing Anonymous activity protesting against the implementation of a single gateway for Internet access in Thailand.

Organizations need to be aware that they may become the target of a technically proficient hacking group with little notice. Keeping systems fully patched remains a first line of defense; however, systems may still contain misconfigurations or logic and implementation flaws that allow attackers to breach them and cause high-profile, embarrassing breaches.

Deploying a defense-in-depth strategy, coupled with monitoring of key systems, can deter attackers, who may simply move on to an easier target, or help detect an attack in progress and prevent harm from being incurred.

References:  Hackers attack Thai police websites to protest British murder verdicts | Anonymous 'declare war' on Thai police over British murder case

Mitigation Strategies:

  • Security Operations Center team provides around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Network traffic analysis to detect data exfiltration.
  • IDS signatures would detect the intrusion and possible data leakage.

Malware

BlackEnergy Trojan Disrupts Ukrainian Power Resources

The BlackEnergy Trojan has been associated with the recent disruption to power supplies in the Ivano-Frankivsk region of Ukraine. The power outage occurred on December 23 and lasted for a few hours. The incident is still under investigation and the exact role (if any) of the malware cannot be established.

The Trojan is modular in nature, allowing modules with additional functionality to be included in attacks if required. The malware associated with the attack against the energy sector is reported to include an SSH backdoor, allowing attackers to execute commands on infected machines, and KillDisk, a wiper component that destroys key files and disk sectors on infected machines.

Determined and well-resourced malware writers are some of the most difficult threat actors to protect against. Their malware may be sophisticated and written as a bespoke project for a particular target, complicating detection. Organizations that manage critical infrastructure, such as the energy industry, need to be aware of the risk that such threat actors pose to their systems and the potential consequences of attackers gaining access to those systems.

References: First known hacker-caused power outage signals troubling escalation | BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry

Mitigation Strategies:

  • Log management could detect the attacker's external IP information, provided logging is configured.
  • 24x7 security monitoring to provide anomaly detection.
  • IDS signatures can be written to detect the malware's callback (command-and-control) traffic.

Top 20 IP Addresses


These IPs are collated from the most frequent IP addresses detected as having attempted to attack our customers. Occasionally this list may include the IP addresses of legitimate penetration testers who have been contracted to launch cyber attacks against an organization as part of an exercise. These attacks are identical to those sent by criminals, and they are detected, blocked, and processed in the same way as any other cyber attack. We aim to remove the IP addresses of known penetration testing companies, even though they represent the source of some of our most frequent attacks. Occasionally such IP addresses escape our vigilance and are included in the list. Recipients of this list should take their own steps to verify the validity and relevance of the content before blacklisting.