Mediaboss Marketing

The DarkLeech attack compromised at least 20,000 legitimate websites around the world last year. It also made its mark as an example of a trend -- attackers targeting Internet infrastructure as a stepping stone to more potent attacks.

In the latest edition of its annual security report, Cisco Systems spotlights this increased focus on gaining access to Web servers, name servers and datacenters with the goal of taking advantage of their processing power and bandwidth.

"Through this approach, exploits can reach many more unsuspecting computer users and have a far greater impact on the organizations targeted, whether the goal is to make a political statement, undermine an adversary, or generate revenue," according to the report. "In essence, this trend in targeting Internet infrastructure means the foundation of the Web itself cannot be trusted."

Hackers use a variety of techniques to gain root access to hosting servers, including placing Trojans on management workstations to steal login credentials and exploiting vulnerabilities on third-party management tools used on the servers.

"CMS plays a huge role in this picture," explained Levi Gundert, Cisco technical lead for threat research, analysis and communications (TRAC). "So many people run content management software, whether it be WordPress or Joomla or what have you ...the vulnerability lists for these types of CMS are very extensive."

One compromised hosting server can infect thousands of websites. In addition, websites hosted on compromised servers may act as both a redirectors and a "malware repository," the report noted. Rather than many compromised sites loading malware from only a few malicious domains, "the relationship has now become many-to-many, hampering takedown efforts."

Once the server is compromised, the attackers can implement SSHD backdoors and install rogue modules into Web server software like Apache, Gundert said.

[Read how distributed denial-of-service attacks are a growing cause of costly data center outages in "DDoS Attacks Wreak Havoc On Data Centers."]

This is essentially what happened in the DarkLeech campaign: Sites were infected with a Secure Shell daemon (SSHD) backdoor that enabled the attackers to remotely upload malicious Apache modules and inject IFrames in real-time on hosted websites. The end result is that users were served exploits via the Blackhole crimeware kit.

"Because the DarkLeech IFrame injections occur only at the moment of a site visit, signs of the infection may not be readily apparent," the report notes.

Read the original post:
Cisco Security Report: Internet Infrastructure Under Attack