Hackers Take Down +1 Million Websites, Deface Them with Message Reading “Jerusalem Is The Capital of Palestine”

According to multiple sources, this past weekend, April 2nd 2019, unknown hackers launched a massive attack against the Hebrew-based website known as Nagich, a web hosting platform used by more than 1 million businesses/users across the Middle East, including Partner, 012 Mobile and Golan Telecom, Hapoalim Bank, Clinique, Estee Lauder, McDonalds, Subaru, Fiverr and Coca-Cola. For a period of more than 1 hour, the hackers were able to poison Nagich’s DNS (Domain Name System) records and intercept/re-route all traffic flowing through them. In doing so, every visitor to a website hosted by Nagich, of which there are literally over 1 million, was redirected to a blank page reading “Palestine is the Capital of Jerusalem.”

Analyzing the attack a little further, it appears that simply hijacking, defacing and re-routing internet traffic in the region was not the hackers’ primary intent. Rather, it appears to have been a failed attempt to deliver ransomware to every person unfortunate enough to have visited a site hosted by Nagich during the attack. Considering that Nagich hosts over 1 million domains, the ransomware could theoretically have compromised untold millions of people in just 1-2 hours’ time, which would have made it one of the single largest ransomware attacks in history.

For example, for a period of 1-2 hours, every visitor to a website hosted by Nagich was exposed to an auto-loading piece of JavaScript malware that attempted to deliver the following payload:

Malware Payload: hxxp://185.163.47.134/flashplayer_install.exe
Analysis of Ransomware: https://www.hybrid-analysis.com/sample/d7e118a3753a132fbedd262fdf4809a76ce121f758eb6c829d9c5de1ffab5a3b?environmentId=100

In statements to Noticia de Israel, according to Nagich, “the hackers entered the company’s DNS [Domain Name System] records and changed the number indicating Nagich’s domain name to redirect Nagich’s traffic to its own malicious server. And since all the companies that use Nagich used the same JavaScript access code, all the pages of the clients’ websites that were not sufficiently protected were exposed.” However, at this moment in time there are no reports that anyone successfully downloaded the ransomware file, and despite the defacement of more than 1 million websites via a single attack, Israeli authorities are doing their best to spin the hack as a “failed attack.”
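The mechanism Nagich describes is a shared third-party script that every client page includes by hostname, so whoever controls that hostname's DNS record controls the code that runs on all of those pages. How a site owner can check their own pages for this exposure, as an added example (not from the article, nor Nagich's code): it lists third-party scripts loaded without a Subresource Integrity `integrity` attribute, and shows that a pinned hash makes the browser reject a swapped script body. The host names and script bodies below are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptTagCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity token ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Apply the browser's rule: the body must match at least one token of the attribute."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_hash(body, algo) == token:
            return True
    return False


def audit_external_scripts(html: str, page_host: str) -> list:
    """Return the src of every third-party script that carries no integrity attribute.

    Such a script is replaced silently if the DNS record of its host is hijacked."""
    parser = ScriptTagCollector()
    parser.feed(html)
    flagged = []
    for attrs in parser.scripts:
        src = attrs["src"]
        if src.startswith("//"):          # protocol-relative include, as shared widgets often use
            src = "https:" + src
        host = urlsplit(src).hostname
        if host and host != page_host and not attrs.get("integrity"):
            flagged.append(attrs["src"])
    return flagged


# Constructed sample page: one first-party script and one shared widget from a vendor host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="//accessibility-vendor.example/widget.js"></script>
</head><body></body></html>"""
GOOD_WIDGET = b"window.widgetLoaded = true;"          # body the site owner reviewed and pinned
SWAPPED_WIDGET = b"/* served by an impostor host */"  # body a hijacked DNS entry would deliver
```

Pin the hash returned by `sri_hash(GOOD_WIDGET)` in the tag's `integrity` attribute and the browser refuses the swapped body even though the URL is unchanged.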

Don’t get it twisted, however: a defacement of +1 million websites in a single night is certainly world class. Moreover, given the DNS hijacking in the US during January and this most recent DNS attack on Israel in March, I’m going to go out on a limb and state that DNS poisoning attacks are only going to become more and more prevalent as we move forward through 2019 and beyond. You have been warned.

Categories: Hacking News