Update (6-28-18): Click the thumbnail image on the right to view our full report titled “Web Defacement Campaigns Uncovered: Gaining Insights From Deface Pages Using DefPloreX-NG.”
The ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS) is an avenue for cybersecurity research breakthroughs, techniques, and tools. At the ACM ASIACCS 2018 in Incheon, South Korea, we presented our research using DefPloreX-NG, a tool for identifying and tracking web defacement campaigns using historical and live data. “DefPloreX-NG” is a play on the phrase “defacement explorer.” The appended “NG” acronym means “Next Generation,” signifying improvements from the previous version of the tool. DefPloreX-NG is equipped with an enhanced machine learning algorithm and new visualization templates to give security analysts and other professionals a better understanding of web defacement campaigns.
DefPloreX-NG: A Robust Tool for CERTs/CSIRTs and Web Admins
In the face of cybersecurity incidents such as web defacement, Computer Emergency Readiness Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs) are in charge of coordinating with governments, industry players, academia and research community, relevant organizations, among others, to disseminate clear and actionable information and alerts to the general public. A tool like DefPloreX-NG can be beneficial for CERTs/CSIRTs and government cybersecurity agencies given that government websites have become prone to defacement attacks over the years.
Through machine learning algorithms, DefPloreX-NG builds intelligence information to identify defacement campaigns, that is, related defacements that are conducted by the same actor or group. This kind of information can help CERTs/CSIRTs understand attackers’ modi operandi as well as their motives such as promoting propaganda concerning religious beliefs or political orientations — something that is common among modern defacers. More importantly, the tool can provide CERTs/CSIRTs insights on how, when conducting web defacement campaigns, attackers are organized in groups that can be located in the same country or in different countries. With these types of information on hand, CERTs/CSIRTs can then prepare government website administrators or other relevant IT staff from defacers’ attack schemes, especially whenever ideology-related events loom (historically, websites are defaced following elections, crises, terrorist attacks, and so on).
Our research paper slated for release this month, which expands on our ACM ASIACCS presentation, details our findings on the motives and organization behind web defacement campaigns. Using DefPloreX-NG, we conducted a large-scale measurement on 13 million defacement records from January 1998 to September 2016. We discovered that nearly half of the attackers (47 percent) behind defacement campaigns belonged to one or more groups.
Another key finding during our analysis is that 70 percent of the campaigns were conducted jointly. Furthermore, campaigns that shared common motives, goals, or targets were often driven by similar geopolitical or religious ideologies. For example, various defacement campaigns (labelled in the tool as alepo_se_pierden, savesyria, save_halab, stoptheholocaust, aleppo_is_burning, aleppo_é_in_fiamme, etc.), advocated for the end of the war in Aleppo. And, to illustrate a point previously mentioned, these joint campaigns were operated by hacking groups from multiple countries.
Our previous research already identified common methods used by attackers to compromise sites: exploiting common vulnerabilities such as local file inclusion, SQL injection, and password guessing; social engineering; server intrusion; URL poisoning; man-in-the-middle attacks. If web administrators are aware which group/s of defacers are likely to attack and which attack method they will use to break a website’s security, they can easily implement solutions and mitigation techniques in anticipation of a web defacement campaign.
Countermeasures Against Defacers’ Attack Methods
Armed with information on web defacers’ motives and methods, IT teams can proactively address the common vulnerabilities used in attacks — at a well-timed manner. Here are some measures to take to stay secure against web defacement attacks and similar threats:
- Enforce long-term, basic security policies, including strong password rules, strict admin security policies, and correct configurations.
- Filter, monitor, and block malicious traffic using web application firewalls.
- Implement secure coding standards on websites and test deployed codes.
- Patch systems and networks regularly. This minimizes the risk of attacks that use vulnerability exploits in unpatched/outdated software. Scan web applications for vulnerabilities regularly as well to prevent SQL injection and cross-site scripting attacks.
- Deploy multilayered protection and solutions that can shield at-risk websites from common methods used by defacers. Trend Micro™️ Deep Security™️ and Vulnerability Protection solutions provide virtual patching to protect servers and endpoints from threats that exploit vulnerabilities
Here’s what we presented at the ACM ASIACCS 2018: