Hackers failed to trigger the download of ransomware because of a code error, but still succeeded in defacing thousands of websites.
On Saturday, hackers launched a failed cyber-attack that attempted to infect millions of Israelis with ransomware.
A large third-party accessibility script is currently under an active DNS poisoning attack, served by @cloudflare’s Israeli endpoint:
— Yuval يوڤال Adam (@yuvadm) March 2, 2019
According to current evidence, the attack was carried out by hackers operating from Palestine.
— Irfan Chowdhury (@irfan_c98) March 2, 2019
The incident took place on Saturday 2 March, when hackers successfully poisoned the DNS records of Nagich, a web service that provides an accessibility (a11y) widget embedded in thousands of Israeli websites to give people with reading impairments access.
OS = ParseOS()
if (OS != “Windows”) // Do only defacement
OS can never be Windows exactly.
— Idan Cohen (@_IdanCohen) March 3, 2019
According to reports by Israeli cyber security experts, the hackers automatically embedded malicious code on thousands of Israeli websites that use the Nagich widget. The code would deface the site with a message saying “#OpJerusalem, Jerusalem is Palestine” and would then initiate an automatic download of a Windows file named “flashplayer install.exe,” a file tainted with ransomware.
Here is the code in action. applause to newbie hackers! pic.twitter.com/YBhZMHnOGg
— Ido Naor (@IdoNaor1) March 3, 2019
But for the hackers, things didn’t go as planned. While the defacement message was displayed on thousands of web pages, including some of Israel’s major news sites, the file was not downloaded at all. Researchers found the code meant to trigger the file download only while analyzing the defacement messages. They said that a coding error prevented any auto-download operation. The error was that the malicious code would stop after the defacement and not trigger the ransomware download if the OS string was anything other than “Windows.”
The comparison with “Windows” could never match, because there are no user agent strings that read “Windows” alone: browser user agent strings also include the Windows version number, such as “Windows XP” or “Windows 10.” The file that was to be downloaded to users’ systems was, according to an analysis by CyberArk, a non-described ransomware strain, which would have encrypted files if users ever ran it.
The attack on Nagich lasted only a few hours on Saturday. The service recovered access to its DNS records and stopped delivery of the malicious code by the end of the day.