"Local businesses and those who use the internet must adhere to the simple instructions that have been repeatedly given by both CyberSecurity Malaysia and local cybersecurity professionals," said Rajagopal.
"Attacks are always going to take place and both government and industry sectors need to elevate security beyond just being a compliance mechanism," he said. "Overall, we are still a very reactive driven society. I am sure the people affected by the latest will take security more seriously now that they've been hacked ... but the question is for how long?"
How the hacks happened
Meanwhile, in his early analysis, independent threat intelligence specialist Azril Rahim said the hacker group mainly exploited the web hosting service Hostgator.
"Almost all of the defaced websites are hosted on the same web-hosting server (220.127.116.11) that belongs to Hostgator," said Azril, adding that "Hostgator web hosting has had a few web-defacement and vulnerability issues in the past. It clearly shows the company is lacking in protecting its own web-hosting service."
Usually small businesses and freelancers use such services because they are cheap, he said. So far, major corporate and government sites have not been affected.
After running some tests, Azril said:
1. It is highly possible that the attack involved tampering with the .HTACCESS file that resides on every account, which redirects all requests for the domain's website to a single URL/HTML file (the deface URL or HTML page).
"This is because any URL path following the compromised domain name in the browser (e.g. www.innercircle.com/testhacked.html or www.innercircle.com/blabla.html) will be directed back to the defaced page by the running Apache server," he added.
2. It is also highly possible that the attacker(s) gained access by installing the infamous c99 or r57 PHP backdoor shell via the cPanel interface. An installed c99/r57 will allow an attacker to go into other user accounts on the same server to effect exploitation routines. The .HTACCESS file can be altered using the c99/r57 route.
3. To install this backdoor shell, the attacker has to open an account with the hosting company and upload the code.
4. This backdoor shell is easy to detect via HTTP logs or IDS/IPS. However, it requires active monitoring from the hosting provider to raise the alert or trigger
Azril's advice is to subscribe to services from established or reputable web hosting companies, which also provide eCommerce web hosting.
"Do not go for cheap web hosting subscriptions," he said. "These always come with the penalty of poor security. If you're running a critical or important website, please consider subscribing to a virtual server or dedicated host. Avoid installing cPanel and use SSH to log in to manage the server. Subscribe to enterprise WAF services such as CloudFlare or AWS for DDoS protection."
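The two signals Azril points to, a catch-all .htaccess rewrite and requests for c99/r57 shell files in the HTTP logs, can be checked for from the hosting side. The following is an added example, not code from the article or from Azril; the .htaccess contents and access-log lines are constructed, with a hypothetical site and documentation-range IP addresses.

```python
import re

# Constructed .htaccess of the kind described above: every request is rewritten to one deface page.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^(.*)$ /hacked.html [L]
"""
# Constructed Apache combined-format log lines (hypothetical site, documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2013:10:01:02 +0800] "GET /index.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2013:10:01:09 +0800] "GET /images/c99.php?act=ls HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2013:10:02:30 +0800] "POST /uploads/r57.php HTTP/1.1" 200 7722 "-" "curl/7.26"
198.51.100.7 - - [10/Jan/2013:10:03:00 +0800] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
# Regex patterns that match every request URI in a RewriteRule/RedirectMatch.
CATCH_ALL = {"^(.*)$", "^.*$", ".*", "^", "(.*)"}
# File names of the PHP backdoor shells named in the article.
SHELL_NAMES = re.compile(r"/(c99|r57)[^/]*\.php$", re.IGNORECASE)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def catch_all_rewrites(htaccess_text):
    """Return (pattern, target) for rules that send every request to a single file."""
    hits = []
    for line in htaccess_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("RewriteRule", "RedirectMatch"):
            continue
        # RedirectMatch may carry an optional status code before the regex.
        idx = 2 if parts[0] == "RedirectMatch" and len(parts) >= 4 else 1
        pattern, target = parts[idx], parts[idx + 1]
        if pattern in CATCH_ALL:
            hits.append((pattern, target))
    return hits

def shell_requests(log_text):
    """Return (client_ip, method, path, status) for hits on c99/r57-style shell files."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, url, status = m.groups()
        path = url.split("?", 1)[0]  # drop the query string before matching the file name
        if SHELL_NAMES.search(path):
            found.append((ip, method, path, int(status)))
    return found

if __name__ == "__main__":
    print(catch_all_rewrites(SAMPLE_HTACCESS))
    print(shell_requests(SAMPLE_LOG))
```

A hit from either check is a starting point for review, not proof of compromise: a legitimate site can use a catch-all rewrite for a maintenance page, so the target file and its modification time should be inspected alongside the log entries.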
Security hygiene reminders from CyberSecurity Malaysia
As a preventive measure, CyberSecurity Malaysia has released an alert advising system administrators to take the necessary steps to secure their systems against unwanted incidents as well as other security threats. Checklist items include:
- Organisations are recommended to apply a defence-in-depth strategy to protect their networks. Make sure systems, applications and third-party add-ons are updated with the latest upgrades and security patches.
- If you're running older versions of operating systems or software, ensure that they are upgraded to the latest versions; older versions may have vulnerabilities that can be manipulated by intruders.
- Please make sure that your web-based applications and network-based appliances are patched accordingly.
- You may refer to your respective vendors' websites for the latest patches, service packs and upgrades.
- Organisations are recommended to regularly conduct vulnerability assessments and penetration testing on their systems.
- You may also refer to the CyberSecurity Malaysia website under MyCERT for information on the latest patches, service packs and upgrades by referring to our advisories (see Appendix below).