Towards a safer cyber space without incidents

JPCERT Coordination Center

Powered by Yahoo! JAPAN

  • Search this site
  • Search the web

Alert regarding compromised websites

last update: 2013-06-07 
                                                   JPCERT-AT-2013-0027
                                                             JPCERT/CC
                                                            2013-06-07


                  <<< JPCERT/CC Alert 2013-06-07 >>>

                  Alert regarding compromised websites

          https://www.jpcert.or.jp/english/at/2013/at130027.html


I. Overview

  JPCERT/CC has been receiving a large number of incident reports
regarding compromised websites (About 1000 reports since April, 2013)
According to the reports, most of the compromised websites contain
embedded iframes or obfuscated JavaScript that redirects users to an 
attack site. When a user visits a compromised website, the PC may be
infected by malware.

  Most of the attacks sites to where users are redirected contain an
attack tool called, "Exploit kits."  These kits attempt to leverage
vulnerabilities in Oracle Java, Adobe Acrobat/Reader or Adobe Flash
installed on the PC that visits the attack site. If the software
contains vulnerabilities, then the PC may be infected with
malware. JPCERT/CC has observed that some of the targeted
vulnerabilities are known, so by updating the OS and software on the
PC to the latest versions, the infection by malware may be reduced.

  Malware being used in some of the attacks contain a function to
obtain account information stored in FTP/SSH clients or web
browsers. Account information used to update Web contents may be
obtained by malware as well.  Administrators of websites should
consider the information in "II. Solution" to verify that the contents
of the website being administered are not compromised and to ensure 
that proper measures are in place.

II. Solution

[For website administrators] 
 Please consider the following checkpoints, countermeasures to protect
against these attacks and to prevent user PC's from being infected by
malware.

  (Checkpoints)
  - Verify that the OS and software being used on the website are the
    latest versions available.
  - Check the web server FTP/SSH logs and make sure that the IP addresses
    that accessed the server and access times do not contain anything 
    suspicious.
  - Verify that the contents on the website do not contain any malicious
    programs, and that the contents have not been compromised.
  - Verify that the PC being used to update the website contents is not
    infected by malware. If website administration is being outsourced,
    make sure that they are verifying that the PC's being used are not
    infected by malware.

  (Countermeasures)
  - Update the OS and software being used on the website to latest versions.
  - Restrict the locations (IP addresses, etc.) and PC's that can update
    the website contents.
  - Change the password for the FTP/SSH account for updating the website
    contents, so that it is less susceptible to brute force or dictionary
    attacks. 
    (It is recommended that passwords are unpredictable stings that are 
     more than 8 characters long and contain alphanumeric and symbol
     characters)

[Users]
  At the attack sites to where users are redirected, known
vulnerabilities are used to install malware. Using the URL's below,
update the software to the latest versions.

  [Microsoft]
    Microsoft Update
    https://www.update.microsoft.com/

    Windows Update
    http://windowsupdate.microsoft.com/

  [Adobe]
    Adobe - Install Adobe Flash Player
    https://get.adobe.com/flashplayer/

    Adobe - Latest Product Updates (Adobe Acrobat、Adobe Reader)
    https://www.adobe.com/downloads/updates/

  [Oracle Java]
    Free Java Download (JRE 7、English)
    https://java.com/download/


III. References

    IPA:INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (Japanese)
    Call for June 2013
    https://www.ipa.go.jp/security/txt/2013/06outline.html

    @Police
    Alert regarding the increasing number of compromised website (Japanese)
    https://www.npa.go.jp/cyberpolice/detect/pdf/20130524_1.pdf

    Adobe Systems
    Security updates available for Adobe Reader and Acrobat
    https://www.adobe.com/support/security/bulletins/apsb13-15.html

    Adobe Systems
    Security updates available for Adobe Flash Player
    http://www.adobe.com/support/security/bulletins/apsb13-14.html

    Oracle
    Java SE Development Kit 7, Update 21 (JDK 7u21)
    http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html

    Alert regarding the usage of old versions of Parallels Plesk Panel (Japanese)
    https://www.jpcert.or.jp/english/at/2013/at130018.html

Top

Alerts&Advisories

What's new