UGNazi attack 4chan, CloudFlare
Posted on 04 June 2012.
Visitors to 4chan were recently redirected automatically to the Twitter account of the hacker group UGNazi. An investigation into the incident revealed that the attackers had carried it out by changing 4chan's DNS records.

The group managed to make this change by successfully attacking CloudFlare, a distributed DNS service that provides security, improved performance and speed to its customers' websites.

"The attack was the result of a compromise of Google's account security procedures that allowed the hacker to eventually access my email addresses, which run on Google Apps," CloudFlare's CEO Matthew Prince shared.

At first it was unclear how the hackers had been able to do so, since Prince's account was additionally protected by 2-factor authentication, but a subsequent investigation by Google revealed that a "subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts" was to blame.

Once the attackers had access to Prince's email account, they used it to reach the company's Google Apps administrative panel and to initiate a password reset for the customer account in question. Having obtained the password, they simply changed the DNS settings for 4chan.

"We have found no evidence of unauthorized access to CloudFlare's core systems or other customers' accounts," Prince shared on Saturday. "In a review of the contents of the email accounts that were compromised, we discovered some customers' API keys were present. In order to ensure they could not be used as an attack vector, we reset all customer API keys and disabled the process that would previously email them in certain cases to CloudFlare administrator accounts."

He reassured CloudFlare's customers that no credit card numbers were compromised, because credit card data is sent directly to a secure payment processor without ever passing through the company's servers.

Alleged UGNazi leader "Cosmo" disputed the claim, saying that it is not possible to social engineer a Google App. "I don't know what he was talking about," he commented, but confirmed that they had gained access to Prince's business and private email accounts, to the company's main server, and to all the customers' account information, and that they intend to sell all this information on the Darkode online forum.

Prince today added that an AT&T breach appears to have been the initial cause of the 2-factor authentication failure that led to the compromise.
