Romanian Google, Yahoo Users Redirected to Defacement Page
Earlier today, visitors to web pages associated with Google and Yahoo search were being redirected to a defacement page.
Preliminary investigation reveals that neither Google's nor Yahoo's servers have been hacked or otherwise compromised. Instead, the attackers somehow changed the authoritative DNS records for the affected domains (which are maintained by the registrar RoTLD) to point the domain names at a web server in the Netherlands, which was probably also compromised.
This appears to be the same MO as that of the hackers who poisoned the Pakistani registrar's database a couple of days ago. However, while the motivation in Pakistan was strictly political, judging by the message left on the defaced page, the attackers gave no clue as to why they attacked the Romanian services. The troubled state of society in the Middle East has given rise to a number of responses from digital activist groups, which end up attacking popular websites and exposing innocent users as collateral damage.
If you visited the affected websites while they were compromised, you are strongly advised to flush your DNS cache by typing 'ipconfig /flushdns' on Windows, 'rndc flushname google.ro' on Linux or Unix, and 'dscacheutil -flushcache' on Mac OS X.
It appears that the Algerian Hacker Group, an organization made up of almost 200 different teams of hackers, is also targeting the DNS systems of other national TLDs: the Romanian hack is the fourth incident after Ireland, Pakistan and Israel, all of which took place in just one month.
Today's attack managed to poison the DNS caches of all internet service providers, including Google DNS (220.127.116.11 and 18.104.22.168), because these resolvers cache the answers handed out by RoTLD's servers to speed up later requests for the same names.
Some ISPs have already flushed their caches; others are still serving rogue resolutions. We are continuously scanning the DNS zones of the Romanian internet and contacting ISPs individually to mitigate the crisis in the shortest possible time.
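The cache problem described above means that, even after the registrar fixes its records, every recursive resolver has to be checked individually until its cached copy expires or is flushed. The script below is an added example of that kind of sweep, not code from Bitdefender Labs: it classifies constructed 'dig +short'-style answers from several (hypothetical) ISP resolvers against a placeholder set of expected address ranges, so that resolvers still serving the rogue record can be reported to their operators.

```python
import ipaddress
from dataclasses import dataclass

# Constructed baseline (placeholder prefix, not the real ranges): where legitimate A records must fall.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed capture of `dig +short`-style answers from several recursive resolvers
# after the registrar restored the correct records (names and addresses are made up).
CAPTURED_ANSWERS = {
    "isp-a-resolver": "203.0.113.10\n203.0.113.11\n",
    "isp-b-resolver": "198.51.100.77\n",          # still serving the cached rogue record
    "isp-c-resolver": "203.0.113.10\n",
    "isp-d-resolver": "",                         # SERVFAIL or empty answer
}

@dataclass
class Verdict:
    resolver: str
    addresses: list
    rogue: list          # answers outside the expected networks
    status: str          # "clean", "poisoned" or "no-answer"

def parse_short(output: str) -> list:
    """Parse `dig +short`-style output into IP addresses, skipping CNAME targets and junk."""
    addrs = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            continue  # not an address (e.g. a CNAME target); ignore it
    return addrs

def check_resolver(name: str, output: str) -> Verdict:
    """Classify one resolver's answer against the expected networks."""
    addrs = parse_short(output)
    if not addrs:
        return Verdict(name, [], [], "no-answer")
    rogue = [a for a in addrs if not any(a in net for net in EXPECTED_NETWORKS)]
    return Verdict(name, addrs, rogue, "poisoned" if rogue else "clean")

def audit(captures: dict) -> dict:
    """Group resolvers by status so operators know which ISPs still need to flush."""
    report = {"clean": [], "poisoned": [], "no-answer": []}
    for name, output in captures.items():
        report[check_resolver(name, output).status].append(name)
    return report
```

In a live sweep the `CAPTURED_ANSWERS` values would come from querying each ISP resolver directly, and a resolver in the "poisoned" bucket is the one to contact for a cache flush.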
Second update: RoTLD confirms the breach.