Trend Micro in New Hacktivist Warning

A new report has warned that traditional lines between hacktivists and cyber-criminals are blurring and could disappear altogether in some cases, fuelling more damaging ransomware and data theft attacks.

Trend Micro analyzed a staggering 13 million website defacements dating back 18 years to compile its latest report, A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks.

The data – collected from various third-party sources including Hack Mirror, Zone-H and MyDeface – revealed over 104,000 defacers responsible for more than 9.9 million compromised domains.

However, the techniques they use to achieve their goals of defacing websites for political or religious reasons could also be used for more malicious purposes.

SQL Injection attacks are among the top tactics used, for example.

However, although 99.9% of the attacks analyzed by Trend Micro are said to be “harmless,” this could change, the firm warned:

“Hackers are now increasingly involved in developing web shells (backdoors to maintain access to compromised web servers), and also delving into doxing and leaking stolen data. After defacing websites, the next step would seem to be capitalizing on the available information on compromised sites.

“A troubling scenario is if these defacement groups decide to monetize their successful hacks by, for example, installing malicious redirections or exploit code in the defacement pages that would then install ransomware.”

This is no longer a theoretical threat. Trend Micro claimed there have already been reports of Indian ‘hacktivists’ targeting Pakistani servers and users to install ransomware for ‘patriotic’ purposes.

“The reason why it’s only a small step to take to switch from simple defacement of a website to digital cybercrime or extortion is that the time, energy and motivation of breaching or compromising the digital has already been done,” principal security strategist, Bharat Mistry, told Infosecurity.

“Once you have gained unauthorized access and created a point of presence it’s simply then using the asset as a lever to explore data either locally stored or remotely connected to the machine. More often than not even public facing machines have trusted access to application and database servers.”
