Treasury shuts down 4 cloud-hosted Web sites after infection

Mailicious code appears to have come from servers in Ukraine

Editor's note: This story has been updated from a previous version.

The Treasury Department has taken offline four public Web sites for the Bureau of Engraving and Printing after the discovery Monday of malicious code on a parent site.

The bureau began using a third-party cloud service provider to host the sites last year, it said Tuesday in a statement about the incident. “The hosting company used by BEP had an intrusion and as a result of that intrusion, numerous websites (BEP and non-BEP) were affected,” the statement said. The Treasury Government Security Operations Center was alerted to the problem and notified the bureau, which responded by taking the sites offline.

The infections first were reported by Roger Thompson, chief research officer for AVG Technologies, who discovered malicious code injected into the affected page Monday morning. He said the code appears to link with two attack servers in Ukraine.


Related stories

Botnet includes thousands of U.S. government computers (April 2009)

 

Massive botnet may have snared some agency systems (February 2010)

 


The Bureau of Engraving and printing has four URLs pointing to one public Web site, which was infected with a malicious iFrame. The URLs are bep.gov, bep.treas.gov, moneyfactory.gov and moneyfactory.com. “BEP has since suspended the Web site,” the bureau said in its statement. “Through discussions with the provider, BEP is aware of the remediation steps required to restore the site and is currently working toward resolution.”

AVG discovered the breach through data compiled from its LinkScanner, an endpoint security tool that protects Web browsers. LinkScanner has 110 million users around the world and scans pages behind links being accessed by the user’s browser and the results of Web searches. The malicious code that redirects visitors to the bureau’s Web sites began appearing about 11 p.m. EDT Sunday and came to Thompson’s attention at 8 a.m. EDT Monday, he said.

Thompson reported the breach to the FBI, which in turn apparently reported it to Treasury officials.

“I would gladly have reported it to Treasury, but it can be hard to find the right person,” he said. “Usually when I talk to a Web administrator they don’t believe me. When the FBI calls, they pay attention.”

He publicly reported the breach Monday in a blog posting but said initially that it appeared to have been cleaned up. He amended that statement five hours later to say that the malicious code in fact had not been cleaned from the sites and warned that the sites should not be visited until they had been cleaned up.

The confusion about whether the sites had been cleaned of the code stemmed from the fact that the attacker apparently was tracking visiting IP addresses and was not serving the malicious iFrame to visitors on subsequent visits to the compromised site.

“I really should have noticed that earlier, and have no excuse except that it was very early,” Thompson wrote in one of his postings. “And pre-caffeine.”

Thompson said the breach was a “subtle injection” that would not be readily apparent on the affected page. The exploit code was hosted on Ukrainian servers. At least one of the servers was using the Eleonore Exploit Pack, a commonly available malicious toolkit that sells for about $700. Earlier versions have contained exploits for Microsoft Internet Explorer and Firefox browsers, as well as vulnerabilities in Adobe Acrobat Reader and other software. Thompson said the current version probably also includes exploits for Java vulnerabilities.

Injecting malicious iFrames into legitimate Web sites is a common technique for hackers or other criminals trying to exploit visitors' browser vulnerabilities. The code does not necessarily take information from the compromised site, but visitors to the legitimate site are redirected to an exploit page where the browser can be scanned for vulnerabilities and malicious code is loaded onto the browser. Often, multiple exploits are available on the attack site. Such attacks commonly are used to compromise computers to steal sensitive information and for recruitment into botnets.

The attacks often track visitors so that the malicious iFrame is not served twice to the same visitor, making it more difficult for researchers to identify and study the code.

Thompson said he noticed the Treasury infections because they are in the .gov domain. “I think there are a jillion other sites being affected, but these were the only government sites, which is what we noticed.”

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Jun 3, 2010 weaselspleen

"So now commercial Web hosting is "cloud computing?"" Cloud computing is just hosting. Always has been, always will be. Fancy terminology for ancient technology=marketing bonanza.

Mon, May 10, 2010 Eirik Iverson Chantilly Virginia

This incident makes an important point that any legitimate website can become a malware attack site to its visitors who may never know their computer was compromised from the visit. Such sites routinely generate unique attack code such that no virus definition exists to detect it. At best, such sites reuse code, attacking with day-old attack code. Either way, your anti-virus/spyware stands less than a 25% chance of detecting the attack. Something non-traditional can stop these attacks cold. However, ease of use is key. The large AV vendors offer 'advanced' features that could stop such attacks. But, they're so complex and disruptive, these features are underutilized at best, totally disabled at worst. Google for: enterprise zero day malware protection. In all the candidates you evaluate, check out first hand how easy it is to deploy, maintain, and how disruptive it might be to users. After all, what good is a tool if its too difficult to use?

Fri, May 7, 2010 JimT

So now commercial Web hosting is "cloud computing?" That doesn't really fit with any of the NIST definitions of cloud (e.g., SaaS, PaaS, IaaS). Web hosting is web hosting, and it adds only fear, uncertainty and doubt to report this as somehow a "cloud" problem. I.e., if I use AWS to host a Web application that is inherently insecure, and that Web application gets compromised, it is not due to any particular weakness or problem with "cloud" computing. That is what happened here .. the Web host provider did not provide adequate protections over the Web servers. The same problem could have occurred if the Web sites were self-hosted by Treasury on dedicated, non-"cloud" servers.

Thu, May 6, 2010 Keith Rhodes(QinetiQ North America) Fairfax, VA

This underscores the need for migration analysis in order to transition from a fixed asset environment to a “cloud.” It further outlines the need for cloud providers to collaborate their security stance with their tenants and for cloud tenants to manage the ongoing security risks of their cloud hosted applications. The analysis has to take into account many things, including data integrity and security trust models. Many benefits are being touted for moving to the cloud, not the least of which is cost savings. However, unless one does an analysis of what can, what should and what should not be moved to the cloud, one runs the risk of having all these presumed cost savings go out the window. This analysis does not end when the migration ends but continues throughout the cloud hosting lifecycle. Additionally, we should apply lessons learned in outsourced manufacturing to the third-party cloud provider model. Government cloud providers must address the integrity of policies, processes, resources and equipment introduced by the outsourcing partner.

Thu, May 6, 2010 Dan Pitton Washington DC

There are multiple parties at fault here. iFrame vulnerabilities are part of the CODE that BEP deployed. The only fault that the Cloud Provider can be accused of is failure to detect, block and notify Treasury of the intrusion. The key to a successful CC deployment is already found in NIST 800-37rev1 - which is Continuous Monitoring. Federal Security Shops need to be able to monitor Cloud Environments independent of what ever security services are offered by the Cloud Vendor. Think of it as a form of IV&V that is always on.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above