Treasury shuts down 4 cloud-hosted Web sites after infection
Mailicious code appears to have come from servers in Ukraine
Editor's note: This story has been updated from a previous version.
The Treasury Department has taken offline four public Web sites for the Bureau of Engraving and Printing after the discovery Monday of malicious code on a parent site.
The bureau began using a third-party cloud service provider to host the sites last year, it said Tuesday in a statement about the incident. “The hosting company used by BEP had an intrusion and as a result of that intrusion, numerous websites (BEP and non-BEP) were affected,” the statement said. The Treasury Government Security Operations Center was alerted to the problem and notified the bureau, which responded by taking the sites offline.
The infections first were reported by Roger Thompson, chief research officer for AVG Technologies, who discovered malicious code injected into the affected page Monday morning. He said the code appears to link with two attack servers in Ukraine.
Botnet includes thousands of U.S. government computers (April 2009)
Massive botnet may have snared some agency systems (February 2010)
The Bureau of Engraving and printing has four URLs pointing to one public Web site, which was infected with a malicious iFrame. The URLs are bep.gov, bep.treas.gov, moneyfactory.gov and moneyfactory.com. “BEP has since suspended the Web site,” the bureau said in its statement. “Through discussions with the provider, BEP is aware of the remediation steps required to restore the site and is currently working toward resolution.”
AVG discovered the breach through data compiled from its LinkScanner, an endpoint security tool that protects Web browsers. LinkScanner has 110 million users around the world and scans pages behind links being accessed by the user’s browser and the results of Web searches. The malicious code that redirects visitors to the bureau’s Web sites began appearing about 11 p.m. EDT Sunday and came to Thompson’s attention at 8 a.m. EDT Monday, he said.
Thompson reported the breach to the FBI, which in turn apparently reported it to Treasury officials.
“I would gladly have reported it to Treasury, but it can be hard to find the right person,” he said. “Usually when I talk to a Web administrator they don’t believe me. When the FBI calls, they pay attention.”
He publicly reported the breach Monday in a blog posting but said initially that it appeared to have been cleaned up. He amended that statement five hours later to say that the malicious code in fact had not been cleaned from the sites and warned that the sites should not be visited until they had been cleaned up.
The confusion about whether the sites had been cleaned of the code stemmed from the fact that the attacker apparently was tracking visiting IP addresses and was not serving the malicious iFrame to visitors on subsequent visits to the compromised site.
“I really should have noticed that earlier, and have no excuse except that it was very early,” Thompson wrote in one of his postings. “And pre-caffeine.”
Thompson said the breach was a “subtle injection” that would not be readily apparent on the affected page. The exploit code was hosted on Ukrainian servers. At least one of the servers was using the Eleonore Exploit Pack, a commonly available malicious toolkit that sells for about $700. Earlier versions have contained exploits for Microsoft Internet Explorer and Firefox browsers, as well as vulnerabilities in Adobe Acrobat Reader and other software. Thompson said the current version probably also includes exploits for Java vulnerabilities.
Injecting malicious iFrames into legitimate Web sites is a common technique for hackers or other criminals trying to exploit visitors' browser vulnerabilities. The code does not necessarily take information from the compromised site, but visitors to the legitimate site are redirected to an exploit page where the browser can be scanned for vulnerabilities and malicious code is loaded onto the browser. Often, multiple exploits are available on the attack site. Such attacks commonly are used to compromise computers to steal sensitive information and for recruitment into botnets.
The attacks often track visitors so that the malicious iFrame is not served twice to the same visitor, making it more difficult for researchers to identify and study the code.
Thompson said he noticed the Treasury infections because they are in the .gov domain. “I think there are a jillion other sites being affected, but these were the only government sites, which is what we noticed.”