Treasury shuts down 4 cloud-hosted Web sites after infection

Mailicious code appears to have come from servers in Ukraine

Editor's note: This story has been updated from a previous version.

The Treasury Department has taken offline four public Web sites for the Bureau of Engraving and Printing after the discovery Monday of malicious code on a parent site.

The bureau began using a third-party cloud service provider to host the sites last year, it said Tuesday in a statement about the incident. “The hosting company used by BEP had an intrusion and as a result of that intrusion, numerous websites (BEP and non-BEP) were affected,” the statement said. The Treasury Government Security Operations Center was alerted to the problem and notified the bureau, which responded by taking the sites offline.

The infections first were reported by Roger Thompson, chief research officer for AVG Technologies, who discovered malicious code injected into the affected page Monday morning. He said the code appears to link with two attack servers in Ukraine.


Related stories

Botnet includes thousands of U.S. government computers (April 2009)

 

Massive botnet may have snared some agency systems (February 2010)

 


The Bureau of Engraving and printing has four URLs pointing to one public Web site, which was infected with a malicious iFrame. The URLs are bep.gov, bep.treas.gov, moneyfactory.gov and moneyfactory.com. “BEP has since suspended the Web site,” the bureau said in its statement. “Through discussions with the provider, BEP is aware of the remediation steps required to restore the site and is currently working toward resolution.”

AVG discovered the breach through data compiled from its LinkScanner, an endpoint security tool that protects Web browsers. LinkScanner has 110 million users around the world and scans pages behind links being accessed by the user’s browser and the results of Web searches. The malicious code that redirects visitors to the bureau’s Web sites began appearing about 11 p.m. EDT Sunday and came to Thompson’s attention at 8 a.m. EDT Monday, he said.

Thompson reported the breach to the FBI, which in turn apparently reported it to Treasury officials.

“I would gladly have reported it to Treasury, but it can be hard to find the right person,” he said. “Usually when I talk to a Web administrator they don’t believe me. When the FBI calls, they pay attention.”

He publicly reported the breach Monday in a blog posting but said initially that it appeared to have been cleaned up. He amended that statement five hours later to say that the malicious code in fact had not been cleaned from the sites and warned that the sites should not be visited until they had been cleaned up.

The confusion about whether the sites had been cleaned of the code stemmed from the fact that the attacker apparently was tracking visiting IP addresses and was not serving the malicious iFrame to visitors on subsequent visits to the compromised site.

“I really should have noticed that earlier, and have no excuse except that it was very early,” Thompson wrote in one of his postings. “And pre-caffeine.”

Thompson said the breach was a “subtle injection” that would not be readily apparent on the affected page. The exploit code was hosted on Ukrainian servers. At least one of the servers was using the Eleonore Exploit Pack, a commonly available malicious toolkit that sells for about $700. Earlier versions have contained exploits for Microsoft Internet Explorer and Firefox browsers, as well as vulnerabilities in Adobe Acrobat Reader and other software. Thompson said the current version probably also includes exploits for Java vulnerabilities.

Injecting malicious iFrames into legitimate Web sites is a common technique for hackers or other criminals trying to exploit visitors' browser vulnerabilities. The code does not necessarily take information from the compromised site, but visitors to the legitimate site are redirected to an exploit page where the browser can be scanned for vulnerabilities and malicious code is loaded onto the browser. Often, multiple exploits are available on the attack site. Such attacks commonly are used to compromise computers to steal sensitive information and for recruitment into botnets.

The attacks often track visitors so that the malicious iFrame is not served twice to the same visitor, making it more difficult for researchers to identify and study the code.

Thompson said he noticed the Treasury infections because they are in the .gov domain. “I think there are a jillion other sites being affected, but these were the only government sites, which is what we noticed.”

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.