Hackers launched a failed cyber-attack on Saturday in an attempt to infect millions of Israeli users with ransomware.
The attack is believed to have been carried out by hackers operating out of Palestine, based on current evidence.
The incident took place on Saturday, March 2, when hackers successfully poisoned DNS records for Nagich, a web service that provides an accessibility (a11y) widget that's embedded on thousands of Israeli websites to provide access for persons with reading disabilities.
According to reports from Israeli cyber-security experts, hackers used the Nagich widget to automatically embed malicious code on thousands of Israeli websites.
The code would first and foremost deface the site with a message that read "#OpJerusalem, Jerusalem is the capital of Palestine," and then would initiate an automatic download for a Windows file named "flashplayer_install.exe," a file tainted with ransomware.
A large third-party accessibility script is currently under an active DNS poisoning attack, served by @cloudflare's Israeli endpoint:
— Yuval يوڤال Adam (@yuvadm) March 2, 2019
$ dig +short @1.1.1.1 https://t.co/c2ZLDNM0oY
172.81.182.63
Malicious host is serving a message supporting #OpJerusalem pic.twitter.com/gdHJGwfV7n
Haha Israeli propaganda site @ynetnews has been hacked #OpJerusalem pic.twitter.com/LbVI7cgwUU
— Irfan Chowdhury (@irfan_c98) March 2, 2019
However, things didn't go as planned for the hackers. While the defacement message showed on thousands of web pages, including some of the biggest news sites in Israel, the file download did not start at all.
Researchers only spotted the code that was meant to trigger the file download while analyzing the defacement messages.
They said that a coding mistake prevented the auto-download operation from ever taking place. The mistake was that the malicious code would stop after the defacement, and not trigger the ransomware download if the OS version would be a string different from "Windows."
The error came from the fact that there is no user-agent string of "Windows" alone, as browser user-agent strings also include the Windows version number, such as "Windows XP" or "Windows 10."
This meant that the "if" statement always returned true, regardless of operating system, and the malicious code performed the defacement and then stopped, aborting the download on purpose.
Well, they maybe wanted to add #Ransomware ability, but they had error in their code. Only #defacement here.
— Idan Cohen (@_IdanCohen) March 3, 2019
Funny mistake.
OS = ParseOS()
if (OS != "Windows") // Do only defacement
OS can never be Windows exactly.
Here is the code in action. applause to newbie hackers! pic.twitter.com/YBhZMHnOGg
— Ido Naor (@IdoNaor1) March 3, 2019
According to an analysis by CyberArk, the file that was meant to download on users' systems was a non-descript ransomware strain that would have encrypted files if users ever ran it.
The Nagich attack lasted only a few hours on Saturday and the service regained access to its DNS records and stopped delivering the malicious code by the end of the day.
Cybercrime and malware, 2019 predictions
More ransomware coverage:
- New ransomware strain is locking up Bitcoin mining rigs in China
- Ransomware: An executive guide to one of the biggest menaces on the web
- Ransomware warning: This phishing campaign delivers new malware variants
- Bitdefender releases third GandCrab ransomware free decrypter in the past year
- Ransomware warning: That romantic message may hide a nasty surprise
- Matrix has slowly evolved into a 'Swiss Army knife' of the ransomware world
- Ransomware attack hits Port of San Diego CNET
- Ransomware: A cheat sheet for professionals TechRepublic