More Glitches in the ATS Matrix
#81
(06-15-2024, 06:33 PM)FlyingClayDisk Wrote: BTW...I am not suggesting the NK's have ATS, but given how what the NK's did has been widely published, someone else could, using similar tactics and tools.

This was all my point was.

I dunno, actually I think you might be on to something, thinking back on the history of NK attacking anyone that slights them.
Reply
#82
(06-15-2024, 04:13 AM)FlyingClayDisk Wrote: One of the other interesting things I stumbled into was what the NK's did to these lower tier websites when they took them over.  One of the first things they did was to lock out all the administrator staff to prevent people from seeing what was going on 'under the hood'.  Sound familiar?

That doesn't make much sense, as that would alert the sites' administrators and it would be easy for the hosting companies to block any outgoing emails.

Also, if they only needed to send emails, why do all that? They could just send the emails from compromised sites without the admins knowing. In fact, it would be easier for the hackers to use compromised personal computers to send those emails.
Reply
#83
(06-16-2024, 01:13 PM)ArMaP Wrote: That doesn't make much sense, as that would alert the sites' administrators and it would be easy for the hosting companies to block any outgoing emails.

Also, if they only needed to send emails, why do all that? They could just send the emails from compromised sites without the admins knowing. In fact, it would be easier for the hackers to use compromised personal computers to send those emails.

No idea.  Disguise maybe?  Dunno.

The way I understood it was they were sending semi-questionable links and/or files from websites and/or domains which weren't typically blocked by most of the virus tracking apps.  It was a psychological thing, sort of like a twisted 'trust' game.  Sure, they could have just spoofed them, but it sounds like there was more to it than just that.  Beyond that, I don't know.

No proof of that anyway (with ATS), just a theory.  But that IS what happened with Sony, so I didn't dream it up.
Reply
#84
(06-16-2024, 01:25 PM)FlyingClayDisk Wrote: The way I understood it was they were sending semi-questionable links and/or files from websites and/or domains which weren't typically blocked by most of the virus tracking apps.  It was a psychological thing, sort of like a twisted 'trust' game.  Sure, they could have just spoofed them, but it sounds like there was more to it than just that.  Beyond that, I don't know.

They used the email for "phishing", so they only needed the victims to click the links in the emails. Do you have any source I can read regarding the use of those websites? I couldn't find any reference to it.

Thanks in advance.
Reply
#85
(06-16-2024, 01:46 PM)ArMaP Wrote: They used the email for "phishing", so they only needed the victims to click the links in the emails. Do you have any source I can read regarding the use of those websites? I couldn't find any reference to it.

Thanks in advance.

Sure.  The source is..."SPY FAIL: Foreign Spies, Moles, Saboteurs and the Collapse of America's Counter-Intelligence", by James Bamford (2023), Chapters 8 thru 15 (pages 99 to 171).

For those unfamiliar, Bamford is also the author of the best-selling book "The Puzzle Palace" (1982), which basically exposed the 'No Such Agency' (NSA) to the World, along with the infamous $600 hammer, the $7000 coffee maker and the $650 toilet seat.  The book was such a spectacular exposé of NSA that it is now considered "required reading" for NSA personnel.  (The NSA and FBI initially tried to charge Bamford with Espionage and Treason for the book.)

edit - I did a bunch of collateral research while reading the book, but I'm pretty sure the noted source (above) covers most all of it.
Reply
#86
(06-16-2024, 01:13 PM)ArMaP Wrote: That doesn't make much sense, as that would alert the sites' administrators and it would be easy for the hosting companies to block any outgoing emails.

Also, if they only needed to send emails, why do all that? They could just send the emails from compromised sites without the admins knowing. In fact, it would be easier for the hackers to use compromised personal computers to send those emails.

Arguably, a hacked server is a "compromised personal computer" in most cases. SQL injections are child's play. A single query could lock out the user db (or only the admins, if you like). Windows PCs used to be the platform of choice, but it does appear Linux exploits are gaining a lot more traction recently. A potential explanation for this is that nearly all Windows machines forcibly auto-update now, but typically servers are only updated when an admin initiates that process. So, a "zombie" website becomes a better attack surface because it's unlikely to be automatically updating without admin intervention.

I don't think it's just about sending emails, but maybe using the same server as a jump point for further nefarious activities. For example, an attacker could use a compromised system to run a service like BNC to reflect their traffic and anonymize their connections to a third party.
Reply
#87
(06-17-2024, 06:12 AM)l0st Wrote: Arguably, a hacked server is a "compromised personal computer" in most cases. SQL injections are child's play. A single query could lock out the user db (or only the admins, if you like). Windows PCs used to be the platform of choice, but it does appear Linux exploits are gaining a lot more traction recently. A potential explanation for this is that nearly all Windows machines forcibly auto-update now, but typically servers are only updated when an admin initiates that process. So, a "zombie" website becomes a better attack surface because it's unlikely to be automatically updating without admin intervention.

I don't think it's just about sending emails, but maybe using the same server as a jump point for further nefarious activities. For example, an attacker could use a compromised system to run a service like BNC to reflect their traffic and anonymize their connections to a third party.

Good points.  That was my thought (i.e. a stepping stone of some sort).  That's kind of the way they characterized it.

And speaking of updating servers, that's exactly right; they are only updated with admin intervention.  If there are no admins able to access the system at ATS, it becomes more vulnerable as each day passes.  Sad to see really.  I wish this wasn't the case.
Reply
#88
(06-17-2024, 06:12 AM)l0st Wrote: I don't think it's just about sending emails, but maybe using the same server as a jump point for further nefarious activities. For example, an attacker could use a compromised system to run a service like BNC to reflect their traffic and anonymize their connections to a third party.

That makes more sense, but I still find it strange that they blocked admin access, as that would be a red flag for any active administrator.
Unless they chose sites that weren't updated for a long time, as those were more likely to have been forgotten or abandoned by their administrators. Sites that show the most recent posts/answers/etc. with the date are an easy target for that.

(06-17-2024, 07:11 AM)FlyingClayDisk Wrote: And speaking of updating servers, that's exactly right; they are only updated with admin intervention.  If there are no admins able to access the system at ATS, it becomes more vulnerable as each day passes.  Sad to see really.  I wish this wasn't the case.

I suppose that depends.
I am an administrator for another forum and we never had to do any server updates, as those are done by the hosting company; we only had to keep the forum software updated. As far as I know that's how most cheaper sites, hosted on shared hardware, are updated.
In the case of ATS, if it has specific, unshared servers, it's more likely all the administration falls into the ATS admins' hands.
Reply
#89
(06-17-2024, 10:41 AM)ArMaP Wrote: That makes more sense, but I still find it strange that they blocked admin access, as that would be a red flag for any active administrator.
Unless they chose sites that weren't updated for a long time, as those were more likely to have been forgotten or abandoned by their administrators. Sites that show the most recent posts/answers/etc. with the date are an easy target for that.

I suppose that depends.
I am an administrator for another forum and we never had to do any server updates, as those are done by the hosting company; we only had to keep the forum software updated. As far as I know that's how most cheaper sites, hosted on shared hardware, are updated.
In the case of ATS, if it has specific, unshared servers, it's more likely all the administration falls into the ATS admins' hands.

Agreed, but maybe they only needed to lock admins out long enough to run whatever exploits they planned to run. Attacks like SQL injections can be accomplished in seconds. If they are using the site to exfiltrate data, then they could need a lot longer if the volume of data is large.

My basic understanding from what I've gathered during the pre-sale era is that it was all owned equipment but I don't know if that is still true.
Reply
#90
(06-17-2024, 01:49 PM)l0st Wrote: My basic understanding from what I've gathered during the pre-sale era is that it was all owned equipment but I don't know if that is still true.

That's my understanding too, that they originally owned their own equipment, but I think that, as things started to get worse, there was some kind of cost cutting that included some kind of changes in the servers and hosting.
Reply