
Tuesday 8 October 2013

AVG, Avira, and WhatsApp Websites Hacked and Defaced by Palestinian Hackers

The Palestinian hacker group KDMS Team has defaced the main website of AVG Technologies, avg.com. It's uncertain whether the incident is the result of a breach of AVG's systems or another case of DNS hijacking.
At the time of writing, the site is restored. However, security expert Graham Cluley has captured a screenshot of the defacement page.

“We are here to deliver two messages. First one: we want to tell you that there is a land called Palestine on the earth. This land has been stolen by Zionists. Do you know it? Palestinian people have the right to live in peace. They deserve to liberate their land and release all prisoners from Israeli jails. We want peace. Long live Palestine,” the hackers wrote on the defaced site.

They added, “Second message: There Is No Full Security. We Can Catch You! Hacked by KDMS team. Now We Will Quit Hacking.”

Interestingly, the part about “we will quit hacking” appears to be true since the group has deleted its Facebook page. 

It's uncertain how the hackers pulled this off. We've reached out to AVG in the hope that they can provide some clarification. This article will be updated if we hear from them or if they publish a statement.

KDMS Team is the same group that claimed to have hacked LeaseWeb over the weekend. The hackers say they’ve stolen data from the web hosting company’s systems, but they haven’t provided any evidence to back their allegations. 

LeaseWeb representatives said the attack was the result of a DNS hijack. It’s possible that a DNS poisoning attack is behind the AVG website defacement as well, but we’ll probably find out for sure once AVG comes forward with a statement.

Update. Experts have confirmed that this is a case of DNS hijacking. It appears that avg.com is not the only domain affected. Avira and WhatsApp websites have also been defaced in the same manner. 

Visitors to these sites see either the real site or the defacement page, depending on which DNS resolver they are using.

Also, the hackers have clarified that their Facebook page was actually deleted by Facebook.

Update 2. All of the impacted domains are registered through Network Solutions. It's possible that the hackers breached the systems of Network Solutions. 

Kaspersky's Aleks Gostev says Avira's email is also affected. We can confirm this since the emails we've attempted to send to Avira have bounced back.

The hackers' aim seems simply to be to bring attention to the plight of Palestinians and, as has been confirmed, the Avira defacement was not the result of a compromise of the website itself but of the company's ISP, Network Solutions.

Chances are good that the other defacements have been executed in the same way.

“It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request not being initiated by anyone at Avira,” shared Avira's security expert Sorin Mustaca. “Network Solutions appears to have honored this request and allowed a 3rd party to assume control of our DNS. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers.”

"Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an antivirus company like Avira change the addresses used to download signature updates," pointed out ISC handler Johannes Ullrich. The good news is that the defaced sites do not, and did not, include or point to malware.
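As an added illustration of the defensive check Ullrich's remark and the "depends on which DNS resolver" observation suggest, the following Python script (example code, not from the article or from any of the companies named) compares the NS, MX and A answers returned by several resolvers against the owner's expected baseline and flags any deviation, treating a changed NS set as the most serious; every resolver name, domain and address in it is constructed.

```python
"""Detect a resolver-dependent DNS hijack by comparing the NS, MX and A records
each resolver returns against the owner's expected set. Sample data is constructed."""
from typing import Dict, List, Set

Records = Dict[str, Set[str]]  # record type -> set of answer values

# Constructed baseline: what the domain owner registered (hypothetical names).
EXPECTED: Records = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "MX": {"mail.example.com."},
    "A": {"203.0.113.10"},
}

# Constructed observations: resolver-a still serves cached legitimate data, the
# others already follow the changed delegation to attacker-run name servers.
OBSERVED: Dict[str, Records] = {
    "resolver-a": {"NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
                   "MX": {"mail.example.com."}, "A": {"203.0.113.10"}},
    "resolver-b": {"NS": {"ns1.rogue.invalid.", "ns2.rogue.invalid."},
                   "MX": {"mail.example.com."}, "A": {"198.51.100.7"}},
    "resolver-c": {"NS": {"ns1.rogue.invalid.", "ns2.rogue.invalid."},
                   "MX": {"mx.rogue.invalid."}, "A": {"198.51.100.7"}},
}

def audit_resolver(expected: Records, seen: Records) -> List[str]:
    """List each record type whose answer deviates from the baseline. A changed
    NS set is CRITICAL: whoever controls the delegation can rewrite every other
    record, including MX (mail) and the hosts that serve updates."""
    findings = []
    for rtype in ("NS", "MX", "A"):
        got = seen.get(rtype, set())
        if got != expected[rtype]:
            tag = "CRITICAL" if rtype == "NS" else "WARN"
            findings.append(f"{tag} {rtype}: expected {sorted(expected[rtype])}, got {sorted(got)}")
    return findings

def split_view(observed: Dict[str, Records]) -> Set[str]:
    """Record types on which resolvers disagree with one another: the symptom of
    seeing the real site or the defacement depending on which resolver you use."""
    return {rtype for rtype in ("NS", "MX", "A")
            if len({frozenset(r.get(rtype, set())) for r in observed.values()}) > 1}

def run_audit(expected: Records = EXPECTED, observed: Dict[str, Records] = OBSERVED) -> Dict[str, List[str]]:
    """Return only the resolvers whose answers deviate from the baseline."""
    return {name: f for name, seen in observed.items() if (f := audit_resolver(expected, seen))}

if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, *findings, sep="\n  ")
    print("split view on:", sorted(split_view(OBSERVED)))
```

In practice the OBSERVED data would be gathered by querying each resolver for the live domain; the comparison logic is unchanged.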

But Mustaca didn't say whether anything like that happened, only that Avira has shut down all external services until the original DNS entries are restored.

The group is apparently the same one that performed a DNS hijack of the official website of the hosting firm LeaseWeb earlier in the weekend and, if the attackers' Twitter account is to be believed, Alexa and Redtube were also targeted earlier this week.

source : 1 & 2
 
World of Hacker © 2011 Creative Commons License
World of Hacker by KroKite is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Based on a work at http://www.worldofhacker.com.
Permissions beyond the scope of this license may be available at https://groups.google.com/forum/#!newtopic/hackerforum.