
The Syrian Electronic Army continues to hammer away at media organizations. This afternoon the Syrian Electronic Army appears to have compromised the registrar Melbourne IT, which hosts the domains of notable media organizations like Twitter, The New York Times, and The Huffington Post.

[Image: Syrian Electronic Army cracks Melbourne IT Registrar]

Just as with the ShareThis attack from last week, the Syrian Electronic Army chose to host the domains on their main IP address 141.105.64.37.

[Image: Passive DNS data for SEA IP]
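An added example, not part of the original post: a small check over passive DNS rows that flags a watched domain when its nameservers differ from an earlier baseline or when it starts resolving to the IP address named above. The rows, the example.* domains, the nameserver names and the timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime

SEA_IP = "141.105.64.37"  # IP address named in the post

# Constructed passive DNS rows: (first_seen UTC, domain, rrtype, rdata).
# Domains, nameserver names and timestamps are made up for illustration.
PDNS_ROWS = [
    ("2013-01-01T00:00:00", "news.example.com", "NS", "ns1.dns-host.example."),
    ("2013-01-01T00:00:00", "news.example.com", "A", "192.0.2.10"),
    ("2013-01-02T20:15:00", "news.example.com", "NS", "ns1.unknown-host.example."),
    ("2013-01-02T20:20:00", "news.example.com", "A", SEA_IP),
    ("2013-01-01T00:00:00", "social.example.net", "NS", "ns1.dns-host.example."),
    ("2013-01-01T00:00:00", "social.example.net", "A", "198.51.100.7"),
    ("2013-01-02T20:30:00", "social.example.net", "A", "198.51.100.8"),
]


def find_hijack_signs(rows, baseline_cutoff, bad_ips):
    """Return {domain: [(finding, value), ...]} for records seen after the cutoff.

    Records first seen at or before the cutoff form the per-domain baseline.
    Later records are flagged when an A record points at a known-bad IP or
    when an NS record names a server absent from that domain's baseline.
    """
    cutoff = datetime.fromisoformat(baseline_cutoff)
    baseline = defaultdict(set)   # (domain, rrtype) -> rdata seen in baseline
    findings = defaultdict(list)
    for seen, domain, rrtype, rdata in sorted(rows, key=lambda r: r[0]):
        name = domain.lower().rstrip(".")
        value = rdata.lower()
        key = (name, rrtype)
        if datetime.fromisoformat(seen) <= cutoff:
            baseline[key].add(value)
            continue
        if rrtype == "A" and value in bad_ips:
            findings[name].append(("known_bad_ip", value))
        # Only compare NS sets when a baseline exists for this domain.
        elif rrtype == "NS" and baseline[key] and value not in baseline[key]:
            findings[name].append(("nameserver_changed", value))
    return dict(findings)


if __name__ == "__main__":
    report = find_hijack_signs(PDNS_ROWS, "2013-01-01T12:00:00", {SEA_IP})
    for domain, items in report.items():
        for finding, value in items:
            print(f"{domain}: {finding} -> {value}")
```

An ordinary A-record change (the second constructed domain) is not flagged on its own; only a nameserver change or a match against the known-bad IP is.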

Several users reported issues with The New York Times website; however, Twitter seemed largely unaffected. Perhaps one reason for this is Twitter’s preference for using HTTPS. Once a Transport Layer Security (TLS) tunnel is established with a site, the rest of the communication with that site flows over the established, encrypted tunnel. Users already logged in would never have experienced a problem. On the other hand, the Syrian Electronic Army also took credit for the attack using Twitter, so perhaps this is why they left the nameservers for the twitter.com domain untouched.

Cisco TRAC is continuing to monitor the situation as it develops.

 



Authors

Jaeson Schultz

Technical Leader

Cisco Talos Security Intelligence & Research