VietNamNet Bridge - 1937cn, a group of Chinese hackers who attacked 1,000 websites in Vietnam on May 30-31, exploited vulnerabilities on the websites, including simple holes such as SQL injection, an old version of the FCKeditor plugin and the WebDAV service.


The hackers said on 1937cn.net that 1,200 websites in Vietnam and the Philippines were attacked. These included 1,000 websites in Vietnam, of which 15 are “.gov.vn” websites run by government agencies. At least 50 are “.edu.vn” run by education establishments.

According to Securitydaily.net, the attack on 1,200 websites in Vietnam and the Philippines in late May was carried out in response to the campaign called “OpChina”, which hackers from Vietnam and the Philippines launched against Chinese sites.

The Vietnamese and Filipino hackers defaced, hijacked, launched DDoS attacks against and threatened many Chinese websites. In retaliation, 1937cn hijacked and changed the interface of nearly 1,000 Vietnamese websites, including websites of government agencies and education establishments that contain important information.

Securitydaily.net said that 1937cn often launched large-scale attack campaigns targeting Vietnamese systems after political events relating to Vietnam-China relations.

In August 2013, for example, 1937cn hacked the DNS (domain name system) of Facebook.com.vn and thegioididong.com, re-directing thegioididong.com and facebook.com.vn domain names to its website.

In May 2014, when China illegally deployed an oil rig in Vietnamese territorial waters, 1937cn attacked a series of Vietnamese websites. Later, it attacked 700 Vietnamese websites on Vietnamese National Day, September 2, 2014.

According to Tran Quang Chien, director of VNIST Corp, the poorly managed operations by Vietnamese administrators and the use of inappropriate services could be the vulnerabilities the hackers exploited to conduct attacks.

Chien believes that the Chinese hackers might have exploited holes existing in FCKeditor, a WYSIWYG web text editing tool designed to simplify website content creation.

The tool can be integrated into websites without installation. FCKeditor is compatible with nearly all internet browsers and has been used widely.

The problem was that the hacked websites were using old versions of FCKeditor, and the default upload test forms had not been deleted. When the websites’ administrators began using FCKeditor, they did not set up dynamic access control on the web server’s upload folders. The hackers might have exploited these errors to upload files with malicious content or to upload a webshell to hijack the websites.
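
A local check for the two conditions described above, as an added example that is not from the article or from VNIST: it walks a web root on disk and reports leftover FCKeditor test forms and script files sitting in upload folders. The test form names, extension list and folder names are assumptions to adjust for the deployed version, and the sample tree is constructed.

```python
import os
import tempfile

TEST_FORMS = {"test.html", "uploadtest.html"}  # assumed FCKeditor 2.x test forms
SCRIPT_EXTS = {"php", "phtml", "asp", "aspx", "jsp", "cgi"}  # assumed executable types
UPLOAD_DIRS = {"userfiles", "uploads", "upload"}  # assumed upload folder names


def audit_webroot(root):
    """Return sorted (finding, relative_path) tuples for a local web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).lower().split(os.sep)
        in_editor = "filemanager" in parts
        in_upload = any(p in UPLOAD_DIRS for p in parts)
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            lower = name.lower()
            if in_editor and lower in TEST_FORMS:
                findings.append(("leftover-test-form", rel))
            # Look at every dotted part so double extensions are caught too.
            if in_upload and set(lower.split(".")[1:]) & SCRIPT_EXTS:
                findings.append(("script-in-upload-dir", rel))
    return sorted(findings)


def build_sample(root):
    """Create a small constructed web root for the demonstration."""
    for rel in (
        "index.php",
        "fckeditor/editor/filemanager/connectors/test.html",
        "fckeditor/editor/filemanager/connectors/uploadtest.html",
        "userfiles/image/logo.png",
        "userfiles/file/report.php.jpg",
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding}: {path}")
```

Any `script-in-upload-dir` finding means the upload folder accepted a file type the server may execute; the fix is to remove the file and deny script execution in that folder in the web server configuration.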

Chien also pointed out that vulnerabilities exist in the WebDAV (HTTP Extensions for Web Distributed Authoring and Versioning) service. To protect their websites, administrators need to disable the PUT method on WebDAV. If they need to post files on the website, they should use another plugin or use the FTP and SFTP protocols.

Buu Dien