What is the issue - Attackers attempted a ransomware attack against Israeli webpages on March 2, 2019, which failed miserably due to a coding error.
Why it matters - The attackers managed to deface multiple web pages with the words ‘Jerusalem is the capital of Palestine’.
The big picture
Hackers gained access to Nagich’s DNS records and altered the address that the domain name resolves to, redirecting traffic from the Nagich website to their malicious server. By redirecting the Nagich widget to the malicious server, the attackers embedded malicious code on the Israeli webpages that load it.
The malicious code was designed to first deface the web pages with the words ‘#OpJerusalem, Jerusalem is the capital of Palestine’ and then initiate an automatic download of a malicious Adobe Flash Player installation file.
Things didn't go as planned for the hackers. While the malicious code defaced multiple web pages, it failed to auto-download the file.
What went wrong?
A coding error prevented the auto-download operation from ever taking place. The malicious code checked the browser’s user agent to determine whether the visitor was running Windows. If the OS was ‘Windows’, the site would trigger the ransomware download; otherwise it would stop after the defacement and would not initiate the ransomware download.
What went wrong was that the check was set only to ‘Windows’, but browser user agent strings also include the Windows version number, such as ‘Windows 10’ and ‘Windows 7’.