Attackers Use SSL Exploit to Target Australian Banks

Attackers appear to be actively scanning for Windows servers running Secure Sockets Layer (SSL) that remain unpatched against the PCT security hole, with the most active efforts apparently targeting Australian banks.

Scanning of port 443 increased late last week, according to the SANS Institute, which urged administrators running Windows servers to install the patch issued by Microsoft. Port 443 is used by SSL, which encrypts sensitive information for e-commerce transactions. Several published exploits allow attackers to gain control of unpatched Windows SSL servers and any customer data stored on them.

"Internet hackers based in Brazil, Germany and the Netherlands have launched attacks against some of Australia’s largest financial institutions over the Anzac Day long weekend," Internet Security Systems said in a press statement, saying the activity became pronounced Thursday evening. "By Friday 8 am the attacks had escalated significantly and by lunch time we became aware that hackers were trying to infiltrate many of Australia’s largest financial institutions," said ISS (Australia) Managing Director Kim Duffy. "Hackers have now developed and published three attack ‘tools’ and, as these tools become more widely available, it is expected that the target base will grow and include government and commercial."

Last week's release of code exploiting the PCT flaw renewed a long-standing debate over the publication of exploits. A coder from The Hacker's Choice web site published a working binary program in addition to source code. That prompted criticism from security professionals who see value in the release of exploits. By today, the coder was expressing misgivings.

"This is an anouncement that I personally have no more intention to publish any further exploits to the public," the THC member known as Johnny Cyberpunk wrote to the Full Disclosure e-mail list. "Too many risks that kiddies around the world use it for bad purposes. I saw that the original intention, to publish exploits for (penetration testing) or patch verifying purposes, didn't work." But he added: "Remember that I speak just for me, not for the rest of the group."