Trend #5: Hacktivism Gets Process Driven
In 2012, we witnessed changes in the way hacktivism operated. In early 2011, hacktivist groups focused their efforts on specific organizations, methodically analyzing and attacking a target's front end (its applications and web pages) until something broke. In 2012, hacktivism was down, but not out.
For example, some "hacking incidents" proved to be hoaxes or, more precisely, PR stunts. Case in point: Anonymous claiming to have hacked an FBI laptop.
To be effective, hacktivists need to focus on divulging content or data that can damage their targets. In our February report on hacktivism, we detailed the process for stealing data from web applications. We think this process will continue, but a new variation will emerge. Specifically, hacktivists will focus on discovering which content management systems (CMS) public websites run, using well-established techniques such as error-message grabbing and Google dork searches, and mapping the identified products and versions to known vulnerabilities. They will then use automated hacking tools to pull out database contents and sensitive files for public disclosure. This approach, though simple and methodical, favors quantity over quality.
For example, over the course of 2012 the hacktivist group GhostShellTeam focused on CMS hacks, using automated tools to expose files and data. Looking at the disclosed data, it was clear that most of it had been captured from a CMS and that the extraction method was SQL injection. How do such attacks work?
- Identify and collect vulnerabilities in CMS products from sources such as exploit-db.com and other exploit databases, hacker forums and pastebin.com publications.
- Map sites running those CMS products and versions, using error-message grabbing, Google dork searches and other techniques.
- Once identified, the targets may or may not be sorted into different hacktivism campaigns, depending on the group's current agenda.
- An automated tool such as sqlmap or Havij is then used to pull the data out of the vulnerable website.
- The data is disclosed via social networks, usually alongside a long public letter from the group naming and blaming whoever the campaign targets.
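The chain above, fingerprint the CMS, map it to a known weakness, then let a tool pull the database out, is easier to reason about with a concrete run. The following is an added example written for this page, not code from the report or from any hacktivist tool. Everything in it is constructed: the crawled page fragments, the "ArticleCMS" product name, the vulnerability table (which in practice would be filled from the exploit databases named above) and the in-memory database standing in for a CMS backend. The last two functions show the defect that sqlmap-style tools exploit (a query built by string concatenation) next to the parameterized form that does not leak, which is the check a site owner should make after reading this section.

```python
# Added example: the fingerprint -> vulnerability lookup -> SQL injection
# extraction chain described in the report, simulated offline with sqlite3.
# All inputs below are constructed for illustration; "ArticleCMS" is not a real product.
import re
import sqlite3

# Constructed HTML fragments standing in for pages returned by crawled sites.
SAMPLE_PAGES = {
    "http://site-a.example": '<html><head><meta name="generator" content="ArticleCMS 2.1.3"></head><body>Welcome</body></html>',
    "http://site-b.example": '<html><body><h1>Database error</h1><pre>ArticleCMS/lib/db.php on line 42: '
                             'You have an error in your SQL syntax</pre></body></html>',
    "http://site-c.example": '<html><head><meta name="generator" content="ArticleCMS 3.0.0"></head></html>',
    "http://site-d.example": '<html><body>Plain site, nothing to see</body></html>',
}

# Constructed vulnerability table: (product, version) -> issue. A real run would be
# populated from exploit-db.com, forum posts and pastebin dumps as the report describes.
VULN_TABLE = {
    ("ArticleCMS", "2.1.3"): "SQL injection in article id parameter",
}

# Two fingerprint sources: the generator meta tag, and a leaked file path in an error page.
GENERATOR_RE = re.compile(r'<meta name="generator" content="([A-Za-z]+) ([\d.]+)"', re.I)
ERROR_RE = re.compile(r'([A-Za-z]+)/lib/db\.php on line \d+')


def fingerprint(html):
    """Return (product, version) for a page; version is None when only an error leaked the product."""
    m = GENERATOR_RE.search(html)
    if m:
        return m.group(1), m.group(2)
    m = ERROR_RE.search(html)
    if m:
        return m.group(1), None  # error-message grabbing: product known, version not
    return None, None


def map_targets(pages):
    """Steps 1-2: fingerprint each page and keep the ones matching a known vulnerability."""
    hits = {}
    for url, html in pages.items():
        product, version = fingerprint(html)
        issue = VULN_TABLE.get((product, version))
        if issue:
            hits[url] = (product, version, issue)
    return hits


def build_db():
    """Constructed CMS backend: one public table and one the attacker wants."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT);
        CREATE TABLE users(username TEXT, password_hash TEXT);
        INSERT INTO articles VALUES (1, 'Hello world');
        INSERT INTO users VALUES ('admin', 'constructed-hash-value');
    """)
    return con


def vulnerable_lookup(con, article_id):
    """The defect step 4's tools exploit: the id is concatenated into the SQL text."""
    query = "SELECT title FROM articles WHERE id = " + article_id
    return [row[0] for row in con.execute(query)]


def hardened_lookup(con, article_id):
    """Parameterized form: the id is bound as data and never parsed as SQL."""
    return [row[0] for row in con.execute(
        "SELECT title FROM articles WHERE id = ?", (article_id,))]


# A UNION payload of the kind an automated tool generates once it confirms injection.
UNION_PAYLOAD = "1 UNION SELECT username || ':' || password_hash FROM users"

if __name__ == "__main__":
    for url, hit in map_targets(SAMPLE_PAGES).items():
        print("candidate:", url, hit)
    con = build_db()
    print("vulnerable:", vulnerable_lookup(con, UNION_PAYLOAD))  # leaks users table
    print("hardened:  ", hardened_lookup(con, UNION_PAYLOAD))    # returns nothing
```

Note that site-b is fingerprinted but not mapped: the error page leaks the product but not the version, so the lookup misses. In practice that is still a lead, since the leaked syntax error itself suggests unfiltered input reaching the database, which is exactly the condition an automated tool probes for.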

