A high-profile attack on PBS, the U.S. Public Broadcasting System, was made possible by a previously unknown hole in the MoveableType content management software, according to the hacking group that claimed responsibility for the hack. However, security experts say that the hole may have been derived from studying a recent MoveableType patch.
The group calling itself Lulzsec on Sunday defaced a Web page for PBS’s Newshour program and made off with the account credentials of thousand of PBS employees and affiliates. The hack was in retaliation for the depiction of Wikileaks by PBS’s Frontline documentary program. In a post believed to be from the group said that it used a previously unknown hole in the MoveableType publishing platform to gain access to PBS’s Servers.
Lulzsec, or The Lulz Boat, posted a fictitious story on the claiming that slain rapper Tupac Shakur was alive and living in New Zealand. The group also posted stolen PBS information online, including account credentials for SQL databases hosted by PBS and the credentials of PBS staffers and affiliate stations. The attack and defacement hinged on the exploitation of a previously unknown hole in MoveableType 4, a popular content management system used by PBS, according to a document explaining the hack that is believed to have been posted by members of the group.
PBS acknowledged the attack in a Twitter post on Monday. “If you missed it: our site has been accessed by hackers. Thanks for staying with us ^TG.” The network did not immediately respond to a request for comment from Threatpost.
In a detailed explanation of the hack, Lulzsec said that after it compromised PBS’s MoveableType installation, it was able to upload a PHP shell script to the servers. Known vulnerabilities in Older, vulnerable versions of Linux allowed the hackers to obtain administrative (or root) access to the servers hosting PBS’s many Web sites. Reuse of administrative passwords by PBS IT staff allowed the hackers to further compromise other parts of the broadcaster’s network.
MoveableType.org published a security update on May 24, and the zero day vulnerability may have been the focus of that update, said Chris Wysopal, CTO and Co-Founder of Veracode, an application testing firm. “It would have been easy enough to take the update and (compare it) against an older version of the code to find the changes and the vulnerability,” Wysopal said.
Vulnerabilities in Web publishing platforms like MoveableType are “endemic,” Wysopal said. However, PBS’s decision to run versions of RedHat Linux allowed the LulzSec hackers to turn a possible Website defacement into something much lager. And that kind of security lapse is harder to excuse. Most organizations implement kernel updates within a few days of their release, but PBS was running one Linux version that was more than six years old.
“There are multiple privilege escalation holes in those versions of Linux,” Wysopal said. “That allowed them to compromise the whole machine,” he said. From there, the hackers could crack the passwords of users with administrative access to the servers they controlled, then scan the PBS network for other, connected systems and try the same account logins on those, Wysopal said.
This isn’t the first time that PBS – a political football on Capitol Hill — has been kicked around by hackers, as well. In September, 2009, Web security firm Purewire (now part of Barracuda Networks) discovered PBS.org Web sites that were serving up malicious code.
The latest hack seems to have political motives. PBS’s investigative news program Frontline recently aired an episode dubbed “Wikisecrets” that explored the evolution of Wikileaks and the case against PFC Bradley Manning, the U.S. Army intelligence analyst alleged to have leaked hundreds of thousands of classified documents and video to Julian Assange. As with earlier reporting on the case, Frontline’s producers and reporters create a multi faceted picture of Assange and, especially, of Manning, who is described as a loner, alienated from the U.S. military by his homosexuality and buffeted by break-ups and personal failures.
The Twitter account for LulzSec on Tuesday included messages directed to both Manning and Wikileaks.”@WikiLeaks We hope our hacking gave Bradley Manning a smile. That man deserves something nice,” LulzSec tweeted at one point. And “@WikiLeaks Glad you liked our Tupac story. You keep [expletive] [expletive] up and so will we.”