The Web site of information leak site Cryptome was compromised earlier this month and infected with the Blackhole exploit kit, according to documents posted on the site.
The site, which posts a wide range of open source intelligence and leaked documents, was compromised on February 8 and had its entire contents modified to install the Blackhole exploit kit. This is the second major breach at Cryptome, which was the target of a hack in October, 2010, after the site published documents critical of Wikileaks and its founder, Julian Assange.
The motive for the attack isn’t known. However, Cryptome is a well-known repository for sensitive documents from both the government and private sector, with tens of thousands of documents posted online. The site predates the better-known Wikileaks site. Unlike Wikileaks, Cryptome focuses more on open source intelligence and documents in the public domain.
“We generally dig up the documents ourselves, they’re good solid educational information,” Cryptome founder John Young told Threatpost in 2010.
The infection was first identified on Sunday, February 12, but appears to date back to at least February 8. In a post on Cryptome, Young said that nearly all of the site’s 6,000 Web pages had been altered to include a malicious PHP script that pointed visitors to a third-party Web domain that launched the attack. Around 2,900 visitors to the site were believed to have been attacked by the compromised Web site, Young disclosed on Cryptome, citing log information left behind by the malware.
The Blackhole exploit kit is the most common hacking toolkit in use today, less than a year after its authors moved to an open source model, posting the exploit kit source code online for anyone to download and adapt. According to data from the Web security firm M86, around 95 percent of the Web-based attacks that the firm detected in the second half of 2011 were tied back to the Blackhole kit.
Mass compromises of hosting firms, including WordPress.com, have also been linked back to efforts to broaden the reach of Blackhole. In turn, Blackhole is the engine fueling the spread of malicious software such as the Carberp Trojan.