UGNazi attack 4chan, CloudFlare

Visitors to 4chan have recently been automatically redirected to the Twitter account of hacker group UGNazi, and an investigation into the matter revealed that the attack has been executed through a change of 4chan’s DNS records by the hands of the hackers.

The group has managed to effect this change by executing a successful attack against CloudFare, a distributed Domain Name Server service that offers security, enhanced performance and speed to the websites held by its customers.

“The attack was the result a compromise of Google’s account security procedures that allowed the hacker to eventually access to my CloudFlare.com email addresses, which runs on Google Apps,” CloudFare’s CEO Matthew Prince shared.

At the beginning, it was unclear how the hackers were able to do so since Prince’s account was additionally secured through the use of 2-factor authentication, but a subsequent investigation on Google’s part revealed that a “subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts” was to blame.

Once the attackers had access to the Prince’s CloudFlare.com email account, they misused it to access the company’s Google Apps administrative panel and to initiate a password reset request for their customer’s CloudFlare.com account. Having come in possession of the password, they simply changed the DNS settings for 4chan.

“We have found no evidence of unauthorized access to CloudFlare’s core systems or other customers accounts,” Prince shared on Saturday. ” In a review of the contents of the email accounts that were compromised, we discovered some customers’ API keys were present. In order to ensure they could not be used as an attack vector, we reset all customer API keys and disabled the process that would previously email them in certain cases to CloudFlare administrator accounts.”

He reassured CloudFare’s customers that no credit card numbers were compromised because the credit card data is sent directly to a secure payment processor without ever passing through the company’s servers.

Alleged UGNazi leader “Cosmo” disputed the claim, saying that it’s not possible to social engineer a Google App. “I don’t know what he was talking about,” he commented, but confirmed that they managed to get access to Prince’s business and private email accounts, to the company’s main server, and to all the customers’ account information, and that they mean to sell all this information on the Darkode online forum.

Prince today returned to add that it appears that an AT&T breach was the initial cause of the 2-factor authentication failure that cause the compromise.