Several weeks prior, their client-facing website/application had been “hijacked” and was redirecting clients from certain geographic regions to an overseas site. … Best guess would be a drive-by malware site, although the geographic discrimination is an unusual twist that would have been interesting to understand. In order to ensure that any traces of the compromise were eradicated, the client rebuilt the site at a different hosting provider on a fresh Content Management System (CMS) install with updated modules/templates. That being said, we had several good data points: an overseas IP address attempting to hit the admin page of the app, and the fact that the hacker had signed his website defacement.
One thing many people don’t know about TOR is that it can also be used to connect to “hidden services” on the internet – sometimes referred to as the “darknet”. … It’s not for the faint of heart – and despite the “anonymity” that is provided by TOR, you still find yourself looking over your shoulder when you’re on it.
Part of our client’s continuous improvement process is adding TOR/darknet knowledge to their Computer Security Incident Response Team (CSIRT). Hopefully, they won’t have to exercise the plan anytime soon – but if they do have a security incident to respond to, their Incident Response Plan now includes a trip to the dark side.
Link: http://www.pivotpointsecurity.com/risky-business/does-your-incident-response-plan-include-the-dark-side-of-the-internet