Anonymous Sri Lanka Attacks Apple & Others, Reveals Name Server Records

[WARNING: This article includes quoted profanity. - Editor]


The Bad Guys

A hacker group calling itself Anonymous Sri Lanka announced this week that it had successfully launched a DNS Cache Snoop Poisoning attack against Apple, Facebook, and other high-profile tech companies. In a post to hacker hangout and repository Pastebin, the group released the primary DNS name server records associated with those companies, listing hundreds of entries, some of which these companies may not have intended to make public.

Anonymous Sri Lanka (ignoring the irony of the lack of anonymity such specifics impart) posted lists of all of the name server records with names like, “APPLE.COM - World’s Largest Consumer Electronics Leader DNSi,” and “FACEBOOK.COM - The World’s Social Media Giant - DNS R00T3D, Fuck3D and Leaked.”

To that effect, the group offered a (vaguely literate) mini-manifesto to explain its attack against Facebook, writing:

Yo Facebook Assholes - If you want to run a Social Network - do it as it is as a real guys. Don’t try be smart asses. You are the most stupid and notorious fuckheads ever. The way you control and treat to your members are not acceptable under any circumstances.

But we don’t care who you are and what you do. Do not BLOCK the people and do not CONTROL them. Where is your fucking FREEDOM or the SOCIALISM. Censorship = Freedom (Don’t try to change the meaning of the wordings). Let the people have their own freedom on the social networks. This is hack against your fuckhead censorship.

The group offered no such commentary on Apple.

In the headers of their post, they claimed that “Primary DNS Server Hacked with DNS Cache Snoop Poisoning.” Cache snooping means reading what a resolver already has cached; poisoning means getting forged records into that cache. They offered no proof of the cache poisoning, but did provide proof of the snooping in the form of a listing of Apple’s DNS name servers.
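For a defender, the useful question is what the activity described here would leave behind in a name server’s logs: a zone-transfer (AXFR) request from a client that is not one of your secondaries, and runs of queries with the recursion-desired bit cleared from outside your network, which is the classic cache-snooping probe. The script below is an added example, not code from the article or from the group it describes. It assumes BIND 9-style query-log lines (the sample lines are constructed, with documentation-range addresses) and a hypothetical split into trusted secondaries and internal networks.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of a BIND 9 query log (not taken from
# the article). After the record type, '+' means the client asked for
# recursion and '-' means it cleared the RD bit; E = EDNS, T = TCP.
SAMPLE_LOG = """\
26-Mar-2012 10:01:02.123 queries: info: client 192.0.2.10#53112 (www.example.com): query: www.example.com IN A + (192.0.2.1)
26-Mar-2012 10:01:05.456 queries: info: client 203.0.113.7#41000 (example.com): query: example.com IN AXFR -ET (192.0.2.1)
26-Mar-2012 10:01:06.789 queries: info: client 203.0.113.7#41001 (mail.example.com): query: mail.example.com IN A -E (192.0.2.1)
26-Mar-2012 10:01:07.000 queries: info: client 203.0.113.7#41002 (intranet.example.com): query: intranet.example.com IN A -E (192.0.2.1)
26-Mar-2012 10:01:08.200 queries: info: client 198.51.100.2#53000 (example.com): query: example.com IN AXFR -ET (192.0.2.1)
26-Mar-2012 10:01:09.300 queries: info: client 192.0.2.11#53113 (example.com): query: example.com IN MX + (192.0.2.1)
"""

# Pulls the client address, query name, query type and flag string out of a line.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)

# Hypothetical policy: only these networks may pull zone transfers, and only
# these may send non-recursive queries without raising an alert.
TRUSTED_SECONDARIES = [ipaddress.ip_network("198.51.100.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def parse_query_log(text):
    """Return (client_ip, qname, qtype, flags) tuples for every query line."""
    events = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            events.append((m["ip"], m["name"], m["type"], m["flags"]))
    return events


def find_suspicious(text, trusted_secondaries=TRUSTED_SECONDARIES,
                    internal_nets=INTERNAL_NETS):
    """Flag AXFR/IXFR from untrusted clients and count RD=0 probes from outside.

    Returns (axfr_alerts, snoop_counts): a list of (client_ip, zone) pairs and
    a dict mapping external client_ip -> number of non-recursive queries.
    """
    axfr_alerts = []
    snoop_counts = Counter()
    for ip_str, name, qtype, flags in parse_query_log(text):
        ip = ipaddress.ip_address(ip_str)
        if qtype in ("AXFR", "IXFR"):
            # Zone transfers should only ever come from known secondaries.
            if not _in_any(ip, trusted_secondaries):
                axfr_alerts.append((ip_str, name))
        elif flags.startswith("-") and not _in_any(ip, internal_nets):
            # RD cleared: the client only wants to know what is already cached.
            snoop_counts[ip_str] += 1
    return axfr_alerts, dict(snoop_counts)


if __name__ == "__main__":
    axfr, snoop = find_suspicious(SAMPLE_LOG)
    for ip, zone in axfr:
        print(f"zone transfer attempt for {zone} from untrusted client {ip}")
    for ip, n in snoop.items():
        print(f"{n} non-recursive queries from external client {ip} (possible cache snooping)")
```

Run against the constructed sample, the transfer request from 198.51.100.2 is accepted as a secondary, while 203.0.113.7 is reported both for the AXFR attempt and for two RD=0 probes. The same split, tightened in the server configuration (allow-transfer limited to secondaries, recursion and cache queries limited to internal clients), is what keeps a listing like the one in this story from being produced in the first place.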

For most of us mortals, there isn’t a whole lot of interest in that list. The group found the company’s DNS name servers, showed that it tried to perform a zone transfer against those servers (it failed), and then listed hundreds of individual hosts such as:

  • 17.254.3.16 gidget16.apple.com
  • 17.254.3.65 customer.apple.com
  • 17.254.2.108 testswupdate.apple.com

As we said, that doesn’t seem all that interesting. What it does, however, is provide a starting point for others to probe these individual servers for vulnerabilities. Even that may not seem like a big deal, especially for a domain like customer.apple.com, which was already known to exist.

For the rest, such as jobsws2.apple.com, that starting point could be valuable to the bad guys and a nuisance to Apple and its security team. Plus, it’s fun to conclude that the name stands for “Jobs Work Station #2.”

Then there are listings such as icloudstatus.apple.com, which could suggest that Apple is working on a monitoring tool for iCloud status. The company provided such tools for .Mac and MobileMe, and doing so for the much larger iCloud is logical.

Similarly, webcast.apple.com does resolve to a page with the image below. ZOMG! Is that an unannounced product? Our guess is that it’s an internal tool for meetings, but it’s another example of the bad guys having a new starting point.

Webcast Studio Off Air

Dave Hamilton contributed (greatly) to this article.