The DarkLeech attack compromised at least 20,000 legitimate websites around the world last year. It also made its mark as an example of a trend -- attackers targeting Internet infrastructure as a stepping stone to more potent attacks.
In the latest edition of its annual security report, Cisco Systems spotlights this increased focus on gaining access to Web servers, name servers and datacenters with the goal of taking advantage of their processing power and bandwidth.
"Through this approach, exploits can reach many more unsuspecting computer users and have a far greater impact on the organizations targeted, whether the goal is to make a political statement, undermine an adversary, or generate revenue," according to the report. "In essence, this trend in targeting Internet infrastructure means the foundation of the Web itself cannot be trusted."
Hackers use a variety of techniques to gain root access to hosting servers, including placing Trojans on management workstations to steal login credentials and exploiting vulnerabilities on third-party management tools used on the servers.
"CMS plays a huge role in this picture," explained Levi Gundert, Cisco technical lead for threat research, analysis and communications (TRAC). "So many people run content management software, whether it be WordPress or Joomla or what have you ...the vulnerability lists for these types of CMS are very extensive."
One compromised hosting server can infect thousands of websites. In addition, websites hosted on compromised servers may act as both a redirectors and a "malware repository," the report noted. Rather than many compromised sites loading malware from only a few malicious domains, "the relationship has now become many-to-many, hampering takedown efforts."
Once the server is compromised, the attackers can implement SSHD backdoors and install rogue modules into Web server software like Apache, Gundert said.
[Read how distributed denial-of-service attacks are a growing cause of costly data center outages in "DDoS Attacks Wreak Havoc On Data Centers."]
This is essentially what happened in the DarkLeech campaign: Sites were infected with a Secure Shell daemon (SSHD) backdoor that enabled the attackers to remotely upload malicious Apache modules and inject IFrames in real-time on hosted websites. The end result is that users were served exploits via the Blackhole crimeware kit.
"Because the DarkLeech IFrame injections occur only at the moment of a site visit, signs of the infection may not be readily apparent," the report notes.
Domain name servers are prime targets of this breed of attack, and Cisco's research indicates that, in addition to individual websites and hosting servers, nameservers at certain hosting providers are being compromised as well.
"Threat actors -- hacktivists, national state actors and cyber criminals -- will continue to conduct land grabs for high-powered infrastructure and compute power in 2014," said JD Sherry, vice president of technology and solutions at Trend Micro. "Several reasons are in play for this. The first is there is still a tremendous amount of DDoS attacks against banks and other critical infrastructures. Having large amounts of processing power across many geos helps with this."
In addition, high-performance computing is important for brute-force attacks on passwords, and cloud computing infrastructures will be the source of attacks for cybercriminals looking to leverage their horsepower for attacks as well, he said.
"We are advising our partners and customers that creation and orchestration of hybrid clouds -- blending your internal datacenter with public cloud capabilities -- requires a tremendous amount of thought with regard to security architecture," Sherry said.