The Federal Bureau of Investigation (FBI) issued a warning today about an ongoing spree of website defacements allegedly perpetrated by hackers sympathetic to the Islamic Islamic State of Iraq and Syria (ISIS). The attacks have affected a variety of websites, including news organizations, commercial entities, religious institutions, U.S. federal/state/local governments, foreign governments, and a variety of other domestic and international websites. Targets appear to be random: They are not linked by name or business type.
There is a common thread between these sites, though: They all use WordPress, a free and open-source content management system. The attackers are leveraging existing WordPress plugin vulnerabilities in commonly available hacking tools, meaning they aren’t actually doing much hard work themselves; these are low-level hacks that merely use already discovered security holes.
The FBI believes the perpetrators are not members of ISIS; they are just using “relatively unsophisticated methods” to exploit technical vulnerabilities and utilizing the ISIS name “to gain more notoriety than the underlying attack would have otherwise garnered.” Nonetheless, the bureau warns the defacements “are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.”
These vulnerabilities, most of which are discovered by researchers who are seeking to improve WordPress security, allow attackers to gain unauthorized access, bypass security restrictions, inject scripts, and steal cookies from computer systems or network servers. An attacker could thus install malicious software, manipulate data, or create new accounts with full user privileges for website exploitation at a later time.
The good news is that software patches are available for these identified vulnerabilities — avoiding an attack can be as simple as updating your WordPress installation and its plugins. More specifically, the FBI recommends the following:
In other words, pretty standard security practices. If you are using an old WordPress version and/or outdated plugins, you have work to do.
The FBI today also warned that it has been receiving complaints about criminals hosting fraudulent government services websites in order to acquire personally identifiable information (including name, address, phone number, email address, Social Security number, date of birth, and mother’s maiden name). This is nothing new, though the bureau specifically pointed to a campaign that ran from May 2012 to March 2015.
The advice for such scenarios is simple: Make sure the government website you’re accessing really is a government site. Just because a website is listed at the top of your search engine’s results page doesn’t necessarily mean it is the real deal.
Powered by VBProfiles