Cyberattacks last weekend by hackers claiming to be associated with ISIS may be related to a plugin vulnerability on the WordPress platform.
Over a dozen sites were taken over last weekend and defaced by hackers claiming to be associated with ISIS. The attack was similar to the attack by Cyber Caliphate on US Central Command and US news outlets in January. The FBI, Department of Homeland Security and the Canadian Royal Mounted Police are investigating but don’t believe the hackers are actually associated with ISIS. The perpetrators may simply be using the name for more attention.
So far, the common thread among the diverse sites breached is that they are built on the open source WordPress platform. However, nuxmin verified that the source of at least two of the hacks was related to the FancyBox WordPress plugin. It is unclear whether the hackers used this particular vulnerability on all of the hacked sites or whether multiple security holes were used.
NBC reported that several of the hacked sites, including the Dublin Rape Crisis Center (DRCC), were told that the problem was with a vulnerable WordPress plugin.
Hi all just to say drcc website wasn’t hacked specifically it was a wordpress hack. Thankfully we’ve now been able to remove the banner!
Dublin Rape Crisis (@DublinRCC) March 9, 2015
“We contacted Blacknight when this happened last Sunday and they were quick to respond with support,”
The DRCC IT volunteer said the jQuery FancyBox plugin was used to breach the DRCC site. Once he knew it was a WordPress issue, he examined the code and saw where the malicious code was being injected.
One of the other hacked sites, a credit union in Montana, told the Credit Union Journal that the hackers’ ability to breach the site “was caused by a weakness in FancyBox.” There are a few WordPress plugins that use the FancyBox jQuery extension.
“The Eldora Speedway site and two other sites using WordPress were “hacked” by ISIS, and all three sites were using the Fancybox plug-in. The Fancybox plug-in (unless updated or removed) has a huge security vulnerability which is fixable by updating the software,” said Area43.net. “Both eldoraspeedway.com and montgomeryinn.com have removed the Fancybox plug-in, while moerleinlagerhouse.com opted instead to take their site down.”
“Bank or credit union websites may have 20 or 30 plug-ins in use, all written by different authors and all adding different functionalities,” according to the report. But those plugins aren’t necessarily created by designers focused on security, and they aren’t always updated to protect against security threats. Worse, they can easily be created and then abandoned, “but they’re still out there full of security holes and vulnerabilities,” Jason Sherrill, CEO at Inet Solution, a web design and consulting firm near Detroit, told the Credit Union Journal.
This week a vulnerability was found in the popular WordPress plugin Yoast, putting millions of WordPress installations at risk of a blind SQL injection.
“There are something in the range of 60 million WordPress installations worldwide. Almost all of them would be using some kind of hosting service, however only a small percentage are on managed WordPress hosting. Ordinarily, hosting providers don’t get involved in managing clients’ applications. Like most other software, content management systems like WordPress are regularly updated to add features and remove vulnerabilities when they are discovered. This, combined with the fact that users can introduce new vulnerabilities to their sites through third-party plugins, means that user-deployed WordPress instances can be vulnerable to attack, unless those users are careful to update their WordPress installs and remove vulnerable plugins.” “The basic security value of managed updating and patching, and the removal of bad plugins, is a core piece of the value proposition for managed WordPress hosting, and one of the reasons for that market’s growth over the last several years.”
Whether the hackers were actually associated with ISIS remains to be seen. Investigators said they are too early in the process to know where the attack originated, though there is no indication that the individuals behind the hacks have any “real connection to ISIS,” Evan Kohlmann of Flashpoint Intelligence, a global security firm and NBC News consultant, told NBC.
Last Friday a WordPress plugin that checks the list of installed plugins on a website against a list of known plugin vulnerabilities was updated.
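The kind of check described above, comparing a site's installed plugins against a list of known-vulnerable versions, as an added example (not code from the plugin mentioned or from any site in this report). The plugin names, versions and advisory entries are constructed, and the inventory is assumed to have the shape that WP-CLI's `wp plugin list --format=json` produces.

```python
import json
import re

# Constructed inventory in the shape `wp plugin list --format=json` emits.
SAMPLE_INVENTORY = json.dumps([
    {"name": "example-lightbox", "status": "inactive", "version": "1.0.5"},
    {"name": "example-seo", "status": "active", "version": "2.3.10"},
    {"name": "example-forms", "status": "active", "version": "0.9"},
    {"name": "example-gallery", "status": "active", "version": "4.1"},
])

# Constructed advisory list. fixed_in=None: no patched release (abandoned plugin).
SAMPLE_ADVISORIES = {
    "example-lightbox": {"fixed_in": "1.0.6"},
    "example-seo": {"fixed_in": "2.3.9"},
    "example-forms": {"fixed_in": None},
}


def version_key(version):
    """Map '2.3.10' to (2, 3, 10) so it compares numerically, not as text."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while parts and parts[-1] == 0:  # treat 1.0 and 1.0.0 as the same release
        parts.pop()
    return tuple(parts)


def audit(inventory_json, advisories):
    """Return (name, version, status, action) for each plugin needing attention."""
    findings = []
    for plugin in json.loads(inventory_json):
        advisory = advisories.get(plugin["name"])
        if advisory is None:
            continue  # no known advisory for this plugin
        fixed_in = advisory["fixed_in"]
        if fixed_in is None:
            action = "remove"  # nothing to update to
        elif version_key(plugin["version"]) < version_key(fixed_in):
            action = "update"
        else:
            continue  # already at or past the fixed release
        # Inactive plugins are reported too: their files are still on disk.
        findings.append((plugin["name"], plugin["version"], plugin["status"], action))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(*finding)
```

Comparing versions as text would rank 2.3.10 below 2.3.9 and raise a false alarm on a patched plugin, which is why the comparison is numeric.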