Anyone who has ever visited blog posts on the Forbes website has probably been irritated from time to time by its practice of displaying a “Thought of the Day” for a few seconds before it passes you on to the article that you actually wish to read.
We all understand that Forbes has to make money like any other web publisher, but the “thought” (which is usually accompanied by an ad) somehow grates because it gets in the way of often genuinely-interesting content.
What’s worse, however, is that it turns out that annoyance might be the least of your troubles with Forbes’s “Thought of the Day” interstitial. It has been revealed that for a while in November last year, web visitors were also running the risk of having malware infect their computer because of it.
Researchers at iSIGHT and Invincea released details this week of a malware campaign that they claim saw Chinese hackers targeting workers in the defense industry and financial sectors – via the much-visited Forbes website.
That in itself is a peculiar claim.
Normally, a site such as Forbes – which is one of the most-visited websites in the world – would be considered an attractive target for financially-motivated criminals attempting to infect a large number of computers, but not for those who might be interested in surreptitiously stealing information from specific targeted organisations or industries.
And yet security researchers believe this was a targeted watering hole attack, which chained together zero-day exploits in Adobe Flash and Internet Explorer in an attempt to gain access to the internal networks of US defense and financial firms.
Normally a watering hole attack would be more niche than this and not hit such a mainstream site as Forbes. Instead, why not target sites focused on specialist financial news, or sites serving the defense industry?
In fact, you would have hoped that hitting such a big target as Forbes would have increased the likelihood that a hacker attack would either have been intercepted in the first place, or quickly shut down.
Instead, though, the plugin used by Forbes to display its “Thought of the Day” – a message seen by tens of millions of visitors each week – was the vector of choice for the attackers.
The Flash zero-day exploited in the attack was patched by Adobe in December last year, but the Internet Explorer part of the malware campaign – which allowed attackers to bypass ASLR protection in IE 9 and later – was only patched by Microsoft this week.
Fortunately, the researchers chose to wait until the Internet Explorer flaw was fixed before going public with details, although those IE users still using Windows XP (sadly, there are still some out there!) remain at risk.
So, what can other businesses learn from this incident?
Firstly, Forbes blogs run on the WordPress platform. They’re far from alone in that. In fact, an estimated 23% of all websites on the net – including the Tripwire State of Security blog – have WordPress running behind the scenes.
WordPress is a terrific platform for building websites, but its popularity also makes it a prime target for exploitation. Businesses relying upon WordPress need to not only ensure that they keep their installations updated, hardened and protected, but also be wary of third-party plugins that may contain vulnerabilities.
If a hacker manages to exploit a vulnerability in a poorly-coded plugin, that might enable them to inject malicious code into your site, or to gain control of your CMS.
So, don’t just keep your WordPress installation up-to-date, also ensure that your plugins are up-to-date. And consider using a service that notifies you of any differences between the plugin code running on your server and the code that resides in the official WordPress.org repository. If anomalies are found, it might indicate that the plugin you are running has been meddled with.
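The plugin-integrity check described above can be done with nothing more than file hashes: build a manifest of every file in the installed plugin directory, build the same manifest from a clean copy of the same plugin version, and report anything added, removed or changed. The following is an added example written for this post, not code from Forbes, Tripwire or the WordPress project. It constructs both a clean and a tampered copy of a made-up plugin in a temporary directory so that it runs offline; in practice the reference side would be the release archive downloaded from the WordPress.org repository for the exact version you have installed, and the plugin file names here (`thought-of-the-day.php`, `inc/extra.php`) are invented for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(reference, installed):
    """Compare a clean-release manifest against the one built from the live server.

    Files only present on the server are 'added' (typical of a dropped backdoor),
    files missing from the server are 'removed', and files whose hash differs
    are 'modified' (typical of injected code in an existing plugin file).
    """
    ref_paths, inst_paths = set(reference), set(installed)
    return {
        "added": sorted(inst_paths - ref_paths),
        "removed": sorted(ref_paths - inst_paths),
        "modified": sorted(p for p in ref_paths & inst_paths
                           if reference[p] != installed[p]),
    }


# Constructed stand-in for a plugin release; a real check would hash the
# archive fetched from wordpress.org for the installed version instead.
REFERENCE_FILES = {
    "thought-of-the-day.php": (
        "<?php\n// constructed sample plugin entry point\n"
        "function totd_render() { return 'Thought of the day'; }\n"
    ),
    "readme.txt": "=== Thought of the Day ===\nStable tag: 1.0\n",
}


def write_tree(root, files):
    """Materialise a {relative_path: content} mapping under root."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Build a clean copy and a tampered copy, then return the diff between them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref_dir = Path(tmp) / "reference"
        inst_dir = Path(tmp) / "installed"
        write_tree(ref_dir, REFERENCE_FILES)

        # Simulate what a compromised server might look like: one shipped file
        # has extra code appended, and one file exists that the release never had.
        tampered = dict(REFERENCE_FILES)
        tampered["thought-of-the-day.php"] += "// unexpected line appended after deployment\n"
        tampered["inc/extra.php"] = "<?php\n// file that is not part of the published release\n"
        write_tree(inst_dir, tampered)

        return diff_manifests(hash_tree(ref_dir), hash_tree(inst_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Any non-empty `added` or `modified` list is worth a human look; a plugin that has been legitimately customised on the server will also show up here, which is precisely why such changes should be tracked rather than left to accumulate silently.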
Finally, businesses and home users alike need to keep on top of the latest security patches, and reduce their attack surface. There has been a barrage of Adobe zero-day vulnerabilities since the start of the year, which is a worrying throwback to the bad old days of Adobe. Computer users should seriously consider enabling “Click to play” in their browser to have tighter control of when Flash code is allowed to run.
Furthermore, the latest Patch Tuesday saw Microsoft issue a staggering 41 patches to fix vulnerabilities in Internet Explorer.
If you don’t keep on top of security patches, you are playing a very dangerous game. Because, as we found out this week, even some of the world’s most famous websites might be harbouring malicious code.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.