Cyber Security Awareness Month: Tales from the (not so) secure web


October is National Cyber Security Awareness Month, so here is a roundup of notable cyber security incidents from around the web over the last two months. Apologies in advance for all the #doomandgloom.

Masters of Malware

A new “malvertising” campaign linked to the user “Master134” redirects traffic from over 10,000 hacked WordPress websites and sells it to a well-known ad platform, AdsTerra, which resells the traffic to other companies, which in turn resell it to their clients. The ads contain malicious code intended to infect the visitor with malware. The compromised WordPress sites were running version 4.7.1, which is vulnerable to remote code execution attacks.


Stay in your lane

A new browser security risk allowed websites to use speculative-execution side-channel attacks to steal passwords from other websites open in the same browser. Luckily, Chrome released a major security update featuring Site Isolation, which renders each site in its own process so that sites are isolated from each other. If you notice your browser slowing down slightly, this could be why: Site Isolation increases Chrome’s memory use by approximately 10%.


Arrr, matey, did ye get more (crypto) loot?

The cryptominer Crypto-Loot (a CoinHive competitor) was injected into WordPress and Drupal sites by tampering with their files hosted on RawGit, a CDN for GitHub files.

Crypto-Loot is an in-browser cryptominer that provides website owners with a script that they can run on their sites to mine the cryptocurrency Monero using the site visitors’ CPU power.


A Bitter Symfony

Drupal released a security update (8.5.6) because of a serious vulnerability in a component of Symfony, a third-party library. The same vulnerability was found in the Zend Feed and Zend Diactoros libraries.


Crumbled Cookies

Websites in a pinch to launch a cookie consent popup may have unknowingly used a malicious script that redirects users to a website selling anti-virus software which is itself likely to contain malware.


Finnish Anarchy

A DDoS attack shut down many government websites in Finland for several hours, including those of the Social Insurance Institution (Kela), the Population Register Centre, the police, and more.


Faking a Cyber Attack

Well, this is a first – a false claim of a DDoS attack. Congress is set to grill the FCC’s chairman for falsely claiming his agency was hit with a cyberattack — and how it could affect the war over net neutrality.


The all-mighty padlock

Starting October 23, 2018, Chrome and Firefox are set to distrust all certificates issued by Symantec or its partner companies before June 1, 2016, and there are still over 800,000 websites using these old certificates.

If you visit a site with an older certificate, you may see security warnings, no longer see the green padlock, or the site may be blocked entirely.

You can use this tool to check your site’s SSL status: http://sslchecker.com/


Well, that escalated quickly

Last September, Wordfence exposed the person responsible for purchasing several WordPress plugins (the Display Widgets plugin among them), injecting shady SEO spam into them, and distributing them to hundreds of thousands of websites.

Now, the BBC and The Times have reported that the same individual was also responsible for an extremely profitable website called “UK Meds” (it paid for his Lamborghini and fancy watch) where you could purchase prescription meds without a prescription.


Soblaugh

An 11-year-old hacked a replica of the Florida state election website and changed the election results. In 10 minutes. Oh boy.


Mage…r file hack

More than 7,000 Magento sites have been infected with malware in the past six months through brute-force attacks on admin credentials; the injected code steals customers’ credit card details and identities.


Noooooo! Not The Oatmeal!

The Oatmeal was hit with a DDoS Attack. The chutzpah! Don’t worry, they’re online again. Though we’re still waiting for a comic about the incident.


¡Que terrible!

The Central Bank of Spain was offline for a week (a week!!) due to a DDoS attack which was claimed by the hacktivist group Anonymous Catalonia.


Update and delete leftovers

The Duplicator plugin patched a critical remote code execution (RCE) vulnerability in its latest version. If you’ve used Duplicator, upgrade immediately and delete any leftover installer files from the migration process, since those are what an attacker can reach.


Smells phishy

A new phishing email targets WordPress users, urging them to “update their database”. The email is designed to look like an official WordPress message. If you’re thinking “What kind of idiot gets phished?”, boy do I have a podcast for you.


Howzit?

Welp, that’s ironic. A South African government website specializing in cybersecurity was taken down by a DDoS attack.


HTTPS comics

How HTTPS works. In comic form. In case you were interested. Compugters and Certificats. A must-see.


99 Problems and a DDoS is probably one of them

DDoS attack volume rose 50% in Q2 2018. That’s a whole lot of attacks. Chances are pretty good that you, or a site you use, has been attacked.


Ugh! Get me out of here

A massive WordPress malware redirect campaign is targeting vulnerable tagDiv themes and the Ultimate Member plugin. Update your plugins!!!


$6,000,000,000,000 (6 trillllion dollars)

Cybercrime expected to hit $6 trillion in damage annually by 2021. That cost is double the $3 trillion in damages that occurred in 2017, according to a Cybersecurity Ventures report.


Risky Business

A new study finds that almost half of the world’s most popular websites are risky to web users.


Evil Cursors

Thousands of WordPress sites with outdated and vulnerable themes and plugins were hacked with malicious code that redirects users to tech support scams, some of which use the new “evil cursor” Chrome bug to keep victims from closing the page.


Mine… It’s all miiiiine

Indian government websites were ‘hacked’ to mine cryptocurrencies. In addition to this incident, an estimated 119 prominent Indian websites still run the Coinhive mining script, which has been widely used to fraudulently mine the anonymity-focused cryptocurrency Monero.


Formjacked

An internet security group warns against the rise of formjacking, where injected JavaScript skims data from payment forms. Know what can help prevent this? A Content Security Policy (CSP). You know what service offers CSPs to all websites? Strattic 🙂


UN-doing of the UN

A United Nations WordPress site exposed thousands of resumes. Aaaand then it got worse: the UN also accidentally published passwords, internal documents, and technical details about its websites by misconfiguring Trello, Jira, and Google Docs.


Fearful Leaders

46% of enterprise brands fear a website data breach. Worse yet, 67% of respondents freely conceded that they had implemented no marketing security for their website.


Angry Students?

190 UK Universities were targeted with hundreds of DDoS attacks and it looks like the culprit might be staff or students.


Can I get a C. S. P. ?

The British Airways data theft demonstrates the need for cross-site scripting restrictions: the card-skimming script sent data to a domain the site never needed to talk to. Content Security Policy, people!
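As an added example (not code from the original post or from Strattic), here is a simplified CSP source-list checker that shows what the Formjacked and British Airways items above are getting at: a loose policy lets injected script send captured form data anywhere, while a policy that pins script-src, connect-src and form-action to approved origins does not. Hostnames and policies are constructed, and the matcher covers only the part of the CSP grammar needed here (scheme and host; no ports, paths or nonces).

```python
from urllib.parse import urlsplit

# Directives that inherit default-src when absent. form-action is deliberately
# NOT here: a policy with only default-src leaves form submissions unrestricted.
FETCH_DIRECTIVES = {"script-src", "connect-src", "img-src", "style-src"}

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit `url`? Simplified: scheme + host only."""
    target, page = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):         # 'none', 'unsafe-inline', nonces, hashes:
        return False                   # none of these grant access to a remote host
    if source == "*":
        return True
    if source.endswith(":"):           # scheme-source such as "https:"
        return target.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    if src.hostname.startswith("*."):  # "*.cdn.example" matches any subdomain
        return target.hostname.endswith(src.hostname[1:])
    return src.hostname == target.hostname

def csp_allows(header: str, directive: str, url: str, page_origin: str) -> bool:
    """Resolve `directive` (default-src fallback only where the spec allows it)."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                    # no applicable directive: nothing blocked
    return any(source_allows(s, url, page_origin) for s in sources)

# Constructed sample values: the site, its approved CDN, and an unapproved host
# that injected skimmer code would have to reach to exfiltrate form data.
PAGE = "https://shop.example"
CDN_SCRIPT = "https://cdn.example/app.js"
UNAPPROVED = "https://collect.unapproved.example/submit"
WEAK = "default-src * 'unsafe-inline'"
STRICT = ("default-src 'self'; script-src 'self' https://cdn.example; "
          "connect-src 'self'; form-action 'self'")
```

Run `csp_allows(WEAK, "connect-src", UNAPPROVED, PAGE)` against `csp_allows(STRICT, "connect-src", UNAPPROVED, PAGE)` to see the difference; the form-action case is the one people miss, because default-src does not cover it.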


Strattic is a solution created to optimize WordPress websites for speed and security by making them static and serving them on serverless architecture.

Feel free to contact us at info@strattic.com or sign up for our newsletter below.