I spent a few days last week in Washington DC chatting to new and old friends in aerospace, many well known cybersecurity vendors and folks in the intelligence community. The level of sophistication of attacks we’re seeing is rising at an incredible rate. It’s tough to watch as an industry insider because I don’t think it bodes well for an open Internet. But that’s a different conversation.
What I want to share with you today is a report released this morning on the Forbes.com attack. This was a “watering hole” attack where Forbes.com was hacked so that the attackers could install malware which then targeted visitors to the site – specifically the real target of the attack which was employees at defense contractors and banks. The hope was that the malware on the site would install itself on site visitor workstations, giving the attackers access to bank and defense contractor internal networks.
There are two sources you can get details from and they have very different tones which I’ll clarify in a moment. Forbes themselves covered the attack on their site yesterday evening.
Invincea who were involved in detecting the zero day exploits used in the attacks have also released a report (along with iSight Partners) within the last few hours which you can find here.
First a note on the differences in the reports and then what this attack means for WordPress publishers. [Edit: To clarify – WordPress as far as I’m aware was not targeted in this attack. Watering hole attacks are relevant to WordPress publishers which is why the comparison.]
Invincea and iSight partners were the two research firms involved in detecting and attributing the attack to the Chinese (aka APT or Advanced Persistent Threat if you’re outside the industry). They describe the attack as using multiple zero day vulnerabilities which is very impressive. It’s rare that zero day exploits are used in an attack because they’re the kind of weapon you can only use once. As evidenced by this attack, once the zero days were used they were patched by Adobe and Microsoft within days. So among hackers, zero days are very precious commodities and are only used when a hacker is very motivated to attack a target.
In this case multiple chained zero days were used which is extremely rare, or as Invincea describes it, a Unicorn in cybersecurity.
Invincea and iSight have attributed the attack to a Chinese espionage group called Codoso. Attribution in our industry is very controversial and there is a debate raging right now among researchers, vendors and the intelligence community about whether it’s even possible to reliably attribute attacks this way. The Forbes article casts doubt on attribution in the first paragraph. Vendors love attributing attacks and their sources and methods are usually kept secret so it becomes difficult to refute the attribution.
Forbes were the victim in this case and they’re trying to downplay the attack without being inaccurate. They are casting doubt on the attribution and describe the attack as: “Anyone who was running on any Windows OS above XP and using browsers other than Internet Explorer should have been safe, though targets using other systems could have been affected.”
Invincea on the other hand describe the attack as targeting defense and financial services firms using multiple chained zero day vulnerabilities.
If Forbes is to be believed, we don’t know who did the attack and if you were running new software you were safe. If Invincea are to be believed, Chinese spies just targeted our banks and military by hacking one of the busiest websites in the world and using previously unknown exploits. I think you see the tension within the infosec community that I mentioned.
So how does this affect WordPress publishers?
You’ve probably connected the dots already. WordPress site owners are publishers just like Forbes and we all use one of the most popular publishing platforms in the world. Many of our readers work at banks and for defense contractors and other interesting targets. We are the prime target for watering hole attacks like this. All an attacker needs is a widespread zero day vulnerability in a plugin which would allow them to exploit your site and install malware which would infect your visitors. The attacker can then go after their true target which is the internal networks of your site visitors.
Take a moment to think about who visits your site and how much protecting their network matters to you as a WordPress site owner. This is why it’s critically important that you keep your WordPress site secure. As a vendor, we recommend installing Wordfence Premium as your first step, doing a full scan and enabling two factor authentication and regular scans to verify your site is clean. As someone who cares about the WordPress community and their site visitors, I would recommend taking a deep interest in your site security as a general approach to helping protect your site visitors and your investment.
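The kind of scan recommended above, as an added example that is not the post’s or Wordfence’s own code: a baseline-and-diff file integrity check for a WordPress install that records hashes while the site is known clean, then reports added, removed and modified files and flags changed files matching patterns typical of injected watering hole payloads. The paths, the detection patterns and the sample site in demo() are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# Patterns typical of injected payloads; hits are review hints, not a verdict.
SUSPICIOUS = [
    (re.compile(r"<script[^>]+src=['\"]https?://", re.I), "external script tag"),
    (re.compile(r"<iframe[^>]*(?:width|height)=['\"]?0", re.I), "hidden iframe"),
    (re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)", re.I), "obfuscated PHP"),
]

def build_baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every web-served source file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.suffix in (".php", ".js", ".html")}

def scan(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the clean baseline and inspect only what changed."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": [], "suspicious": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
            continue  # nothing left on disk to inspect
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
        else:
            continue  # unchanged since the clean baseline: skip content checks
        text = (root / rel).read_text(errors="replace")
        hits = [label for rx, label in SUSPICIOUS if rx.search(text)]
        if hits:
            report["suspicious"][rel] = hits
    return report

def demo() -> dict:
    """Constructed sample site: baseline it clean, then simulate a compromise."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    footer = theme / "footer.php"
    footer.write_text("<footer>Demo</footer>\n</body></html>\n")
    baseline = build_baseline(root)  # taken while the site is known clean
    # Simulated tampering (constructed): a hidden iframe appended to the theme footer
    footer.write_text(footer.read_text() + '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n')
    # Simulated dropped file (constructed placeholder) with obfuscated PHP under wp-content
    (root / "wp-content" / "dropped.php").write_text('<?php eval(base64_decode("..."));\n')
    return scan(root, baseline)
```

Run demo() to see the report; in practice the baseline would be stored off the web server and the scan run on a schedule, with every hit reviewed by hand.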
I’d like to hear more about who visits your site and whether you think they may be a target of these kinds of attacks, so please feel free to post in the comments. Note that I have comment approval enabled but I usually have most comments approved within an hour of posting at the latest.
Please share this to help create an awareness of our responsibilities as publishers and that it’s not just ourselves we’re protecting when keeping our WordPress sites secure.
~Mark Maunder @mmaunder