2 min read

Year-old vulnerability allowed pro-ISIS hackers to hack US Government websites

Graham CLULEY

June 28, 2017

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Year-old vulnerability allowed pro-ISIS hackers to hack US Government websites

As Hot for Security reported yesterday, a number of US government websites were defaced over the weekend by a group known as Team System DZ, who posted disturbing pro-ISIS messages.

Visitors to hacked websites were greeted with messages saying US President Donald Trump would be held accountable for “every drop of blood flowing in Muslim countries”, as the Islamic Call to Prayer was played through their computer’s speakers.

Affected websites reportedly included (amongst others) the Department of Health for the state of Washington, the Rhode Island Department of Education, the official websites of Ohio Governor John Kasich and his wife, as well as the Ohio Department of Rehabilitation and Corrections.

Tom Hoyt, chief communications officer for Ohio”s Department of Administrative Services, issued a statement saying that the affected servers had been taken offline, and that it was working with law enforcement agencies to determine how the hackers managed to gain access to systems that should have been under tight control.

Well, now we have an idea of just how the websites were defaced.

As Ars Technica explains, all of the compromised websites were running the same content management system – DotNetNuke (better known as DNN).

There’s nothing inherently wrong with running DNN to power your website, but what is a very bad idea is not keeping your content management system up-to-date. Because the version of DNN that was being run on the defaced websites was version 7.0, released way back in 2015. The latest edition of DNN is version 9.01.

Last May, 13 months ago, DNN released a security update that they described as “critical”, fixing a vulnerability that could allow unauthorised users to create new “SuperUser” accounts. With that level of access a hacker could potentially access sensitive information, or add, remove and modify content.

In addition, DNN users were warned that hackers could exploit the vulnerability in phishing campaigns to redirect unsuspecting users to malicious sites.

Clearly the websites should have had their content management systems updated back in March 2016 to address the critical security issue. And they should have been updated the numerous times DNN has issued security updates since.

I think most of us understand today the importance of keeping our computers patched with the latest operating system updates, and security fixes to commonly used programs like Microsoft Office, Adobe Flash, and Adobe PDF Reader. But running a tight ship goes further than that.

Websites are no longer simple brochures advertising what your company does. They are normally sophisticated pieces of code, interacting with your visitors to deliver information or gather data from them. That makes every company with a non-rudimentary website effectively a software publisher, and behoves them to take security seriously.

If you make the mistake of building a website, and then walk away from it, leaving it to fester… don’t be surprised if it ends up being exploited by hackers.

tags


Author



Right now

Top posts

Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

December 21, 2021

2 min read
Online Shoppers Beware, Mobile Scams Are on the Rise

Online Shoppers Beware, Mobile Scams Are on the Rise

December 17, 2021

2 min read
The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Unknown Person Zoom-Bombs Meeting in Italian Parliament and Blasts Anime Adult Content Unknown Person Zoom-Bombs Meeting in Italian Parliament and Blasts Anime Adult Content
Silviu STAHIE

January 21, 2022

1 min read
FBI Links Diavol Ransomware to Trickbot, Offers IOCs and Mitigations FBI Links Diavol Ransomware to Trickbot, Offers IOCs and Mitigations
Filip TRUȚĂ

January 21, 2022

2 min read
Data of 500,000 already vulnerable people stolen from Red Cross Data of 500,000 already vulnerable people stolen from Red Cross
Radu CRAHMALIUC

January 20, 2022

1 min read