
Year-old vulnerability allowed pro-ISIS hackers to hack US Government websites

Graham CLULEY

June 28, 2017


As Hot for Security reported yesterday, a number of US government websites were defaced over the weekend by a group known as Team System DZ, who posted disturbing pro-ISIS messages.

Visitors to hacked websites were greeted with messages saying US President Donald Trump would be held accountable for “every drop of blood flowing in Muslim countries”, as the Islamic Call to Prayer was played through their computer’s speakers.

Affected websites reportedly included (amongst others) the Department of Health for the state of Washington, the Rhode Island Department of Education, the official websites of Ohio Governor John Kasich and his wife, as well as the Ohio Department of Rehabilitation and Corrections.

Tom Hoyt, chief communications officer for Ohio's Department of Administrative Services, issued a statement saying that the affected servers had been taken offline, and that the department was working with law enforcement agencies to determine how the hackers managed to gain access to systems that should have been under tight control.

Well, now we have an idea of just how the websites were defaced.

As Ars Technica explains, all of the compromised websites were running the same content management system – DotNetNuke (better known as DNN).

There’s nothing inherently wrong with running DNN to power your website, but failing to keep your content management system up-to-date is a very bad idea. The version of DNN running on the defaced websites was version 7.0, released way back in 2015; the latest edition of DNN is version 9.01.

Last May, 13 months ago, DNN released a security update that they described as “critical”, fixing a vulnerability that could allow unauthorised users to create new “SuperUser” accounts. With that level of access a hacker could potentially access sensitive information, or add, remove and modify content.

In addition, DNN users were warned that hackers could exploit the vulnerability in phishing campaigns to redirect unsuspecting users to malicious sites.

Clearly the websites should have had their content management systems updated back in March 2016 to address the critical security issue. And they should have been updated the numerous times DNN has issued security updates since.

I think most of us understand today the importance of keeping our computers patched with the latest operating system updates, and security fixes to commonly used programs like Microsoft Office, Adobe Flash, and Adobe PDF Reader. But running a tight ship goes further than that.

Websites are no longer simple brochures advertising what your company does. They are normally sophisticated pieces of code, interacting with your visitors to deliver information or gather data from them. That makes every company with a non-rudimentary website effectively a software publisher, and behoves them to take security seriously.

If you make the mistake of building a website, and then walk away from it, leaving it to fester… don’t be surprised if it ends up being exploited by hackers.
