Attackers posting pro-Syrian government messages took over the website for the Reuters news service on Friday, then struck again on Sunday to take over one of the Reuters Twitter accounts.
During the first attack, the intruder posted fake news stories on the Reuters site, including an alleged interview with a Syrian rebel leader.
On Sunday, attackers next seized control of the @ReutersTech Twitter account, which has about 17,000 followers.
Topsy.com has published the 22 posts that the attackers spat out in quick succession after renaming the Twitter feed to @ReutersMe.
The posts included a false statement about an imminent rebel exodus from Aleppo, as well as a bogus item about US President Barack Obama banning further investigation of 9/11.
A sample of the posts:
- Reality Check: Is Al-Qaeda An Enemy Or Not? FOX news asks, #Americans left wondering: Is #AlQaeda An Enemy Or Not
- White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria.
- Why Is the U.S. Government Funding Islamic Terrorists Who Are Killing Christians?
- Obama signs executive order banning any further investigation of 9/11.
- FSA commander Riyad Al Asaad states a tactical withdrawal from Aleppo imminent
Reuters’s main Twitter feed, @Reuters, tweeted on Sunday that the @ReutersTech account had been suspended and “is currently under investigation.”
@Reuters also tweeted that the fake post about the interview with a rebel leader was posted to a Reuters journalist’s blog page:
"A false blog posting, purporting to carry an interview with the head of the Free Syrian Army Riad al-Asaad ... was illegally posted on a Reuters journalist's blog page"
According to news accounts, the fake interview was on a Reuters webpage for about six hours.
The Wall Street Journal subsequently checked with a WordPress developer who said that Reuters had been running on a version with known security issues.
Mark Jaquith, whom the WSJ identified as one of the lead developers of the WordPress core and a member of the WordPress security team, said in an email exchange that Reuters was using version 3.1.1 instead of the current version, 3.4.1.
Jaquith noted that the WordPress platform includes update notifications and a self-updating feature to help customers stay up-to-date with security patches.
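The version gap Jaquith describes is trivial to detect, both from inside the server and from the outside. The following is an added example, not code from the article or from the WordPress project: it reads the core version from the two places WordPress exposes it (the `$wp_version` variable in `wp-includes/version.php`, and the `<meta name="generator">` tag the default theme output emits) and compares it numerically against a known-current version. The sample file contents, the HTML fragment and the "current" version `3.4.1` are constructed for the demo; a real audit would read the install's own files or fetch the page.

```python
"""Offline check for an outdated WordPress core install (added example).

Two sources are parsed:
  - server side: wp-includes/version.php, which contains $wp_version = '3.1.1';
  - client side: the <meta name="generator" content="WordPress x.y.z"> tag
    WordPress emits by default, i.e. what an outside scanner also sees.
Versions are compared as integer tuples, not strings, so that 3.10 > 3.9.
"""
import re
from typing import Optional, Tuple

# Constructed sample of wp-includes/version.php from a 3.1.1 install
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string (constructed sample)
 */
$wp_version = '3.1.1';
"""

# Constructed sample <head> fragment from the same install
SAMPLE_HTML_HEAD = """<head>
<meta name="generator" content="WordPress 3.1.1" />
</head>
"""

# Version treated as current for the demo (assumption; 3.4.1 per the article)
CURRENT_RELEASE = "3.4.1"

_VERSION_PHP_RE = re.compile(
    r"\$wp_version\s*=\s*['\"]([0-9][0-9A-Za-z.\-]*)['\"]\s*;"
)
# Attribute order is assumed to be name= then content=, as WordPress writes it.
_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+'
    r'([0-9][0-9A-Za-z.\-]*)["\']',
    re.IGNORECASE,
)


def version_from_php(text: str) -> Optional[str]:
    """Return the $wp_version string from version.php contents, or None."""
    m = _VERSION_PHP_RE.search(text)
    return m.group(1) if m else None


def version_from_html(html: str) -> Optional[str]:
    """Return the version from a generator meta tag, or None if stripped."""
    m = _GENERATOR_RE.search(html)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key: '3.4' == '3.4.0', '3.10' > '3.9'.

    A pre-release suffix such as '-beta1' is dropped; a beta of 3.4 is
    still treated as older than the 3.4.1 release by the padding below.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_outdated(installed: str, current: str) -> bool:
    """True when the installed version is numerically older than current."""
    return version_key(installed) < version_key(current)


def audit(current: str, version_php: str = "", html: str = "") -> dict:
    """Combine both sources; prefer the file on disk, fall back to the page.

    Returns {'installed': str|None, 'source': str|None, 'outdated': bool|None}.
    'outdated' is None when no version could be determined, so a caller
    cannot mistake 'unknown' for 'up to date'.
    """
    installed, source = version_from_php(version_php), "version.php"
    if installed is None:
        installed, source = version_from_html(html), "generator meta tag"
    if installed is None:
        return {"installed": None, "source": None, "outdated": None}
    return {
        "installed": installed,
        "source": source,
        "outdated": is_outdated(installed, current),
    }


if __name__ == "__main__":
    print(audit(CURRENT_RELEASE, SAMPLE_VERSION_PHP, SAMPLE_HTML_HEAD))
```

Note that the generator tag is exactly what an attacker's scanner reads to pick targets; stripping it from the theme hides the version from casual scans but leaves the vulnerable code in place, so the only fix that counts is the update itself.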
If organisations such as Reuters are running on an outdated, insecure version, they’ve got nobody to blame but themselves.
As Jaquith said:
"If organisations ignore those notifications and stay on an outdated version, then they put themselves at risk of these sorts of breaches."
It’s a hard lesson to learn, but if Jaquith is right and Reuters was in fact running an outdated version, I’ll bet they’ll pay a lot more attention to staying on top of updates in the future.
As Sophos’s Chester Wisniewski has noted, unpatched WordPress versions are “rife with malware.”
Don’t wait to be pwned to learn that lesson.
Many people subscribe to the "if it ain't broke, don't fix it" philosophy – especially for critical pieces of the infrastructure where a bad patch can do a lot of damage. Sadly it is much easier to simply not do a patch than do all the labor-intensive due diligence of testing, backups and backout procedures.
Unfortunately it tends to snowball and before long things are hopelessly behind and the labor/time to bring it back up to spec is not usually approved unless something catastrophic occurs. It can be a self-defeating cycle.