Trend Micro TrendLabs Security Intelligence Blog

More Details Regarding the Gizmodo Brazil Compromise

Posted on: August 7, 2014 at 10:25 pm
Posted in: Bad Sites, Exploits, Vulnerabilities
Author: Fernando Mercês (Senior Threat Researcher)

At the tail end of July, we wrote about Gizmodo Brazil being compromised by cybercriminals in order to lead visitors into downloading backdoor malware onto their machines. This is a very big deal, since a large and well-known website was hacked, but it is also par for the course for the region: criminals who target Brazilian users typically rely on compromised websites and hosts to serve malware and phishing pages.

Knowing this, we dug deeper into the incident and learned more about the attack itself, and about what website administrators can do to keep their own sites from falling victim.

So, what did we find out? First, the attacker used a WordPress vulnerability to gain access to the Swedish server hosting the second compromised website (the one that Gizmodo Brazil redirected visitors to) and upload a webshell known as WSO. WSO is a single PHP file that packs many functions an attacker can abuse once it sits on the server, such as uploading files, running operating system commands and other post-exploitation features. Because it is just one file, it can be dropped into any web-accessible directory (a theme or plugin folder, for instance) and operated by simply requesting its URL in a browser.

That the attackers used a WordPress vulnerability should come as no surprise to anyone by now: WordPress is currently the most popular CMS in circulation globally, used by 22% of the top 10 million websites according to W3Techs. A platform that widespread, with a large ecosystem of third-party plugins and themes of varying quality, is an obvious target, so it is easy to see why the parties responsible chose the attack method they did.

We also found a publicly accessible text file named “contador” (Portuguese for “counter”) that tracks the number of users who have downloaded BKDR_QULKONWI.GHR, the backdoor related to the Gizmodo Brazil attack. As of this writing, the file indicates that approximately 7,000 users have downloaded the backdoor.

Do note that we have already notified Gizmodo Brazil about the vulnerable WordPress plugins that the attackers may have used to compromise their main website and insert malicious script code into its index.php file.

All malware, URLs, IP addresses and domains used in or related to this attack have been blocked. Trend Micro security offerings protect our customers and their websites from this threat.

Additionally, we advise web portal administrators to always keep their WordPress installations current. Paying special attention to new releases of the plugins they use (and to the vulnerabilities those releases fix) makes cybercriminals’ lives harder.

We also recommend the following:

  • Use strong passwords for your WordPress users, as usernames can easily be guessed or stolen by attackers.
  • Pick your theme source code carefully and only install themes from trusted sources, as attackers usually hide webshells there.
  • Consider disabling PHP functions that are not being used and will not be needed in the future (for example, via the disable_functions directive in php.ini).
  • Watch out for recently created files, especially ones owned by the user the web server runs as (normally www-data on LAMP stacks). A webshell uploaded through a web application is written by that user, so such files can be a sign of an attack in progress.
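The last two recommendations can be turned into a routine check. The following script is an added example written for this post, not code from the original article or from Trend Micro: it lists PHP files under a WordPress document root that were modified in the last N days and are owned by the web server user, greps each one for strings commonly seen in WSO-style and other PHP webshells, and separately checks a php.ini for a baseline set of command-execution functions that disable_functions should cover. The indicator strings, the function list and the paths in the usage comment are assumptions, not data from the page; treat the indicators as a starting point for triage rather than a signature, since real webshells are often obfuscated.

```shell
#!/bin/sh
# Added example (not from the original post): hunt for recently written PHP
# files owned by the web server user and flag likely webshells, then verify
# that php.ini disables the functions a webshell needs to run OS commands.
set -u

# Strings commonly found in WSO-style shells (the FilesMan action name and the
# $auth_pass variable) and in generic PHP backdoors. Assumed indicator list,
# illustrative only: obfuscated shells will not all match.
WEBSHELL_INDICATORS='FilesMan|\$auth_pass|eval\(base64_decode\(|eval\(gzinflate\(|eval\(str_rot13\(|preg_replace\([^,]*/e'

# Functions that let PHP code run OS commands; assumed baseline for
# disable_functions. Extend it to fit the site (e.g. dl, pcntl_exec).
DANGEROUS_FUNCTIONS='exec passthru shell_exec system proc_open popen'

# find_recent_php DOCROOT OWNER DAYS
# Lists *.php files under DOCROOT owned by OWNER (name or uid) and modified
# within the last DAYS days.
find_recent_php() {
    docroot=$1; owner=$2; days=$3
    find "$docroot" -type f -name '*.php' -user "$owner" -mtime "-$days" -print
}

# flag_webshells DOCROOT OWNER DAYS
# Prints the path of each recent PHP file that contains an indicator string.
flag_webshells() {
    find_recent_php "$1" "$2" "$3" | while IFS= read -r f; do
        if grep -qEi "$WEBSHELL_INDICATORS" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# check_disable_functions PHP_INI
# Prints each function in DANGEROUS_FUNCTIONS that the ini file does not list
# in disable_functions. Returns 0 when all are disabled, 1 otherwise.
check_disable_functions() {
    ini=$1; missing=0
    # take the last uncommented disable_functions line; split on ',' and ' '
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1 | cut -d= -f2-)
    for fn in $DANGEROUS_FUNCTIONS; do
        if ! printf '%s\n' "$disabled" | tr ', ' '\n\n' | grep -qx "$fn"; then
            printf '%s\n' "$fn"
            missing=1
        fi
    done
    return "$missing"
}

# Usage: sh hunt_webshells.sh /var/www/html www-data 7 [/etc/php/php.ini]
# (paths are assumptions; adjust to the server)
if [ "$#" -ge 3 ]; then
    echo "== recent PHP files with webshell indicators =="
    flag_webshells "$1" "$2" "$3"
    if [ "$#" -ge 4 ]; then
        echo "== dangerous functions missing from disable_functions in $4 =="
        check_disable_functions "$4"
    fi
fi
```

Run it as root on the web server so that every file is readable. Anything it flags deserves manual review: compare the file against a clean copy of the theme or plugin, and check the web server access log for requests to that path, since a webshell is only useful to the attacker if it is being requested.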

We also found another file hash (SHA-1) involved in this attack:

  • 7d8875aeecf47b959ebd611ddc10076453d4f552
Tags: compromised sites