Year-old vulnerability allowed pro-ISIS hackers to hack US Government websites

As Hot for Security reported yesterday, a number of US government websites were defaced over the weekend by a group known as Team System DZ, who posted disturbing pro-ISIS messages.

Visitors to hacked websites were greeted with messages saying US President Donald Trump would be held accountable for “every drop of blood flowing in Muslim countries”, as the Islamic Call to Prayer was played through their computer’s speakers.

Affected websites reportedly included (amongst others) the Department of Health for the state of Washington, the Rhode Island Department of Education, the official websites of Ohio Governor John Kasich and his wife, as well as the Ohio Department of Rehabilitation and Corrections.

Tom Hoyt, chief communications officer for Ohio’s Department of Administrative Services, issued a statement saying that the affected servers had been taken offline, and that it was working with law enforcement agencies to determine how the hackers managed to gain access to systems that should have been under tight control.

Well, now we have an idea of just how the websites were defaced.

As Ars Technica explains, all of the compromised websites were running the same content management system – DotNetNuke (better known as DNN).

There’s nothing inherently wrong with running DNN to power your website, but failing to keep your content management system up-to-date is a very bad idea. The version of DNN being run on the defaced websites was version 7.0, released way back in 2015. The latest edition of DNN is version 9.01.

Last May, 13 months ago, DNN released a security update that they described as “critical”, fixing a vulnerability that could allow unauthorised users to create new “SuperUser” accounts. With that level of access a hacker could potentially access sensitive information, or add, remove and modify content.

In addition, DNN users were warned that hackers could exploit the vulnerability in phishing campaigns to redirect unsuspecting users to malicious sites.

Clearly the websites should have had their content management systems updated back in March 2016 to address the critical security issue. And they should have been updated the numerous times DNN has issued security updates since.

I think most of us understand today the importance of keeping our computers patched with the latest operating system updates, and security fixes to commonly used programs like Microsoft Office, Adobe Flash, and Adobe PDF Reader. But running a tight ship goes further than that.

Websites are no longer simple brochures advertising what your company does. They are normally sophisticated pieces of code, interacting with your visitors to deliver information or gather data from them. That makes every company with a non-rudimentary website effectively a software publisher, and behoves them to take security seriously.

If you make the mistake of building a website, and then walk away from it, leaving it to fester… don’t be surprised if it ends up being exploited by hackers.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
