Malicious plugins, media industry at risk: first officer's log - week 16

Malicious plugins (a lot), a new APT group, and the news making news. Here's the latest in the world of cyber risk.

Mike Parkin | September 12, 2022

First Officer’s log, Terrestrial date, 20220912. Officer of the Deck reporting.

The mission team to [REDACTED] beamed down successfully and immediately got to work. Led by Lieutenant [REDACTED] and her specialist team, they contacted the local authorities and their planetary Coordinated Response Team then established a communications link with the ship so we could follow their mission and offer remote support as required. 

Their first order of business, after a press conference, was to meet the planetary government liaisons. It went well enough. While the Ministers were getting their media opportunities with another Federation crew, our team managed to stay professional without any major faux pas. Apparently, someone neglected to pass the information from our communications team to the ministers that we were sending engineers and not diplomats.

Fortunately, our team managed to work their way down the food chain from Those In Charge to the people who work for a living without further incident. Engineers tend to speak more or less the same language. It’ll just be a matter of finding the right dialects to get everyone on the same page and bring the planet’s defenses up to muster.

Wait. What? How many malicious plugins was that? 

What happened 

Research by the Georgia Institute of Technology (GIT) found nearly 50 thousand malicious plugins spread across almost 25 thousand unique WordPress sites. That’s an average of roughly two malicious plugins per site, observed over a study that covered 8 years.

Why it matters 

There was a time in the not-so-distant past (“Before the dark times. Before . . . the Empire.”) when a webmaster edited pages directly in vi and knew what every line of code did. Now, it’s a content management system (CMS) where much of the work is done by third-party plugins. The webmaster, if they review the plugin code at all, is rarely a security specialist and is not really the right person to do that code review. That means they must trust the CMS marketplace to offer plugins that not only do the job but are also secure. And that’s the part that often doesn’t happen.

Ultimately, marketplace or not, a site’s security falls to the owner. Not the hosting provider. Not the CMS vendor. Not the third-party marketplace. The site owner. Which means they need to bring either the tools or the talent that can keep them safe.

What they said  

WordPress is used by millions around the world, so it’s no surprise this story’s making waves.

Oh look, another APT has entered the field. 

What happened 

Researchers have identified a new Advanced Persistent Threat (APT) group they have named Worok, which appears to have been active since at least 2020. While the group appears to share characteristics with a group known as TA428, itself thought to be based in China, it uses a somewhat different toolset. So far, Worok has been seen targeting governments and some high-profile companies in Asia.

Why it matters  

It’s always fascinating, if disturbing, to see APTs deploying new tools. There is a constant back and forth between their attacks and our defenses as they try to get in and we try to keep them out. Threat actors have developed their own ecosystems, including criminal, State, and State-sponsored groups, many of which appear to share tools and techniques.

While this group doesn’t appear to be going after targets in Europe or the Americas, there’s no reason to believe they won’t, or won’t spin off another APT group that does. It all depends on their agenda, and that’s something that’s not publicly known. 

What they said  

Any group targeting governments or large organizations is sure to get the media’s attention. See what people are saying.

Do you want to become your own news story? 

What happened 

A recent survey has shown that the media industry overall is at high risk from cybersecurity threats, with up to 30% of media companies having vulnerabilities in their public-facing internet presence. This is roughly twice the average for the other industries surveyed.

Why it matters  

Media companies often have a very complex and dynamic environment, spanning their own assets, cloud assets, and a supporting ecosystem. That makes securing it a real challenge, especially when cybersecurity isn’t always the highest priority. It doesn’t help when there is a heavy reliance on third-party vendors, and many of those vendors aren’t being held to a high standard by their clients.

What they said 

When the news makes the news, it’s bound to get people talking.

Want to get ahead of the stories? Join the conversations as they happen in the Vulcan Cyber community Slack channel.