WordPress, Apple targeted: first officer's blog - week 47

WordPress and Apple targeted by threat actors, and other major stories from the world of cyber risk.

Mike Parkin | April 17, 2023

The ongoing voyages of the Federation Support Ship USS [REDACTED] 

First Officer’s log, Terrestrial date 20230417. Officer of the Deck reporting.

The Engineering team was rapidly bringing systems back online as the [REDACTED] ship awkwardly maneuvered out of the debris field. While the ship itself looked like a collection of spare parts flying in tight formation, held together with duct tape, sealant, and hope, it was still bristling with weapons that would be quite destructive at close range. 

At the communications console, Comms was doing their best to get the other ship to open a data channel we could use to reach their systems.

Comms: “[REDACTED] ship, hi, look, we need to open a couple of communications channels if you want us to surrender. Do you have a common access protocol we can use to send you our data?” 

First voice: “We don’t want your data, we want your ship.” 

Second voice: “I think they want to give us their ship.” 

First voice: “Yes. They will give us their ship. You will give us your ship.” 

Comms: “We’re working on that, yes. Look, maybe we can try this. Can you use the standard [REDACTED] shield control codes?”

There was a pause as the voices conferred with each other before responding in the negative, and Comms went on to ask them about a code for drive control, or a protocol for communication between the sensors and the fire control array.

All the while, Helm was consulting with one of the crew on the integration team, frantically going through what we could determine to find an avenue of ingress. 

The captain watched with interest as Comms worked their magic, and calmly asked Helm exactly how they knew how to do this.

“I worked in the technical department of Federation Security before becoming a Bridge officer, Sir, as something of an auditor. Our team would go in to make sure protocols were in place, especially when we were working with other species. We both did,” Helm explained, acknowledging the colleague they were working with down in Engineering. “We kind of had a knack for it.”

Comms was continuing through their list of possible protocols we could use, with the [REDACTED] voices acknowledging some, denying others, complaining they didn’t understand some, and sounding more annoyed by the minute, when Helm and the Engineer brightened to something Comms got in response. 

“Sir? We’ve got it. We’re in. Default access codes on the fire control backplane. Give us 30 more seconds, and we’ll have it.”

The captain nodded, let Comms go on for another minute to buy a bit more time, then muttered a quiet “I am trusting you on this one.”

“[REDACTED] Ship. About that surrender. We’ve decided not to,” the captain said calmly, glancing at Helm with just a twinge of ‘you better be right’ on his face.

First voice: “Then we will destroy you.” 

Second voice: “Yes, destroy you.”

The first voice gave an order, followed a moment later by their weapons charging, and a moment after that by a series of large arcs bouncing across their hull and weapons arrays, and then by the ship itself coming to a sudden and unceremonious halt.

The captain smiled faintly, saying a quiet “good job,” then a louder “[REDACTED] Ship. You seem to be in distress.”

After a pause, the first voice returned: “Our ship is broken. Can you help us?”

Screenshot, or it didn’t happen 

What happened 

The pro-Russia threat actor group Zarya claimed to Russia’s security service, the FSB, that it had breached a Canadian pipeline operator’s infrastructure. The claim came to light in the recently leaked Pentagon documents. Canadian cybersecurity experts have stated that there is no evidence of the breach, and that the claims are likely part of a disinformation campaign.

Why it matters 

While it’s certainly not impossible that Russian threat actors have compromised Canadian pipeline infrastructure, given that they have compromised US infrastructure before, it’s equally likely that the Canadian experts are correct and this is a disinformation ploy. As the gamer saying goes, “screenshots, or it didn’t happen.”

That said, it’s certain that pro-Russian non-state threat actors, as well as state-sponsored assets, are actively working to compromise Western targets. We’ve been seeing direct and indirect fallout from the conflict in Ukraine since the start. While they are probably being careful not to escalate to the “act of war” level, we can expect these incidents, or non-incidents, to continue.

What they said 

There may not be evidence to back up this claim, but that hasn’t stopped people talking about it.

A couple more bites from the Apple 

What happened 

Apple recently patched two vulnerabilities, CVE-2023-28205 and CVE-2023-28206, that were being actively exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) added them to its Known Exploited Vulnerabilities (KEV) list on April 10th, 2023. These vulnerabilities affect macOS, iOS, and iPadOS; one of them allows code injection from a malicious website, and the other allows a malicious application to execute code with kernel privileges.

Why it matters 

If Apple tells you to patch, and CISA tells you to patch, and I tell you to patch, then maybe you should patch? But seriously. Patch. Fortunately, most Apple devices support automatic updates that will patch for you, provided you remember to turn them on.

Ultimately, this is security 101 and a fundamental part of risk management: keep your systems up to date. With desktop and mobile operating systems, it’s usually as easy as turning on automatic updates. With servers and applications, it can be a bit more complicated. But that’s why we have tools to do exactly these things.

What they said 

Anything Apple-related is always bound to get attention.

That is a lot of compromised WordPress sites . . . 

What happened 

Over a million infected WordPress sites have finally been attributed to a single source, according to one research company that has been tracking these infections since 2017. This long-running campaign has been tracked by multiple security researchers over time, though this is the first time that the various disparate attacks have been linked to the same threat actors.

Why it matters 

By some estimates, WordPress is behind upwards of 60% of the websites out there. It has a massive ecosystem, which has, on various occasions, come under attack from threat actors. The breadth of available templates, plugins, extensions, and other add-ons, and the wide range of sources they come from, has given threat actors myriad opportunities to spread. Add in the fact that many site operators aren’t particularly security savvy, and you have a relative goldmine for infection. Kind of like preschool and the common cold.

The interesting thing here is the conclusion that the Balada Injector, as it’s been named, is only now being identified as a common source, even though the threat actors behind it have been active for quite a while. It raises the question of whether this is a single common threat source, multiple sources using the same “attack framework,” such as it is, or something else entirely. Still, the bottom line is that site administrators need to do a better job of vetting the plugins they deploy, or we’re going to keep seeing this sort of widespread infection.

What they said 

With so many sites on WordPress, it’s no surprise to see this story making waves.
