FBI: Expect ISIS hacks if you don't patch WordPress plugins

FBI warns WordPress users to patch their plugins to put a stop to website hacks by ISIS sympathisers.
Written by Liam Tung, Contributing Writer

The US Federal Bureau of Investigation is urging WordPress users to patch plugins for the popular content management system following a spate of ISIS-branded website attacks.

The warning from the FBI follows a number of website defacements in March that affected US and European organisations, ranging from government to community websites, which saw them plastered with images and claims the attackers were linked to the extremist group known as ISIS or ISIL.

According to the FBI, the attackers are ISIS sympathisers but are not members of the terrorist organisation.

"These individuals are hackers using relatively unsophisticated methods to exploit technical vulnerabilities and are utilizing the ISIL name to gain more notoriety than the underlying attack would have otherwise garnered," the FBI said in its public service notice.

"Methods being utilized by hackers for the defacements indicate that individual websites are not being directly targeted by name or business type."

The one common link between all victims of the defacements was that their websites harboured WordPress plugin vulnerabilities that, according to the agency, are "easily exploited by commonly available hacking tools".

The vulnerabilities, it added, could allow an attacker to take control of the system.

The FBI did not say which vulnerable plugins were used in the attacks, but said that patches were available for the identified vulnerabilities.

Outdated third-party WordPress plugins are a common entry point for attackers looking to compromise websites.

According to security firm Sucuri, plugins that are commonly exploited include outdated versions of RevSlider, GravityForms, FancyBox, WP Symposium, and MailPoet. Outdated versions of the RevSlider plugin were the main cause of an attack on 100,000 WordPress sites last year dubbed 'SoakSoak', which resulted in Google blacklisting over 11,000 domains.

"The vulnerabilities being exploited appear to be from older versions of the plugins that have yet to be patched. We are not aware of any new vulnerabilities in either of the plugins," Sucuri founder Daniel Cid said of the ISIS-related attacks. In other words, there are patches available for the listed plugins; users just need to install them.
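Sucuri's point is that the fix is purely operational: know which plugin versions a site is running and compare them against the first fixed release named in the vendor's advisory. The script below is an added example, not code from the article, the FBI or Sucuri. It parses the standard WordPress plugin header block (the "Plugin Name:" and "Version:" lines at the top of each plugin's main PHP file) and flags any plugin below a minimum patched version that the operator supplies. It assumes wp-cli is not available on the host, and the plugin slugs, version numbers and baseline thresholds in the demo are constructed placeholders, not real advisory data.

```python
"""Inventory WordPress plugin versions and flag those below a patched baseline.

Added example, not code from the article or from the FBI/Sucuri. The demo
plugin tree and the baseline thresholds are constructed placeholders.
"""
import os
import re
import tempfile

# Matches header lines such as " * Version: 4.1.4" or "Version: 4.1.4" in the
# opening comment block of a plugin's main file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_version(ver: str) -> tuple:
    """Turn '4.1.4' or '2.3.10-beta' into a comparable tuple of ints.

    Only the leading dotted numeric part is compared; suffixes like '-beta'
    are ignored, which is adequate for WordPress.org plugin versions.
    """
    nums = re.match(r"[\d.]+", ver)
    parts = (nums.group(0) if nums else "0").strip(".").split(".")
    return tuple(int(p) for p in parts if p)


def read_plugin_header(path: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} from the first 8 KiB.

    WordPress itself only inspects the first 8 KiB of a file for headers,
    so reading the same amount keeps results consistent with wp-admin.
    """
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return {key: val for key, val in HEADER_RE.findall(head)}


def inventory_plugins(plugins_dir: str) -> dict:
    """Map plugin slug (directory name) -> installed version string.

    The main file is whichever top-level .php in the plugin directory
    carries a 'Plugin Name:' header. Single-file plugins placed directly
    under plugins/ are keyed by filename without the .php extension.
    """
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isdir(full):
            slug = entry
            candidates = [os.path.join(full, f) for f in sorted(os.listdir(full))
                          if f.endswith(".php")]
        elif entry.endswith(".php"):
            slug, candidates = entry[:-4], [full]
        else:
            continue
        for cand in candidates:
            hdr = read_plugin_header(cand)
            if "Plugin Name" in hdr:
                found[slug] = hdr.get("Version", "0")
                break
    return found


def outdated_plugins(installed: dict, baseline: dict) -> dict:
    """Return {slug: (installed, required)} for plugins below their baseline.

    'baseline' maps slug -> minimum patched version, taken from the vendor's
    advisory or changelog. Plugins without a baseline entry are not reported.
    """
    return {slug: (installed[slug], min_ver)
            for slug, min_ver in baseline.items()
            if slug in installed and parse_version(installed[slug]) < parse_version(min_ver)}


def build_demo_tree() -> str:
    """Create a constructed wp-content/plugins tree so the demo runs offline."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    sample = {  # slug: (main file, version); constructed, not real release data
        "example-slider": ("example-slider.php", "4.1.4"),
        "example-forms": ("forms.php", "1.9.12"),
        "example-newsletter": ("index.php", "2.6.7"),
    }
    for slug, (fname, ver) in sample.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, fname), "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    with open(os.path.join(root, "hello.php"), "w") as fh:  # single-file plugin
        fh.write("<?php\n/**\n * Plugin Name: Hello Example\n * Version: 1.6\n */\n")
    return root


# Constructed baseline standing in for "first fixed version" from an advisory.
DEMO_BASELINE = {"example-slider": "4.2", "example-forms": "1.9.12",
                 "example-newsletter": "2.6.8"}


def demo() -> dict:
    return outdated_plugins(inventory_plugins(build_demo_tree()), DEMO_BASELINE)


if __name__ == "__main__":
    for slug, (have, need) in demo().items():
        print(f"{slug}: installed {have}, needs >= {need}")
```

On a real host, point `inventory_plugins()` at `wp-content/plugins` and fill the baseline from the advisories for the plugins you actually run; anything the script reports is a plugin the FBI and Sucuri notices say should already have been updated.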

WordPress sites were also targeted in a recent campaign that directed users to a cloned version of The Pirate Bay that was pushing an exploit kit and banking malware to its visitors.

The FBI noted that the ISIS-branded attacks have affected news organizations, commercial entities, religious institutions, federal, state, and local government institutions, foreign governments, and a variety of other domestic and international websites.

While the attacks may be more of a nuisance than a real threat from the terrorists, they're still costly to remediate and may cause lost revenue through downtime, the agency added.
