WSJ the latest publisher to be hit by 'w0rm' hacker

News by Doug Drinkwater

The Wall Street Journal has become the latest US media organisation to be hacked, just days after similar attacks against Vice Media and Metro US.

News of the incident broke on Twitter on Tuesday evening after a hacker calling himself 'w0rm' posted a purported screenshot of a Wall Street Journal database. 'W0rm' – also known as 'Rev0lver' on the darknet – subsequently tried to sell access to this data for 1 bitcoin, or about £363.

US security firm IntelCrawler alerted WSJ to the breach and advised the media giant that the access was genuine and would give would-be buyers the ability to “modify articles, add new content, insert malicious content in any page, and add new users.”

"We confirmed there is the opportunity to get access to any database on the server, a list of more than 20 databases hosted on this server," said the firm.

The newspaper, which saw its Facebook page compromised earlier in the week with fake messages of an Air Force One plane being taken down over Ukrainian airspace, has since reported on the issue and said that computer systems housing news graphics were “hacked by outside parties”. The article reads that these systems were taken offline in a bid to isolate the attacks, and stressed that the intrusion did not affect Dow Jones customers or customer data.

W0rm – who runs an online marketplace where hackers sell information about security flaws – is also believed to have been behind attacks against other media organisations, including Vice Media this week and CNET last week. He also allegedly attempted to sell FTP credentials to a server belonging to the BBC at the end of last year.

Responding to the news, Tripwire director of security and risk Tim Erlin said that the hack shows that hackers are exploiting a widening attack surface. 

“As the demands on web-based applications increase, so do the systems that support the user experience through the browser,” said Erlin in an email to journalists.

“An increasingly complex ecosystem of supporting technology allows for far richer interaction, but the cost is often a much larger attack surface. SQL injection, and other web-based attacks, are often difficult to identify consistently and require changes to custom code to fix them.”

He added: “This isn't a case where WSJ simply failed to apply a patch. Testing for these kinds of vulnerabilities can be done directly on the code itself or through interaction with the application, but both approaches have their limitations. The most effective means of preventing these kinds of attacks is to build security into the software development lifecycle and avoid introducing the vulnerabilities in the first place.” 

In related news, researchers at web security firm Websense have discovered that another newspaper – Metro US – was recently compromised and serving up malicious code.

In a new blog post, the firm described how visitors to were redirected to, a page which is injected with a malicious iFrame that directs users to websites serving exploit code. This code subsequently drops malicious files on the victim's computer.

Websense Security Labs says that it has informed the Metro US IT team, which is now investigating the issue.

“A compromised website courtesy of malicious actors, as is the case with Metro US, is a disaster in every organisation's book. It is therefore vital that businesses formulate a tried and trusted disaster recovery plan,” said Carl Leonard, senior manager of security research at Websense.

In an email to SC, Leonard added that cyber-criminals often look to obtain log-in credentials used by administrators for FTP or CMS software, or to exploit SQL injection or XSS vulnerabilities in web servers, and urged companies to apply patches, keep browsers up-to-date and employ a security solution that scans for threats. He also urged companies to look for a more secure alternative to FTP that adds encryption.

“If a breach does occur, it is crucial to establish the root cause of the compromise and clean it up. If it is suspected that the corporate login credentials may have gotten into the hands of the attackers then these should be changed, but it is worth remembering that the cyber-criminal may well be able to simply retrieve the new credentials.

“The rising prevalence of cyber-criminals targeting news and media sites, such as the Metro US and MSNBC compromises this week alone, highlights that businesses cannot afford to continue to put web security on the back burner – ignorance absolutely is not bliss when it comes to cyber-security.”
