Reuters is one of the most trusted names in news. When it posts an interview with Riad al-Assad, the leader of the Free Syrian Army, saying the FSA will pull out of Aleppo following the bombardment from the Syrian army, the initial response is to believe the story rather than think Reuters has been hacked. But the story was false and quickly denied by the FSA. The report "was fabricated by the regime, as it seems the news agency was hacked", the FSA said in a statement.
Two days later, one of the Reuters Twitter accounts rapidly sent 22 similarly false pro-government messages, and a few anti-American messages for good measure (such as “Obama signs executive order banning any further investigation of 9/11”) These have now been removed from Twitter but can still be found on Topsy.com.
“Thomson Reuters had no immediate information on who was behind the hacking,” said the company on Sunday. However, the attack method is becoming clear. The Reuters blog apparently used an outdated and long-since patched version of Wordpress: version 3.1.1 instead of the current version 3.4.1. “If organizations ignore those notifications and stay on an outdated version, then they put themselves at risk of these sorts of breaches,” Mark Jaquith, one of the lead developers of the WordPress core, told CIO Journal in an e-mail.
“It looks like there are twenty different vulnerabilities that have been reported for the older version that Reuters is using,” explained Marcus Carey, a security researcher at pen-testing Rapid7. “Wordpress and its plug-ins are often targeted by attackers as the wide proliferation of the software makes it a target that provides a lot of bang for the buck for exploit developers.
“It’s plausible,” he added, “the attackers gained access through one of the known vulnerabilities associated with version 3.1.1 of Wordpress, and then reused the credentials they gained to hack Reuters’ Twitter account. We see so many breaches resulting from poor patching practices, and organizations really need to take this seriously. Updating the software you use is a basic step in improving your security posture, yet too often we see evidence of a lack of execution in this area.”