Recently, one of Komosion’s not-for-profit clients received an alarming email from The Australian Signals Directorate, subject line:
“Notification of potential domain compromise”.
Not a great feeling.
The email went on to report “Clear Fake malware”. Komosion, which hosts the site on our AWS private cloud, was engaged to investigate.
The site had been compromised by the release of an administrative password.
On our side, we manage client administration passwords via the secure Bitwarden system but many organisations are much looser with their storage of user names and passwords.
We don’t know the source of the password leak, but were able to quickly identify the unathourised installation of a plugin via an IP address located in Europe.
That was then followed by what’s called a Distributed Denial of Service (DDoS) attack – a malicious attempt to disrupt the site (targeted server, service, or network – or its surrounding infrastructure) with a flood of traffic.
In the first instance, we saw 135 attacks in 10 minutes being defended by our client’s Wordfence plugin.
We then blocked the attacking IP addresses at a Server level. Although the attack was unsuccessful, our client’s website was then blocked – “black listed” – from government servers by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC).
Our client could not even send or receive emails to their many government stakeholders – and this was in the run up to the end of the financial year.
In order to get the site unblocked – “white listed” – ACSC required us to pull together a comprehensive report and provide evidence as to how we responded to the incident, including security scan results, showing the website was now categorised as low risk.
It’s a pretty instructive case study as to how easily a site can be compromised and the serious inconvenience (at least) that this can cause.
For more tips on how to bolster your cyber security, read Five Ways to Protect Yourself from Cyber Attacks.