Fast Company, the business-news publication, has taken its website offline after cyberattackers compromised its content management system (CMS). They used the access to send out two obscene and racist push notifications to its Apple News subscribers.
The incident follows a similar defacement attack on the FastCompany.com homepage on Sunday, where the attackers posted similar language. The outlet replaced its website with a statement overnight on Tuesday, which remains in place at press time.
“The messages are vile and are not in line with the content and ethos of Fast Company,” the company said in the notice. “Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down.”
The company is investigating the situation and working to clean the site, it said. While no details of the attack are yet available, James McQuiggan, security awareness advocate at KnowBe4, noted that the goal was clearly brand assassination, perhaps with a side of flexing.
“While cybercriminals always go for the money, from time to time, they like to demonstrate their boldness by showing they have access to sensitive or publicly viewable systems by posting something outside of the normal scope of information shared,” he said in an emailed statement.
Highlighting the Need for Better Security
Christopher Budd, senior manager of threat research at Sophos, tells Dark Reading that this is just the latest example of an attack against PR and news infrastructure to deliver false information, with another recent example being a fake press release claiming Walmart was to begin accepting bitcoin.
The attack “highlights the fragility of PR and news infrastructure, and showcases how attacks like these could potentially be carried out for more malicious purposes that result in more dire consequences,” he says. “Ultimately, this attack shows how news channels form a critical information infrastructure, and that this infrastructure should be secured in ways that match its criticality.”
On a broader level, Jason Kent, hacker in residence at Cequence Security, suspects a credential-stuffing attack could be in play, indicating that the “credentials weren’t terribly sophisticated and not backed up by multifactor auth or VPN requirements,” he says.
“Credential-stuffing attacks are some of the most pervasive attacks we see on a daily basis,” he adds. “Attackers attempt to guess passwords for valid accounts, and if they are successful the attacker will utilize the full permission of those credentials. Privileged access should be closely monitored as once the attacker has those, they will perform all manner of havoc.”