Attacker are using legitimate image files to hide backdoors in order to maintain access to compromised servers, according to Web security firm Securi Security.

More than a dozen sites have been impacted by this known but not normally used method of attack, according to Daniel Cid, chief technology officer of Securi, who said his company continues the investigate the incidents.

A backdoor in a computer system is a means by which attackers can bypass normal security authentication and allow an attack to go unnoticed.


Canadian firms, vulnerable to cyber attacks: Federal agency
WordPress hit by botnet

Cid said Securi discovered the suspect image files on a previously Webservers. The Web sites were running outdated versions of content management system platform WordPress or outdated versions of Joomla, another CMS platform.

He said the images they found still loaded and worked properly.

“On this compromised sites, the attackers modified legit, pre-existing images from the sites,” he said in his blog. “This is a curious steganographic way to hide the malware.”

Once the server is compromised, the attackers can modify the image’s EXIF headers and re-load the image. The image renders normally and most Web masters will not notice any changes.

Should the exploit be discovered and security is tightened the image gives the attackers an access point which they can later on use again.

Read the whole story here

Related Download
Creating Efficiencies In Vendor Risk Management Sponsor: BitSight
Creating Efficiencies In Vendor Risk Management
In this eBook, we'll explore how vendor risk management (VRM) has traditionally been handled, why traditional strategies alone are inadequate, and advices for vendor risk managers on how to effectively and efficiently mitigate cyber risk.
Register Now