Should administrators discover the attack and tighten security, the compromised image file provides attackers an access point they use later on
Attacker are using legitimate image files to hide backdoors in order to maintain access to compromised servers, according to Web security firm Securi Security.
More than a dozen sites have been impacted by this known but not normally used method of attack, according to Daniel Cid, chief technology officer of Securi, who said his company continues the investigate the incidents.
A backdoor in a computer system is a means by which attackers can bypass normal security authentication and allow an attack to go unnoticed.
Cid said Securi discovered the suspect image files on a previously Webservers. The Web sites were running outdated versions of content management system platform WordPress or outdated versions of Joomla, another CMS platform.
He said the images they found still loaded and worked properly.
“On this compromised sites, the attackers modified legit, pre-existing images from the sites,” he said in his blog. “This is a curious steganographic way to hide the malware.”
Once the server is compromised, the attackers can modify the image’s EXIF headers and re-load the image. The image renders normally and most Web masters will not notice any changes.
Should the exploit be discovered and security is tightened the image gives the attackers an access point which they can later on use again.
Cisco Secure Mobility Knowledge Hub
This Knowledge Hub provides an end-to-end look at what it takes to discover, plan, and implement a successful Secure Mobility strategy.