Cyber Incident Victim: Flashpoint
Date: Apr 2019
Location: United States of America
Summary
A cybersecurity firm faced allegations that its public website was distributing malware, which it firmly denied, clarifying that a vulnerable WordPress plugin had been exploited to temporarily redirect some visitors with JavaScript enabled to an external site delivering malicious pop-ups. The automated attack exploited a zero-day flaw in the plugin, causing no breach of customer data or PII as the affected site was isolated from internal systems. After detecting the issue, the company took the site offline and resolved the vulnerability within hours, emphasizing that the incident was not a targeted attack against their organization.
Description
On April 12-13, 2019, independent researcher Dancho Danchev reported that Flashpoint’s public-facing website was serving malware through an embedded malicious script, potentially exposing visitors to malicious software. Flashpoint issued a rebuttal, denying that its site ever delivered malware but acknowledging a vulnerability in the WordPress Yuzo Related Posts plugin used on the site. The company confirmed the plugin was susceptible to a zero-day exploit during this period, which attackers leveraged to temporarily redirect some visitors with JavaScript enabled to an external site. This external site displayed malware-distributing pop-ups. Flashpoint emphasized the attack was not targeted but part of an automated campaign that identified and exploited the plugin vulnerability. The compromise window occurred between April 12 at 23:44 EDT and April 13 at 01:24 EDT, though the issue was not immediately detected.

Flashpoint detected the exploit and initiated mitigation on April 14 at 13:42 EDT by taking the website offline. The remediation was completed by 13:58 EDT the same day. The company stated that no customer information, personally identifiable information (PII), or internal systems were compromised, noting that its public website was segregated from its other production environments. While disputing Danchev’s characterization of malware being served directly from its domain, Flashpoint conceded that the redirect mechanism exposed some visitors to third-party malware. SC Media reached out to Danchev for comment on Flashpoint’s clarification but received no response. The incident highlighted the risks associated with third-party plugin vulnerabilities but resulted in no reported data breaches or operational disruptions beyond the temporary website takedown.
