EC-Council you never fail to disappoint... website infected with Angler exploit kit

iBrokeITiBrokeIT Member Posts: 1,318 ■■■■■■■■■□
Their website was discovered to be infected with the Angler exploit kit.

https://twitter.com/ydklijnsma/status/712623731319943168

You would think they could put some of those yearly fees into keeping their website secure
2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
2020: GCIP | GCIA 
2021: GRID | GDSA | Pentest+ 
2022: GMON | GDAT
2023: GREM  | GSE | GCFA

WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response

Comments

    danny069danny069 Member Posts: 1,025 ■■■■□□□□□□
    Hmm...seems like they need a CEH
    I am a Jack of all trades, Master of None
    cyberguyprcyberguypr Mod Posts: 6,928 Mod
    Paging Colemic...
    TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    renacidorenacido Member Posts: 387 ■■■■□□□□□□
    I'm sure they outsource hosting of their public website. But this is no excuse.

    A lot of companies don't hold service providers accountable - require SOC-2 reports, audits, etc. EC-Council should know better. Could be the hosting provider isn't on top of their game.

    One of the downsides of outsourcing - the provider never cares as much about your stuff as you do (or should).
    iBrokeITiBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    This isn't the first time they've been pwned, or second time....
    OctalDumpOctalDump Member Posts: 1,722
    I imagine they would be a popular target. I guess I'll wait for a notification that my PII has been compromised.
    2017 Goals - Something Cisco, Something Linux, Agile PM
    gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    Well, it's not that bad, considering that Angler EK delivered TeslaCrypt as of recently through advertisement on major websites including forbes.com and the likes.
    JockVSJockJockVSJock Member Posts: 1,118
    renacido wrote: »
    I'm sure they outsource hosting of their public website. But this is no excuse.

    The SLA should state that all employees must have C|EH...oh wait, that would probably increase EC-Council's cost.

    renacido wrote: »
    EC-Council should know better.

    From what others have said on this site and my interactions with them, EC-Council and professionalism don't go hand-in-hand.
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "It's easier to deceive the masses than to convince the masses that they have been deceived."
    -unknown
    YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    Well, it's not that bad, considering that Angler EK delivered TeslaCrypt as of recently through advertisement on major websites including forbes.com and the likes.

    Did you actually look at the tweet the OP linked to? This wasn't some ad-rotator - the Wordpress instance eccouncil hosts their web content on was compromised.
    Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Yup. WordPress 4.2.2 on Windows Server 2012 R2 (IIS 8.5) and PHP 7.0.
    Info can be seen from any browser built-in developer tool or via https://sitecheck.sucuri.net/results/iclass.eccouncil.org

    Probably infected via either WordPress or plugin vulnerability.
    EC Council should update their WordPress and related plugins. Version 4.2.2 was released May last year, the latest version is 4.4.2 (with 4.5 coming soon), and there were a couple of critical security patches since 4.2.2.

    FWIW, WordPress versions since 3.7 will automatically update to newer versions. Guess the web design company or whoever maintains the site disabled the auto update feature.
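The two checks Mike7 describes (read the WordPress version the site advertises, and find out whether the automatic updater has been switched off) can be scripted. The block below is an added example, not code from the thread or from WordPress itself; the generator meta tag and the `AUTOMATIC_UPDATER_DISABLED` / `WP_AUTO_UPDATE_CORE` wp-config.php constants are real WordPress features, while the HTML and config snippets are constructed samples that reuse the version numbers quoted in the post.

```python
import re
from typing import Optional, Tuple

# Constructed sample page: WordPress emits a generator meta tag like this
# unless a theme or plugin removes it (the post notes the version is visible
# in any browser's developer tools).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.2.2" />
<title>Training portal</title></head><body></body></html>"""

# Constructed wp-config.php fragments: the weak setting disables core
# auto-updates entirely; the fixed one leaves the default (minor/security
# releases applied automatically) in place.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wp');
define('AUTOMATIC_UPDATER_DISABLED', true);
"""

FIXED_CONFIG = """<?php
define('DB_NAME', 'wp');
define('WP_AUTO_UPDATE_CORE', 'minor');
"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)


def wp_version_from_html(html: str) -> Optional[str]:
    """Return the WordPress version advertised in the generator meta tag, or None."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '4.2.2' into (4, 2, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def version_is_behind(installed: str, latest: str) -> bool:
    """True when the installed version is older than the latest known release."""
    return version_tuple(installed) < version_tuple(latest)


def auto_update_disabled(wp_config: str) -> bool:
    """True when wp-config.php turns core auto-updates off by either constant."""
    updater_off = re.search(
        r"define\(\s*['\"]AUTOMATIC_UPDATER_DISABLED['\"]\s*,\s*true\s*\)", wp_config, re.I
    )
    core_off = re.search(
        r"define\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]\s*,\s*false\s*\)", wp_config, re.I
    )
    return bool(updater_off or core_off)


if __name__ == "__main__":
    latest = "4.4.2"  # the latest release quoted in the post
    found = wp_version_from_html(SAMPLE_HTML)
    print(f"advertised version: {found}")
    if found and version_is_behind(found, latest):
        print(f"site is behind the {latest} release; check for missed security patches")
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label} config disables auto-updates: {auto_update_disabled(cfg)}")
```

Running the script on the sample input reports 4.2.2 as behind 4.4.2 and flags only the weak config. Against a real install, the meta tag can be suppressed, so treat a missing version as "unknown" rather than "current".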
    IristheangelIristheangel Mod Posts: 4,133 Mod
    Ouch.

    I definitely don't regret letting those EC-Council certs expire in February. I would have never gotten them in the first place if it wasn't part of my degree at WGU. What a trainwreck...
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    636-555-3226636-555-3226 Member Posts: 975 ■■■■■□□□□□
    Wordpress compromised... Who would have thought.....
    JockVSJockJockVSJock Member Posts: 1,118

    I definitely don't regret letting those EC-Council certs expire in February. I would have never gotten them in the first place if it wasn't part of my degree at WGU. What a trainwreck...

    Wow...With this much brouhaha surrounding C|EH and EC-Council and their professionalism, I'm beginning to doubt my endeavor and allocation of time and energy towards this cert.
    Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    Ugh, wordpress, come on! And they wonder why they get such a bad rap.
    LinuxRacrLinuxRacr Member Posts: 653 ■■■■□□□□□□
    And I actually have been considering getting the C|EH en route to getting the OSCP and the CISSP.....
    My WGU B.S. IT - Security Progress : Transferred In|Remaining|In Progress|Completed
    AGC1, CLC1, GAC1, INC1, CTV1, INT1, BVC1, TBP1, TCP1, QLT1, HHT1, QBT1, BBC1 (39 CUs), (0 CUs) (0 CUs)
    WFV1, BNC1, EAV1, EBV1, COV1 | MGC1, IWC1 | CQV1, CNV1, IWT1, RIT1 | DRV1, DSV1, TPV1, CVV1 | EUP1, EUC1, DHV1| CUV1, C173 | BOV1, CJV1, TXP1, TXC1 | TYP1, TYC1, SBT1, RGT1 (84 CUs) DONE!
    EngRobEngRob Member Posts: 247 ■■■□□□□□□□
    Wordpress compromised... Who would have thought.....

    That's never happened before....
    cyberguyprcyberguypr Mod Posts: 6,928 Mod
    The way I see the problem is not the mere fact that they have been compromised. To me the issue is the sum of all the little things here and there that have gone wrong with them: security, over-priced product, spelling, lousy support, pushing AMFs just because they can, etc.

    Great to go past the HR goon in an organization that doesn't know better, but that's it.
    dustervoicedustervoice Member Posts: 877 ■■■■□□□□□□
    I'm sure the hacker was just practicing for CEH with some old tools.
    Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Danielm7 wrote: »
    Ugh, wordpress, come on! And they wonder why they get such a bad rap.
    To be fair, quite a number of web sites are on WordPress and we do not read about their sites being compromised. Examples include Walt Disney, LinkedIn blog, Time.com. The key is to update regularly and use security measures such as WAF and NGFW.
    Not dissimilar to how most of us on Windows apply patches regularly and have anti-virus software installed.

    This is something else....
    tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    Stuff happens but the lack of response when an issue is reported is a big problem in my eyes.
    chopstickschopsticks Member Posts: 389
    Major security certification group ignored private warnings for more than 3 days

    For the past four days, including during the hour that this post was being prepared on Thursday morning, a major security certification organization has been spreading TeslaCrypt malware—despite repeated warnings from outside researchers.


    EC-Council, the Albuquerque, New Mexico-based professional organization that administers the Certified Ethical Hacker program, started spreading the scourge on Monday. Shortly afterward, researchers from security firm Fox IT notified EC-Council officials that one of their subdomains—which just happens to provide online training for computer security students—had come under the spell of Angler, a toolkit sold online that provides powerful Web drive-by exploits. On Thursday, after receiving no reply and still detecting that the site was infected, Fox IT published this blog post, apparently under the reasonable belief that when attempts to privately inform the company fail, it's reasonable to go public.


    Like so many drive-by attack campaigns, the one hitting the EC-Council is designed to be vexingly hard for researchers to replicate. It targets only visitors using Internet Explorer and then only when they come to the site from Google, Bing, or another search engine. Even when these conditions are met, people from certain IP addresses—say those in certain geographic locales—are also spared. The EC-Council pages of those who aren't spared then receive embedded code that redirects the browser to a chain of malicious domains that host the Angler exploits.


    More details and reading -->

    Certified Ethical Hacker website caught spreading crypto ransomware | Ars Technica
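The article excerpt above explains why the infection was hard to reproduce: the injected redirect appeared only for Internet Explorer visitors arriving from a search engine, and not for some source IPs. The standard way to verify such conditional injection on a site you are responsible for is to fetch the same page under several client conditions and diff the external script and iframe sources. The block below is an added illustration of that comparison, not code from the article, from Fox-IT or from the thread; the responses are constructed HTML snippets (with an invented `landing.example.invalid` host) rather than captures from the real site.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample responses for one URL fetched under different
# (user-agent, referer) conditions. Only the IE-from-search variant carries
# the extra script and hidden iframe, mirroring the gating the article describes.
BASELINE = """<html><head><title>Training portal</title>
<script src="https://cdn.example.com/jquery.min.js"></script>
</head><body><p>Welcome.</p></body></html>"""

INJECTED = """<html><head><title>Training portal</title>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="http://landing.example.invalid/gate.js"></script>
</head><body><p>Welcome.</p>
<iframe src="http://landing.example.invalid/frame.html" width="1" height="1"></iframe>
</body></html>"""

Condition = Tuple[str, str]  # (user-agent family, referer class)

SAMPLE_RESPONSES: Dict[Condition, str] = {
    ("Firefox", "direct"): BASELINE,
    ("IE", "direct"): BASELINE,
    ("Firefox", "google"): BASELINE,
    ("IE", "google"): INJECTED,
}

# Matches <script ... src="..."> and <iframe ... src="..."> opening tags.
SRC_RE = re.compile(
    r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE
)


def external_sources(html: str) -> Set[str]:
    """Return the set of script/iframe src URLs a page loads."""
    return {m.group(2) for m in SRC_RE.finditer(html)}


def find_conditional_injections(
    responses: Dict[Condition, str], baseline_key: Condition
) -> Dict[Condition, Set[str]]:
    """Report, per condition, any sources not present in the baseline fetch.

    A clean site returns the same third-party sources regardless of browser or
    referer; sources that show up only under some conditions are the signal.
    """
    base = external_sources(responses[baseline_key])
    findings: Dict[Condition, Set[str]] = {}
    for condition, html in responses.items():
        extra = external_sources(html) - base
        if extra:
            findings[condition] = extra
    return findings


if __name__ == "__main__":
    results = find_conditional_injections(SAMPLE_RESPONSES, ("Firefox", "direct"))
    for (ua, referer), sources in results.items():
        print(f"UA={ua} referer={referer}: unexpected sources {sorted(sources)}")
```

In practice the responses dict is filled by fetching the page with the corresponding User-Agent and Referer headers from more than one network location; comparing against a direct, non-IE fetch as the baseline is what makes a referer- and browser-gated injection visible when a single fetch from the operator's own desk looks clean.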
    thomas_thomas_ Member Posts: 1,012 ■■■■■■■■□□
    Kind of reminds me of the time when I was searching for Mike Meyers' website in google, to see that his website's meta tags had been maliciously changed. I sent them an email about it. Apparently their site had been hacked recently.
    bigdogzbigdogz Member Posts: 881 ■■■■■■■■□□
    Thanks for not disappointing, EC Council. Just when we thought you might have your act together we are proven wrong again and again.

    There should be a certification to find all of the exploits in their infrastructure. It might be a better certification path.
    markulousmarkulous Member Posts: 2,394 ■■■■■■■■□□
    cyberguypr wrote: »
    The way I see the problem is not the mere fact that they have been compromised. To me the issue is the sum of all the little things here and there that have gone wrong with them: security, over-priced product, spelling, lousy support, pushing AMFs just because they can, etc.

    Great to go past the HR goon in an organization that doesn't know better, but that's it.

    Agreed. If it weren't for the fact that I get away from Taskstream, I wouldn't be quite as thrilled about taking the CEH and CHFI. Even with all these issues, EC Council is still the lesser of those two evils IMO. :D
    TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    Mike7 wrote: »
    To be fair, quite a number of web sites are on WordPress and we do not read about their sites being compromised.

    Yes, but this is a cyber security related company; you would think they'd be on top of their game. Everyone gets compromised from time to time, but usually it's caught within hours and doesn't drag on for days. It's kinda like the fire department house burning to the ground or the police station getting robbed.
    Still searching for the corner in a round room.
    cyberguyprcyberguypr Mod Posts: 6,928 Mod
    Back to my point about the sum of all parts. This is not an isolated event.

    Errata: Charlatan - EC-Council (ECC)
    [Deleted User][Deleted User] Senior Member Posts: 0 ■■□□□□□□□□
    Remember though, nobody can detect 100% of anything. Even if you look at the vulnerability database https://nvd.nist.gov/ it would be impossible to stop it all as things are updated every minute with new vulnerabilities. Not all threats can be stopped. If there was a 100% security protection solution then there would be no need for security professionals and most of us here wouldn't have jobs. I'm even willing to bet that this site is vulnerable to some form of XSS or CSRF and this is a forum for IT pros and IT certifications. Even look at OSCP certification they even offer a bounty program for finding vulnerabilities on their site and they are top of the line for pen testing certs: https://www.offensive-security.com/bug-bounty-program/ That is my 2 cents on this at least.
    tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    I think how a company reacts to a security incident is the most important thing. My opinion of EC dropped a lot initially because a few years ago their website was full of broken links. If it wasn't for WGU I wouldn't have ever taken any of their tests because it's a bad sign when you are trying to sell me on taking a cert of yours and your links to more information are all broken.
    wayne_wonderwayne_wonder Member Posts: 215 ■■■□□□□□□□
    You can bash them but they keep getting people to take their exams regardless and job postings around the world want CEH or CHFI so they can't be doing too bad.