This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Australian Human Resources Institute (AHRI)

Summary

On 1-2 February 2024, the Australian Human Resources Institute (AHRI) website was compromised when an unauthorized person gained access via AHRI's website provider and installed malicious code. The malware prompted visitors to download a fake web browser update, potentially infecting devices of those who visited the site during the two-day window. AHRI uses the Marketing Resource Management (MRM) platform Agend, built on WordPress, to host its website and member services.

What Happened

An unidentified threat actor exploited vulnerabilities in AHRI's website infrastructure to install a malicious script and malware that remained active between 1 and 2 February 2024. The attacker gained unauthorized access through AHRI's website provider, Agend, which hosts the organization's digital presence using WordPress CMS combined with third-party and Agend-specific plugins.

The malware deployed a social engineering technique common in web-based attacks: presenting website visitors with a fake browser update prompt. Users who clicked the prompt would unknowingly download malware to their devices instead of a legitimate browser update.

The compromised website served as a distribution platform for the malware during the 48-hour period when the malicious code was active. AHRI did not disclose the specific vulnerabilities exploited or whether the breach occurred through the WordPress CMS itself, third-party plugins, or Agend's custom infrastructure.

No hacking group has publicly claimed responsibility for the attack, and AHRI has not attributed the incident to any known threat actor.

Impact on Individuals

The breach primarily affected individuals who visited the AHRI website between 1 and 2 February 2024. The exact number of impacted visitors remains undisclosed.

Individuals who clicked on the fake browser update prompt faced potential risks including:

  • Device infection: Malware installation on computers or mobile devices
  • Credential theft: Potential capture of usernames, passwords, and other login information
  • Data exfiltration: Risk of personal files or information being accessed
  • Further malware propagation: Infected devices could become vectors for spreading malware to other systems or networks

While no evidence suggests that AHRI's member database or stored customer information was directly accessed, visitors to the website during the active malware period faced significant cybersecurity risks. Those who downloaded the fake update would need to undertake malware removal procedures and potentially monitor their accounts for unauthorized access.

The incident particularly impacted human resources professionals and AHRI members who regularly access the site for professional development resources and member services.

Organisational Response

AHRI publicly warned customers of the cyber attack and advised anyone who visited the website between 1 and 2 February 2024 to take immediate action to check their devices for potential malware infections.

The organization worked with its website provider, Agend, to remove the malicious code and restore website security. AHRI did not publicly disclose whether affected visitors received individual notification, the specific malware removal guidance provided, or whether the organization offered complimentary security services to those potentially impacted.

The breach highlighted vulnerabilities in third-party website hosting platforms, particularly those using WordPress and associated plugins, which remain common targets for web-based attacks.
