AMD suffered a breach when a group known as R00tbeer targeted their WordPress installation and managed to deface the domain as well as walk away with the SQL file used to manage the content management system (CMS).
The attackers replaced the website with the “True Story” meme image, and a simple message to follow @r00tbeer_ on Twitter. In addition, the group published an SQL file with 185 accounts, complete with username, hashed password, and email. One of the accounts looked as if it belonged to Checkib Akrout, who is AMD’s technology group’s general manager.
Prior to attacking AMD, R00tbeer also targeted an advertising scam forum, The Bot Net. Nothing of value was lost in that incident.
By Monday, AMD replaced the page at blogs.amd.com with a maintenance message, telling visitors that the domain will be “back online as soon as possible.”
The website had an outdated version of WordPress installed, version 3.0, as well as a number of additional plug-ins. Any one of them could have been the attack vector, but it is likely that R00tbeer simply targeted the main installation.
In 2010 WordPress 3.0 was vulnerable to a SQL Injection vulnerability that allows an attacker to disclose information stored in the database by targeting author permissions. Later the same year, version 3.0.4 released, addressing Cross-Site Scripting (XSS) vulnerabilities in the KSES HTML sanitation library.
At the time WordPress urged all users to update, as the XSS issue impacted “all versions of WordPress prior to 3.0.4.”
AMD has made no official statement, other than the promise to return the site soon.