Police and FBI are investigating defacement attacks on numerous US Web sites, in which attackers placed an ISIS flag banner on Web site home pages and played an Arabic song in the background.
Nimrod Luria, co-founder and chief technology officer of Sentrix, points out that all the affected sites appear to have one thing in common: they are all built on the WordPress content management platform.
WordPress is by far the most popular CMS. As of February 2015, more than 23% of the Web sites in the world were built on the WordPress Open Source platform.
The thousands of third-party plugins available on WordPress, however, cause it to be extremely vulnerable, Luria adds, with hundreds of thousands of Web-based attacks executed every year.
In 2014 a bug in MailPoet, a WordPress mail plugin, resulted in 50 000 sites being hacked by injecting a PHP backdoor. SoakSoak, one of the most publicised WordPress attacks in 2014, took advantage of a bug in a popular slider plugin and as a result more than 100 000 sites were hacked. More recently, Slimstat, an analytics plugin, was found to be vulnerable to attack, exposing more than 1-million WordPress Web sites.
According to NBC, the alleged ISIS attacks were made by mainstream hackers who used the ISIS names to gain attention. They executed a defacement attack, in which hackers change the appearance of a Web page. Defacement is executed via a Web-based attack such as a SQL injection, which introduces malware to change the site’s appearance, or by malware introduced from inside the network; for example, an employee distributing it from a flash drive.
The malware then scans the internal network for Web servers and once found, it changes their IP to the attacker’s server IP, directing visitors to the attacker’s servers.
Luria says that eliminating defacement attacks on a WordPress site is extremely difficult because of the vulnerable nature of the platform. Administrators should continuously check for the appearance of unknown files and directories and monitor them for changes.
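One way to implement the file check Luria describes, as an added example that is not from the article or from Sentrix: take a baseline of SHA-256 hashes over the WordPress document root, re-scan later and report files that appeared, changed or vanished. The directory layout and the simulated tampering below are constructed for the demo.

```python
# Added example: minimal file-integrity check for a WordPress document root.
# A planted PHP file or an edited theme template shows up as "added" or
# "modified" on the next scan. Sample tree and tampering are constructed.
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root)] = digest
    return digests


def diff_snapshots(baseline, current):
    """Return sorted lists of added, modified and removed relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: baseline, then a dropped file and an edited theme."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    theme = os.path.join(root, "wp-content", "themes", "site")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php require 'wp-blog-header.php';\n")
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<html><body>\n")
    baseline = snapshot(root)
    # Simulated tampering: an unknown file appears and a template is altered.
    with open(os.path.join(root, "wp-content", "uploads.php"), "w") as fh:
        fh.write("<?php // unexpected file\n")
    with open(os.path.join(theme, "header.php"), "a") as fh:
        fh.write("<!-- altered -->\n")
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the Web server and the scan scheduled, so that a compromised host cannot silently rewrite its own reference hashes.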
The most conventional and straightforward approach is patching. WordPress and its plugin providers issue patches that fix security bugs once they’re discovered. Security administrators and Web site administrators should always keep WordPress and its plugins updated to the latest versions.
However, patching does not guarantee security because it cannot protect against zero-day attacks. Both the SoakSoak and the MailPoet attacks were undocumented, zero-day exploits. These vulnerabilities were unknown prior to the event, and the plugin providers were obviously not prepared with a patch. Once a zero-day vulnerability is discovered, security managers and Web site owners are exposed to attacks until a patch is, hopefully, provided.
Luria says Web administrators can reduce the risk of defacement by limiting the Web server account to read-only permissions.
Using best practices may eliminate SQL injections, but they will not prevent other exploits such as unhardened Web servers allowing hackers to access WordPress administrator permissions.
Administrators should use solutions that include colour persistent monitoring, DOM inspection, digital signing and monitoring of Web pages, auto protection, and avoidance of false negatives.