WordPress sites under ISIS attack

Published March 16, 2015 in News.

Police and the FBI are investigating defacement attacks on numerous North American websites in which attackers placed an ISIS flag banner on website home pages and played an Arabic song in the background, as reported by NBC News.

The sites appear to have one thing in common: they are all built on the WordPress content management platform.

WordPress is by far the most popular CMS. As of February 2015, over 23 percent of the websites in the world are built on WordPress. WordPress is an open source platform that offers thousands of third-party plugins; that plugin ecosystem greatly widens its attack surface, and hundreds of thousands of web-based attacks against it are executed every year.

In 2014 a bug in MailPoet, a WordPress mail plugin, resulted in 50,000 sites being hacked by injecting a PHP backdoor. SoakSoak, one of the most publicized WordPress attacks in 2014, took advantage of a bug in a popular slider plugin, and as a result over 100,000 sites were hacked. More recently, Slimstat, an analytics plugin, was found to be vulnerable to attacks, exposing over one million WordPress websites.

According to NBC, the alleged ISIS attacks were made by mainstream hackers who used the ISIS name to gain attention. They executed a defacement attack, in which hackers change the appearance of a web page. Defacement is executed either via a web-based attack such as SQL injection, which introduces malware that changes the site's appearance, or by malware introduced from inside the network, for example by an employee distributing it from a flash drive. The malware then scans the internal network for web servers and, once it finds them, changes their IP to the attacker's server IP, directing visitors to the attacker's servers.

Eliminating Defacement in WordPress sites

Eliminating defacement attacks on a WordPress site is extremely difficult because of the vulnerable nature of the platform. Administrators should continuously check for the appearance of unknown files and directories in the web root and monitor existing files for unexpected changes.

The most conventional and straightforward approach is patching. WordPress and its plugin providers issue patches that fix security bugs once they’re discovered. Security administrators and website administrators should keep WordPress and its plugins always updated to the latest versions.

However, patching does not guarantee security because it cannot protect against zero-day attacks. Both SoakSoak and the MailPoet attacks are undocumented, zero-day exploits. These vulnerabilities were unknown prior to the event, and the plugin providers were obviously not prepared with a patch. Once a zero-day vulnerability is discovered, security managers and website owners are exposed to attacks until a patch is, hopefully, provided.

Web administrators can reduce the risk of defacement by limiting the web server account to read-only permissions.
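The two controls just described, watching the web root for new or changed files and keeping the web server account to read-only access, can be checked with a small baseline-and-diff script. The following is an added example and not code from the original article or from Sentrix: it records a SHA-256 baseline of every file under a WordPress document root, reports files that appeared, changed or vanished since the baseline, and lists files whose group/other write bits are set. The directory layout, file contents and the `demo()` helper are constructed for illustration; a real deployment would persist the baseline outside the web root and also compare file ownership against the web server account.

```python
"""Baseline-and-diff file integrity check for a WordPress document root.

Added example (not from the original article): take a SHA-256 baseline of a
web root, later diff the live tree against it, and flag files that the web
server account could write to. All paths and contents below are constructed.
"""
import hashlib
import os
import stat
import tempfile


def file_sha256(path):
    """Hash a file in chunks so large uploads never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_sha256(full)
    return baseline


def diff_against_baseline(root, baseline):
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def writable_files(root):
    """Files with group or other write bits set.

    Simplification: a full check would also consider which account owns the
    file and which account the web server runs as.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def _write(root, relpath, content, mode=0o644):
    """Helper for the constructed demo tree: create parents, write, set mode."""
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(full, mode)


def demo():
    """Constructed web root: take a baseline, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php require 'wp-blog-header.php';")
        _write(root, "wp-content/plugins/example/example.php", "<?php // constructed plugin")
        baseline = build_baseline(root)

        # Simulated defacement: home page rewritten with a banner and background
        # audio, an unknown file dropped into uploads, and a plugin left writable.
        _write(root, "index.php", "<html><img src='flag.png'><audio autoplay src='song.mp3'></audio></html>")
        _write(root, "wp-content/uploads/dropped.php", "<?php // constructed unknown file")
        os.chmod(os.path.join(root, "wp-content/plugins/example/example.php"), 0o666)

        return diff_against_baseline(root, baseline), writable_files(root)


if __name__ == "__main__":
    changes, writable = demo()
    print("changes:", changes)
    print("writable by group/other:", writable)
```

Run the baseline step from a cron job or a deploy hook, store the resulting dictionary somewhere the web server cannot write, and treat any entry in `added` or `modified` outside a planned update window as a signal to inspect the site.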

Using Security Solutions

Using best practices may eliminate SQL injections, but they will not prevent other exploits such as unhardened web servers allowing hackers to access WordPress administrator permissions.

Security solutions offer the most comprehensive and advanced options for eliminating zero-day defacement attacks. They monitor web pages for changes and generate alerts at any sign of potential defacement. Some of their features are:

Color Persistence Monitoring: the security solution generates a color stamp for the page and monitors it. Unexpected changes may be a sign of defacement and will raise an alert. However, the color test is unlikely to detect banner insertion, as in the defacement of the DRCC site.

DOM Inspection: inspecting the document object model (DOM) before serving a page to a user will reveal changes to page structure indicating defacement.

Digital Signing and Monitoring of Web Pages: advanced web application security solutions scan the site and generate a comprehensive digital signature based on multiple properties, such as resource structure, external resource count, number of scripts on the page and additional information, combined to validate page authenticity. Any unplanned change will immediately raise an alert.

Auto-protection: advanced defacement protection will not only alert but revert to a valid version of the site or, even better, will serve a secure, cloud-based version of the site that cannot be altered at all and completely eliminates defacement.

Avoiding False Positives: avoiding false positives is a key consideration when evaluating defacement mitigation solutions, since legitimate changes to the website may trigger alerts or be blocked. To avoid false positives, solutions must combine several of the defacement identification and mitigation measures listed above.
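The DOM inspection and digital signing items above, and the false-positive point, can be shown together in one small structural signature. The following is an added example and not code from the original article or from Sentrix: it parses a page with Python's standard `html.parser`, builds a signature from the tag structure, the script count, the count of resources loaded from hosts other than the site's own, and the count of media elements, then compares a current page against the baseline. To keep editorial changes from alerting, it only calls a page "defaced" when the structure differs and at least one of the count-based indicators has risen. The site host, the three sample pages and the `external.example` host are constructed.

```python
"""Structural page signature for defacement detection.

Added example (not from the original article). A baseline signature is taken
from the known-good page; later fetches are compared against it. A text edit
or a new paragraph changes little, while an injected banner image and
background audio change the structure and raise the external/media counts.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

RESOURCE_ATTRS = {"src", "href", "data"}
MEDIA_TAGS = {"audio", "video", "embed", "object"}


class StructureCollector(HTMLParser):
    """Walk the DOM once and gather the properties the signature is built from."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.tags = []        # tag sequence in document order
        self.scripts = 0      # <script> elements, inline or external
        self.external = 0     # resources loaded from another host
        self.media = 0        # audio/video/embed/object elements

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "script":
            self.scripts += 1
        if tag in MEDIA_TAGS:
            self.media += 1
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                host = urlparse(value).netloc
                if host and host != self.site_host:
                    self.external += 1


def page_signature(html, site_host):
    """Digest of the tag structure plus the count-based indicators."""
    collector = StructureCollector(site_host)
    collector.feed(html)
    collector.close()
    return {
        "structure": hashlib.sha256("/".join(collector.tags).encode()).hexdigest(),
        "tags": len(collector.tags),
        "scripts": collector.scripts,
        "external": collector.external,
        "media": collector.media,
    }


def compare_signatures(baseline, current):
    """Report differences; flag defacement only when several measures agree."""
    findings = []
    structure_changed = baseline["structure"] != current["structure"]
    if structure_changed:
        findings.append("DOM structure differs from baseline")
    for key in ("scripts", "external", "media"):
        if current[key] > baseline[key]:
            findings.append(f"{key} count rose from {baseline[key]} to {current[key]}")
    # A content edit alone changes structure; defacement also adds scripts,
    # external resources or media, so require more than one finding.
    defaced = structure_changed and len(findings) > 1
    return {"changed": structure_changed, "defaced": defaced, "findings": findings}


# Constructed sample pages for a site at acme.example.
SITE_HOST = "acme.example"
BASELINE_HTML = (
    "<html><head><title>Acme</title>"
    "<script src='/wp-includes/js/jquery.js'></script></head>"
    "<body><h1>Acme Bakery</h1><p>Welcome</p></body></html>"
)
TEXT_EDIT_HTML = BASELINE_HTML.replace("Welcome", "Welcome back")
NEW_POST_HTML = BASELINE_HTML.replace("</p>", "</p><p>New post</p>")
DEFACED_HTML = BASELINE_HTML.replace(
    "<h1>",
    "<img src='http://external.example/flag.png'>"
    "<audio autoplay src='http://external.example/song.mp3'></audio><h1>",
)


if __name__ == "__main__":
    base = page_signature(BASELINE_HTML, SITE_HOST)
    for label, html in (("text edit", TEXT_EDIT_HTML), ("new post", NEW_POST_HTML), ("defaced", DEFACED_HTML)):
        print(label, compare_signatures(base, page_signature(html, SITE_HOST)))
```

The `changed` flag is still worth logging even when `defaced` is false, since an auto-protection layer can use it to ask whether the change was planned before reverting or serving the cached copy.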

By Nimrod Luria, co-founder and CTO at Sentrix.

