The bloody battle of website defacement: “ISIS” hackers vs. WordPress
By Nimrod Luria
Police and FBI are investigating defacement attacks on numerous North American websites in which attackers placed an ISIS flag banner on website home pages and played an Arabic song in the background, as reported by NBC News.
The sites appear to have one thing in common: they are all built on the WordPress content management platform.
WordPress is by far the most popular CMS: as of February 2015, over 23% of the websites in the world are built on WordPress. WordPress is an Open Source platform that offers thousands of third-party plugins, which makes it extremely vulnerable, with hundreds of thousands of web-based attacks executed against it every year.
In 2014 a bug in MailPoet, a WordPress mail plugin, resulted in 50,000 sites being hacked by injecting a PHP backdoor. SoakSoak, one of the most publicized WordPress attacks in 2014, took advantage of a bug in a popular slider plugin and as a result over 100,000 sites were hacked. More recently, Slimstat, an analytics plugin, was found to be vulnerable to attacks exposing over 1M WordPress websites.
According to NBC, the alleged ISIS attacks were made by mainstream hackers who used the ISIS name to gain attention. They executed a defacement attack, in which hackers change the appearance of a web page. Defacement is executed either via a Web-based attack such as SQL injection, which introduces malware that changes the site’s appearance, or via malware introduced from inside the network, for example by an employee carrying it in on a flash drive. The malware then scans the internal network for Web servers and, once it finds them, changes their IP to the attacker’s server IP, redirecting visitors to the attacker’s servers.
Eliminating Defacement in WordPress sites
Eliminating defacement attacks on a WordPress site is extremely difficult because of the vulnerable nature of the platform. Administrators should continuously check for the appearance of unknown files and directories and monitor them for changes.
Patching: the most conventional and straightforward approach is patching. WordPress and its plugin providers issue patches that fix security bugs once they’re discovered. Security administrators and website administrators should keep WordPress and its plugins always updated to the latest versions.
However, patching does not guarantee security because it cannot protect against zero-day attacks. Both the SoakSoak and MailPoet attacks exploited undocumented zero-day vulnerabilities. These vulnerabilities were unknown prior to the event, and the plugin providers obviously had no patch prepared. Once a zero-day vulnerability is discovered, security managers and website owners are exposed to attacks until a patch is, hopefully, provided.
Read-only Web Server Account: Web administrators can reduce the risk of defacement by limiting the web server account to read-only permissions.
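The continuous check for unknown or changed files recommended above, as an added example that is not part of the original article: it baselines the file tree of a WordPress install by SHA-256 and reports anything added, modified or removed on the next run. The directory layout and file contents below are constructed samples.

```python
"""Added example: file-level change detection for a WordPress install.
Constructed sample tree; real use passes the install root to snapshot()."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify paths as added, modified or removed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed sample: a tiny WordPress-like tree, then simulated tampering."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php require 'wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-content", "uploads", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG")
    baseline = snapshot(root)
    # Simulated tampering: the front page is rewritten and a new PHP file
    # appears in the uploads directory, where only media belongs.
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'changed';\n")
    with open(os.path.join(root, "wp-content", "uploads", "x.php"), "w") as fh:
        fh.write("<?php /* constructed sample file */\n")
    return diff_snapshots(baseline, snapshot(root))
```

Run the snapshot from a cron job and alert on any non-empty diff that does not correspond to a planned update; a PHP file appearing under wp-content/uploads is a classic sign of the backdoors mentioned above.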
Using Security Solutions
Following best practices may eliminate SQL injection, but it will not prevent other exploits, such as an unhardened web server allowing attackers to obtain WordPress administrator permissions.
Security solutions offer the most comprehensive and advanced options for eliminating zero-day defacement attacks. They monitor web pages for changes and generate alerts at any sign of potential defacement. Some of their features are:
Color Persistence Monitoring: the security solution generates a color stamp for the page and monitors it; unexpected changes may be a sign of defacement and trigger an alert. However, a color test is unlikely to detect banner insertion, as in the DRCC site defacement.
DOM Inspection: inspecting the document object model (DOM) before serving a page to a user will reveal changes to page structure indicating defacement.
Digital Signing and Monitoring of Web Pages: advanced Web Application security solutions scan the site and generate a comprehensive digital signature based on multiple properties, such as resource structure, number of external resources, number of scripts on the page and additional information, combined to validate page authenticity. Any unplanned change immediately triggers an alert.
Auto-protection: advanced defacement protection not only alerts but reverts to a valid version of the site or, even better, serves a secure, cloud-based version of the site that cannot be altered at all, completely eliminating defacement.
Avoiding False Positives: avoiding false positives is a key consideration when evaluating defacement mitigation solutions, as valid changes to the website may trigger alerts or be blocked. To avoid false positives, solutions must combine multiple measures of defacement identification and mitigation from the list above.
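The DOM inspection and structural signature described above, combined into one check, as an added example that is not Sentrix's product code: it digests the page's tag skeleton together with script, external-resource and media counts, then compares a served copy against a baseline taken from a known-good page. The two HTML documents below are constructed samples; the defaced one carries exactly the banner image and background audio the article describes, which a color test would likely miss.

```python
"""Added example: structural page signature for defacement detection."""
import hashlib
from html.parser import HTMLParser


class StructureWalker(HTMLParser):
    """Collect the tag skeleton and resource counts, ignoring text content."""

    def __init__(self):
        super().__init__()
        self.skeleton = []   # tag names in document order
        self.scripts = 0
        self.external = 0    # resources pulled from other hosts
        self.media = 0       # <img>/<audio>/<video>, where banners land

    def handle_starttag(self, tag, attrs):
        self.skeleton.append(tag)
        attrs = dict(attrs)
        if tag == "script":
            self.scripts += 1
        if tag in ("img", "audio", "video"):
            self.media += 1
        src = attrs.get("src") or (attrs.get("href") if tag == "link" else None) or ""
        if src.startswith(("http://", "https://", "//")):
            self.external += 1


def signature(html):
    """Digest of the tag skeleton plus counts that a text-only edit leaves unchanged."""
    w = StructureWalker()
    w.feed(html)
    skeleton_hash = hashlib.sha256(" ".join(w.skeleton).encode()).hexdigest()[:16]
    return {"skeleton": skeleton_hash, "scripts": w.scripts,
            "external": w.external, "media": w.media}


def check_page(baseline_sig, served_html):
    """Return the signature fields that differ from the baseline; empty means no deviation."""
    sig = signature(served_html)
    return sorted(k for k in baseline_sig if baseline_sig[k] != sig[k])


# Constructed known-good page: one local script, no media, no external resources.
GOOD = """<html><head><script src="/wp-includes/js/jquery.js"></script></head>
<body><h1>Welcome</h1><p>Our latest post.</p></body></html>"""
# Constructed defaced copy: a banner image and a background audio tag inserted.
DEFACED = GOOD.replace("<body>", '<body><img src="https://example.invalid/banner.png">'
                       '<audio src="https://example.invalid/song.mp3" autoplay></audio>')
```

A text-only edit (changing a headline) passes this check unchanged, which is why the article's point about combining several measures, such as a content digest alongside the structural one, matters in practice.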
Nimrod Luria is Sentrix co-founder and CTO. He is one of Israel’s most respected visionaries on the topic of Web security. Nimrod led Microsoft Israel’s ACE team, and divisions of the European ACE groups, in charge of defending Microsoft’s core infrastructure, and was named a Microsoft MVP. Nimrod led security divisions across enterprise, government and military sectors and founded several cyber security companies. His most recent security startup, Q.rity, was acquired by Ness, a Citigroup company. Nimrod is an international Web security authority and a frequent speaker and panelist at OWASP forums, Infosec, TechReady, RSA and TechEd. Nimrod holds an MBA from the University of Derby.