Monday, August 3, 2015

A word of warning (WordPress and plugins)

To preface: through various info-sharing lists, I get to see the constantly evolving exploit kit landing pages. Quite often the link structures change, and even more frequently the referring sites change. The scary part? Every last one of those referring pages was compromised in some fashion, many of them likely in an automated fashion through some kind of scripted scanner/exploit module.

The event that prompted me to write this was an AV hit for a JS/Redir detection from a page that shall remain unnamed. I kind of figured it was an EK (exploit kit, i.e. Nuclear or Angler), but I almost never see these in my cyber-travels, so I just had to go poking around. So I fire up Wireshark, ZAP and VirtualBox and start going for a stroll down malware lane. Two things immediately catch my attention: there's a comment in the page response reading "This site is optimized with the Yoast WordPress SEO plugin v2.2.1", and a nasty little iframe referencing hxxp://recoltentadelphiamcld2.discounthillsdalefurniture.com/civis/viewtopic.php?t=31w&f=lwmxs.o70b8&. For those in the know, viewtopic.php is a super common URI for the Angler exploit kit. When I presented a correspondent with the above link (but not the information about Yoast), his first statement included the assumption that the site was running WordPress or Joomla. Why? Because they're notoriously insecure, particularly when it comes to plugins.

WordPress is nice because it's open source and well enough supported that WordPress in and of itself isn't TOO dangerous to run, if you keep it up to date. The myriad of plugins, however, make for a pretty diverse attack surface. The more you throw on there to make managing a website easier, the more potential holes you open up, and since the site is web-facing rather than on a private network, the entire world can see/scan/poke around it. The corollary is to keep the plugins patched as well as the core, remove the ones you don't actually use, and remember that a generator comment like the Yoast one above tells every scanner exactly which version you are running. I would highly suggest making your employees' lives difficult and making them go through the web developer for content updates. Or maybe hire someone specifically who is halfway between web developer and business unit to handle content updates. Lastly, if you DO insist on using WordPress (believe me, I am sympathetic to resource restrictions), get your site tested properly. Hire a firm to do a vulnerability assessment. It'll serve you better than having to deal with the mess of infecting your clients/visitors, getting your webpage blocked as a malware site, and potentially having to rebuild your website to make sure it doesn't happen again in the future.

The site www.wordpressexploit.com has a pretty significant list of WordPress exploits (including a couple of stored XSS vulns in the SEO plugin, which is probably how the above iframe was injected). It is a good reference to check your versions of WordPress and its plugins against, to see whether there are any known vulnerabilities.
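As a worked example of the two checks this post turns on, pulling the version-leaking generator comment and the injected off-site iframe out of a page response, and comparing the leaked version against the fix version your vulnerability reference gives you, here is a small triage script. It is an added example written for this page, not code from the original post or from any WordPress project. The sample HTML is constructed to resemble what the post describes, the hostnames in it are placeholders, the "hidden or zero-sized off-site iframe" heuristic is this example's own assumption, and the fixed_in argument is whatever version your reference says closed the hole (the 2.2.2 in the usage line is a placeholder, not a claim about Yoast).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The generator comment quoted in the post; the version number is captured.
YOAST_COMMENT = re.compile(
    r"optimized with the Yoast WordPress SEO plugin v(\d+(?:\.\d+)*)", re.I)

# Assumption for this example: an off-site iframe whose path ends in
# viewtopic.php (the URI the post associates with Angler) is suspicious,
# as is any off-site iframe that is zero-sized or hidden with CSS.
SUSPICIOUS_PATH = re.compile(r"/viewtopic\.php$", re.I)


class IndicatorParser(HTMLParser):
    """Collects the plugin version comment and every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.plugin_version = None
        self.iframes = []

    def handle_comment(self, data):
        m = YOAST_COMMENT.search(data)
        if m:
            self.plugin_version = m.group(1)

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attrs
            self.iframes.append({k: (v or "") for k, v in attrs})


def parse_version(v):
    """'2.2.1' -> (2, 2, 1); numeric so that 2.10 sorts after 2.9."""
    return tuple(int(x) for x in v.split("."))


def is_older(found, fixed_in):
    """True when the found version predates the version that fixed the bug."""
    return parse_version(found) < parse_version(fixed_in)


def is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def triage(html, site_host, fixed_in=None):
    """Return the leaked plugin version, suspicious off-site iframes, and
    whether the leaked version is older than fixed_in (caller-supplied)."""
    p = IndicatorParser()
    p.feed(html)
    suspicious = []
    for f in p.iframes:
        src = f.get("src", "")
        u = urlparse(src)
        offsite = (u.hostname is not None
                   and u.hostname.lower() != site_host.lower())
        if offsite and (SUSPICIOUS_PATH.search(u.path) or is_hidden(f)):
            suspicious.append(src)
    outdated = bool(p.plugin_version and fixed_in
                    and is_older(p.plugin_version, fixed_in))
    return {"plugin_version": p.plugin_version,
            "suspicious_iframes": suspicious,
            "plugin_outdated": outdated}


# Constructed sample response (not a real capture); hostnames are placeholders.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<!-- This site is optimized with the Yoast WordPress SEO plugin v2.2.1 -->
<title>Victim</title></head><body>
<iframe src="http://www.victim.example/embed/map"></iframe>
<iframe src="http://ek.example.invalid/civis/viewtopic.php?t=31w&f=x"
        width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    # 2.2.2 is a placeholder fix version, not a statement about Yoast.
    print(triage(SAMPLE_HTML, "www.victim.example", fixed_in="2.2.2"))
```

The same-host map iframe is left alone; only the off-site one that both hits the viewtopic.php pattern and is zero-sized gets reported. Feed it the raw response body from Wireshark or ZAP rather than the DOM a browser shows you, since the injected markup is exactly what you want to see before any script has run.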

Don't just surf safe; build safe, for those of you who are builders. The internet being cobbled together with duct tape and bubble gum (from a coding standpoint) does not help the current state of information security affairs.
