The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities:
Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.
The FBI also goes into more detail and explains what happens when a site does get compromised:
Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.
This is nothing new and we have been warning and educating our users through the years from our blog and other mediums. Political defacement is very common and one of the most used forms of online protest. And when a defacement is not practical, we see the same groups leveraging DDoS attacks to try to take the controversial content down.
Plugins being Exploited
The FBI disclosure doesn't go into much detail on what is being exploited or what the attackers are doing. We had a chance to remediate and respond to many sites defaced by this group (and others), and we will try to provide some clarity on these attacks.
First, the top 2 plugins currently being exploited are:
Especially Revslider, which is the #1 by far compared to the others. After these first two, we are seeing many attacks against FancyBox, WP Symposium, MailPoet and other popular plugins that had vulnerabilities disclosed recently. This list is not exhaustive at all, as the attackers seem to try to exploit whatever they can get their hands on, but it gives you an idea of what they are looking for.
Second, the FBI report also misses one very important point. It is not just exploitation attempts against plugins: we also see vulnerabilities in themes being exploited, along with many brute force attacks targeted at the WordPress administration panel. All of these serve as entry points for these political defacements once the attackers get in.
Third, their recommendations to secure WordPress are missing many important points. They link to the WordPress hardening page that provides almost no real security to the end user.
It is not just about keeping WordPress updated anymore. You need defense in depth: you have to have monitoring, you have to use low-privileged users for most of your actions, you have to review your logs, you have to use strong passwords, and you have to audit the plugins and themes you are using.
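Two of the recommendations above, monitoring and log review, are concrete enough to show in code. The following Python script is an added example and is not part of the original post or of Sucuri's products; it runs over a few constructed Apache-style access log lines (the IPs, timestamps, and the plugin name "example-plugin" are all made up for illustration) and flags the two entry points the post describes: brute force bursts against wp-login.php and requests carrying directory-traversal sequences, which is a generic indicator of attempts to abuse file-handling bugs in plugins and themes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log lines in Apache combined/common format. Every address,
# timestamp and plugin path here is invented for the example.
LOG_LINES = """\
203.0.113.5 - - [07/Apr/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523
203.0.113.5 - - [07/Apr/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523
203.0.113.5 - - [07/Apr/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1523
203.0.113.5 - - [07/Apr/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1523
203.0.113.5 - - [07/Apr/2015:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [07/Apr/2015:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin&file=../../wp-config.php HTTP/1.1" 200 2200
198.51.100.8 - - [07/Apr/2015:10:01:30 +0000] "GET /wp-content/plugins/example-plugin/view.php?f=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2200
192.0.2.9 - - [07/Apr/2015:10:02:00 +0000] "GET / HTTP/1.1" 200 8800
192.0.2.9 - - [07/Apr/2015:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Fields we need from each line: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Literal or percent-encoded "../" (the path is URL-decoded before matching).
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def parse_log(text):
    """Parse access log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TIME_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def detect_login_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: max POSTs to wp-login.php seen within any `window`} for IPs at or above `threshold`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].split("?")[0].endswith("/wp-login.php"):
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def detect_traversal(events):
    """Return (ip, raw_path) for requests whose decoded path contains a traversal sequence."""
    hits = []
    for e in events:
        if TRAVERSAL_RE.search(unquote(e["path"])):
            hits.append((e["ip"], e["path"]))
    return hits


if __name__ == "__main__":
    evts = parse_log(LOG_LINES)
    for ip, n in detect_login_bruteforce(evts).items():
        print(f"brute force: {ip} made {n} login POSTs within the window")
    for ip, path in detect_traversal(evts):
        print(f"traversal attempt: {ip} requested {path}")
```

On the sample above the script reports one brute-force source (203.0.113.5, five login POSTs in seven seconds) and two traversal attempts, one of them percent-encoded; a real deployment would feed it the live access log and route the findings to whatever alerting or blocking you already have.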
*Note that the Revslider vulnerability was also used in the mass malware campaign called Soaksoak back in December, and is still causing website owners issues today.
If you are looking for a comprehensive security solution for your WordPress websites, try our Website Firewall: https://sucuri.net/website-firewall. We call it a Firewall, but in reality, it is a cloud-based Intrusion Detection and Prevention system (IDS/IPS) for websites; one that can protect your site from the attacks described in this post and that the FBI is now warning us all about.