The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities:
Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.
The FBI also goes into more detail and explain what happens when a site does get compromised:
Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.
This is nothing new and we have been warning and educating our users over the years through our blog and other mediums. Political defacements are very common and one of the most used forms of online protest. When a defacement is not practical, we see the same groups leveraging Distributed Denial of Service (DDoS) attacks to try to take the controversial content down.
Plugins Being Exploited
The FBI disclosure doesn’t get into details on what is being exploited and what the attackers are doing. We have however had the opportunity to remediate and respond to many sites defaced by this group (and others); we will try to provide some clarity on these attacks.
First, the top 2 plugins currently being exploited are:
- Outdated RevSlider – Version < 4.2 – Possible Source
- Outdated GravityForms – Version < v1.8.20 – Possible Source
The vulnerabilities being exploited appear to be from older versions of the plugins that have yet to be patched. We are not aware of any new vulnerabilities in either of the plugins.
Specially Revslider, which is the #1 by far compared to the others. After these first two, we are seeing many attack against FancyBox, Wp Symposium, Mailpoet and other popular plugins that had vulnerabilities disclosed recently. This list is not exhaustive at all, as it seems the attackers try to exploit whatever they can get their hands on, but it gives you an idea of what they are looking for.
Second, the FBI report also misses one very important point about the attack vector. It is not just vulnerability exploitation attempts against plugins, we also see vulnerabilities exploited in themes, along with many brute force attacks targeted at the WordPress administration panel. They are all used by these political defacement groups once they can get in.
Third, their recommendations to secure WordPress are missing some important points. They link to the WordPress hardening page that provides almost no real security to the end user.
It is not just about keeping it updated anymore. You have to have security in depth, you have to have monitoring, you have to leverage low-privileged users for most of your actions, you have to monitor your logs, you have to use good passwords, you have to audit the plugins and themes you are using.
Note that the Revslider vulnerability was also used in the mass malware campaign called Soaksoak back in December, and is still causing website owners issues today.
If you are looking for a comprehensive security solution for your WordPress websites, try our Website Firewall: https://sucuri.net/website-firewall. We call it a Firewall, but in reality, it is a cloud-based Intrusion Detection and Prevention system (IDS/IPS) for websites; one that can protect your site from the attacks described in this post and that the FBI is now warning us all about.
Which version of GravityForms?
Okay guys, you seriously need to do a better job of communicating things like this to the public in a more responsible manner when naming products by name. You mention Gravity Forms but provide zero details related to the version, etc.
If you’re referring to a vulnerability in old versions of Gravity Forms then you need to include details like this when publishing information like this. Otherwise all you are doing is causing alarm for our users who see this and think the current version of Gravity Forms is involved, which is not the case.
If you’re aware of a vulnerability in the current version of Gravity Forms then by all means communicate that to us directly and privately via the disclosure practices you’ve published on your own blog before disclosing it publicly. You haven’t done so, therefore i’m going to assume this is in reference to old versions of Gravity Forms being exploited on sites that have not been keeping up to date with plugin updates.
Either way, publishing information like this without providing those types of details is irresponsible and potentially brand damaging. I expect more of you guys.
I agree. I flipped out when I read this, and hence why I asked for the version number (below). More due diligence should be done when making such grandiose claims, especially when it affects literally thousands of users.
As far as I am aware, and I do not believe Sucuri is aware of an unpatched vulnerability, it’s related to a vulnerability that was patched in early December. We’ve also released numerous updates since then. If Sucuri knows something we don’t I would expect them to communicate with us privately prior to any kind of public disclosure. That hasn’t happened any time recently.
We constantly preach keeping WordPress, plugins and themes up to date as a best practice. We have background automatic updates built in with Gravity Forms v1.9+ and suggest users enable it in the settings. Short of beating users over the head and forcing them to click the update button at gun point there’s not much more we can do to get people to keep WordPress up to date. If you manage your own WordPress site there’s personal responsibility related to keeping things up to date that comes along with that.
Had sites kept things up to date this would not have occurred as we didn’t begin to see this particular vulnerability exploited in the wild until after the security disclosure was published publicly in December.
I wrote about the issue of updates as it relates to WordPress and users here: http://carlhancock.com/wordpress-has-an-update-problem/
WordPress as a project and a community needs to do more as it relates to updates. If users are going to be lazy about updating, WordPress needs to do more to force updates on users. Updates aren’t really a choice, they are a necessity when it comes to keeping your WordPress site secure.
I disagree. This was an article about the FBI, not a post about a new security vulnerability. Not sure how you guys are confusing the two. As far as versions… https://wpvulndb.com/search?text=gravity
If this was related to a new vulnerability we would have disclosed it as such. This post has nothing to do with any brand or new vulnerability, its related to the PSA recently released by the FBI.
It just so happens, that GravityForms is on the list because it is being used as a vector via old vulnerabilities. If you have concerns, please engage us, you have our direct contact information. The point of the post had nothing to do with any brand, but more to place focus on what today’s threats look like. Sorry that your brand was caught in the mix.
It’s unfortunate you see it as irresponsible, we’ll have to agree to disagree in the approach.
My issue isn’t with the overall message, it’s the lack of detail that is included.
Nowhere in this post does it mention this is related to old versions of Gravity Forms and if you’ve been keeping your WordPress install up to date you should be just fine. It simply says Gravity Forms is being exploited.
We’ve had multiple users ask us about it, they saw this post and panicked when it wasn’t necessary as they were running up to date versions and so they were not vulnerable. The distinction isn’t clear to users the way it is presented.
The version information and the fact that the issue in question has been patched for some time is an important piece of information to include. Otherwise people will make the false assumption that the version of Gravity Forms that is currently available is vulnerable. Causing users to panic and people to publicly claim the current version is vulnerable based on what they read here alone. Some have already done so.
I’d appreciate if you guys would update the post to include that additional information.
Good point. Updated to clarify that it is only outdated versions.
As Tony mentioned, the goal was just to explain what is causing these compromises and not to put any specific plugin in the spot. Because, in reality, the plugin itself does not matter. It is the lack of care and good security posture that lead to bad decisions, like leaving plugins outdated for months or using bad passwords.
It’s not the first time this complaint has been put on Sucuri. Any time you write about security you have to be sure to dot your I’s and cross your Q’s because otherwise you see panic. I don’t believe Sucuri would try to exploit that panic for traffic, but they could do a bit of a better job with their details and disclosure methods. I’m wary if this would ever happen to us. Regardless, the information published here is valuable for all WordPress users and I’m thankful for it.
I have further updated this post with an additional disclaimer, and I’ve added some links to source of information to help address some of the confusion.
I appreciate it @Tony and @Daniel. Thanks for taking care of it. Just didn’t want additional people misunderstanding the current situation.
I agree, the plugin itself does not matter. Software has bugs, it has security vulnerabilities. Be it the OS itself like Windows, OSX, iOS, etc. or web software like WordPress core, plugins and themes.
All of them require being diligent with software updates and it’s something that is a major issue in the WordPress install base. Users simply aren’t keeping their WordPress sites updated.
This issue is something that WordPress as a project is going to need to tackle and improve upon. Core background automatic updates were a great first step. But it’s still only maintenance releases, not major version releases and doesn’t truly help much when it isn’t automatically extended to plugins and themes by default.
Because the barrier to entry is so low to create a WordPress site we have a very large user base of people who simply don’t realize it isn’t “set it and forget it”. You HAVE to maintain your site and install updates on a regular basis as standard practice or you are leaving your front door unlocked. Reaching those people and convincing them of the importance of software updates is critical and it’s something we we’re currently failing at as a community.
We have users who say they haven’t updated because it works and they don’t need the new features so why bother? That makes me cringe. I think background automatic updates for plugins as the default (but with hook to disable or customize) is a must and something WordPress needs to move towards. Currently it’s possible but a hook is used to enable, not disable this functionality.
It’ll be painful. But I think it’s the only real solution for driving home the importance and giving users no excuse for not keeping things updated.
I panicked too. I knew about RevSlider, but not about GravityForms. A simple link to some relevant disclosures (or even blogposts from your own site) would have been enough.
There was a GF vulnerability in December 2014, so I’m guessing it’s versions below 1.8.20 which should be considered insecure:
We’re not aware of any new vulnerabilities that are attributing to this issue.
It would be nice if you could change the rev slider one to “Version < 4.2" instead of "Version Too Many To Assess". May as well provide that detail…
No problem, done.
Thanks Tony, much appreciated.
I can confirm that some ISIS defacements exploit the “Fancybox for WordPress” vulnerability (version 3.0.2 and older). https://blog.sucuri.net/2015/02/analysis-of-the-fancybox-for-wordpress-vulnerability.html
It’s the simplest way, since only one requests is needed to inject extra content to web pages.
The hacks I saw injected a script changing title to “Hacked by Islamic State” and then an HTML code with a base64-ecoded inline image of the ISIS banner and an embedded YouTube video.
To the people complaining about the lack of info about Gravity forms: https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
“It is not just about keeping it updated anymore. You have to have
security in depth, you have to have monitoring, you have to leverage
low-privileged users for most of your actions, you have to monitor your
logs, you have to use good passwords, you have to audit the plugins and
themes you are using.”
I want to engrave that on a hammer and hit some people with it. So many people come to me saying, “But I had a good password!” Sure, but did you do everything else?
I really agree with carlhancock before publish a article in publicly you need to be more specify the module version no , when it released. Not only mentioned the module name. This create confusion to the customer. It is not developer’s responsibility to check where there customer are using 1 year old module. Theme and module developer all time update there product for better security and stability. Customer have to update there item when update released.
Hope i can give a clear idea 🙂
Oaks Park CEO Joe Norling and general manager Mary Beth Coffey brought in a police/sheriff sting operation in to the park after the city of Portland took control of the park from Funtastic company to sabotage the rides at the park so the city could justify shutting down the park so they could use the property for more profitable purposes!
The city managers filled all the key positions in the park with their henchmen and they waited for the at the time general manager Dick Conner’s to retire, and right after Dick Conners retired the CEO Joe Norling ordered the maintenance team to move the Monster Mouse ride to a new location within the park!
The maintenance team deliberately sabotaged the Monster Mouse ride by NOT BALANCING the ride after they took the ride down and they assembled it in it’s new location in the park!
The maintenance team did not remove any of the boards at the bottom of the posts they left all of them in place when they took the ride down, and as they assembled the ride in it’s new location all the boards were still in place on all the posts, after they assembled the ride the ride appeared to be balanced because all the boards were in place on the posts, so to the untrained eye the ride appeared balanced when in fact it was not balanced at all!
Every time the Monster Mouse is torn down and set up in a new location each and every time you MUST REMOVE THE BOARDS ON THE POSTS because the ride needs to be RE-BALANCED from scratch!
After the maintenance team sabotaged the Monster Mouse the city managers running the park arraigned for their henchmen on the ride team to to keep control of the back-breaks on the Monster Mouse so that they can over time develop cracks on the tracks, and the rest of the henchmen were given by managers the key lead foreman positions so that they can keep the normal ride operators off the back-breaks of the Monster Mouse and to cover up complaints and to get rid of ride operators that complain
These city of Portland sabotage artists spent well over a year developing the cracks on the Monster Mouse tracks and to keep normal ride operators off the back-breaks of that ride, and after one of the henchmen developed a full crack on the track he quit his job without warning or notice, and the following morning the maintenance team slagged the crack with wielding slag to hide the crack from the normal operators and from the assistant ride foremen, and then the maintenance team and the city managers just sat back and waited for the big bloodbath they wanted to happen!
A couple weeks after the maintenance team slagged the crack with wielding slag to hide it the slag broke off the track and fell to the ground under the track where the crack was, and none of the ride operators running the ride caught it!
I was a assistant ride foreman in the park at the time, and I went to the Monster Mouse to give the ride operators their fifteen minute break and I took control of the front-breaks on the ride!
I immediately noticed a noise that did not belong and I stopped sending cars and tried to ascertain where this noise was coming from!
By the time the one and only car I sent reached the cracked section of the track I found it and shut the ride down, in the nick of time!
I was berated by the maintenance team for shutting it down they were not happy I shut that ride down and the CEO of the park was grinning in a evil manner while the maintenance supervisor berated me for shutting down the ride,,,, until I told them what is wrong with the ride!
The maintenance supervisor as well as the CEO of the park was scared after I told them the track was cracked and that the track was separating as the cars went over the track!
The maintenance supervisor in an attempt to cover himself immediately began blaming his men for this, and then he stupidly admitted they “Slagged it!” and he was referring to his men!
The Maintenance supervisor TC imediately destroyed the hunk of slag that was hiding the crack because that ghunk of slag proves the maintenance teams guilt in deliberate sabotage, and Joe Norling the CEO of the park just stood there and watched him do it and said and did nothing about it!
I saved probably a dozen or so kids lives as well as a ride operators life, and what did the CEO do?
Why he did not want to get the ride fixed, he wanted to buy a Mad Mouse ride so they could use it for parts to replace the sabotaged sections of the Monster Mouse and he spent fifty thousand dollars for that Mad Mouse to use as parts!
The maintenance team was NOT fired nor prosecuted, but I was gang-stalked and harassed and terrorized by police./sheriff sting operatives ever since!
The Oaks Park maintenance team tried to kill me off the next season they sabotaged the Squirel Cage ride and one of those cars came right off the ride and crashed right next to me almost killing me!
Nobody cares the city of Portland took control of Oaks Park and installed a murderous kid-killing sting operation hell-bent on sabotaging rides in the park so the city could use that water-front property for condo’s!
No badge carrier cares and will not take complaints on police/sheriff sting operations no matter what crimes their guilty of!