The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities:
Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.
The FBI also goes into more detail and explains what happens when a site does get compromised:
Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.
This is nothing new and we have been warning and educating our users over the years through our blog and other mediums. Political defacements are very common and one of the most used forms of online protest. When a defacement is not practical, we see the same groups leveraging Distributed Denial of Service (DDoS) attacks to try to take the controversial content down.
Plugins Being Exploited
The FBI disclosure doesn’t get into details on what is being exploited and what the attackers are doing. We have however had the opportunity to remediate and respond to many sites defaced by this group (and others); we will try to provide some clarity on these attacks.
First, the top 2 plugins currently being exploited are:
- Outdated RevSlider – Version < 4.2 – Possible Source
- Outdated GravityForms – Version < v1.8.20 – Possible Source
The vulnerabilities being exploited appear to be from older versions of the plugins that have yet to be patched. We are not aware of any new vulnerabilities in either of the plugins.
RevSlider especially, which is by far the #1 target compared to the others. After these first two, we are seeing many attacks against FancyBox, WP Symposium, MailPoet and other popular plugins that had vulnerabilities disclosed recently. This list is not exhaustive at all; it seems the attackers try to exploit whatever they can get their hands on, but it gives you an idea of what they are looking for.
Second, the FBI report also misses one very important point about the attack vector: it is not just vulnerability exploitation attempts against plugins. We also see vulnerabilities exploited in themes, along with many brute force attacks targeted at the WordPress administration panel. These political defacement groups use all of these vectors to get in.
Third, their recommendations to secure WordPress are missing some important points. They link to the WordPress hardening page that provides almost no real security to the end user.
It is not just about keeping WordPress updated anymore. You have to have security in depth: monitoring, low-privileged users for most of your actions, regular review of your logs, good passwords, and an audit of the plugins and themes you are using.
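The brute force attempts against the administration panel and the advice to watch your logs come together in the script below. It is an added example, not code from the original post or from Sucuri; it assumes Apache combined-format access logs, runs over constructed sample lines, and uses an assumed starting threshold of 10 login POSTs from one client inside 5 minutes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Apache "combined" format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict; malformed lines yield None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_login_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: total POSTs} for clients posting to wp-login.php at least
    `threshold` times inside any sliding `window` (a guessing script does that)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample traffic (not real log data): one client hammering the login
# form, one admin logging in normally, and ordinary page views from a third IP.
BASE = datetime(2015, 4, 7, 10, 0, 0, tzinfo=timezone.utc)
def make_line(ip, offset_s, method="POST", path="/wp-login.php", status=200):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3421 "-" "Mozilla/5.0"'
SAMPLE_LOG = ([make_line("203.0.113.7", 5 * i) for i in range(12)]                 # 12 POSTs in 55 s
              + [make_line("198.51.100.4", 3600 * i, status=302) for i in range(3)]  # 3 logins in 3 h
              + [make_line("192.0.2.9", 7 * i, "GET", "/2015/04/some-post/") for i in range(20)])
```

Feeding real access logs through `detect_login_bruteforce` gives you a list of clients to rate-limit or block at the web server; the same sliding-window logic applies to any other path you consider sensitive.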
Note that the RevSlider vulnerability was also used in the mass malware campaign called SoakSoak back in December, and it is still causing website owners issues today.
If you are looking for a comprehensive security solution for your WordPress websites, try our Website Firewall: https://sucuri.net/website-firewall. We call it a Firewall, but in reality, it is a cloud-based Intrusion Detection and Prevention system (IDS/IPS) for websites; one that can protect your site from the attacks described in this post and that the FBI is now warning us all about.