
FBI Public Service Announcement: Defacements Exploiting WordPress Vulnerabilities

The US Federal Bureau of Investigation (FBI) has released a public service announcement (PSA) about a large number of websites being compromised through WordPress plugin vulnerabilities:

Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.


The FBI also goes into more detail and explains what happens when a site does get compromised:

Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.

This is nothing new; we have been warning and educating our users about it for years through our blog and other channels. Political defacements are very common and one of the most widely used forms of online protest. When a defacement is not practical, we see the same groups turning to Distributed Denial of Service (DDoS) attacks to try to take the controversial content down.

Plugins Being Exploited

The FBI disclosure doesn’t go into detail on what is being exploited or what the attackers are doing. We have, however, had the opportunity to remediate and respond to many sites defaced by this group (and others), so we will try to provide some clarity on these attacks.

First, the top two plugins currently being exploited are RevSlider and Gravity Forms.

The vulnerabilities being exploited are in older versions of these plugins that site owners have not updated; the current releases of both plugins fix them. We are not aware of any new vulnerabilities in either plugin.

RevSlider is #1 by far compared to the others. After these first two, we are seeing many attacks against FancyBox for WordPress, WP Symposium, MailPoet and other popular plugins that had vulnerabilities disclosed recently. This list is not exhaustive at all; the attackers try to exploit whatever they can get their hands on, but it gives you an idea of what they are looking for.
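Checking which of these plugins you run, and at what version, is easy to script. The example below is added here and is not Sucuri’s code: it parses the standard WordPress plugin header (the `Plugin Name:` / `Version:` comment block that WordPress itself reads from the first 8 KiB of a plugin’s main file) and flags any plugin below a fix floor. The floor versions in `FIX_FLOORS` are taken from the comment thread on this post and are illustrative only; confirm them against each vendor’s changelog before relying on them. The sample plugin files are constructed.

```python
"""Audit installed WordPress plugin versions against known fix floors.

WordPress reads plugin metadata from a comment header in the plugin's main
PHP file ("Plugin Name:", "Version:", ...). This script parses that header
and flags every plugin whose version is below the release that fixed a
known issue.
"""
import re
from itertools import zip_longest

# A plugin BELOW its floor is flagged. These values are taken from the comment
# thread on this post (RevSlider < 4.2, Gravity Forms < 1.8.20, Fancybox for
# WordPress <= 3.0.2) and are illustrative: verify them against each vendor's
# changelog before use.
FIX_FLOORS = {
    "revslider": "4.2",
    "gravityforms": "1.8.20",
    "fancybox-for-wordpress": "3.0.3",
}

# Matches "Version: 1.2.3" or " * Version: 1.2.3" at the start of a line.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_plugin_header(php_source: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin file.

    Only the first 8 KiB are scanned, like WordPress's own header reader, so
    a 'Version:' string buried in code further down is not taken as metadata.
    """
    return {key: value for key, value in HEADER_RE.findall(php_source[:8192])}


def version_key(version: str) -> tuple:
    """Turn '1.8.20' into (1, 8, 20); non-numeric suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(a: str, b: str) -> bool:
    """Component-wise numeric 'a < b', so 1.8.20 < 1.9 and 4.1.4 < 4.2."""
    for x, y in zip_longest(version_key(a), version_key(b), fillvalue=0):
        if x != y:
            return x < y
    return False


def audit_plugins(installed: dict, floors: dict = FIX_FLOORS) -> list:
    """installed maps plugin slug -> source of the plugin's main PHP file.

    Returns (slug, installed_version, fix_floor) for every plugin below its
    floor. Plugins with no floor entry are skipped; a plugin whose header
    cannot be parsed is reported as 'unknown' rather than silently passed.
    """
    findings = []
    for slug, source in installed.items():
        floor = floors.get(slug)
        if floor is None:
            continue
        version = parse_plugin_header(source).get("Version")
        if version is None or version_lt(version, floor):
            findings.append((slug, version or "unknown", floor))
    return findings


# Constructed sample plugin files (not real plugin code), as they would be
# read from wp-content/plugins/<slug>/<slug>.php.
SAMPLE_INSTALL = {
    "revslider": "<?php\n/*\nPlugin Name: RevSlider\nVersion: 4.1.4\n*/\n",
    "gravityforms": "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 1.9.1\n*/\n",
    "fancybox-for-wordpress": "<?php\n/**\n * Plugin Name: FancyBox for WordPress\n * Version: 3.0.2\n */\n",
    "hello": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
}

if __name__ == "__main__":
    for slug, version, floor in audit_plugins(SAMPLE_INSTALL):
        print(f"OUTDATED {slug}: installed {version}, fixed in {floor}")
```

On a real install, feed `audit_plugins` the contents of each `wp-content/plugins/<slug>/*.php` file that carries a `Plugin Name:` header. Note the numeric comparison: a naive string compare would rank `1.8.20` above `1.9`, which is exactly the kind of mistake that hides an outdated plugin.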

Second, the FBI report also misses one very important point about the attack vector. It is not just vulnerability exploitation attempts against plugins: we also see vulnerabilities exploited in themes, along with many brute force attacks against the WordPress login (wp-login.php) and administration panel. All of these are used by the political defacement groups to get in.

Third, their recommendations for securing WordPress are missing some important points. They link to the WordPress hardening page, which on its own provides little real protection to the end user.

It is not just about keeping it updated anymore. You have to have security in depth, you have to have monitoring, you have to leverage low-privileged users for most of your actions, you have to monitor your logs, you have to use good passwords, you have to audit the plugins and themes you are using.
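As an added example (not part of the original post), here is the kind of log check the paragraph above asks for, run over a few constructed combined-format access log lines. It flags an IP that POSTs to wp-login.php at least `threshold` times within `window_s` seconds (brute force against the login), and an IP that requests paths under wp-content/plugins/ for plugins that are not installed on the site (an attacker probing for whatever they can get their hands on). The installed-plugin set, the thresholds and the log lines are assumptions made for the demo.

```python
"""Flag WordPress brute-force and plugin-probing activity in web server logs.

Works on Apache/nginx combined log format lines and raises two alert kinds:
  brute_force  - too many POSTs to wp-login.php from one IP in a short window
  plugin_probe - requests under wp-content/plugins/<slug>/ for a slug that is
                 not installed, i.e. someone scanning for whatever they can hit
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PLUGIN_PATH_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/?]+)/")


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, installed_plugins, threshold=5, window_s=60):
    """Return a list of (kind, ip, detail) alerts for the given log lines.

    Brute force uses a per-IP sliding window of login POST timestamps, so a
    handful of logins spread over a day is not flagged but a burst is. Each
    IP is reported at most once per alert kind.
    """
    alerts = []
    login_times = defaultdict(deque)
    flagged = set()
    probed = defaultdict(set)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        path = rec["path"].split("?", 1)[0]  # drop the query string

        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            q = login_times[ip]
            q.append(rec["ts"])
            while (q[-1] - q[0]).total_seconds() > window_s:
                q.popleft()  # expire timestamps that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip,
                               f"{len(q)} POSTs to wp-login.php within {window_s}s"))

        pm = PLUGIN_PATH_RE.match(path)
        if pm and pm.group("slug") not in installed_plugins:
            probed[ip].add(pm.group("slug"))

    for ip, slugs in sorted(probed.items()):
        alerts.append(("plugin_probe", ip,
                       "requested plugins not installed here: " + ", ".join(sorted(slugs))))
    return alerts


# Constructed sample log lines (not from a real server); the site is assumed
# to have only these two plugins installed.
INSTALLED_PLUGINS = {"revslider", "akismet"}
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Apr/2015:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Apr/2015:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 21000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2015:10:02:00 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 200 512 "-" "curl/7.38"',
    '192.0.2.9 - - [10/Apr/2015:10:02:01 +0000] "GET /wp-content/plugins/wp-symposium/readme.txt HTTP/1.1" 404 220 "-" "curl/7.38"',
    '192.0.2.9 - - [10/Apr/2015:10:02:02 +0000] "GET /wp-content/plugins/fancybox-for-wordpress/readme.txt HTTP/1.1" 404 220 "-" "curl/7.38"',
]

if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG, INSTALLED_PLUGINS):
        print(f"[{kind}] {ip}: {detail}")
```

The single legitimate login from 198.51.100.3 produces nothing, while the burst from 203.0.113.7 and the scan from 192.0.2.9 each produce one alert. Pipe your real access log into `detect` (one line per element) and tune `threshold` and `window_s` to your traffic; the probe check also tells you which plugins attackers expect to find, which is useful input for the audit of what you actually run.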

Note that the RevSlider vulnerability was also used in the mass malware campaign called SoakSoak back in December 2014, and is still causing website owners issues today.

If you are looking for a comprehensive security solution for your WordPress websites, try our Website Firewall: https://sucuri.net/website-firewall. We call it a Firewall, but in reality, it is a cloud-based Intrusion Detection and Prevention system (IDS/IPS) for websites; one that can protect your site from the attacks described in this post and that the FBI is now warning us all about.

  • Chris

    Which version of GravityForms?

  • carlhancock

    Okay guys, you seriously need to do a better job of communicating things like this to the public in a more responsible manner when naming products by name. You mention Gravity Forms but provide zero details related to the version, etc.

    If you’re referring to a vulnerability in old versions of Gravity Forms then you need to include details like this when publishing information like this. Otherwise all you are doing is causing alarm for our users who see this and think the current version of Gravity Forms is involved, which is not the case.

    If you’re aware of a vulnerability in the current version of Gravity Forms then by all means communicate that to us directly and privately via the disclosure practices you’ve published on your own blog before disclosing it publicly. You haven’t done so, therefore I’m going to assume this is in reference to old versions of Gravity Forms being exploited on sites that have not been keeping up to date with plugin updates.

    Either way, publishing information like this without providing those types of details is irresponsible and potentially brand damaging. I expect more of you guys.

    • Chris

      I agree. I flipped out when I read this, and hence why I asked for the version number (below). More due diligence should be done when making such grandiose claims, especially when it affects literally thousands of users.

      • carlhancock

        As far as I am aware, and I do not believe Sucuri is aware of an unpatched vulnerability, it’s related to a vulnerability that was patched in early December. We’ve also released numerous updates since then. If Sucuri knows something we don’t I would expect them to communicate with us privately prior to any kind of public disclosure. That hasn’t happened any time recently.

        We constantly preach keeping WordPress, plugins and themes up to date as a best practice. We have background automatic updates built in with Gravity Forms v1.9+ and suggest users enable it in the settings. Short of beating users over the head and forcing them to click the update button at gun point there’s not much more we can do to get people to keep WordPress up to date. If you manage your own WordPress site there’s personal responsibility related to keeping things up to date that comes along with that.

        Had sites kept things up to date this would not have occurred as we didn’t begin to see this particular vulnerability exploited in the wild until after the security disclosure was published publicly in December.

        I wrote about the issue of updates as it relates to WordPress and users here: http://carlhancock.com/wordpress-has-an-update-problem/

        WordPress as a project and a community needs to do more as it relates to updates. If users are going to be lazy about updating, WordPress needs to do more to force updates on users. Updates aren’t really a choice, they are a necessity when it comes to keeping your WordPress site secure.

      • I disagree. This was an article about the FBI, not a post about a new security vulnerability. Not sure how you guys are confusing the two. As far as versions… https://wpvulndb.com/search?text=gravity

    • @carlhancock

      If this was related to a new vulnerability we would have disclosed it as such. This post has nothing to do with any brand or new vulnerability, it’s related to the PSA recently released by the FBI.

      It just so happens that GravityForms is on the list because it is being used as a vector via old vulnerabilities. If you have concerns, please engage us, you have our direct contact information. The point of the post had nothing to do with any brand, but more to place focus on what today’s threats look like. Sorry that your brand was caught in the mix.

      It’s unfortunate you see it as irresponsible, we’ll have to agree to disagree in the approach.

      Thanks

      Tony

      • carlhancock

        My issue isn’t with the overall message, it’s the lack of detail that is included.

        Nowhere in this post does it mention this is related to old versions of Gravity Forms and if you’ve been keeping your WordPress install up to date you should be just fine. It simply says Gravity Forms is being exploited.

        We’ve had multiple users ask us about it, they saw this post and panicked when it wasn’t necessary as they were running up to date versions and so they were not vulnerable. The distinction isn’t clear to users the way it is presented.

        The version information and the fact that the issue in question has been patched for some time is an important piece of information to include. Otherwise people will make the false assumption that the version of Gravity Forms that is currently available is vulnerable. Causing users to panic and people to publicly claim the current version is vulnerable based on what they read here alone. Some have already done so.

        I’d appreciate if you guys would update the post to include that additional information.

        • Good point. Updated to clarify that it is only outdated versions.

          As Tony mentioned, the goal was just to explain what is causing these compromises and not to put any specific plugin on the spot. Because, in reality, the plugin itself does not matter. It is the lack of care and good security posture that leads to bad decisions, like leaving plugins outdated for months or using bad passwords.

          thanks,

        • It’s not the first time this complaint has been put on Sucuri. Any time you write about security you have to be sure to dot your I’s and cross your Q’s because otherwise you see panic. I don’t believe Sucuri would try to exploit that panic for traffic, but they could do a bit of a better job with their details and disclosure methods. I’m wary if this would ever happen to us. Regardless, the information published here is valuable for all WordPress users and I’m thankful for it.

        • Hi

          I have further updated this post with an additional disclaimer, and I’ve added some links to sources of information to help address some of the confusion.

          Thanks

          Tony

          • carlhancock

            I appreciate it @Tony and @Daniel. Thanks for taking care of it. Just didn’t want additional people misunderstanding the current situation.

            I agree, the plugin itself does not matter. Software has bugs, it has security vulnerabilities. Be it the OS itself like Windows, OSX, iOS, etc. or web software like WordPress core, plugins and themes.

            All of them require being diligent with software updates and it’s something that is a major issue in the WordPress install base. Users simply aren’t keeping their WordPress sites updated.

            This issue is something that WordPress as a project is going to need to tackle and improve upon. Core background automatic updates were a great first step. But it’s still only maintenance releases, not major version releases and doesn’t truly help much when it isn’t automatically extended to plugins and themes by default.

            Because the barrier to entry is so low to create a WordPress site we have a very large user base of people who simply don’t realize it isn’t “set it and forget it”. You HAVE to maintain your site and install updates on a regular basis as standard practice or you are leaving your front door unlocked. Reaching those people and convincing them of the importance of software updates is critical and it’s something we’re currently failing at as a community.

            We have users who say they haven’t updated because it works and they don’t need the new features so why bother? That makes me cringe. I think background automatic updates for plugins as the default (but with hook to disable or customize) is a must and something WordPress needs to move towards. Currently it’s possible but a hook is used to enable, not disable this functionality.

            It’ll be painful. But I think it’s the only real solution for driving home the importance and giving users no excuse for not keeping things updated.

    • Chris

      I panicked too. I knew about RevSlider, but not about GravityForms. A simple link to some relevant disclosures (or even blogposts from your own site) would have been enough.

      There was a GF vulnerability in December 2014, so I’m guessing it’s versions below 1.8.20 which should be considered insecure:
      http://www.gravityhelp.com/gravity-forms-v1-8-20-released/

  • Hi

    We’re not aware of any new vulnerabilities that are contributing to this issue.

    Thanks

  • It would be nice if you could change the rev slider one to “Version < 4.2” instead of “Version Too Many To Assess”. May as well provide that detail…

  • Denis Sinegubko

    I can confirm that some ISIS defacements exploit the “Fancybox for WordPress” vulnerability (version 3.0.2 and older). http://blog.sucuri.net/2015/02/analysis-of-the-fancybox-for-wordpress-vulnerability.html

    It’s the simplest way, since only one request is needed to inject extra content into web pages.

    The hacks I saw injected a script changing the title to “Hacked by Islamic State” and then HTML code with a base64-encoded inline image of the ISIS banner and an embedded YouTube video.

  • Luke

    To the people complaining about the lack of info about Gravity forms: https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html

    “It is not just about keeping it updated anymore. You have to have security in depth, you have to have monitoring, you have to leverage low-privileged users for most of your actions, you have to monitor your logs, you have to use good passwords, you have to audit the plugins and themes you are using.”

    I want to engrave that on a hammer and hit some people with it. So many people come to me saying, “But I had a good password!” Sure, but did you do everything else?

  • Arifur Rahman

    I really agree with carlhancock. Before publishing an article publicly you need to be more specific about the module version number and when it was released, not only mention the module name. This creates confusion for customers. It is not the developer’s responsibility to check whether their customers are using a one-year-old module. Theme and module developers update their products all the time for better security and stability. Customers have to update their items when an update is released.
    Hope I can give a clear idea 🙂