This is a story about the SoakSoak malware campaign that proved that you can’t underestimate impact of security issues in popular premium software.
These days, the majority of popular content management systems are 100% free: WordPress, Magento, Joomla, Drupal, etc. Moreover, most CMS extensions are also free. In fact, modern webmasters can build any type of site entirely through free software. Most popular software has thousands — or even millions — of installations. Their source code is open, and it’s easy for hackers to search for security bugs. It’s clear that when found, these vulnerabilities have the ability to impact a significant number of websites.
On the other hand, premium software is also readily available and may be popular in certain niches where people are ready to pay money for important features. However, the source code for paid software is not available without buying it, which adds a barrier against bad actors seeking vulnerabilities to exploit. You can hardly expect premium software to be as prevalent as free, so the impact of exploited vulnerabilities should be lower.
At the end of 2014, WordPress community learned that this isn’t always true — the hard way.
What Happened?
Five years ago, on the weekend of December 13-14, 2014, we witnessed the first strike of SoakSoak tsunami.
SoakSoak 1.0
Literally overnight, tens of thousands WordPress sites got infected with malware that loaded a script from “hxxp://soaksoak[.]ru/xteas/code” (which gave SoakSoak the name to the whole wave of related infections).
On Sunday, December 14, 2014, Google had already blacklisted 11,000+ domains for loading SoakSoak (we estimated the real number of affected websites much higher).
SoakSoak 1.1
On Monday, December 15, 2014, we found a new variation of the malware that loaded a Flash object containing an invisible iframe from “hxxp://milaprostaya[.]ru/images/”.
SoakSoak 2
A week later, on December 21, 2014, there was a new massive wave of infections. This time, malware loaded a Flash object (wp-includes/js/swfobjct.swf) and a script from “hxxp://ads .akeemdom .com/db26”.
Several other less prominent malware campaigns using the same infection mechanism were also active at this time.
Record Breaking Month for Sucuri
Beginning December 14, 2014, Sucuri started to receive a lot of malware removal requests from affected websites. Typically a slow month, that December broke historical records for the number of websites we cleaned. The number of malware detections by our SiteCheck scanner doubled during the second part of December.
Everyone who worked at Sucuri at that time, regardless of their title and position, worked in the queue cleaning websites. To cope with the increased volume of tickets, we had to improve our cleanup tools and overall cleanup process, which ultimately helped us scale to the number of clients we have now.
Vulnerable Slider Revolution Plugin
Shortly after we started receiving a massive influx in cleanup requests, we had identified the common component in all these infections along with the vulnerabilities that allowed hackers to compromise so many sites.
Hackers actively exploited two vulnerabilities in a popular premium plugin called Slider Revolution (or RevSlider – the name of the directory it used).
Published: September 1, 2014
Affected versions: < 4.2
Discovered: October 15, 2014
Published: November 26, 2014
Affected Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro)
Both security holes had been patched long before the massive attacks began.
- The file download vulnerability was fixed in February 2014.
- The file upload security hole (exploited by SoakSoak) was fixed since 2013.
While we’d seen attacks in the wild for a few months before SoakSoak, none of them were as massive.
Why Was This Attack so Massive?
You might be wondering why long patched vulnerabilities in a premium plugin made it possible to infect so many sites in a very short time. If we analyze all of the factors that contributed to the success of the SoakSoak attack, the reason how this massive infection occurred becomes clear.
WordPress Market Share
First of all, the market share of WordPress is huge. At the time of the attack, more than 60 million websites were estimated to be powered by WordPress. Even 1% would be more than half a million, which is a very impressive number.
Most Popular Slider Plugin
Slider Revolution is a premium plugin from ThemePunch that provides a highly customizable all-purpose slide displaying solution. At that time, it was the most popular slider plugin on Envato with over 50,000 sales.
RevSlider Bundled with Thousands of Themes
ThemePunch had a special ThemeForest license for developers who sell their themes on ThemeForest.net. At the end of 2014, 1,200 third-party themes contained RevSlider/ShowBiz plugins.
During this time, Revslider was a part of the #1 top selling WordPress theme Avada. At the end of 2014, this theme alone reported 100,000+ users.
Theme users might not even realize that the third-party RevSlider plugin was installed along with these themes.
Nulled Software
Of course, pirates also leveraged the popularity of these premium plugins and themes. Many webmasters ignored the moral- and security-related questions of using pirated software and installed nulled RevSlider on their sites.
All in all, we estimate there were more than 1 million sites using the Slider Revolution plugin at the time of SoakSoak infection.
One Can’t Simply Update Premium Software
Now that we have an estimate of the plugin usage, let’s think about why hackers managed to massively exploit vulnerabilities that had been patched months before the attack.
Updating is typically not straightforward for premium software. Patched versions are not available unless you are a paid user. Sometimes, only minor updates are free and you have to pay for major upgrades.
In the case of Slider Revolution, upgrades from versions older than 4.1.5 couldn’t be called completely effortless, so some webmasters decided to stay with their current version.
No Reliable Updates for Bundled Plugins
At the time, third-party themes that used RevSlider didn’t include auto-updating functionality for bundled plugins. This meant that RevSlider could only be updated if the theme developers decided to include a new version of the plugin in their theme updates (which, again, could be paid for, unavailable, or just ignored).
Ignoring new version releases for third-party software is quite common, even if they are free and easy to install. Lack of time and fear that the update will break something are the most common reasons. ThemePunch did not emphasize security fixes in new versions, so there had been no special incentive to upgrade the plugins (both for webmasters and theme developers).
The combination of all the above-mentioned factors resulted in hundreds of thousands of websites using vulnerable versions of RevSlider in December 2014. Many of them used more than one year old versions <= 3.0.95.
After the publication of RevSlider exploits, it was just a matter of time for hackers to come up with automated solutions to find and infect compromised sites. The SoakSoak campaign did that very efficiently — it’s scope exceeded most other malware infections that Sucuri has dealt with in the past 10 years.
Conclusion
Here are the main takeaways from the SoakSoak infections:
- Premium and closed-source software are not immune to hacker attacks.
- Popular premium themes and plugins have massive user bases and hackers will always try to find a way to exploit them.
- Timely updating for paid software is as important as updating the CMS itself, along with any free components. If you use a theme with bundled premium plugins, you rely on the theme developers for the plugin updates.
- There are many reasons why you should not use pirated software. Not receiving security updates is one of them.
To minimize risks associated with untimely software updates, websites should consider using web application firewalls that virtually patch most known — and not-yet-known — security holes.