Analyzing Popular Layer 7 Application DDoS Attacks


Distributed Denial of Service (DDoS) attacks have been a major concern for website owners for a while. Sites of every size have been taken down and kept offline by them. Even over-provisioned servers can be knocked offline by a small DDoS attack when the hosting provider responds by null-routing the target IP address, which can keep the site down for days. Websites behind load balancers and cloud infrastructure are also susceptible, since very few of those setups are designed to absorb DDoS attacks in the variety of forms they take.
Read More

Ask Sucuri: How Did My WordPress Website Get Hacked? – A Tutorial


With the proliferation of Infrastructure and Platform as a Service providers, it is no surprise that most of today’s websites are hosted in the proverbial cloud. This is great because it allows organizations and individuals alike to deploy websites quickly, with relatively little overhead on their own infrastructure and systems. While hosting in the cloud has many positive attributes, it also has limitations, specifically when it comes to security and what you, as the website owner, are allowed to do (this depends on the host and on which features you have enabled; learn more about how hosts manage your website security).

One place this comes into play is the collection and retention of vital information in the form of logs, specifically audit and security logs.

Over the past few months we have shared a number of articles on how websites get hacked and on the impacts of those hacks. Last year we spent some time dissecting another WordPress hack using our free WordPress security plugin. Today, I want to dig a bit further into the world of incident response, specifically forensics, the art of figuring out what happened.


Read More

BIND9 – Denial of Service Exploit in the Wild


BIND is one of the most popular DNS servers in the world. It comes bundled with almost every cPanel, VPS and dedicated server installation and is used by most DNS providers.

A week ago, the Internet Systems Consortium (ISC) team released a patch for a serious denial of service vulnerability (CVE-2015-5477) that allows a remote and unauthenticated attacker to crash the BIND (named) daemon, taking down a DNS server.

The bug is in the way BIND handles TKEY queries: a single crafted UDP packet can trigger a REQUIRE assertion failure, which causes the named daemon to exit.

Exploits in the Wild

Because of its severity we have been actively monitoring to see when the exploit would go live. We can confirm that the attacks have begun. DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go down also means your email, HTTP and every other service reached by name will be unavailable.
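Two checks a practitioner would want after reading the advisory above, written here as an added example (not Sucuri's or ISC's code): whether a `named -v` version string falls inside the ranges ISC listed as affected (fixed releases 9.9.7-P2 and 9.10.2-P3; every 9.1.0 through 9.8.x release is affected), and whether BIND query-log lines show TKEY queries (type 249), since a server that only serves zones has no business receiving them. The log lines in the block are constructed to match BIND's query-log layout and are not real traffic.

```python
"""Two checks for CVE-2015-5477 (BIND TKEY assertion failure).

1. Is a given BIND version string inside the ranges ISC listed as affected?
   Fixed releases: 9.9.7-P2 and 9.10.2-P3; every 9.1.0 through 9.8.x release
   is affected and got no fix on its own branch.
2. Which query-log lines show TKEY queries?  The sample lines below are
   constructed to match BIND's query-log layout; they are not real traffic.
"""
import re

FIXED = {(9, 9): (9, 9, 7, 2), (9, 10): (9, 10, 2, 3)}   # branch -> first fixed release
OLDEST_AFFECTED = (9, 1, 0, 0)                             # 9.1.0 onward is affected
LAST_UNFIXED_BRANCH = (9, 8)                               # 9.8.x and older never got a fix

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_bind_version(text):
    """'9.9.7-P1' -> (9, 9, 7, 1); a release without -Pn gets patch level 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable_version(text):
    """True when the version is older than the fixed release on its branch,
    or sits on a branch that never received a fix."""
    v = parse_bind_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return OLDEST_AFFECTED <= v and branch <= LAST_UNFIXED_BRANCH


# Query-log line shape (constructed):
#   "... client 198.51.100.7#45133 (example.com): query: example.com IN TKEY - (192.0.2.53)"
_QUERY = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]+)\)"
)


def find_tkey_queries(lines):
    """Return (source IP, query name) for every TKEY query in the log lines."""
    hits = []
    for line in lines:
        m = _QUERY.search(line)
        if m and m.group("qtype") == "TKEY":
            hits.append((m.group("src"), m.group("name")))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "28-Jul-2015 14:02:11.347 client 198.51.100.7#45133 (example.com): query: example.com IN A + (192.0.2.53)",
    "28-Jul-2015 14:02:12.001 client 203.0.113.9#60122 (example.com): query: example.com IN TKEY - (192.0.2.53)",
    "28-Jul-2015 14:02:12.004 client 203.0.113.9#60123 (example.com): query: example.com IN TKEY - (192.0.2.53)",
    "28-Jul-2015 14:02:13.500 client 198.51.100.8#51002 (mail.example.com): query: mail.example.com IN MX + (192.0.2.53)",
]

if __name__ == "__main__":
    for ver in ("9.8.4", "9.9.7-P1", "9.9.7-P2", "9.10.2-P2", "9.10.2-P3"):
        print(ver, "VULNERABLE" if is_vulnerable_version(ver) else "fixed")
    for src, name in find_tkey_queries(SAMPLE_LOG):
        print("TKEY query for %s from %s" % (name, src))
```

TKEY is a legitimate query type for GSS-TSIG dynamic updates (Windows clients updating their records, for instance), so hits from known update clients are expected; TKEY queries arriving from the Internet at an authoritative-only server are not, and on an unpatched version each one is a potential crash. Query logging has to be enabled in named.conf for these lines to exist at all.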


Read More

Introducing Free Global Website Performance Tool

We are happy to launch a new free tool, the Global Website Performance Tester, that allows anyone to quickly check how fast a website loads from across the globe.

We extract three key metrics that are critical to the performance of any website: connection time, time to first byte (TTFB) and total load time:

  • Connection time: It measures how long it takes for the TCP session to your website to be established. For the networking geeks, it is the time the 3-way handshake takes to complete.
  • Time To First Byte (TTFB): This is one of the most important numbers to pay attention to, as it tells you how long it takes for the first byte of the response to reach the browser. It matters because as soon as the browser receives the first few bytes it can start parsing the page and displaying content to the end user.
  • Total Load Time: This shows how long it takes for the full page to be loaded.
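How those three numbers are taken, as an added example that is not the tool's own code: one raw socket, timestamps at the moments the list above defines, and a throwaway local HTTP server (constructed, with a deliberate 50 ms delay before it answers) so the measurement runs offline and TTFB is visibly larger than connection time.

```python
"""Measures the three metrics the tool reports, connection time, time to
first byte (TTFB) and total load time, with one raw socket, the way a test
station would.  To run offline it starts a throwaway local HTTP server that
delays its reply, so TTFB is visibly larger than connect time."""
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


def measure(host, port, path="/", timeout=10.0):
    """Return connect, ttfb and total times in seconds for one GET of path."""
    t0 = time.perf_counter()
    sock = socket.create_connection((host, port), timeout=timeout)
    t_connected = time.perf_counter()             # 3-way handshake done
    try:
        request = "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
        sock.sendall(request.encode("ascii"))
        chunks = [sock.recv(4096)]
        t_first_byte = time.perf_counter()        # first bytes of the response arrived
        while chunks[-1]:                         # read until the server closes
            chunks.append(sock.recv(65536))
    finally:
        sock.close()
    t_done = time.perf_counter()
    response = b"".join(chunks)
    return {
        "connect": t_connected - t0,
        "ttfb": t_first_byte - t0,
        "total": t_done - t0,
        "bytes": len(response),
        "body_complete": response.endswith(b"</html>"),
    }


class _DelayedHandler(BaseHTTPRequestHandler):
    """Constructed test server: waits DELAY seconds before answering."""
    DELAY = 0.05
    BODY = b"<html><body>hello</body></html>"

    def do_GET(self):
        time.sleep(self.DELAY)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.BODY)))
        self.end_headers()
        self.wfile.write(self.BODY)

    def log_message(self, *args):              # keep the demo quiet
        pass


def measure_local():
    """Start the local server, measure it once, shut it down, return the metrics."""
    server = HTTPServer(("127.0.0.1", 0), _DelayedHandler)   # port 0 = pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return measure("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    r = measure_local()
    print("connect %.1f ms, TTFB %.1f ms, total %.1f ms, %d bytes"
          % (r["connect"] * 1e3, r["ttfb"] * 1e3, r["total"] * 1e3, r["bytes"]))
```

Pointed at a real site, `measure(host, 80)` gives the same three numbers for plain HTTP; for HTTPS the TLS handshake would sit between connect and first byte and show up in TTFB, which is one reason TTFB is worth watching separately from connection time. Running it from one machine gives one vantage point; the value of the tool above is that it runs the same measurement from 13 locations at once.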

To give us the visibility we need for these tests, we setup 13 globally distributed testing stations:

  • 4 in USA (New York, Atlanta, Dallas and Los Angeles)
  • 1 in Canada (Montreal)
  • 4 in Europe (Germany, UK, France and Netherlands)
  • 2 in Asia (Japan and Singapore)
  • 1 in South America (Brazil)
  • 1 in Australia

And we run every test from all of them. To get started, you can test your website’s performance here: https://performance.sucuri.net
Read More

Magento Shoplift (SUPEE-5344) Exploits in the Wild

As warned a few days ago, the details of the Magento Shoplift (SUPEE-5344) vulnerability have been disclosed by the Check Point team. They show step by step how it can be exploited to take over a vulnerable Magento site.

They prepared the following video showing a Proof of Concept (PoC) in which they create a fake coupon:

That’s a simple example. This vulnerability can be exploited in much more devastating ways.

Magento ShopLift in the Wild

As expected, it is now actively being exploited.

Less than 24 hours after the disclosure, we started to see attacks in our WAF logs trying to exploit this vulnerability. They appear to come from a single crime group, since they all look the same:


Read More

Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

Multiple WordPress plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions that developers use to add to and modify the query string of URLs within WordPress.

The official WordPress documentation (the Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not: the return value has to be escaped for the context it is printed in, for example with esc_url() before it goes into an href attribute. This simple detail left many of the most popular plugins vulnerable to XSS.
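The misuse pattern and its fix, as an added example (not WordPress code and not from the advisory): add_query_arg() is modelled in Python as "merge the arguments into the current request URI and hand the result back without escaping", which is the behaviour that matters here, and the attacker-controlled request URI is constructed. The vulnerable form prints the result straight into an href; the hardened form escapes it for the attribute context first, with html.escape standing in for the escaping esc_url()/esc_attr() perform in WordPress (an assumption about what is relevant, not a claim that the functions are equivalent).

```python
"""Python model of the add_query_arg() misuse the advisory describes.  This
is not WordPress code: add_query_arg() is modelled as 'merge args into the
current request URI and return it without escaping', which is the behaviour
that matters here.  The attacker-controlled request URI is constructed."""
import html
from urllib.parse import parse_qsl, urlsplit, urlunsplit


def add_query_arg(args, request_uri):
    """Model of add_query_arg($args) when no URL is passed: it works on the
    current REQUEST_URI.  Query values are decoded on parse and written back
    without re-encoding, so anything the visitor put in the URL comes back raw."""
    parts = urlsplit(request_uri)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(args)
    rebuilt = "&".join("%s=%s" % (k, v) for k, v in query.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, rebuilt, parts.fragment))


def vulnerable_link(request_uri):
    """The pattern the advisory warns about: the return value is echoed
    straight into an href attribute, as if the function had escaped it."""
    return '<a href="%s">Next page</a>' % add_query_arg({"paged": "2"}, request_uri)


def safe_link(request_uri):
    """Hardened form: escape for the HTML attribute context before output.
    html.escape(quote=True) stands in for the escaping esc_url()/esc_attr()
    apply in WordPress (assumption: attribute escaping is the relevant part)."""
    return '<a href="%s">Next page</a>' % html.escape(
        add_query_arg({"paged": "2"}, request_uri), quote=True)


# Constructed attacker URL: a plugin admin page visited with a payload in the query string.
ATTACK_URI = "/wp-admin/admin.php?page=myplugin&foo=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    print(vulnerable_link(ATTACK_URI))   # the quote closes href and the script tag is live
    print(safe_link(ATTACK_URI))         # the payload is inert text inside the attribute
```

The point the model makes is that the payload arrives percent-encoded, which looks harmless in a log, and comes back decoded; the function cannot know whether its result is headed for an attribute, a JavaScript string or a redirect header, so the escaping belongs at the point of output, which is the rule the plugin updates applied.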

To date, this is the list of affected plugins:

There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out of date plugins now.


Read More

Critical Magento Shoplift Vulnerability (SUPEE-5344) – Patch Immediately!


The Magento team released a critical security patch (SUPEE-5344) back in February to address a remote command execution (RCE) vulnerability. More than two months after the release, over 50% of all Magento installations have still not been patched, leaving them open to attack.

This means hundreds of thousands of websites are vulnerable right now, and worse yet, they are ecommerce websites: sites that sell goods online and in the process capture personally identifiable information (PII), including credit card details. A compromise of a Magento website can be devastating for every online buyer who uses, or has used, a site built on the platform.


Read More

FBI Public Service Announcement: Defacements Exploiting WordPress Vulnerabilities


The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities:

Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.


Read More

Intro to E-Commerce and PCI Compliance – Part I


Have you ever heard the term PCI, or more specifically, PCI compliance? If you run an ecommerce website you have probably heard of it, but do you really understand what it means for you and your online business? In this series we will explain the PCI standard and how it affects you and your website.

We will focus mostly on small and medium sized ecommerce businesses, which is the category that most of our clients fall into.

  • Part I – Introduction to E-Commerce and PCI Compliance
  • Part II – PCI and E-Commerce cloud-based SMB’s (coming soon)
  • Part III – PCI and your WordPress-based ecommerce (coming soon)
  • Part IV – PCI requirements in detail for cloud-based servers – Open source can help


Read More

Understanding WordPress Plugin Vulnerabilities

The last 7 days have been very busy, with a number of vulnerabilities disclosed in multiple WordPress plugins. Some of them are minor issues, some are more relevant, and others are what we’d categorize as noise. How are you supposed to make sense of all this?

To provide some clarity on the influx of data, we want to offer some insights to help you, the website owner, navigate and understand these vulnerabilities. We will summarize and explain the ones that matter and the ones that do not.

Read More