Over the years, Adobe Flash Player has become the go-to distribution vector for malware. Now, there is a new competitor – Content Management Systems such as WordPress, Joomla and Drupal.
In the last year, the attention of malware creators has shifted towards the (largely) Open Source CMS systems, with WordPress representing the biggest target.
The most telling example of this shift is the hack on the website of the Linux Mint operating system. Per Distrowatch, the site that tracks Linux distribution popularity, Linux Mint is the #1 distribution, with a peak hit rate of over 3000 hits per day and increasing.
On Feb 21 2016, a blogpost on the Linux Mint website alerted users that if they had downloaded a specific version from the website, they were likely to be infected with malware. It went on to state that the website had been hacked, and the hacker had replaced the official downloads with an infected version for website users to download. In addition, the forum member list was also hacked, and the user details were on sale on the internet for $85.
In a later interview, the individual claiming responsibility for the hack stated that they gained access to the website by utilizing a security vulnerability in a WordPress plugin. They further claimed that a botnet of hundreds of these infected Linux Mint machines were now under their control.
WordPress is not the only target for malicious actors. On the 16th of February, Brian Krebs, a well-known security reporter, revealed that the website of the Coast Central Credit Union had been compromised. The culprit this time? A known vulnerability in an outdated version of Joomla. Interestingly, the hacker did not look to have done anything malicious to the site and the owners have fixed it. The next few lines from the article make it clear as to why there were no malicious actions thus far:
Holden said he’s discovered more than 13,000 sites that are currently infected with Web shells just like the one that hit Coast Central Credit Union, and that the vast majority of them are Joomla and WordPress blogs that get compromised through outdated and insecure third-party plugins for these popular content management systems. Worse yet, all of the 13,000+ backdoored sites are being remotely controlled with the same username and password.
“It’s a bot,” he said of the self-replicating malware used to deploy the Web shell that infested the credit union’s site. “It goes and exploits vulnerable sites and installs a backdoor with the same credentials.”
Fully automated malware, exploiting servers at the click of a button – in this case 13000+ sites that were exploited and left open for anyone with the knowledge to either hold the site owners to ransom or serve drive-by-downloads to create a botnet. Not a bad return on investment for about 15 minutes of work!
So why are Content Management Systems such popular targets?
Content Management Systems present a very large and shiny target – the big 3, WordPress, Joomla and Drupal account for 70% of CMS's in use and account for about 30% of all websites. Being Open Source provides a leg up to malware creators – they can easily access the source code to identify the vulnerabilities (this also means that the vulnerabilities are fixed very quickly.) Site owners are slow to update their sites, for fear of breaking any part of the website. All of these add up to a large number of sites that are ripe targets.
Cisco’s Annual Security Report 2016 has this to say about the reason WordPress is so popular among malware creators and distributors:
“Online criminals are continually on the lookout for methods to add efficiency and cost savings to their operations—along with new ways to evade detection. Increasingly, cybercriminals are finding this efficiency within websites created using WordPress, the popular website and blog development platform.”
The statistics about the growth of compromised domains and how these servers are used are quite alarming:
“Analyzing the systems used to support ransomware and other malware, Cisco security researchers found that many online criminals are shifting online activity to compromised WordPress servers. The number of WordPress domains used by criminals grew 221 percent between February and October 2015”
“Researchers also identified malware downloaders that contained a list of WordPress sites storing payloads. If one download site was not working, the malware went to the next one and downloaded malicious payloads from the working WordPress server. “
Protecting Your CMS
A website is the most significant external facing entity for an organization. It provides a huge reach to customers and enables businesses to make money. When a website is hacked, it affects an organization in more than one way – to start with, search engines such as Google will drop the ranking of compromised websites and warn against visiting them. Hackers may serve malware to visitors via the website and compromise the visitors’ computers; the web servers themselves may be used as part of a botnet; or the website may be encrypted and held for ransom, and a public notice of the hack put up on the website. Any of these is devastating for a business and causes losses in terms of goodwill, reputation and income.
In our latest firmware release (8.1), the Barracuda Web Application Firewall team is happy to announce our WordPress Template. This template is built based on our intensive testing and research. It allows you to fully secure a WordPress installation with ease, via a configuration wizard. More templates for popular web technologies will follow in our future releases.
The BARRACUDA WEB APPLICATION FIREWALL blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target the applications hosted on your web servers—and the sensitive or confidential data to which they have access.
For more information on the Barracuda Web Application Firewall, visit the product page here. To get a risk-free 30-day trial of a physical appliance or virtual edition of the Barracuda WAF, visit this page.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC. His current areas of focus are Cloud and automation. His prior roles ranged from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.