CIS CYBER ALERT
Significantly Increased Website Defacement Activity Following WordPress Vulnerability Disclosure
The Multi-State Information Sharing and Analysis Center (MS-ISAC) has identified a significant increase in state, local, tribal, and territorial (SLTT) website defacements following the announcement of a vulnerability in the WordPress Content Management System (CMS) that allows unauthenticated privilege escalation. The MS-ISAC issued a Cybersecurity Advisory on the vulnerability and patch on February 2. Thus far the number of defacements identified by the MS-ISAC is equivalent to over 1/3 of all defacement activity observed by the MS-ISAC in 2016. Based on the known cyber threat actors involved, the range of targeted entities, and concurrent open-source reporting, the MS-ISAC believes these attacks are opportunistic and do not strategically target SLTT websites.
MS-ISAC monitoring and Sucuri open source reporting identified the following indicators conducting potential exploit activity. The MS-ISAC recommends reviewing logs for activity or attempted activity by the following IP addresses and taking appropriate action:
Sucuri also proposed a method of identifying potential exploits of this vulnerability. The MS-ISAC encourages SLTT entities to consider drafting a signature for their network security device based on the following information:
* Suspicious POST attempts to "/wp-json/wp/v2/posts/[post number]" are indications of possible exploit activity, where
  - [post number] is an integer
  - POST data of vulnerable attempts may look like "id=8960justrawdata&title=By+NeT.Defacer&content=By+NeT.Defacer", where the id value is not numeric
* Suspicious GET attempts to "/wp-json/wp/v2/posts/[post number]?id=[alphanumeric]" are used to scan for vulnerable WordPress installations
  - [post number] is an integer; example of a suspicious GET: "/index.php/wp-json/wp/v2/posts/1?id=1asd"
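The two indicators above translate directly into a log check. The following script is an added example, not part of the MS-ISAC alert or Sucuri's reporting: it parses web server access logs in the common combined format, flags GET requests to a single-post REST route whose id parameter is not purely numeric (the scanning pattern), flags POST requests to that route, and, where the request body is available (for example from a WAF or mod_security audit log), raises the verdict to an exploit attempt when the posted id value is non-numeric. The log lines, IP addresses and the split into "scan", "post-to-rest-endpoint" and "exploit-attempt" verdicts are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Single-post REST route from the advisory; the optional /index.php prefix
# appears in the advisory's own example GET request.
POSTS_ROUTE_RE = re.compile(r'^(?:/index\.php)?/wp-json/wp/v2/posts/(?P<post>\d+)/?$')


def id_is_non_numeric(query):
    """True if a query string or form body carries an id value that is not purely digits."""
    ids = parse_qs(query).get("id")
    if not ids:
        return False
    return any(not value.isdigit() for value in ids)


def classify_request(method, target, body=None):
    """Return a verdict string for one request, or None if it does not match the indicators.

    body is the raw POST data when the log source records it (constructed assumption:
    access logs usually do not, WAF audit logs usually do).
    """
    parts = urlsplit(target)
    if not POSTS_ROUTE_RE.match(parts.path):
        return None
    if method == "GET" and id_is_non_numeric(parts.query):
        return "scan"  # advisory: GET ...posts/<n>?id=<alphanumeric> is a vulnerability scan
    if method == "POST":
        if body is None:
            return "post-to-rest-endpoint"  # body not logged; lower-confidence indicator
        if id_is_non_numeric(body) or id_is_non_numeric(parts.query):
            return "exploit-attempt"  # advisory: id value in exploit POST data is not numeric
    return None


def scan_access_log(lines):
    """Run the indicators over access-log lines; returns (ip, method, target, verdict) tuples."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["method"], m["target"])
        if verdict:
            hits.append((m["ip"], m["method"], m["target"], verdict))
    return hits


# Constructed sample log: one scanning host, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2017:10:01:02 +0000] "GET /index.php/wp-json/wp/v2/posts/1?id=1asd HTTP/1.1" 200 812 "-" "python-requests/2.12"
203.0.113.5 - - [06/Feb/2017:10:01:03 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1204 "-" "python-requests/2.12"
198.51.100.9 - - [06/Feb/2017:10:02:10 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Feb/2017:10:02:11 +0000] "GET /wp-json/wp/v2/posts/1?id=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Feb/2017:10:02:12 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
    # Body taken from the advisory's example POST data
    print(classify_request("POST", "/wp-json/wp/v2/posts/1",
                           "id=8960justrawdata&title=By+NeT.Defacer&content=By+NeT.Defacer"))
```

A legitimate request for a numeric id, or for the collection route without a post number, produces no hit, so the check can run over a full day of logs without drowning the two patterns the advisory describes. Because access logs do not carry the POST body, a bare POST to the single-post route is reported at lower confidence; pair it with the preceding scan GET from the same address, as in the sample, or with WAF body logging to confirm.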
Please report additional indicators to the MS-ISAC at SOC@cisecurity.org.
The MS-ISAC continues to monitor for open source web defacement activity against all SLTT websites, as well as for activity against members monitored by the MS-ISAC. The MS-ISAC recommends the following additional actions:
* Ensure no unauthorized system changes have occurred before applying patches.
* Update WordPress CMS to the latest version after appropriate testing.
* If possible, enable automatic updates from WordPress.
* Run all software as a non-privileged user to diminish effects of a successful attack.
* Review and follow WordPress hardening guidelines - http://codex.wordpress.org/Hardening_WordPress.
* Consult MS-ISAC Cyber Security Advisory 2017-011 for more technical details regarding this vulnerability at https://msisac.cisecurity.org/advisories/2017/2017-011.cfm.
If a WordPress installation was compromised, the MS-ISAC recommends replacing the website with a previous known-good copy and resetting passwords.