Significantly Increased Website Defacement Activity Following WordPress Vulnerability Disclosure

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has identified a significant increase in state, local, tribal, and territorial (SLTT) website defacements following the announcement of an unauthenticated privilege escalation vulnerability in the WordPress Content Management System (CMS). The MS-ISAC issued a Cybersecurity Advisory on the vulnerability and patch on February 2. Thus far the number of defacements identified by the MS-ISAC is equivalent to over 1/3 of all defacement activity observed by the MS-ISAC in 2016. Based on the known cyber threat actors involved, the range of targeted entities, and concurrent open-source reporting, the MS-ISAC believes these attacks are opportunistic and do not strategically target SLTT websites.

MS-ISAC monitoring and Sucuri open-source reporting identified the following IP address as conducting potential exploit activity. The MS-ISAC recommends reviewing logs for activity or attempted activity by this address and taking appropriate action:

* 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1

Sucuri also proposed a method of identifying potential exploits of this vulnerability. The MS-ISAC encourages SLTT entities to consider drafting a signature for their network security device based on the following information:

* Suspicious POST attempts to “/wp-json/wp/v2/posts/[post number]” are indications of possible exploit activity, where:
  * [post number] is an integer
  * POST data of vulnerable attempts may look like “id=8960justrawdata&title=By+NeT.Defacer&content=By+NeT.Defacer”, where the id value is not numeric
* Suspicious GET attempts to “/wp-json/wp/v2/posts/[post number]?id=[alphanumeric]” are used to scan for vulnerable WordPress installations, where:
  * [post number] is an integer; example of a suspicious GET: “/index.php/wp-json/wp/v2/posts/1?id=1asd”
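The following script is an added example, not part of the MS-ISAC advisory or of Sucuri's reporting, that turns the two request patterns above and the indicator IP address listed earlier into a log review. It reads web server access log lines in the common combined format and flags the GET scan (a non-numeric `id` query value on the posts endpoint), POSTs to that endpoint, and any request from the listed indicator address. The sample log lines, the `203.0.113.x`/`198.51.100.x` client addresses, and the verdict names (`scan`, `post_review`, `exploit_attempt`, `known_indicator`) are constructed for this example. Because ordinary access logs do not record POST bodies, a POST to the endpoint is reported as `post_review` for follow-up; the stronger `exploit_attempt` verdict is only produced when the body is supplied from a source that captures it (for example a WAF or mod_security audit log).

```python
import re
from urllib.parse import parse_qs

# Indicator address from the advisory; extend this set with your own findings.
KNOWN_INDICATORS = {"2a00:1a48:7808:104:9b57:dda6:eb3c:61e1"}

# The REST endpoint named in the advisory, with or without the /index.php
# prefix seen in the sample GET, followed by an integer post number.
POSTS_ENDPOINT = re.compile(r"^(?:/index\.php)?/wp-json/wp/v2/posts/\d+/?$")

# Combined-log prefix: client ip, identd, user, [timestamp], "METHOD target proto".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def _id_is_non_numeric(query):
    """True when the query/body string carries an id value that is not a plain integer."""
    params = parse_qs(query)
    return "id" in params and not params["id"][0].isdigit()


def classify_request(method, target, body=None):
    """Classify one request line against the advisory's two patterns.

    Returns "scan" for the GET probe, "exploit_attempt" for a POST whose
    query or body carries a non-numeric id, "post_review" for a POST to the
    endpoint when no body is available, or None for anything else.
    """
    path, _, query = target.partition("?")
    if not POSTS_ENDPOINT.match(path):
        return None
    method = method.upper()
    if method == "GET":
        return "scan" if _id_is_non_numeric(query) else None
    if method == "POST":
        if body is None:
            return "post_review"  # body needed to confirm; access logs omit it
        if _id_is_non_numeric(query) or _id_is_non_numeric(body):
            return "exploit_attempt"
        return None  # numeric id: consistent with normal authenticated editing
    return None


def scan_log(lines):
    """Run the classifier over combined-format log lines.

    Returns a list of (client_ip, verdict, "METHOD target") tuples. Requests
    from a listed indicator address are reported even when the request itself
    matches neither pattern.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, method, target = m.groups()
        verdict = classify_request(method, target)
        if verdict is None and ip in KNOWN_INDICATORS:
            verdict = "known_indicator"
        if verdict:
            hits.append((ip, verdict, f"{method} {target}"))
    return hits


# Constructed sample log lines (client addresses are documentation ranges).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [06/Feb/2017:10:15:32 +0000] "GET /index.php/wp-json/wp/v2/posts/1?id=1asd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Feb/2017:10:15:40 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Feb/2017:10:16:01 +0000] "GET /wp-json/wp/v2/posts/42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Feb/2017:10:16:05 +0000] "GET /wp-json/wp/v2/posts/42?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '2a00:1a48:7808:104:9b57:dda6:eb3c:61e1 - - [06/Feb/2017:10:17:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "-"',
]


if __name__ == "__main__":
    for ip, verdict, request in scan_log(SAMPLE_LOG_LINES):
        print(f"{verdict:16} {ip:40} {request}")
```

Point `scan_log` at real log lines (for example `scan_log(open("access.log"))`) and review every `scan` or `post_review` hit from the same client in sequence: a GET probe followed by a POST to the same post number is the order of events the advisory describes.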

Please report additional indicators to the MS-ISAC at<>.

The MS-ISAC continues to monitor for open-source web defacement activity against all SLTT websites, as well as for activity against members monitored by the MS-ISAC. The MS-ISAC recommends the following additional actions:

* Ensure no unauthorized system changes have occurred before applying patches.
* Update WordPress CMS to the latest version after appropriate testing.
* If possible, enable automatic updates from WordPress.
* Run all software as a non-privileged user to diminish effects of a successful attack.
* Review and follow WordPress hardening guidelines -
* Consult MS-ISAC Cyber Security Advisory 2017-011 for more technical details regarding this vulnerability at

If a WordPress installation was compromised, the MS-ISAC recommends replacing the website with a previous known-good copy and resetting passwords.