CIS CYBER ALERT

DATE ISSUED:
02/08/2017

SUBJECT:
Significantly Increased Website Defacement Activity Following WordPress Vulnerability Disclosure

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has identified a significant increase in state, local, tribal, and territorial (SLTT) website defacements following the public disclosure of a vulnerability in the WordPress Content Management System (CMS) that allows unauthenticated privilege escalation. The MS-ISAC issued a Cybersecurity Advisory on the vulnerability and its patch on February 2. Thus far, the number of defacements identified by the MS-ISAC is equivalent to over 1/3 of all defacement activity observed by the MS-ISAC in 2016. Based on the known cyber threat actors involved, the range of targeted entities, and concurrent open-source reporting, the MS-ISAC believes these attacks are opportunistic and do not strategically target SLTT websites.

INDICATORS:
MS-ISAC monitoring and Sucuri open-source reporting identified the following IP addresses as sources of potential exploit activity. The MS-ISAC recommends reviewing logs for activity or attempted activity from these addresses and taking appropriate action:

* 37.237.192.22
* 71.19.248.195
* 134.213.54.163
* 144.217.81.160
* 176.9.36.102
* 185.116.213.71
* 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1

Sucuri also proposed a method of identifying potential exploits of this vulnerability. The MS-ISAC encourages SLTT entities to consider drafting a signature for their network security device based on the following information:

* Suspicious POST attempts to “/wp-json/wp/v2/posts/[post number]” are indications of possible exploit activity, where:
  * [post number] is an integer
  * POST data of vulnerable attempts may look like “id=8960justrawdata&title=By+NeT.Defacer&content=By+NeT.Defacer”, where the id value is not numeric
* Suspicious GET attempts to “/wp-json/wp/v2/posts/[post number]?id=[alphanumeric]” are used to scan for vulnerable WordPress installations, where:
  * [post number] is an integer; example of a suspicious GET: “/index.php/wp-json/wp/v2/posts/1?id=1asd”
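The following script turns the indicators above into a log check. It is an added example for this alert, not MS-ISAC or Sucuri code: it parses combined-format web-server access log lines (an assumed format; adjust the regex to your server), flags requests from the listed IP addresses, flags GET requests to the posts route whose id query value is not numeric, and flags POST requests whose form body carries a non-numeric id. Because access logs do not record POST bodies, the body check takes the body as a separate argument, as a WAF or reverse-proxy log would supply it. The log lines and POST body are constructed for illustration and modelled on the alert's examples; checking the query string of a POST as well as its body is an added generalisation beyond the alert's wording.

```python
"""Detection logic for the WordPress REST API exploit patterns described in the alert.

Added example, not MS-ISAC or Sucuri code. The access-log lines and POST body
below are constructed for illustration; the log regex assumes Apache/nginx
combined format and should be adjusted to the server in use.
"""
import ipaddress
import re
from urllib.parse import parse_qs

# Source addresses listed in the alert, parsed so that IPv6 text compares reliably.
INDICATOR_IPS = {
    ipaddress.ip_address(a) for a in (
        "37.237.192.22", "71.19.248.195", "134.213.54.163", "144.217.81.160",
        "176.9.36.102", "185.116.213.71", "2a00:1a48:7808:104:9b57:dda6:eb3c:61e1",
    )
}

# /wp-json/wp/v2/posts/<post number>, optionally behind /index.php as in the
# alert's GET example. The captured group is the integer post number.
POSTS_ROUTE = re.compile(r"^(?:/index\.php)?/wp-json/wp/v2/posts/(\d+)/?$")

# Combined-format access log line (assumed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _has_non_numeric_id(encoded):
    """True if a urlencoded query/body string carries an id value that is not an integer."""
    values = parse_qs(encoded, keep_blank_values=True).get("id", [])
    return any(not v.isdigit() for v in values)


def classify_request(ip, method, target, body=""):
    """Return the alert's reasons that one request looks suspicious (empty list = clean)."""
    reasons = []
    try:
        if ipaddress.ip_address(ip) in INDICATOR_IPS:
            reasons.append("source IP listed in alert")
    except ValueError:
        pass  # unparsable address field; still evaluate the request itself
    path, _, query = target.partition("?")
    if POSTS_ROUTE.match(path):
        if method == "GET" and _has_non_numeric_id(query):
            reasons.append("GET scan for vulnerable REST API (non-numeric id in query)")
        # Body is where the alert places the id; the query check is an added generalisation.
        if method == "POST" and (_has_non_numeric_id(body) or _has_non_numeric_id(query)):
            reasons.append("POST content-injection pattern (non-numeric id)")
    return reasons


def scan_access_log(text):
    """Return (ip, target, reasons) for every suspicious line of a combined-format log."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a recognised access-log line
        reasons = classify_request(m["ip"], m["method"], m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


# Constructed sample log: one scan from a listed IP, one benign read, one POST whose
# body the access log cannot show. 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_ACCESS_LOG = """\
176.9.36.102 - - [06/Feb/2017:10:01:12 +0000] "GET /index.php/wp-json/wp/v2/posts/1?id=1asd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2017:10:02:30 +0000] "GET /wp-json/wp/v2/posts/42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.5 - - [06/Feb/2017:10:03:01 +0000] "POST /wp-json/wp/v2/posts/8960 HTTP/1.1" 200 300 "-" "python-requests/2.13"
"""

# A POST body as a WAF or proxy log would record it (constructed, modelled on the alert).
SAMPLE_POST_BODY = "id=8960justrawdata&title=By+NeT.Defacer&content=By+NeT.Defacer"

if __name__ == "__main__":
    for ip, target, reasons in scan_access_log(SAMPLE_ACCESS_LOG):
        print(ip, target, "; ".join(reasons))
    print(classify_request("198.51.100.5", "POST", "/wp-json/wp/v2/posts/8960", SAMPLE_POST_BODY))
```

Run against the sample, the first line is reported twice over (listed source IP and the non-numeric id scan), the benign read of post 42 is not reported, and the POST line is only caught once its body is available from a WAF or proxy log; a plain access log cannot distinguish it from a legitimate edit.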

Please report additional indicators to the MS-ISAC at SOC@cisecurity.org.

RECOMMENDATIONS:
The MS-ISAC continues to monitor for open-source reports of web defacement activity against all SLTT websites, as well as for activity against members monitored by the MS-ISAC. The MS-ISAC recommends the following additional actions:

* Ensure no unauthorized system changes have occurred before applying patches.
* Update WordPress CMS to the latest version after appropriate testing.
* If possible, enable automatic updates from WordPress.
* Run all software as a non-privileged user to diminish effects of a successful attack.
* Review and follow WordPress hardening guidelines - http://codex.wordpress.org/Hardening_WordPress.
* Consult MS-ISAC Cyber Security Advisory 2017-011 for more technical details regarding this vulnerability at https://msisac.cisecurity.org/advisories/2017/2017-011.cfm.

If a WordPress installation was compromised, the MS-ISAC recommends replacing the website with a previous known-good copy and resetting passwords.

REFERENCES:

* https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
* https://blog.sucuri.net/2017/02/wordpress-rest-api-vulnerability-abused-in-defacement-campaigns.html
* https://msisac.cisecurity.org/advisories/2017/2017-011.cfm