The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities:
Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS).
The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.
The FBI also goes into more detail and explains what happens when a site does get compromised:
Successful exploitation of the vulnerabilities could result in a hacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.
This is nothing new and we have been warning and educating our users over the years through our blog and other mediums. Political defacements are very common and one of the most used forms of online protest. And when defacement is not practical, we see the same groups leveraging Distributed Denial of Service (DDoS) attacks to try to take the controversial content down.
Plugins being Exploited
The FBI disclosure doesn’t get into details on what is being exploited and what the attackers are doing. We have however had the opportunity to remediate and respond to many sites defaced by this group (and others); we will try to provide some clarity on these attacks. First, the top 2 plugins currently being exploited are:
Outdated RevSlider – Version < 4.2 – Possible Source
Outdated GravityForms – Version < v1.8.20 – Possible Source
The vulnerabilities being exploited appear to be from older versions of the plugins that have yet to be patched. We are not aware of any new vulnerabilities in either of the plugins. RevSlider in particular is the #1 target by far compared to the others. After these first two, we are seeing many attacks against FancyBox, WP Symposium, Mailpoet and other popular plugins that had vulnerabilities disclosed recently. This list is not exhaustive, as the attackers seem to try to exploit whatever they can get their hands on, but it gives you an idea of what they are looking for.
Second, the FBI report also misses one very important point. It is not just exploit attempts against plugins; we also see vulnerabilities in themes being misused, along with many brute force attacks targeted at the WordPress administration panel. All of these are used for these political defacements once the attackers can get in.
Third, their recommendations to secure WordPress are missing many important points. They link to the WordPress hardening page that provides almost no real security to the end user. It is not just about keeping it updated anymore. You have to have security in depth, you have to have monitoring, you have to leverage low-privileged users for most of your actions, you have to monitor your logs, you have to use good passwords, you have to audit the plugins and themes you are using. Last year, the popular Mailpoet WordPress plugin had a serious file upload vulnerability, allowing an attacker to upload files to the vulnerable site.
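As a starting point for the plugin audit recommended above, here is an added example (not part of the original post) that reads each plugin's Version header and flags installs older than the two thresholds listed earlier. The directory slugs `revslider` and `gravityforms` and the default `wp-content/plugins` path are assumptions about a standard install.

```python
import re
import sys
from pathlib import Path

# Minimum patched versions from the list above (RevSlider 4.2, GravityForms
# 1.8.20). The directory slugs are assumptions; adjust them to your install.
MIN_SAFE = {"revslider": (4, 2), "gravityforms": (1, 8, 20)}
# Matches a "Version:" line inside the plugin's header comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*v?([0-9][0-9.]*)", re.I | re.M)


def parse_version(text):
    """Turn '1.8.20' into (1, 8, 20) so versions compare numerically."""
    return tuple(int(p) for p in text.strip(".").split(".") if p.isdigit())


def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress only scans the first 8 KB of a file for plugin headers.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if "Plugin Name:" in head:
            m = HEADER_RE.search(head)
            return parse_version(m.group(1)) if m else None
    return None


def audit(plugins_root):
    """Return (slug, version, status) for each watched plugin that is installed."""
    findings = []
    for slug, minimum in MIN_SAFE.items():
        path = Path(plugins_root) / slug
        if not path.is_dir():
            continue
        found = installed_version(path)
        if found is None:
            findings.append((slug, None, "unknown"))  # no header: review by hand
            continue
        n = max(len(found), len(minimum))
        a, b = (v + (0,) * (n - len(v)) for v in (found, minimum))  # 4.2 == 4.2.0
        status = "outdated" if a < b else "ok"
        findings.append((slug, ".".join(map(str, found)), status))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for row in audit(root):
        print(row)
```

Some themes bundle their own copy of a plugin outside `wp-content/plugins`, so a clean result here does not cover those copies.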