
WordPress Plugins Exploitation Through the Big Data Prism

Overview

According to Wikipedia, WordPress is a free and open source blogging tool and a content management system (CMS) based on PHP and MySQL, which runs on a web hosting service. Features include a plug-in architecture and a template system. WordPress is used by more than 18.9% of the top 10 million websites as of August 2013. WordPress is the most popular blogging system in use on the Web, at more than 60 million websites.
In recent years, the security posture of WordPress plugins has been a topic of much interest, mostly due to the abundance of security vulnerabilities that have been found and published. A quick search of the CVE database for the terms 'WordPress' and 'plugin' returns 64 different vulnerability disclosures in 2013 alone - obviously a high number by any standard.

In June 2013, Checkmarx, a source code analysis vendor, released a very thorough and interesting whitepaper on the topic of WordPress plugin security, listing the most vulnerable plugins.

While reading Checkmarx's whitepaper, and going through the long list of vulnerable WordPress plugins, we felt that a few critical questions were still left unanswered. The questions were:

  • Are web hackers really targeting WordPress plugins?
  • Which WordPress plugins are the most sought after by hackers? 
  • What types of vulnerabilities are the most coveted by hackers? 

In order to answer the questions above, we decided to mine Akamai's security big data platform ('Cloud Security Intelligence') for WordPress plugin attack patterns. Akamai's 'Cloud Security Intelligence' is a massive scale distributed data platform, which stores billions of security events from thousands of web applications all across the globe. The platform enables Akamai's threat research team to distill quality insights on attack trends taking place on the Internet.

Findings

When looking at attacks against WordPress plugins across Akamai's customer base during a one-week period, we discovered the following:

  • Approximately 43,000 attacks specifically targeted WordPress plugins during a single week
  • A total of 66 different WordPress plugins were targeted, out of which 8 received the lion's share of attacks (see chart below)
  • The "TimThumb" plugin: http://www.binarymoon.co.uk/projects/timthumb/ received a whopping 73% of all attacks
[Chart: attacks by targeted WordPress plugin]

When looking at the type of vulnerabilities that hackers were trying to exploit, we saw a clear preference for Remote File Inclusion (RFI) vulnerabilities, which accounted for 96% of all vulnerability types.

[Chart: attacks by vulnerability type]

Hackers' fondness for remote file inclusion vulnerabilities can be explained by the high "return on investment" involved:

  • Many PHP applications are infested with RFI vulnerabilities - see the chart below, which portrays the number of RFI vulnerability disclosures in PHP applications that were made public

[Chart: publicly disclosed RFI vulnerabilities in PHP applications]

  • Massive scanning of vulnerable WordPress plugins is an easy task to perform. The internet offers many "off the shelf" PHP RFI scanning tools, which hackers can download and run
  • The benefit to the hacker from exploiting RFI is tremendous - in most cases it means full control of the web server's infrastructure

When looking closely at the vulnerabilities that were being targeted, we noticed the following distribution by year of vulnerability publication (according to CVE and OSVDB):

[Chart: targeted vulnerabilities by year of publication]

The chart above offers an interesting insight into the vulnerability mitigation habits of WordPress plugin owners. Given that hackers do not waste time on irrelevant exploits and vulnerabilities, this clearly indicates that many applications are still left unpatched, even years after the publication of the vulnerability.

Let's spend a moment dissecting the information we gleaned on the 'TimThumb' attacks that we spotted during the sample week:

  • 270 unique attackers were responsible for the attacks during the sample week
  • 70% of the attacks originated from only 6 attackers in France
  • The rest of the attacks mostly originated from Italy, US, Germany, Canada and Brazil (in that order) [Chart: attack origin by country]
  • A total of 318 different web applications were targeted during the sample week
  • Out of the 318 web applications that were being targeted:
      • 39% belong to '.com' domains
      • 23% belong to US military domains ('.mil' TLD)
      • 6% belong to US government domains ('.gov' TLD)
      • 1% belong to non-profit organization domains ('.org' TLD)
      • 1% belong to educational domains ('.edu' TLD)
      • All other targets were country code second-level domains (e.g. .co.uk, .co.jp, etc.)
  • The URLs used inside the RFI payload point almost entirely to hostnames that resemble legitimate, well-known sites such as Picasa, Blogger, Flickr and YouTube (in that order), for example http://www.picasa.some.site or http://flickr.com.some.site
  • Deeper analysis of the majority of remote PHP code that is used by hackers revealed that it was written by Indonesian hackers, who breached and took over legitimate web servers across the web
  • The remote PHP code that is included was always encoded multiple times using Base64 and ROT13 and Gzip-compressed. This is probably done for the purpose of WAF, anti-virus and anti-malware evasion
  • The purpose of the remote PHP included code is to install two main types of malware:
      • A remote command execution PHP web page, which enables the hackers to remotely control the web server's machine, and grants them access to all files on the system
      • A highly evolved botnet software with many capabilities such as remote command and control through IRC, automatic propagation to other web servers using similar vulnerabilities, MySQL data dumping capabilities and so forth
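The two observations above that a defender can act on directly are the RFI signal itself (a query parameter whose value is an absolute URL to another host) and the brand-lookalike hostnames such as www.picasa.some.site. The following detector is an added example written for this post, not Akamai's code or any tooling from the original article: it parses access-log lines, flags parameters carrying a remote URL, scores the referenced host for the lookalike pattern, and ranks source addresses so the few heavy hitters stand out. The brand list, the two-label approximation of the registrable domain, and the log lines (RFC 5737 test addresses) are assumptions constructed for illustration.

```python
"""Flag remote-file-inclusion (RFI) attempts in web server access logs.

Added example, not Akamai's code: the brand list, the two-label domain
approximation and the sample log lines below are constructed assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Combined Log Format); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2013:10:01:02 +0000] "GET /wp-content/plugins/example-gallery/resize.php?src=http://www.picasa.some.site/x.php HTTP/1.1" 403 0
198.51.100.9 - - [12/Nov/2013:10:01:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
203.0.113.7 - - [12/Nov/2013:10:01:09 +0000] "GET /wp-content/plugins/example-viewer/view.php?file=http://flickr.com.some.site/s.txt HTTP/1.1" 403 0
192.0.2.4 - - [12/Nov/2013:10:02:00 +0000] "GET /go.php?url=https://www.flickr.com/photos/123 HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Brands the post saw imitated in RFI hostnames, mapped to their real registrable domain (assumed list).
BRAND_DOMAINS = {
    "picasa": "picasa.com",
    "blogger": "blogger.com",
    "flickr": "flickr.com",
    "youtube": "youtube.com",
}
REMOTE_SCHEMES = {"http", "https", "ftp"}


def registrable_domain(host):
    """Last two labels of the hostname; a rough stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host):
    """Return the imitated brand when its name appears in the hostname but the
    registrable domain is not the brand's own (flickr.com.some.site -> 'flickr')."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand, real in BRAND_DOMAINS.items():
        if brand in host and reg != real:
            return brand
    return None


def remote_url_params(request_path):
    """Yield (parameter, url) for query parameters carrying an absolute remote URL."""
    query = urlsplit(request_path).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            parts = urlsplit(value)
            if parts.scheme.lower() in REMOTE_SCHEMES and parts.hostname:
                yield name, value


def analyze_log(text):
    """Return one finding per (request, parameter) that references a remote URL."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        script = urlsplit(m.group("path")).path.rsplit("/", 1)[-1]
        for param, url in remote_url_params(m.group("path")):
            host = urlsplit(url).hostname
            brand = lookalike_brand(host)
            findings.append({
                "ip": m.group("ip"),
                "script": script,
                "param": param,
                "host": host,
                "lookalike": brand,
                # A remote URL alone can be benign (redirectors, feed readers);
                # a lookalike host is the stronger signal.
                "severity": "high" if brand else "medium",
            })
    return findings


def top_sources(findings, n=5):
    """Source addresses ranked by number of RFI findings, to spot the few heavy hitters."""
    return Counter(f["ip"] for f in findings).most_common(n)


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:15} {f['script']} {f['param']}={f['host']} lookalike={f['lookalike']}")
    print("top sources:", top_sources(results))
```

On the constructed lines the two requests to the lookalike hosts are rated high, the redirector request to the real flickr.com is rated medium, and the single repeated source address tops the ranking. In production the two-label domain approximation should be replaced by a public-suffix lookup, otherwise hosts under suffixes such as .co.uk are misjudged.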

Summary

As we suspected, there is no doubt that WordPress plugin exploitation is one of the main tools in the malicious web hacker's arsenal. Specifically, the 'TimThumb' remote file inclusion vulnerability, which was originally published back in August 2011, is still the most sought after by hackers.

We have also concluded that the root cause of the majority of WordPress plugin vulnerabilities being targeted by web hackers is remote file inclusion - this is probably due to the high ROI involved with these vulnerabilities. Moreover, it seems that hackers are still actively looking for vulnerabilities that are 2-5 years old. This may indicate that application owners are very slow in deploying fixes and do not tend to upgrade WordPress plugins to the latest, more secure versions.

Based on the malicious PHP code that was 'remotely included' in the attacks, it seems that while the majority of attacks appeared to originate from European countries, the people behind these attacks were actually Indonesian hackers. In addition, the remote code was always encoded multiple times to evade pattern-based protections such as WAF, anti-virus or anti-malware, and was placed on remote machines with domain names that resemble popular legitimate sites.
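The layered encoding mentioned here and in the TimThumb findings above (Base64, ROT13 and Gzip compression stacked on top of each other) is what an analyst has to peel off before a retrieved sample can be read or signatured. The unwrapper below is an added example written for this post, not Akamai's tooling: it recognises the nested eval(decoder(decoder('...'))) wrapper form, applies the Python equivalent of each PHP decoder in the right order, and repeats while the result is itself another wrapper. The PHP-to-Python decoder table and the obfuscated sample, which is built in the block from a benign string so the example runs offline, are assumptions constructed for illustration.

```python
"""Peel layered PHP obfuscation (base64 / ROT13 / deflate) for analysis.

Added example, not Akamai's tooling. The decoder table mirrors the PHP
functions named in the post; the sample is constructed from a benign string.
"""
import base64
import codecs
import re
import zlib


def _rot13(data: bytes) -> bytes:
    # ROT13 touches only ASCII letters; every other byte passes through unchanged.
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


# PHP decoder name -> equivalent Python transform (assumed mapping).
PHP_DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": _rot13,
    "gzinflate": lambda d: zlib.decompress(d, -15),   # raw DEFLATE stream
    "gzuncompress": zlib.decompress,                  # zlib-wrapped stream
}

# Matches: [<?php] [eval(] name( name( ... 'blob' ) ) ) [;] [?>]
WRAPPER_RE = re.compile(
    r"""^\s*(?:<\?php\s*)?(?:eval\s*\(\s*)?
        (?P<chain>(?:\w+\s*\(\s*)+)
        (?P<q>['"])(?P<blob>.*?)(?P=q)
        \s*\)+\s*;?\s*(?:\?>)?\s*$""",
    re.S | re.X,
)


def parse_wrapper(src: str):
    """Return (decoder names outermost-first, quoted literal) or None if src is not a wrapper."""
    m = WRAPPER_RE.match(src)
    if not m:
        return None
    return re.findall(r"\w+", m.group("chain")), m.group("blob")


def unwrap(src: str, max_depth: int = 16):
    """Return (plaintext, decoders applied in order).

    Stops when no wrapper remains, when a decoder is not in PHP_DECODERS,
    or after max_depth layers (guards against pathological samples).
    """
    applied = []
    current = src
    for _ in range(max_depth):
        parsed = parse_wrapper(current)
        if parsed is None:
            break
        names, blob = parsed
        if any(n not in PHP_DECODERS for n in names):
            break
        data = blob.encode("latin-1")
        for name in reversed(names):   # innermost decoder runs first
            data = PHP_DECODERS[name](data)
            applied.append(name)
        current = data.decode("latin-1")
    return current, applied


# --- constructed sample: two layers wrapped around a benign PHP snippet ---
def _deflate_raw(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


SAMPLE_PLAIN = "<?php echo 'constructed benign sample'; ?>"
_inner_blob = base64.b64encode(_rot13(_deflate_raw(SAMPLE_PLAIN.encode()))).decode()
_inner = "eval(gzinflate(str_rot13(base64_decode('%s'))));" % _inner_blob
SAMPLE_OBFUSCATED = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(_inner.encode()).decode()


if __name__ == "__main__":
    text, layers = unwrap(SAMPLE_OBFUSCATED)
    print("layers peeled:", " -> ".join(layers))
    print("recovered:", text)
```

Recovering the plaintext this way gives a stable artefact to write detections against, which the encoded blob itself does not: two samples of the same code re-encoded with a different layer order share nothing at the byte level. A decoder name the table does not know stops the loop rather than guessing, so an unexpected wrapper is surfaced for manual review instead of being silently mis-decoded.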

Last but not least - all of the attacks mentioned in this article were thwarted by Akamai's KONA security solutions.

This blog post was written by Ory Segal, Principal Product Architect and Or Katz, Principal Security Researcher
