WordPress Hacks Behind Surging Neutrino EK Traffic

msm1267 writes: More than 2,000 websites running WordPress have been compromised and are responsible for a surge this week in traffic from the Neutrino Exploit Kit. Attacks against sites running older versions of the content management system, 4.2 and earlier, were spotted by Zscaler. Those sites are backdoored and redirect a victim's browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits. The exploits generally target Internet Explorer, Zscaler said, and victims' computers are eventually infected with CryptoWall 3.0 ransomware. This analysis is in line with a similar report from the SANS Institute, which pointed the finger at a particular cybercrime group that had steered away from using the prolific Angler Exploit Kit and moved operations to Neutrino.

WordPress is a security problem

[mwvdlee]

WordPress is a security problem

I know I'm going to catch flak for this.

WordPress and all of it's plugins and themes are a huge target for hackers and reliably available online.
The main problem is that users don't regularly update, or rather that they can't in many cases.
That is, assuming the plugins are updated for security holes at all.

I wouldn't be surprised if hackers had databases of the exact versions, plugins and themes of millions of WordPress installations.
Just wait for a new public disclosure, replicate the exploit and attack the matching sites in your database.
They could have hundreds of freshly hacked WP sites every week.
These sites may only stay hacked for a few days or weeks, but it's simple economics.

Re:WordPress is a security problem

[Gavagai80]

They don't bother with such databases, they just query every site they can reach with a wordpress hack attempt whether it has a wordpress on it or not. After unsuccessfully attacking a few million sites, they gain a few thousand new hacked sites.

Re:WordPress is a security problem

[John+Bokma]

4.2 is considered older in the summary. According to Wikipedia: "4.2 (Powell) 23 April 2015". I doubt many people update each and every time.

By the way, I just don't get:

mysql> GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";

WordPress is not the only software to do this. And MySQL does support multiple users, each with different rights. I don't get it why a visitor of a website accesses indirectly the database with rights to drop all tables, modify all tables ...

Re:WordPress is a security problem

[Zedrick]

> I doubt many people update each and every time.

They don't have to, Wordpress updates itself by default. Most Wordpress-sites are hacked through plugins like Revslider (lots of people are still running that old version from early 2014) - usually pirated premium plugins (or themes).

Re:WordPress is a security problem

[phantomfive]

This is exactly what I came to say. If you are running Word Press, start a contingency plan now, because you are going to be hacked.

Re:WordPress is a security problem

[phantomfive]

That's victim blaming.

You're right, you shouldn't have to update. Use an old version! Don't conform! Don't let the man tell you what to do!
I'm not going to blame the victim, but if you don't update, you're still going to get hacked.

Re:WordPress is a security problem

[John+Bokma]

https://threatpost.com/wordpre...

The vulnerability affected the core WordPress engine in versions 4.2 and earlier, a rarity among the constant parade of serious security issues affecting plugins for the content management platform. The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed

Ugh...

Re:WordPress is a security problem

[DNS-and-BIND]

You CANNOT upgrade Wordpress every time there's a change. Doing so breaks your plugins, and these are not often updated. A Wordpress site with no plugins is a weak piece of garbage.

It took me a long time to realize that Wordpress isn't actually a software package like other software packages. It's meant to be a framework upon which you do your own coding. If you just care about a website and screw the coding, like most WP users, then you're shit-out-of-luck.

Re:WordPress is a security problem

[Lennie]

This why the Internet Of Things people keep talking about is going to be so awesome ! ;-)

Lot's of products are failing and it's going to get a whole lot worse soon:
https://www.youtube.com/watch?...

Cars are my 'favorite' topic right now:
http://www.wired.com/2015/07/g...
http://www.wired.com/2015/07/h...
http://www.bbc.com/news/techno...
https://www.youtube.com/watch?...
etc.

They were already warned about the problems in 2011, there was a talk at Usenix conference about it:
https://www.youtube.com/watch?...

They did say: business models are a problem.

So maybe that's the cause.

Re:WordPress is a security problem

[drinkypoo]

The main problem is that users don't regularly update

That's victim blaming.

If you volunteer to become a victim, you deserve to share the blame when you are. It doesn't mean we should let people off for what they do, it does mean that someone should explain where you went wrong to you.

Re:WordPress is a security problem

[0100010001010011]

I moved to Nikola. It's a static site generator written in python.

All of my posts / pages are written in markdown or restructured text.

It's easy to integrate with github pages.

It's static.

Re:WordPress is a security problem

[mwvdlee]

And, sadly, it's impossible to use for somebody barely technical enough to order an overpriced preinstalled WordPress site from a hosting provider.

Re:WordPress is a security problem

[phantomfive]

But "Mwvdlee" called it "the main problem" that users don't update their software

That's true, the main problem was using Wordpress in the first place.

Re:WordPress is a security problem

[l0n3s0m3phr34k]

My base install does NOT auto-update automatically. It notifies me via email. As Wordpress is presented as a GUI-driven system, modifying config files by hand in a text editor to get auto-update working is a negative for qualifying as "default". Installing a plug-in to get auto-update working isn't considered "default" either. I've looked through the GUI and see no mention of enabling auto-updates, nor see any references to this being "by default".

Re:WordPress is a security problem

[0100010001010011]

GitHub pages is near idiot proof, even with your own domain.

Re:WordPress is a security problem

[l0n3s0m3phr34k]

And your suggestion for an alternative is what? Drupal? Sharepoint? I don't know of any other free content management systems with Wordpress's functionality...but that's not my area of expertise anyway. I've only ran Wordpress and Drupal as my hobby CMS, and at work we only use Sharepoint. I'm open to suggestions though!

Re: WordPress is a security problem

[Zaiff+Urgulbunger]

I have a dev WordPress install running on localhost which hasn't been updated in a while - I just tried that site, and I get a page saying something like "site maintenance being performed - please try again in a minute", and sure enough, it worked shortly after.

I got an email from it saying it had updated to 4.2.4, but that 4.3 was also now available.

So it seems minor updates get auto-updated, but not major updates. Which is fair enough... but I don't know how long older releases get security patches for.

Re:WordPress is a security problem

GitHub pages is near idiot proof, even with your own domain.

Challenge accepted!

Re:WordPress is a security problem

[Dracos]

Drupal is just as free as WP, so is Cake, CodeIgniter, Laravel, and dozens of others. WP brings less to the table than any of those, but it does bring being an easy target.

Re:WordPress is a security problem

[thegarbz]

Wordpress is simple enough to understand by computer illiterate people which is why it is pushed to the "my first blog" crowd. Unfortunately dumbing down the design is part of what makes it such a convenient target. The dozens of others do not offer a CMS for someone who doesn't know what CMS stands for.

If PHP is a fractal of bad design ...

[John+Bokma]

... then Wordpress is a Menger Sponge.

Re:Please teach us how to protect ourselves

[mpol]

You only need this if you use WordPress on a public website ofcourse...

Make sure to have an uptodate WordPress install. That means that the current major version of 4.3 is okay, but also the minor security update of 4.2.4 (which is an update for 4.2), or even 3.7.10 (which is an update for 3.7).
Any major version before 3.7 is not supported and a security risk.

About plugins, only use plugins that are maintained, and use the latest version from the author.
If you use plugins that haven't had an update in a year or even in 2 years, check if the maintainer is still active, and plan to switch to something else.

If you use commercial plugins, stay away from illegal downloads. They will have malware inside them.
Only use commercial plugins in their current version, and keep them updated (which mostly means, pay your yearly fee).

If you are a developer that builds websites for customers, you will have customers that won't click on Update. You could consider offering a service where you update the software regularly for a reasonale fee.

Re:Please teach us how to protect ourselves

[John+Bokma]

I think the question is: "how can we protect ourselves from getting infected by hacked Wordpress sites".

Re:Please teach us how to protect ourselves

[mpol]

If that is the question, then it's just the same as any other hacked website or ad network.

WordPress Flash exploit ..

[nickweller]

"Those sites are backdoored and redirect a victim’s browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits."

But can only be successfully exploited on Microsoft windows ..

Re:WordPress Flash exploit ..

[drinkypoo]

But can only be successfully exploited on Microsoft windows ..

Oh, only on the world's most popular desktop operating system? No worries then.

Re:WordPress Flash exploit ..

[l0n3s0m3phr34k]

I feel it makes Youtube BETTER. It may take an extra click, but keeping it from autoplaying ads, skipping forward, etc is worth Flash-blocking on it too. Even CNN and other major sites are better with Flash click-enabled on them.

Re:Please teach us how to protect ourselves

[Zumbs]

Can anyone here please share with us in what way we can protect ourselves from being infected with those malwares/ransomwares?

The summary notes that the criminals use a Flash exploit and target Internet Explorer. So, a good guess would be to uninstall Flash and stop using Internet Explorer. If that is too grand a step, you could go for a Flash block addon for your browser, so you get to choose if Flash is allowed to run.

WP Foundation Development Model Adds to Problem

[NaCh0]

WordPress as a platform targets the easy-to-use market and thus has a lot of site admins who are not savvy IT people. The auto-update system built into WordPress addressed a large part of the security problem, namely people who don't actively update their software.

One glaring shortcoming to the WordPress development model is that they don't keep a set of stable releases. The WP core group wants you to stay on the most recent head version to be secure. In practice they have patched previous releases going all the way back to 3.8 but you definitely get the feeling that this is a half-hearted stop gap while they brow-beat you up to the head version.

Linux distros went through this growing pain 15 years ago with the introduction of enterprise distributions. It is about time that the WordPress foundation recognize that they are no longer a small time blog package. They need to introduce long term supported releases for the stability of their platform.

Re:WP Foundation Development Model Adds to Problem

[drinkypoo]

It is about time that the WordPress foundation recognize that they are no longer a small time blog package. They need to introduce long term supported releases for the stability of their platform.

Why? What's wrong with updating? Basic users aren't using internal APIs, so they don't have a problem if they update a module.

Re:WP Foundation Development Model Adds to Problem

[l0n3s0m3phr34k]

"defining constants in wp-config.php, or adding filters using a Plugin. " is NOT considered a GUI-based "default". As far as I can tell, there is no area inside the GUI to enable this, without installing a plugin. That too shouldn't be considered "default". It needs to be in the core GUI, right on the Dashboard "Enable auto updating?" and enabled by default on all deployments. Forcing users to edit a php file on a server isn't a good policy, nor is requiring a plug in. All major operating systems and software puts this right out in the open and doesn't make me edit INI / PHP files.

It took a coming together of RH, VMWare, and Novel to push Linux into the "enterprise" on a serious level. Wordpress has a long way to go, especially if auto updating (and other features) are hidden like this.

How Does One Test For Such An Issue?

[LifesABeach]

OK, so I've got a WordPress site, how can I test to see is this crud is on my site, even though I'm on 4.3?

So much hate

[ganiman]

The Wordpress hate here is hilarious. So much obvious anger. Get over yourselves. All of the hate for Wordpress can be compared to ruling in favor of same sex marriages. All of the right wing nut jobs are screaming about how it affects them and how it's so bad, as if someone were going to force them in to a same sex marriage. No one is forcing anyone to use Wordpress either - it's easy and opens operating a web site to a very large number of people. That is a wonderful thing, not a bad thing. If you don't like it, fine, no one cares. If you believe your site is some how more secure for not using it, or using some alternative, good for you, pat yourself on the back. The truth is, every piece of software ever written has potential for security holes, which may need to be patched. And even using "the most secure" software on the planet is only as secure as the people using it. Wordpress is no different. It definitely has its uses. Arguing about it is like arguing about religion.