Date aired: April 11, 2019
Join us as we provide insights on the top open-source CMS security, out-of-date software, and specific malware families that we see trending on hacked websites.
Tony Perez
General Manager, Security Product Group
Tony is the GoDaddy General Manager (GM) responsible for the Security Product Group and Sucuri Brand. He oversees the Certificate Authority (CA), Content Distribution Network (CDN), Website Application Firewall (WAF), Website Backups, Monitoring, DNS and Incident Response Product and services. He is the former CEO/Co-Founder at Sucuri and US Marine. Twitter: @perezbox
Question #1: After searching my site on Google, I found many results about my site with Japanese characters. What should I do?
Answer: So this is tricky. I think Alicia wrote an article on this a couple years back where people are using sites for SCL. It could mean that you’re compromised. It could mean somebody’s just hijacking your SCL, there’s different tactics. We have seen Japanese character-type attacks, but it could be an indicator that obviously something is wrong. And so we can help her kind of think through that.
Question #2: What is the best 2FA for my WP dashboard, and what is the best anti-spam plugin for WP?
Answer: I don’t live in a world of absolutes, so best and worst are very relative, right? I mean it’s whatever you think. So for instance, me personally, I use a allowlist approach so I don’t use 2FA on my website. That being said, when I do use 2FA I do use things like Google Authenticator. It’s simple, it’s easy, it works and I have Google Authenticator with a lot of my other applications. And so I enjoy that. In terms of spam filters, I think cloud-based firewalls can help. I also think that Akismet is pretty good and I use that as well. So whether it’s the best or worst, I don’t know. How do you measure that? But those are the things that I do that are pretty effective and my site’s been pretty good.
Question #3: What can you do if you can’t update your CMS or components?
Answer: Great question. My personal opinion is there’s always a way to upgrade. That being said, there are challenges. Just the other day I was working with a small town El Portal Village where they had a highly customized theme, it was on WordPress, and the designer was just too afraid to update. They knew it’d take the whole site down, she didn’t know how I was gonna do it, et cetera. And so the first thing we did was, we deployed a cloud-based firewall on it and from there immediately we stopped all the attacks saw coming in. And what that did was, it wasn’t saying ‘Don’t update’ it was just saying ‘Hey, you have a little bit more time now’ and let’s get a plan in place to figure out how we can do the update process. Now if you absolutely can’t update, then I would do things like deploy a cloud-based firewall. I would also do hardening on the endpoint where I cue a PHP execution and I disable all abilities to update across the entire environment. What that’s essentially doing is that most malware, most backdoor requires some form of PHP execution and so by killing it by default, it’ll make it very difficult and most sites, most themes don’t require that but that’s a more advanced process because you can break things…but that’s kind of where I’d start without knowing more information.
Question #4: I have an Ecommerce website but I really don’t like to update. I rather stick to my favorite configuration. I hear you say it’s risky but isn’t it just as risky to lose money if the update is wonky?
Answer: Yeah, that’s the biggest fear I hear from small businesses and especially online store folks. When it comes to real dollars, if it’s a brochure site, you’re like ‘Whatever it’s fine. If I break it I break it’ for the most part relatively speaking. On an online store, nobody wants to lose those dollars. If you’re generating dollars and it’s performing, it’s like ‘Don’t touch it. Don’t mess with it.’ Know what I mean? Whatever you do, don’t cause downtime at all. And so, yeah. Unfortunately though, in my opinion, that needs to be one of those things that as a small business as you start getting online and you start growing, you need to be taking security seriously and making that part of your everyday maintenance program for the site.
Question #5: Tony, what do you think will be the biggest hack trend in 2019?
Answer:The past couple of years have been relatively quiet. That doesn’t mean they haven’t been impactful and things haven’t been happening, but it’s not 2013, 2014 and we’re seeing mass compromises. I think what I’m most interested about is the severity of some of the vulnerabilities being disclosed. I wonder if we’re kind of at an inflection point where either an inflection of new users, or just a state of plugins or whatever or extensions, we are seeing this rise in Magento all of a sudden becoming more the third party components and then these issues on the number of severities in WordPress. I kind of think about that. I look at what had just happened with Mailgun this week and I think about supply chain poisoning. It’s been happening now for a couple years. I kind of wonder where that’s gonna go. I wonder where more of these attacks that abuse resources like cryptojacking or DDoS scripts are gonna be. But I don’t anticipate something material outside of maybe a massive compromise in a host of some kind. But outside of that, overall, I anticipate that the CMS environments are going to continue to become more secure by default. I think that that’s directionally correct. I think WordPress is gonna continue to lead the charge on that. And I would expect that more and more platforms are gonna start following suit. We’ve started to see more conversation on this in other environments and I don’t know if 2019 will be the year that we’ll see kind of backwards compatibility and upgrade issues or auto-upgrade opportunities but I would say as we begin 2020 we should start expecting that which will have a material impact on the web as a whole I think. And then I think we can see more and more hosts integrating it as a default configuration. I think that…I think that’s just directionally the right way, a more secure by default environment. Not just the CMS’ but in the hosting environment as well. I think customers expect it. I think customers are getting tired, there’s a little fatigue going on where like ‘Oh my God, how do I get my head around this stuff?’ So that’s kind of where my head’s at in terms of moving forward.
See all Questions & Answers
Expand
Name: Tony Perez – Title: General Manager, Security Product Group
Tony Perez:Thanks so much, Nikki. I’m really excited to be here to give this webinar. As Nikki mentioned, my name is Tony Perez, you can find me online at Perez Box. I’m one of the co founders of Sucuri. I’m also responsible for GoDaddy’s security product group. As she mentioned, today we’re going to dive a little bit deeper into our hack report. For those that are unaware, we’ve been doing this for the past couple years. What’s really cool is that you can kind of start seeing this trend and this change over time. There’s a lot of consistency, but it gives us a lot of things to talk about. It’s just a nice way to recap. So that’s what we’re going to do. It’s important to note that all the information that we’re going to share is specifically to the Sucuri brand, right? So Sucuri brand is one the things I’m responsible for. Later in the year I’ll be doing a more holistic one for all of GoDaddy. But I can almost guarantee there’s going to be a lot of similarities into what we’re seeing. So with that, this year’s report, we took a representative sample of our entire base that came out to about 25,466 different infected websites. Of those, which is really interesting, is the number of files we had to clean, about four and a half million. And that will make a little bit more sense as we kind of dive deeper into the presentation. As we traditionally do, we’re going to kind of talk four distinct topics, kind of hey, what were the most effective open source CMS applications, what were some of the risks associated without theda CMSs and kind of how am I thinking about that, how is our business thinking about that. We’ll dive into the blocklist analysis and what those engines are, and what that means to you as a website owner. And then finally, we’ll kind of talk, dive a little bit deeper into the malware families. We won’t go too deep into that. For that, I’d bring some of the smart guys on. I’m just a pretty face of this thing. With that, let’s kind of dive into CMS security. So what did we see. As we’ve seen in previous years, WordPress continues to be a very big piece of our base and it continues to grow. And that’s okay. This is pretty representative of what we’re seeing on the web. Right now, I think, last I checked WordPress has been about a 33 and a half, 34 percent market share in terms of all the websites, about 60, 65 percent of CMS specifically. When you do the math on that and you start kind of looking at it, it makes sense for the distribution to be the way it is. What continues to be interesting, at least to me, is kind of where does Magento and other online commerce, like PrestaShop, OpenCart sit, and that’ll make more sense as we kind of dive deeper into the conversation. With that, let’s dive into kind of some of the changes. So we do see some fluctuation. Again though, this is not representative of the platform being more or less secure, it was just kind of it’s such a big platform, so dominant in this space, that it’s expected to see this kind of distribution. We did see some modest drops in Magento, some more significant drops in Joomla, a little bit of a rise in Drupal, but again because this is representative of our base, maybe that’s just more hey, this is kind of what our customer base looks like and you can see the ebbs and flows of our engagement in the different communities or different communities might be leveraging us, or promoting us to their customers. It’s insightful to look at it and think through it that way. Look at it from those lenses.
Tony Perez:One common theme we did have, which continues to be year and year out, is it’s not so much the platforms themselves that are the problem as much as it is the connected ecosystem, these third-party components that make up the greater platform. At least that is the case for platforms like WordPress, has been the case for platforms like Joomla and Drupal. And we’re starting to see this shift for platforms like Magento. So predominantly Magento’s had more core issues, and that’s been changing over the past 12 months where we’re starting to see more third-party extension. So they’re starting to suffer the same problems that the greater CMS ecosystem has suffered for the better part of the past four, five years. So are there contributors beyond exploitation of what abilities and third-party components, of course. Credential stuff, force tax against axis control, we continue to see that, improper deployment, security configurations, it’s literally why it’s number six on OS top 10. A general lack of knowledge. The more people coming online, we’re starting to see this very different type of user or website owner. What we did want to add, though, is we didn’t include this in the hack report, but I wanted to make sure to cover on this, and I’ll be writing an article on this. It’s like we always talk about third-party extensions, but what does that really mean? What does it look like? So we went back and we analyzed what we specifically as an organization analyzed in 2018, and we saw that about 196 different vulnerabilities that we identified as an organization. Maybe we didn’t publicize them, but we did a lot of engagements directly with WordPress.org and some of the other repos, as well as some as developers. What’s kind of really interesting to me, and it’s kind of a little bit of a shift, is in all of 2018, of all the analysis we do and all the connections we have, we saw about 20 severe vulnerabilities in WordPress plugins that are part of the ecosystem. In Q1 of 2019, we’re actually already 50 percent of where we were in all of 2018. We don’t have a good pulse on why and what’s going on with that just yet. This reminds me of back in 2014, 2013 when we were kind of starting to really disclose a lot of the vulnerabilities and some very, very severe issues. So we’re trying to get to the bottom of this and hopefully we’ll have a little bit more insight as I work with Mark Alexander and feel to understand what’s going on in the threat landscape. But this is something interesting for us to keep in mind. One thing we are seeing, though, it’s not always just about the vulnerabilities and the plugins, but also about attacking the supply chain. We just saw an amazing research by folks on [Pit Dig In 00:05:46] and what they were doing as an organization intentionally, right? Using it to DDosing competitors, or redirect the users. We literally just saw an attack this week against MailGun where a plugin was redirecting users to a different site maliciously, right? Unbeknownst to the actual website owner. Attacking the supply chain is actually a really, really big problem that I anticipate will continue to be abused as more of the websites, kind of like a big infrastructure, as more infrastructure applies all these controls to mitigate attacks to their network and it gets really hard, we start going for the weak area. So if you’re leveraging plugins, understanding the changes that are happening there and understanding that the reputable sources become even more important.
Tony Perez:With that, let’s dive a little bit into some of the CMS analysis. What we notice, which was about 56 percent of the sites we worked on, were up to date. That’s pretty cool. 44 percent of them were out of date. The system really tells us a story, and so what we do is we kind of dive a little bit deeper, we say, okay, which platform specifically. As you can see, coincidentally, while WordPress makes up a big piece of our base, its out of date state is a lot less than almost any other CMS. There’s specific reasons for this that I’ll talk to about in a second. What I also look at is I look at things like Magento and OpenCart and PrestaShop and why those are so important is because while they’re representation of the basis really, really small, they actually make a up a very big percentage of online GMV, or market value, right? Because these organizations are generating serious dollars, they’re pushing out products, services, goods. They also have an obligation to be up to date in accordance to being PCI since they are online commerce. So that is a little bit concerning. What’s actually also really interesting about this is that when you look at some of these platforms to the right versus platforms to the left, you start seeing things like they lack backwards compatibility, they don’t have auto update features, things like that. That’s why when we look at things like WordPress, we start saying, wow, they’re really leading the way in this because you can see the dramatic impact that they had over the past few years with their implementation of auto updates. So huge shout out to the WordPress org team. And we started to see other CMSs start to have this conversation. We’ve also seen what happens in platforms like Joomla where you don’t have that backwards compatibility, and then all of a sudden, it becomes really, really difficult to update. So we saw a modest drop of about three percent from 2017 in terms of the out of date state of WordPress. Now understand, what we’re talking about here is when the infection comes to us and when we work on the site, we take a note of that or we take a tick, and we say, is it up to date or is it out of date. And that’s what we’re talking about here. But this also complements or supports some of our analysis where the greatest threat, at least for platforms like WordPress specifically, the third-party’s ecosystem. Joomla is a little bit of a different story, right? We saw a pretty interesting rise in out of date state of Joomla, and the way I look at is as the platform continues to progress and evolve, the lack of focus and backwards compatibility actually has a material impact on users. All of a sudden there’s no clean way to make that progress, and so you have a lot more of well, I don’t want to make an update because I don’t know what’s going to happen, and it’s going to break, and I don’t want to risk my site being down for whatever reason. It’s something worth keeping in mind and taking a look at. When you have issues like this, couple that, so Joomla, like WordPress, has a third-party ecosystem problem, but it also has the same problems Magento has, which just has core issues as well, or severe core issues.
Tony Perez:Speaking of which, when we look at Magento, we did see a rise in out of date state. What’s kind of interesting, and [Willam’s 00:09:43] lab kind of talks about this really nicely, he’s a great researcher that focuses a lot of energy in Magento, he says when he looks backwards in time, Magento has had some pretty significant core issues, and that’s been the thing that people exploit. What he’s starting to see is this trend, at least starting around fall of 2018, where he started to see more and more third-party extensions being exploited, and being used as a vector to get into the applications. So what you’re seeing is this shift, so WordPress has been here for a couple years now, you see Magento following the same suit, as the platform gets more secure with Magento and Adobe and what they’re doing, now it’s this entire third-party ecosystem. This kind of relates, I think, to all CMSs and it’s kind of worth, as an organization looking at that and saying, how can we help improve that dynamic. Because every ecosystem is kind of working in their own little silos. So if you’re using Magento, [Willam 00:10:42] and his team and a bunch of researchers have put out some really good resources for you to analyze your existing environment, look at your modules, see which ones are out of date, which ones are potentially vulnerable, and help provide some better visibility. My biggest concern here are things like PCI, online commerce, and the fact that specifically for platforms like Magento, which is very similar to Drupal is to websites, but Magento is to online commerce, which is large enterprises are using it, pushing serious GMV through it. We need to be having a more serious conversation on how we’re going to get ahead of some of these threats. Let’s dive a little bit into blocklist analysis. So if you’re not familiar with blocklist, blocklist are organizations that have invested some level of resources to identify if a site is potentially good or bad, right? So it’s a blocklist. Like oh my God, we’ve identified it for whatever reasons. So Google safe browsing, perhaps one of the better known blocklist entities out there and what they say is they have a commitment to creating a safer web, and so their blocklist scans all the sites on the web that are coming online, that their search engine finds, or their crawlers find, and they say, okay, hey, is it distributor malware, does it look to be deceptive, is it doing some kind of search engine poisoning attack, something along those lines. And then their whole intent is to create a safe experience for you, or for me, or for any of the online users. So they say, hey, if you click on a link and it’s deceptive or it’s distributing malware, we’re going to tell you and we’re going to present it with this really big red screen. And this red screen is designed to deter you from proceeding, right? So they make it really difficult. So you can click on details, sometimes it lets you go, sometimes it doesn’t. It’s all about trying to create a safer experience. But they’re not the only ones.
Tony Perez:What we’ve actually identified in some of our research and conversations, and this is a bit anecdotal, we’ve noticed anywhere between 85 to 95 percent loss in traffic when you do get blocklisted by an organization like Google. So if you’re a large organization, hey, maybe that doesn’t mean anything to you. But when you’re a small organization, being blocklisted and not allowing a customer to get to your site for an hour could be devastating, let alone a day or two days or three days. So it’s something to be mindful of. It’s one of the reasons that we kind of suck in these blocklists. So what we’ve found is that about 11 percent of the infected websites that we worked on were actually blocklisted. And you kind of scratch your head like why is that? Are these guys so much better? I don’t necessarily think so, I think we just look at things a little bit differently. And you’ll see in a second when I start talking about some of the blocklists themselves and their differences, you’ll kind of see why this is. But when I can tell you is that one of the reasons that this distribution is the way it is because when we do our scans, we’re looking not just … when we’re working on these infected sites, we get to see the whole world, we get to see what’s happening on the back end, what’s happening on the front end, what’s involved in the landscape. And so we’re constantly evolving and checking, and so we get to compare like hey, this is the real state versus the rest of the world, what’s being detected. So that’s really interesting. If you’re curious and you want to read more about blocklist and what they are, we do have a link here, we have a guide that we put together. It’s an educational guide, it just helps you kind of walk through the process. So let’s talk about the blocklist. So you heard me talk a lot about Google, but what’s really interesting is that Google’s actually the third, the fourth of the blocklist that are driving some of our detections. What’s actually driving when you look at this, to the left of this graph you see a lot of the antiviruses, the Norton’s, the McAfee’s, things you have sitting on your notebook that tell you if you have malware or not. And then to the right of it, you have the Yandexes and the Googles, and then we have a few others. We have Spamhaus, we have things like Fish Tank, things like that. But these four make up the biggest representation. They make about 40 percent of all blocklisted websites are coming from these four. The left one, the AV are things that hey, this site is trying to do something that we don’t acknowledge on your desktop. These are AVs, the Norton’s, the McAfee’s. And they have a bunch of different triggers. Speaking of which, none of these function the same. They all kind of, sort of work similarly, but they all have their own uniqueness to it, so McAfee might be looking a reputation of your IP while Google will specifically be looking only at malware and phishing, but they don’t really care about SEO spam, right? And so you have those dynamics happening, and everyone’s a little bit different. Everyone you have to do your research. One of the things that you do have the option of doing is every one of them have the ability to register your site with them so they give you report. So Google, you can go to safe search, you can register with them, you can register with McAfee, you can register with Norton safe search, as well as Yandex. The really interesting thing about that is if any one of them see an issue, typically they kind of say … they give you about 24, 48 hours before you have a really bad day. They’re like hey, we’re about to create a really bad day for you in about 48 hours. It’s in your interest to fix this. And then sometimes they’ll give you a button to resubmit, re index, things like that.
Tony Perez:My normal advice to folks is if you know these are the four main driving blocklist entities, go and register with them, put your sites in their environments, so that you can get that advanced warning. More monitoring is never going to hurt you. It might drive you a little crazy, but that’s okay. And then one thing to note is just being removed from one doesn’t necessarily mean you’ll be removed from another. Now some of these guys share APIs, so if they see an issue, they might be using the Google blocklist, but if Google removes you, that might be one team, then that team has to update another team, and then that updates the API. Right? So like there’s this entire chain. And so my advice to you is be patient. Have a conversation with them, hopefully they’ll respond, if not, you can talk to us. We have a few ways of getting things moving. And then just give it a little bit of time to propagate. Right? It needs to make its way through the systems. So let’s talk a little bit more about … Well, let’s talk about the families themselves and things that we’ve seen. This is kind of the funner part or the things that get exciting. So these are like, “Hey, what are the tactics, techniques and procedures that attackers are doing?” So they compromise you. And then what? What was their action and objectives, what we call them in the security space? So what we see is this really nice distribution of different types of malware types or malware family distribution. And on the left-hand side, for the last couple years, we’ve been talking about backdoors. What are backdoors? They’re ways for people to bypass [access 00:17:01] control, et cetera. And I’ll dive into that in a couple slides. Then you have things like malware. These are intentional things, credit card scrapers, drive-by downloads, “Hey, you’re infected, click this button, download a fake AV,” they put a Trojan in your environment or a RAT in your environment. In fact, if you think back to the DNC hack of 2016, it was a benign website that was distributing a malware dropper that was used to download a RAT into the environment. And so when the user went and took that notebook and put it into the DNC network, the RAT was able to then propagate, burrow into the network that way. That’s a really great example of what happened there. And then you have other things like SEO spam that continues to rise, and we’ll talk through that.
Tony Perez:But what I wanted to spend a little bit of time on, and we didn’t talk about this in the hack report, but we are going to talk about it here, is cryptojacking and ransomware. So, if you think back to about 2017, 2017 was a real interesting year for ransomware. We saw a lot of interesting noise happening around ransomware on notebooks, right? People abusing through email attachments, through website distribution, abusing OS software vulnerabilities, and infecting large organizations. Now, ransomware in the desktops and the notebooks is still a pretty interesting problem. We just saw Atlanta get hit by this a few months ago. Right? Where it hasn’t been very effective has been on websites. Why? Well, websites unlike desktops is a little bit different. You’re usually on a host, and most reputable hosts will give you traditionally like 24 hours of free backups. So even if you get infected, if somebody tries to steal your information, deletes it, there’s usually a decent way to recover it. There’s a funny story there where I once destroyed a customer’s site, and thank God the customer was able to help us. It’s literally why they don’t let me touch servers anymore. In any event, so ransomware just wasn’t very effective. And so that attacker, basically, was like, “Well, there’s no real money in it,” right? So people, what attackers need is an incentive, time and motivation to do it. So if there’s no incentive, in terms of monetary gain, right? Or social gain, then why do it? Now, enter cryptojacking. So cryptojacking’s kind of interesting. So if we think back to about a year, year and a half, what we see is this meteoric rise in cryptocurrency, right? All of a sudden, one coin is worth $20,000. And it’s like, “Oh my gosh,” well what does that give us all of a sudden? That gives us incentive. That’s where cryptojacking comes into play. What’s really interesting this is we’ve kind of seen a decline in 2018 and 2019 around cryptojacking. But that’s not the full story. What’s really interesting about this is when you look at how cryptojacking is and what drives it. So on the chart to the right, what you see is the black is the rise in cryptocurrency over time, and the red is the actual rise in cryptojacking. So what does that tell you? Well, all of a sudden, there’s direct correlation that says: As the price of something goes up, the incentive to do it goes up. Why is that important? Well, as we look at the markets, this becomes a really interesting trigger or indicator that says, “Hey, if all of a sudden you see cryptocurrency going back up, we need to be mindful as a host, as a security company, that we’re going to probably start seeing this problem. We probably need to start educating customers.” Like, “Hey, there’s a reason for this.”
Tony Perez:Now, this also helps tackle a different conversation. So, have you ever had a conversation with a customer that says, “Hey, I don’t know why anybody wants to attack me.” Well, what cryptojacking does, it doesn’t affect you as the individual, as the website owner. It doesn’t affect your customers, per se. It’s not tying to steal their data or do something malicious to them. What it does do, however, is it steals your resources. Now if you think back to about a year ago, we talked about this, around, “Hey, your resources are being abused for things like DDoS.” So, you have a website, somebody has a script in your server, they’re taking that server, they’re taking that script, and they’re attacking somebody else. We literally just saw that with [pip-digging 00:20:47], right? So, [pip-digging 00:20:48] was, “Hey, they didn’t like a competitor, so they went and attacked them using your resources.” Great example of resource abuse and a great example of why your website’s so valuable to somebody else. Cryptojacking is, “Hey, in 33 percent of the cases that we saw with crypto mining and cryptojacking, they were abusing your server resources.” Now, I can tell you from the GoDaddy side, where we sat down and look at that, we’re like, “Oh my god,” like, “What is chewing up all our resourcing power?” Memory usage, utilization, things like that. On the flip side of that, 67 percent of the cryptojacking that we saw was actually happening client-side or via JavaScript. Well, what does that mean to you? Well, have you ever gone to a site and all of a sudden, it’s, “Hey, wait, kill page, page is not running,” or all of a sudden you see a spike in utilization on your desktop? That’s because the JavaScript in your browser is consuming the resources in your device. So, while it might not affect you, it might affect any of the readers. And that’s just because it’s so valuable, right? It’s like, “Hey, the faster I can mine these coins, the more money I can make.” Right? Great example of how, “Hey, cryptojacking and like ransomware is more effective and we should expect to continue to see this, as this entire cryptocurrency world continues to evolve and grow over time.” Okay? And of course, the infrastructures we provide and the resources we have with our netbooks become extremely valuable to the attackers. Enough about that. Just an interesting thing that I thought was worth talking about. PHP backdoors. So, as I mentioned, this is just a really simple way for an attacker to bypass any potential controls you might have in place. Think about it as your house. You have a house, you lock your doors, you lock your windows, but you leave your backdoor open, right? Maybe your dog goes in and out, et cetera. So, the attacker comes in, he walks around your house, he walks in the backdoor, boom, he’s in your house. It’s exactly the same thing. So, attacker comes in, just because you see their payload, maybe they dropped SEO spam or maybe they dropped some malware dropper or they did some other nefarious activity like cryptojacking, it doesn’t mean that they’ve lost value in your environment.
Tony Perez:So what they do is they take a little file and they put it in the backdoor. What that allows them to do is it says, “Hey, I no longer have to go to your admin. I no longer have to go to your WP Admin. I don’t have to go to any control that you might have in place that you’re trying to drive funnel. I’ll just go directly to perezbox.com, backdoor.php. And I’ll bypass all his controls and I’ll log into his environment because it will give me all the permissions I need. That’s essentially what it works like. So, what’s interesting is in 68 percent of all the cases we looked at, we always found backdoors. And so just cleaning what you see is not enough. On the malware distribution side, we saw a really interesting spike, and I was kind of talking to the threat team this morning, like, “Hey, why do we think this is happening?” There wasn’t a really clear answer, but what we can say is we’re seeing a lot of like payment skimmers. Right? People are trying to strip information around credit cards, replacing things, putting malware in the forms to capture entries and things like that, which would explain a lot if you look at the growth of online commerce. But we’re still kind of diving into that. But we did see a really healthy growth in malware, it actually bumped SEO spam to the third spot. It used to be in the second spot. Speaking of which, SEO spam – or what I would call search engine poisoning attacks, right – is exactly as the name implies, right? So as you see here in the image on the right, an attacker is abusing a website and their SEO to promote whatever they’re looking for. It’s traditionally been known for pharma hacks, which is still very prevalent today, but we also see it in things like SEO. I mean, we saw an SEO spam attack targeting student loans or essay-writing. So like, if you want to write an essay, go find here. And what they’re doing is they leverage all these other brands that may have marginal SEO positioning, but it just gives them an ability to raise their awareness in whatever they’re pushing. Why is that so valuable? Well, because it’s predominantly impression-based. That was one of the things that the pharma industry identified many years ago, which was they had an impression-based affiliate scheme that says, “Hey, all I’ve got to do is somebody to see it, somebody to click on it, and I’m generating money.” So with that alone, that explains this rise that we’ve seen over the past three years of search engine poisoning spam, specifically. Kay? So, moving on to the next slide, files that we cleaned in 2018. So, this was kind of interesting. So we saw about a 74 percent increase in the total number of files. Why is this important? Well, when you clean what you think is a payload, if you write your own scripts or tools you use, you want to make sure you’re doing as comprehensive a scan of your environment as possible. Right? Because there are more and more files being loaded by a website by default. So just because you move it out of your header or maybe just move it out of your footer or your functions file doesn’t necessarily mean you’re going to get it. When an attacker comes into your environment, they just throw up in there. It’s everywhere. Right? I mean, 292 files by default is what we’re cleaning. And not even including the databases. That’s a massive, massive, massive number.
Tony Perez:And when we talk to customers and they come back, and they’re like, “Hey, I still see this problem, I removed the payload, or I continue to have reinfections,” it’s usually because, A) they’ve missed things like backdoors or the payload is actually embedded through a number of different files that are being loaded by default or maybe it’s embedded inside the database in their options files or in their widgets or whatnot that are causing it to render dynamically. So again, just indicates a really increase in depth of files being affected. And I would anticipate this will continue to increase. The three types of files hasn’t really changed over the past couple years, and I think when you look at the three types – index, function and WP config – it makes a lot of sense. These are some of the basic file types that we use. Index and function, specifically, regardless of what CMS you’re using. WP config would be more specific to WordPress, but WordPress being so dominant in our base, it makes a lot of sense for it to be there. But a couple interesting insights I want to call out. So, the index file being affected was about 34.5 percent of the sites had their index modified. Makes a lot of sense. It’s by default one of the things that gets loaded. A number of different things that we saw in here. About 24 percent of these files were hiding file inclusions. So, what they’re doing is they’re leveraging like hexadecimal and what not, trying to hide things like “include,” “include_once.” And then about 16 percent of them were using malicious php scripts. So what they’re doing is instead of bringing the include inside the file itself, they’re calling other files and injecting those. And it just helps … it makes it more difficult to detect it and obfuscate it. It kind of creates this chain that you have to go chase down. But we saw a number of things like malware distribution, server site scripts, DDoS scripts, malware scripts, a lot of phishing coming through this file type. Blackhead SEO and conditional redirects. A lot of these things make a lot of sense, right? This is the basic file that gets loaded, so you kind of see it like this soup kitchen of malware getting dropped on this file type. When you look at the function files, about 13.5 percent of them were affected in the sites that we cleaned. We predominantly saw SEO spam injections in here. I don’t know there’s a specific reason for that, I’ll need to talk to the threat team a little bit more about that. But in about 40 percent of the cases, the function files that we cleaned were specific to SEO spam. That’s random content from a third-party URL, injects it in the affected site, able to configure it through remote command, things like that. About 8.5 percent of the functions files were generic malware, a little bit different distribution than what we saw. And about 7.5 percent of the files were the PHP.Ahuna specifically. And in here in the future, I’ll try to get the threat analyst to come on and kind of dive deeper into this for all of those that are interested in the malware, specifically.
Tony Perez:On the wp-config, very similar to some of the system files you might find in some of the other … or the config files, excuse me, that you’ll find in some of the other CMSes. It’s an extremely important file. It gives you a lot of information specific to the database, your SALTs, things like that or configuration settings, specifically for the WordPress application. So it makes a lot of sense that it would be targeted. So, about 11.5 percent of the [inaudible 00:28:57] were associated with PHP malware, as well. So it’s being loaded, it’s being called, and so it’s a valuable target, specifically in WordPress. And it’s in here because WordPress is just so dominant in our base. So with that, let’s kind of recap what we talked about. So, what did we learn? Well, about 90 percent – at least in our sites – were cleaned by Sucuri, were specifically WordPress. Makes a lot of sense. It’s pretty representative of what’s going on in the base. Authorities detected about 11 percent, which is about a 6 percent drop. In my mind, I look at that and I say, “Hey, this is why it’s so important to have different things scanning and monitoring your environments and seeing what’s happening.” SEO spam continues to increase, it had the greatest increase, I think in my mind, for 2018, where we saw about 14 percent moving from 37 percent to about 51.5 percent between 2016 and now. And then general malware, interestingly enough, had a really interesting increase, as well, from 47 to 56, about eight points or eight percent. E-commerce continues to be something that’s top-of-mind for me. I look at these platforms and I get worried about how complicated it is for customers to manage these platforms. They have an obligation for things like PCI, but we’re still seeing it very, very difficult for them to kind of tackle these issues. So, why do they happen? Why is this thing such a thing, right? And this happens for a number of different reasons. One, when I look at it, I think that the technical aptitude required to get online these days is dramatically changing. It’s a very different online ecosystem than we saw 10 years ago, let alone 20 years ago. It’s really, really easy to get online. And so these CMSes, like the WordPresses, the Joomlas, the Drupals, the Magentos of the world, make it easy to get online, get your content online, get your idea online, get your online store online, and so that makes it hard. Because what happens is most people don’t necessarily know how to configure it correctly, don’t necessarily know how to secure it correctly, and so you start seeing things like misconfigurations. I can’t tell you the number of times that I’ve had conversations with customers, like, “But I bought a web application firewall.” But it was never configured correctly. Or external access directly to the server was never controlled. Or we see a lot of cross-site contamination. You have a soup kitchen server. You have all this content on the server, all these different sites, and maybe you have your online store with a blog and a main site, et cetera, but they’re not isolated correctly. So we’re not practicing basic best practices like functional isolation, right? Or least privilege, things like that. We continued to see a lot of abuse against access control. You know, credential-stuffing, in other words, trying to throw as much of the username and passwords to a login form trying to get in. We still continue to see really, really bad online hygiene. So you’re using the same password across a number of different applications. That gets more complicated as we start seeing more and more organizations getting compromised, like the most recent 500 million credential leak from Facebook. And so, these are behavioral things.
Tony Perez:When I look at this, I think this is basic website maintenance and improper practice this around website maintenance and proper understanding of basic security, understanding that it’s a continuous process, it’s about risk management. And then a lot of people looking for absolutes. They might get a false sense of security by the deploying a specific security tool or specific control but they don’t understand the concept of defensive depth or defensive breadth, when you’re looking at the full scope or the width or the breadth of the landscape. And so that’s kinda what’s going on. In terms of the why specifically attackers do this? Well because it’s valuable. It’s valuable in the sense that I can abuse your customers, it’s valuable in the sense that I can abuse you as website owner, but it’s also valuable in the sense, in the form of things like cryptojacking or DDoS scripts or malware scripts that I can take advantage of your resources ’cause it’s still expensive to get online and do things. If I can abuse your resources and give you problems with your providers, I don’t have to worry about that. I can just go out and when that shuts down I’ll just go to the next site and abuse those resources and if that doesn’t work, I’ll abuse you via client side infections that allow me to take advantage of your notebook. So there’s a lot of value here as far as somebody to sit back and just say, ‘Hey, I’m going to attack as many websites as possible and do whatever I want with them and just make as much money as possible. What can you do to stay online? So on the right-hand side here, I’ve provided a couple different articles that are really interesting and insightful. Of course I’ll recommend Williams Lab if your in Magento platform [inaudible 00:33:27]. Here at Sucuri we’ve written a couple different guides for WordPress, we’ll have one for Magento coming out soon, for Drupal, for Joomla, and these are just really basic guides that help you like ‘Hey, this is how you should think about security. These are the things that are specific to your platform.’ So I encourage you to use them. The Open Web Application Security Project, OWASP, big fan of them. They came out with their own security implementation for Word Press. I encourage you to take a look at that. The WordPress.org repo has the same thing. Almost every platform out there has some rules or implementation guides that they built based on best practices and feedback from the community. Take advantage of that. That’s why they’re there. But a couple other tips that you should think about. Of course, always try to stay as up to date as possible. If it’s impossible for you to get up to date, like we’ve seen in some of the other platforms at the right of that chart, then you should be looking at other technologies – cloud based, web application firewalls are definitely a technology that are being incorporated more and more because people understand that they just can’t get to those updates fast enough. So what these application firewalls do is they provide you with this concept of virtual patching and virtual hardening. What that allows you to do is, it allows you to mitigate an external attack from exploiting a potential vulnerability, whether it’s a third-party component or whether it’s your server, what we call, right at the edge. So in other words, that attack never hits the origin or your server itself. That just gives you a little bit more time to pressure test whatever patch came out to make sure it doesn’t break, et cetera, and if you’re a small business that’s exactly what the technology was built for.
Tony Perez:Of course, I can’t stress this enough, I can’t tell you the number of times [inaudible 00:35:00] with somebody that didn’t have a website. And so I encourage you to have a website, it’s the cheapest thing you can do, it’s a safety net, you can get it from anywhere, you can create your own. It can be free. There’s a lot of technologies out there that allow you to create your own tarballs, push it out to another server. Whatever you do, don’t keep it on the same box. I can’t tell you the number of times we’ve cleaned somebody that a) didn’t have a backup which is a problem but then they had a backup and it was on the same environment so the attacker comes in, highlights everything, deletes the whole environment and like ‘But I had backups’ and I’m like ‘But why did you have it in the same environment’. I’m a big fan of detection. Daniel has instilled that in my head time and time again. Watch what’s going on, leverage things like file integrity, monitoring, look for changes. So I talked about 3 specific files. IP Config, Functions and Index. You know those are the files that get modified the most or attacked the most. Add some file integrity monitoring on those so if a change happens, you get notified immediately and you can kind of tackle that. Of course, running HTTPS, running SSL TLS on your site is kind of a default these days. You should be running that, you should be encrypting between point a and point b, but that is a very important distinction. HTTPS does not secure your site, it encrypts the communication between your browser and the server. It ensures whatever you push into it gets to the server securely. So if you push crap into it, crap is going to hit your server. But it’ll be secure. Of course, adhere to the principles least privilege, employ access control measures and then the last one here is my personal favorite, is employ things like allowlist approach. So what that does essentially is it blocks everything by default and allows only known goods. There’s some tools out there that are free like Ipauth.net that allows you to create a private-public pair relationship that allows you to quickly do a knock and update your IP in your environment, and that allows you to employ allowlist. I’ll write another article on that a different time but there are a lot of ways to do this. The biggest friction I get from folks is ‘Oh my God people are not gonna like it.’ Well in some instances that’s okay. We’re just changing behavior a little bit for a much bigger return. Just think about it, if you do a allowlist, nobody can brute force you. Unless they have your IP, which your allowlist is. With that, I will be turning this back over to Nikki, asking her to walk me through whatever questions we might have received. So, Nikki?
Nikki Gerren:Great, thank you Tony, you did a great job. Thanks for taking the time, he’s a busy man. But he’s here for us and we have some questions so let’s see what we’ve got here. What can you do if you can’t update your CMS or components?
Tony Perez:Great question. My personal opinion is there’s always a way to upgrade. That being said, there are challenges. Just the other day I was working with a small town [Opertau 00:37:50] Village where they had a highly customized theme, it was on Word Press, and the designer was just too afraid to update. They knew it’d take the whole site down, she didn’t know how I was gonna do it, et cetera. And so the first thing we did was, we deployed a cloud based firewall on it and from there immediately we stopped all the attacks, we saw all the attacks coming in. And what that did was, it wasn’t saying ‘Don’t update’ it was just saying ‘Hey, you have a little bit more time now’ and let’s get a plan in place to figure out how we can do the update process. Now if you absolutely can’t update, then I would do things like deploy cloud-based firewall. I would also do hardening on the endpoint where I cue a PHP execution and I disable all abilities to update across the entire environment. What that’s essentially doing is that most malware, most backdoor requires some form of PHP execution and so by killing it by default, it’ll make it very difficult and most sites, most themes don’t require that but that’s a more advanced process because you can break things but that’s kind of where I’d start without knowing more information.
Nikki Gerren:Okay, great. Speaking of that with updates. We mentioned it or you were talking about in the trends with e-commerce, updated but it still seems to be a thing where they’re talking about, they try to keep their favorite configuration for as long as humanly possible because they were saying updating is great, it’s still thinks they’re gonna lose money if they do that.
Tony Perez:Yeah, that’s [crosstalk 00:39:21] the biggest fear I hear from small businesses and especially online store folks. When it comes to real dollars, if it’s a brochure site, you’re like ‘Whatever it’s fine. If I break it I break it’ for the most part relatively speaking. On an online store, nobody wants to lose those dollars. If you’re generating dollars and it’s performing, it’s like ‘Don’t touch it. Don’t mess with it.’ Know what I mean? Whatever you do, don’t cause a downtime at all. And so, yeah. Unfortunately though, in my opinion, that needs to be one of those things that as a small business as you start getting online and you start growing, you need to be taking security seriously and making that part of your everyday maintenance program for the site.
Nikki Gerren:Okay thanks for reiterating that. We have Stephen Flowers here, what is the best 2FA for my WordPress Dashboard? And, what is the best anti-spam plugin for WordPress?
Tony Perez:I don’t live in a world of absolutes, so best and worst are very relative, right? I mean it’s whatever you think. So for instance, me personally, I use a allowlist approach so I don’t use 2FA on my website. That being said, when I do use 2FA I do use things like Google Authenticator. It’s simple, it’s easy, it works and I have Google Authenticator with a lot of my other applications. And so I enjoy that.In terms of spam filters, I think cloud-base firewalls can help. I also think that Akismet is pretty good and I use that as well. So whether it’s the best or worst, I don’t know. How do you measure that? But those are the things that I do that are pretty effective and my site’s been pretty good.
Nikki Gerren:Okay, good. And we have, let’s see here. Apologies, Maruth I believe? After searching my site on Google I found many results about my site with Japanese characters.
Tony Perez:Yeah.
Nikki Gerren:What should I do?
Tony Perez:So this is tricky. I think Alicia wrote an article on this a couple years back where people are using sites for SCL. It could mean that you’re compromised. It could mean somebody’s just hijacking your SCL, there’s different tactics. I need to talk to the team specifically and so if she shares her information with us, I can put her in touch with some of the analysts and they can give her a more accurate explanation of what might be going on. I know we have seen those type of attacks, but it could be an indicator that obviously something is wrong. And so we can help her kind of think through that.
Nikki Gerren:Okay. Good, good, good. We can get that to her. And I know you hear this actually with the trends that we’ve gone over, we’ll just kind of conclude with this, the trends of 2018. What are you seeing, Tony, as possible trends for 2019?
Tony Perez:The past couple of years have been relatively quiet. That doesn’t mean they haven’t been impactful and things haven’t been happening, but it’s not 2013, 2014 and we’re seeing mass compromises. I think what I’m most interested about is the severity of some of the vulnerabilities being [declosed 00:42:37]. I wonder if we’re kind of at an inflection point where either an inflection of new users, or just a state of plugins or whatever or extensions, we are seeing this rise in Magento all of a sudden becoming more the third party components and then these issues on the number of severities in WordPress. I kind of think about that. I look at what had just happened with Mailgun this week and I think about supply chain poisoning. It’s been happening now for a couple years. I kind of wonder where that’s gonna go. I wonder where more of these attacks that abuse resources like cryptojacking or scripts are gonna be. But I don’t anticipate something material outside of maybe a massive compromise in a host of some kind. But outside of that, overall, I anticipate that the CMS environments are going to continue to become more secure by default. I think that that’s directionally correct. I think WordPress is gonna continue to lead the charge on that. And I would expect that more and more platforms are gonna start following suit. We’ve started to see more conversation on this in other environments and I don’t know if 2019 will be the year that we’ll see kind of backwards compatibility and upgrade issues or auto-upgrade opportunities but I would say as we begin 2020 we should start expecting that which will have a material impact on the web as a whole I think. And then I think we can see more and more hosts integrating it as a default configuration. I think that…I think that’s just directionally the right way, a more secure by default environment. Not just the CMS’ but in the hosting environment as well. I think customers expect it. I think customers are getting tired, there’s a little fatigue going on where like ‘Oh my God, how do I get my head around this stuff?’ So that’s kind of where my head’s at in terms of moving forward.
Nikki Gerren:Great, great prediction there. Okay well that is pretty much most of the questions. If there’s some others that are coming through we’ve kind of got to wrap this up here. Your time, appreciate it, Tony, and for everyone who attended, appreciate it, being with us. I hope this was beneficial for you. Again, this is a video recording. We’ll get it together for you guys and there will be an e-mail sent out to our registrants. You want to see any of our webinars they’re at sucuri.net/webinars/. For anyone that joined us late as well, everything will be available. I’m going to just say my goodbyes to everyone and give you the last moment to say anything to our attendees.
Tony Perez:Thanks everybody for your time. If you have any questions, feel free to reach out to me at @PerezBox or hit us up at @sucurisecurity on Twitter and we’ll be happy to engage. Take care.
See Full Transcript
ExpandIn the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.
Join us on April 5th as we cover the latest findings from our 2022 Hacked Website Threat Report. We’ll shed light on some of the most common tactics and techniques we saw within compromised website environments.
All software has bugs – but some bugs can lead to serious security vulnerabilities that can impact your website and traffic. In this webinar, we dive into the steps you can take to migrate risk from infection and virtually patch known vulnerabilities in your website’s environment.
The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. Join us on July 6th as we cover the latest findings from our Hacked Website Threat Report for 2021.
In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.
In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.
Join us as we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.
A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..
Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..
If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..
Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..