Attacks, such as the one originating from the Just for Men website (a brand of hair products for men), serving up malware to visitors are pretty commonplace. Indeed, researchers at Malwarebytes were alerted to the drive-by download by their automated detection systems.
In this case the attack chain started with the Just for Men site suffering from an injection of obfuscated code belonging to the EITest campaign. In turn, this redirected to the RIG exploit kit and ultimately delivered a password stealing Trojan payload if you followed it through to the malicious conclusion.
Nothing unusual there, you may think; and you'd be right, and that's the problem.
The Malwarebytes research (https://blog.malwarebytes.com/cybercrime/2016/09/just-for-men-website-serves-malware/) suggests that after reporting the incident to the Just for Men parent company, the site changed. Post-report it was running the latest version of the WordPress CMS and one plugin (Yoast) had been updated from version 3.07 to version 3.5
These updates are important. The older version of Yoast was known to have a vulnerability and, it might be extrapolated, this could have provided the infection vector for the attackers.
Of course, we don't know that for sure at this moment in time. What we do know is that a non-patched CMS or plugin is the most common of website infection vectors these days.
We also know that major brands, and their web developers, should also be aware of the importance of updating these things to keep secure. So what's going wrong?
SC Magazine UK started by talking to Malwarebytes Lead Malware Intelligence Analyst, Jerome Segura. "What happens quite often is a web design firm will build a website, hand it over to their client and move on" he explained, continuing "the responsibility of maintenance and updates will then fall into the owner's hands."
And, unfortunately, without a due process and resources in place, in the majority of cases the website's core (not the content itself) will never get updated. Even if a third-party is brought in to manage the site, that cannot guarantee regular and timely patching.
"It's not always negligence that is responsible for outdated sites" Segura told us "but rather the fear of breaking functionality by pushing out an update." This is a misplaced fear as the longer you wait, the more difficult it tends to be to apply those patches without an adverse effect!
Jonathan Sander, VP of product strategy at Lieberman Software, warns against blaming WordPress itself. "WordPress is in a tight spot here" he told us. "Their problem is similar to Facebook's or Twitter's problem patrolling for hate speech. WordPress supplies a platform. If the people using that platform do it carelessly, what are they supposed to do?"
Indeed, so what should the platform users be doing by way of risk mitigation?
Alex Mathews, EMEA technical manager of Positive Technologies revealed that in-house research suggested "CMS vulnerabilities are about 18 per cent of all the web application flaws found yearly" so should not be underestimated.
Mathews suggests that site owners should mitigate the risk by hiding the versions of applications being used. "If an attacker knows the CMS version, he also knows its flaws" he says, adding "also use a web application firewall (WAF) to fence off attacks."
Tod Beardsley, senior security research manager, Rapid7 isn't so keen on the external solutions line. "While there are external solutions available like intrusion prevention systems (IPSs) to web application firewalls (WAF)" he explains "ultimately, they are stopgap measures that buy time until proper patches can be applied."
In a DevOps-embracing enterprise where continuous integration is a standard practice, Beardsley would expect server software to behave the same when it comes to critical security fixes. "The gap between patch availability and patch application is the sweetest spot for attackers" he warns "so narrowing that gap is of paramount importance for defenders of the enterprise."
Oliver Fay, lead intrusion analyst at Context Information Security, reckons that part of the problem is the fragmented nature of the WordPress plugin community. "In many cases plugins may not be actively developed or supported anymore and may therefore have unpatched, known vulnerabilities" Fay told SC. "The nature of WordPress means that these plugins typically run with the same permissions and privileges as the core application."
Aside from the obvious ‘keeping things up to date' advice, regular security testing of websites enhances organisations' ability to detect and remediate these kinds of security issues before they can be capitalised upon by nefarious actors. "Awareness of the plugins used and how their configuration may impact the security of the site" Fay says, adding "a generally proactive attitude towards security during the development phases of sites using the CMS solutions are obviously also vital."
We will leave the final word to Ian Trump, security lead at LOGICnow who points out that "if the integrity of the brand - and not looking stupid - is important to a business then they need to either outsource IT, staff the IT department with the right people who can do this, or adjust IT workloads."
Those managing the IT department, Trump insists, need to wake up every morning and think: how is my IT department going to face down the bad guys trying to wreck my company? "If your IT department can't have that conversation" Trump concludes "then fundamental changes need to take place."