From a recent investigation, a recent release of WordPress was found vulnerable to application defacement under "w4l3XzY3" hack.The following could be helpful in order to protect the application from this defacement.WordPress 4.7.2 was released two weeks ago, including a fix for a severe vulnerability in the WordPress REST API. In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online.Wordpress released v4.2 with 4 security fixes in January, included:
- SQL injection vulnerability in WP_Query,
- Cross-site scripting (XSS) vulnerability in the posts list table,
- Press This feature allowing users without permission to assign taxonomy terms,
- Unauthenticated privilege escalation vulnerability in a REST API endpoint.
Just for one defacer, Google alone shows 66,000+ pages compromised:They started the exploits less than 48 hours ago. It's assumed that Google hasn’t had time to reindex all compromised pages. Probably the number on Google’s SERP will continue to increase as the re-indexing scans continue.IP Addresses being used:
2a00:1a48:7808:104:9b57:dda6:eb3c:61e1Defacer[s] group behind it: by w4l3XzY3.The payloads being used can be referred from https://www.exploit-db.com/.
Based on the SIEM tools, the patterns are well observable. If rex is used, have a deeper investigation into the punctuation marks retrieved. And in order to protect, consider the mitigation measures for SQL injection, XSS and CSRF.Refer https://www.owasp.org/ for more mitigation techniques.Conclusion:
This is not a training session, it's an informative article for Information Security. Thank you for reading. Please comment below if you have any questions or comments.