Our Website Hacked Trend Report provides insights on the top open-source CMS security, out-of-date software, and specific malware families we see on hacked websites in the Sucuri environment.
We’ve built this analysis from prior reports to identify the latest tactics, techniques, and procedures (TTPs) detected by our Remediation Group. A total of 18,302 infected websites and 4,426,795 cleaned files were analyzed in our recent publication.
Tony will discuss high-level findings on a range of topics, including:
- Affected open-source CMS applications
- Outdated CMS and blacklist analysis
- Malware families and their effects
WEBINAR SPEAKER
Tony Perez
General Manager, GoDaddy
Security Product Group / Sucuri
Twitter @perezbox
Tweet #AskSucuri to @SucuriSecurity
The report is a representative sample of 25,466 infected websites and 4,426,795 cleaned files and includes only data from Sucuri customers. The report covers:
• Top affected open-source CMS applications
• Outdated CMS risk assessment
• Blacklist analysis and impact on webmasters
• Malware family distribution and effects
Constant factors throughout 2018:
• Vulnerabilities in extensible components
• Overall security posture by site administrators
• Weak or default credentials and passwords
• Poorly configured environments
Let’s discuss our latest findings for 2018’s hacked website trends:
CMS Security
Infected Platform Distribution
Three leading CMS platforms in 2018:
• WordPress
• Magento
• Joomla!
This data does not imply that these platforms are more or less secure than others. It represents the most common platforms seen in the Sucuri environment, but it also reflects the overall popularity of these CMSs.
Infection Comparison
Our 2018 telemetry saw a shift in CMS infections:
• WordPress infections rose to 90%
• Magento infection rates dropped to 4.6%
• Joomla! infection rates dropped to 4.3%
• Drupal infections rose to 3.7%
There were no specific events (e.g., mass infections) that would have contributed to the increases or decreases in any specific platform.
Common Issues & Threats
The most notorious threats to CMSs stem from vulnerabilities introduced by add-on modules, plugins, themes, and extensions.
Other issues include:
• Credential Stuffing (Brute Force)
• Improper deployment
• Security configuration issues, or security configuration missing entirely (OWASP Top 10 #6)
• A lack of security knowledge or resources
• Overall site maintenance by webmasters
• Broken authentication and session management
Vulnerabilities
Vulnerabilities researched by the Sucuri team, by platform:

Platform     2018    2019-Q1
WordPress    116     38
Drupal        43      5
Joomla!       37      4
Total        196     47
Note: These are vulnerabilities that have been identified by the Sucuri team and are not indicative of all vulnerabilities targeting these platforms.
• In 2018 we detected 20 severe WordPress vulnerabilities and 18 for Joomla!, and none for Drupal.
• There were 196 total vulnerabilities, 35 of which had an install base of over 1 million users.
• 94.9% of them were blocked by existing rules.
• Joomla! had 17 severe SQL injection vulnerabilities.
• WordPress had 7 severe stored cross-site scripting vulnerabilities.
• As of 2019 Q1, we have detected 10 severe WordPress vulnerabilities (50% of what we detected in all of 2018) and 1 for Drupal, and none for Joomla!.
• 80.9% of them were blocked by existing rules.
• Drupal has 1 severe remote code execution vulnerability.
• WordPress has 3 severe arbitrary file upload vulnerabilities.
Outdated CMS Analysis
Outdated CMS Risk Assessment
• We reviewed the ticket data for updated and outdated CMSs to identify infection distribution trends.
• A CMS was considered out of date if the environment was not patched with the most recent recommended security version at the point of infection.
• This data indicates that even though maintaining the core CMS with the latest patches is important, it does not necessarily protect you from attack.
CMS Distribution
• Ecommerce websites continue to lead the way in outdated infections due to fear of an update breaking their website.
• This is short-sighted and dangerous because these platforms, more so than any other, are subject to compliance requirements such as PCI DSS.
Outdated Infected
WordPress Installations
• WordPress experienced a decline in the number of outdated, vulnerable versions at the point of infection:
• Dropped almost 3% from 2017.
• Auto-updates have a positive impact on this CMS.
• Vulnerable third-party components are the primary attack vector.
Outdated Infected
Joomla! Installations
• Joomla! rose sharply from 69.8% in 2017 to 87.5% in 2018, a 17.7% change.
• Joomla! does not have automatic update functionality, contributing to a larger window for attackers to target known vulnerabilities.
• This may be related to version release speed or the client profiles seen during the calendar year.
Outdated Infected
Magento Installations
• Magento websites were mostly out of date and vulnerable at the point of infection, up 2.8% from 2017.
• Ecommerce sites are notorious for being behind on updates to avoid breaking functionality and losing revenue from downtime.
• Attackers have a high interest in targeting ecommerce sites with valuable customer data.
• Core vulnerabilities have traditionally led hacks; as we move into 2019 we're seeing a shift to extensible components (e.g., modules). (Great source: Willem's Lab)
Blacklist Analysis
Why Do They Happen?
Website blacklists can significantly impact website owners with devastating results.
• Affects how visitors access a site.
• Impacts rank in Search Engine Result Pages (SERPs).
• Websites lose ~95% of traffic when blacklisted
by Google.
The majority of blacklisting occurs due to spam,
phishing, and other malicious content.
Blacklisted vs. Non-Blacklisted
Approximately 11% of the infected websites
were blacklisted by a prominent blacklist
authority (a 6% decrease from 17% in 2017).
Why Is This Number so Low?
Blacklists do a poor job of detecting internal
infections like backdoors, which aren’t easily
detected by automated scans.
For more information on blacklists see our
guide “What is a Google Blacklist?”
https://sucuri.net/guides/what-is-google-blacklist
Reported Blacklisted Sites
• The two most prominent blacklist authorities were
Norton Safe Web and McAfee SiteAdvisor.
• Both of these groups accounted for over 40% of
blacklisted websites.
• The overlap in percentages is due to more than
one blacklisting authority flagging a single website.
• Blacklists do not operate the same way and will not necessarily share information with each other.
• If your site is blacklisted (or removed from
blacklisting) by one authority, you may not see this
reflected with other blacklist authorities.
Malware Families
Malware Family Distribution
• Malware families allow our team to assess the tactics, techniques, and procedures (TTPs) used by bad actors.
• They help us understand attackers' intentions and provide us with information to anticipate and mitigate future threats.
*A hacked website may have multiple files modified with different malware families, which explains why totals exceed 100%.
Cryptomining & Ransomware
2017 was the year of ransomware; 2018 was the year of cryptomining.
• 272 tickets contained cryptomining malware
• 67% of all cryptomining signatures were related to client-side infections with JavaScript-based miners like CoinHive.
• The remaining 33% of cryptominers were server-side and used PHP to mine digital currencies.
• The number of attacks correlated with the price of cryptocurrencies; we saw a decline in attacks using CoinHive and other JS miners as the price of Monero fell.
[Chart: % of organizations infected by ransomware. Source: Check Point]
PHP Backdoor
• In 2018, 68% of all cleanup requests revealed at least one PHP-
based backdoor hidden on the site.
• This percentage dropped 3% from 2017 but does not negate the
relevance or importance of doing deep scans.
• Backdoors are the leading infection out of all cleanup requests analyzed by the team.
• They're one of the first things an attacker will deploy to ensure
continued access to a compromised environment:
• Function as the point of entry into a site environment
• Allow an attacker to bypass existing access controls
• Effective at eluding modern scanning technologies
• One of the leading causes of reinfections
Malware Distribution
• We discovered a sharp increase in the general malware family distribution, from 47% in 2017 to 56.4% in 2018.
• Attacks in this category are primarily related to PHP functions with undetermined payloads that don’t meet the criteria for other families.
• E.g., payment information stealers, malicious trackers and ad networks, injections from paste sites and URL shorteners, cryptominers, exploits.
SEO Spam
• 51.3% of all infection cases in 2018
were related to SEO spam campaigns;
up 7.3% from the previous year.
• One of the fastest growing families in
recent years.
• Typically occur via PHP, database
injections, or .htaccess redirects.
• Used to abuse existing site rankings,
increase referrals through malicious
redirects, or inject unwanted content.
• Can be difficult to detect; bad actors
employ creative techniques to hide
spam from ordinary visitors and
website owners.
Files Cleaned Per Site
• We cleaned approximately 292 files during
each malware removal request, a 73.81%
increase from 2017.
• Spam infections can inject thousands of files
on a website, and over 38% of infected
functions.php files were associated with SEO
spam signature php.spam-seo.injector.221.
• This indicates an increase in the depth of files being affected during a website compromise.
• This demonstrates why cleaning the symptom from one file is often not enough to completely remove an infection.
Top 3 Modified Files – index.php
• Approximately 34.5% of sites had their index.php files modified after a compromise.
• The index.php file is modified by attackers for a variety of reasons including malware
distribution, server scripts, phishing attacks, blackhat SEO, conditional redirects, and
defacements.
• 24% of index.php files were associated with PHP malware responsible for hiding a file inclusion.
• This malware calls PHP functions like include and include_once, replacing the characters of the file path with their hexadecimal equivalents and mixed-up alphabetic characters so that the included path is not readable.
• 15.8% of index.php files were affected by malicious PHP scripts disguised using absolute paths and obfuscated characters and hidden within seemingly innocent files.
• Instead of injecting the full malware code into a file, this method makes the malware more difficult to detect by using PHP includes and obfuscation.
Top 3 Modified Files – functions.php
• 13.5% of compromised sites had modified functions.php files, which are often
used by attackers to deploy SEO spam and other malicious payloads, including
backdoors and injections.
• Over 38% of functions.php files were associated with SEO spam injectors:
• Malware that loads random content from a third-party URL and injects it on
the affected site.
• Able to update configurations through a remote command.
• Doesn't explicitly act as a backdoor but can use the function to load any kind
of code – including a backdoor.
• Usually found on nulled or pirated themes and plugins.
• 8.3% of functions.php files were impacted by generic malware.
• 7.3% of files were associated with PHP.Anuna, which injects malicious code into PHP files.
• Malicious payloads vary from spam injection, backdoors, creation of rogue
admin users, and a variety of other objectionable activities.
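The two file-level patterns described on the index.php and functions.php slides (an include whose path is hidden behind hex escapes, and a theme functions.php that pulls content from a remote URL) can be triaged with a small heuristic scan. The following Python is an added example, not Sucuri's code or any tool from the report; the PHP snippets inside it are constructed for illustration, the regexes are coarse heuristics, and the rule names and severities are this example's own choices.

```python
"""Heuristic scan for two injection patterns described on the slides:
(1) include/require calls whose file path is hidden behind \\xNN escapes
    (the index.php / wp-config.php "hidden file inclusion" pattern), and
(2) theme functions.php code that pulls content from a remote URL and
    echoes or evaluates it (the SEO spam injector pattern).
All sample PHP below is constructed for illustration, not real malware.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

Finding = Dict[str, str]

# Include-family call followed by a quoted string literal argument.
INCLUDE_CALL = re.compile(
    r"\b(include_once|require_once|include|require)\s*\(?\s*(['\"])(.*?)\2", re.S)
# PHP double-quoted hex escape such as \x2f ("/").
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Functions commonly used to fetch remote content, plus an http(s) URL literal.
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_exec|fopen|wp_remote_get)\s*\(")
HTTP_URL = re.compile(r"['\"]https?://", re.I)
# Dynamic execution of whatever was fetched raises the severity.
EVAL_LIKE = re.compile(r"\b(eval|assert|create_function)\s*\(")


def decode_hex_path(literal: str) -> str:
    """Turn "\\x77\\x70" style escapes back into the characters they hide."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def scan_php(source: str, filename: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in INCLUDE_CALL.finditer(source):
        literal = m.group(3)
        if HEX_ESCAPE.search(literal):
            findings.append({
                "file": filename,
                "rule": "hex-obfuscated-include",
                "severity": "high",
                "detail": f"{m.group(1)} of {decode_hex_path(literal)!r}",
            })
    if (Path(filename).name == "functions.php"
            and REMOTE_FETCH.search(source) and HTTP_URL.search(source)):
        findings.append({
            "file": filename,
            "rule": "remote-content-loader",
            "severity": "high" if EVAL_LIKE.search(source) else "medium",
            "detail": "theme functions.php fetches content from an http(s) URL",
        })
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Scan every .php file below root (assumed to be a site's document root)."""
    results: List[Finding] = []
    for path in sorted(root.rglob("*.php")):
        results.extend(scan_php(path.read_text(errors="replace"), str(path)))
    return results


# Constructed sample index.php: the escaped path decodes to "wp-content/uploads/.cache.php".
SAMPLE_INDEX = r'''<?php
include_once("\x77\x70\x2d\x63\x6f\x6e\x74\x65\x6e\x74\x2f\x75\x70\x6c\x6f\x61\x64\x73\x2f\x2e\x63\x61\x63\x68\x65\x2e\x70\x68\x70");
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
'''

# Constructed sample theme functions.php that echoes remote content into every page footer.
SAMPLE_FUNCTIONS = r'''<?php
add_action('wp_footer', function () {
    $c = @file_get_contents('http://example.invalid/feed.txt');
    if ($c) { echo $c; }
});
function my_theme_setup() { add_theme_support('title-tag'); }
'''

# Constructed clean index.php for comparison.
SAMPLE_CLEAN = r'''<?php
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
'''


def scan_samples() -> Dict[str, List[Finding]]:
    return {
        "index.php": scan_php(SAMPLE_INDEX, "index.php"),
        "functions.php": scan_php(SAMPLE_FUNCTIONS, "wp-content/themes/my-theme/functions.php"),
        "clean.php": scan_php(SAMPLE_CLEAN, "clean/index.php"),
    }


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for f in (scan_tree(target) if target else sum(scan_samples().values(), [])):
        print(f"[{f['severity']}] {f['file']}: {f['rule']} ({f['detail']})")
```

Run it with no arguments to see the constructed samples scored, or pass a document root to walk a real site. Treat hits as leads for manual review: legitimate themes do fetch remote resources, which is why the remote-loader rule is only "medium" unless an eval-style call is also present.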
Top 3 Modified Files – wp-config.php
• wp-config.php was the third most commonly modified file (10.6%).
• Contains sensitive information about the database, including
name, host, username, and password. It is also used to define
advanced settings, security keys, and dev options.
• 11.3% of wp-config.php files were associated with PHP malware
responsible for hiding a file inclusion, also commonly seen with index.php.
• index.php, wp-config.php, and functions.php files are popular targets among attackers:
• Loaded on every site access
• Belong to core files not overwritten during WP updates
• Often ignored by integrity monitoring systems
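The last bullet is the actionable one for defenders: an integrity monitor that only covers core files misses exactly the files attackers prefer. The following Python is an added example, not Sucuri's tooling, of a baseline that hashes every .php and .htaccess file under the document root (so wp-config.php and theme files are included), stores the hashes, and diffs a later snapshot. The site layout and file contents it builds in a temporary directory are constructed.

```python
"""File-integrity baseline covering the files the slides single out (index.php,
wp-config.php, theme functions.php): hash every .php and .htaccess file under
the document root, persist the hashes, and diff a later snapshot against them.
Added example; paths and contents below are constructed, not taken from a real site.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

Baseline = Dict[str, str]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Baseline:
    """Hash every .php file and every .htaccess under root, keyed by relative path.
    Deliberately not limited to core files: wp-config.php and theme files are
    not overwritten by core updates, so they must be in the baseline too."""
    baseline: Baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.suffix == ".php" or p.name == ".htaccess"):
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def save_baseline(baseline: Baseline, store: Path) -> None:
    # Keep the store outside the web root (and ideally off-host) so a compromise
    # of the site cannot rewrite the reference hashes.
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> Baseline:
    return json.loads(store.read_text())


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build a baseline for a constructed site, then change it the way the slides
    describe (edited wp-config.php, new file under uploads) and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root, store = Path(tmp) / "htdocs", Path(tmp) / "baseline.json"
        files = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-config.php": "<?php define('DB_NAME', 'constructed_db');\n",
            "wp-content/themes/my-theme/functions.php": "<?php function my_theme_setup() {}\n",
            ".htaccess": "RewriteEngine On\n",
        }
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        save_baseline(build_baseline(root), store)

        # Simulated post-compromise state (constructed): one edited file, one dropped file.
        with (root / "wp-config.php").open("a") as f:
            f.write("/* constructed: line appended after the baseline was taken */\n")
        dropped = root / "wp-content" / "uploads" / ".cache.php"
        dropped.parent.mkdir(parents=True)
        dropped.write_text("<?php /* constructed dropped file */\n")

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is rebuilt only after a known-good change (a core update or a deliberate theme edit) and the comparison runs on a schedule with alerts on any non-empty result; a PHP file appearing under wp-content/uploads, where no PHP should ever execute, deserves the same attention as a modified wp-config.php.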
Conclusion
What We Learned:
• WordPress: accounted for 90% of all websites cleaned by Sucuri in 2018.
• Blacklist: authorities detected only 11% of infected sites in 2018, a 6% drop from 2017.
• SEO Spam: increased by 14% to 51.3%, from 37% in Q3 2016.
• General Malware: increased to 56.4%, from 47% in 2017.
• Ecommerce: outdated software continues to be the greatest vulnerability to these targets.
Website Compromises: Why Do They Happen?
The majority of compromises are related to outdated or vulnerable software, stolen credentials, and bad configurations:
• Cross-site contamination
• Highly customized deployments
• Lack of knowledge around security best practices
• Abused access control credentials and leaked passwords
• Pirated software or poorly configured plugins, modules, extensions,
applications, server environments
• Issues with backwards compatibility, neglected sites, or a lack of
resources to patch/update
What You Can Do to Stay Safe Online:
1. Always update your core software and components with the latest security patches
2. Maintain offsite website backups; automation and redundancy are important here
3. Employ detection tools that include integrity monitoring, auditing, and alerts
4. Implement SSL & HTTPS to securely encrypt and transmit data
5. Adhere to the principle of least privilege and employ access control measures, including strong passwords
6. Use a web application firewall (WAF) to inspect and filter malicious traffic before it reaches your server
7. Leverage a whitelist approach to access control: block all by default, allow only known good
Free resources to help you improve your security posture:
OWASP WordPress Security Implementation Guideline
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
How to Clean a Hacked WordPress Site
https://sucuri.net/guides/how-to-clean-hacked-wordpress
How to Clean a Hacked Magento Site
https://sucuri.net/guides/how-to-clean-hacked-magento
How to Clean a Hacked Drupal Site
https://sucuri.net/guides/how-to-clean-hacked-drupal
How to Clean a Hacked Joomla! Site
https://sucuri.net/guides/how-to-clean-hacked-joomla
PCI DSS Compliance Requirements Guide & Checklist
https://sucuri.net/guides/pci-compliance-requirements-checklist
WordPress Plugin Vulnerabilities
https://wpvulndb.com/plugins
Editor's notes
* Here, we’ll fix the common malware definition
* I’ll show you three common ways where malware hides
* I’ll try to deobfuscate this magic word a little bit
* And at the end of this webinar I’ll tell you something about…
* So what is malware?
* "The most obvious item to me is that there are way more vulnerabilities seen for smaller install bases - which could indicate that they have less resources (devs) to ensure that plugins/themes have appropriate updates or security"