This entry was posted in General Security, Research, Vulnerabilities, WordPress Security on February 9, 2017 by Mark Maunder.
In this report we share data on the ongoing flood of WordPress REST-API exploits we are seeing in the wild. We include data on 20 different site defacement campaigns we are currently tracking.
We show how attackers have switched to the REST-API exploit and how it has increased their success rates. We have also seen an evolution in the attack method targeting the REST-API exploit and have evolved our rule-set accordingly. We also demonstrate how hackers are competing to deface sites using the REST-API exploit.
This report highlights the immediate need to protect your site against this attack. Both our attack data and our site cleaning team's observations indicate that this attack is having a wide impact.
On January 26th, WordPress released version 4.7.2, which contained a security fix for a vulnerability in the REST API that allows an unauthenticated attacker to modify the content of posts and pages on a WordPress site (the affected releases are 4.7 and 4.7.1). The fix was not announced at the time, so that attackers would not be aware of the vulnerability while the WordPress auto-update mechanism updated vulnerable sites.
The hidden security fix was announced on February 1st, six days later, at which point attackers became aware of the vulnerability. By that time a substantial number of WordPress websites had already updated to version 4.7.2.
We immediately deployed a firewall rule to our Premium customers on February 1st and started logging attacks targeting the REST API vulnerability. We didn't see many attacks until February 3rd, when volume started picking up.
Attacks continued, and on February 6th we saw that attackers had discovered a new variant of the attack that bypassed our rule and the rules other firewall vendors had put in place. We immediately deployed a second rule to our Premium Wordfence customers, pushed out in real time early on February 6th.
The new rule is in red on the chart above and shows how attackers massively ramped up the volume of attacks they were launching using this new, more successful variant of the attack. The chart above is up to midnight last night, Pacific time. We have confirmed that the second newer variant of the attack still bypasses at least one major cloud firewall vendor as of 10am PST this morning.
This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites. During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor.
If you are using Wordfence Premium, you are protected against this vulnerability even if you are running an older, vulnerable version of WordPress. There are multiple variants of the REST-API exploit, and the Wordfence Premium firewall rule-set blocks all of the variants we have seen so far. Patching to 4.7.2 is still the right fix; the firewall buys time for sites that cannot update immediately.
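The post describes logging attacks against the REST API and a second variant that slipped past the first firewall rules, but does not show what a request looks like. The following is an added example, not Wordfence's rule or code from the original post, of detection logic run over constructed web-server log lines. It assumes the mechanism from the public disclosure of this vulnerability: a request to the single-post update route whose query-string `id` is non-numeric (for example `1abc`), which the permission check cannot resolve to a post but the update handler later casts to a real post ID. It recognises two ways of reaching the same route, the `/wp-json/` path and the `rest_route` query parameter that WordPress uses when pretty permalinks are off; treating the second form as the post's "new variant" is an assumption, as is treating the REST server's `_method` query override as a write. The log lines, IP addresses and timestamps are constructed for the example.

```python
"""Flag web-server log lines that look like WordPress REST API content-injection attempts.

Added example (not from the original post). Assumptions are marked in the comments.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Single post / page by numeric ID: the routes whose update handler was affected.
POSTS_ROUTE_RE = re.compile(r'^/wp/v2/(?:posts|pages)/(?P<route_id>\d+)$')
WRITE_METHODS = {'POST', 'PUT', 'PATCH'}


def rest_route(target):
    """Return (route, query) for a request target; route is None if it is not a REST call.

    Two ways of reaching the REST API are recognised:
      * the pretty path   /wp-json/<route>
      * the query form    /index.php?rest_route=/<route>   (assumption: this is the
        variant that evaded path-based rules; it is how WordPress serves the API
        when pretty permalinks are disabled)
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    path = unquote(parts.path)
    marker = '/wp-json/'
    if marker in path:
        # keep the leading slash of the route: '/wp-json/wp/v2/posts/1' -> '/wp/v2/posts/1'
        return path[path.index(marker) + len(marker) - 1:], query
    if 'rest_route' in query:
        return query['rest_route'][0], query
    return None, query


def is_injection_attempt(method, target):
    """True when a write to the post-update route carries a non-numeric `id` in the query.

    The query-string `id` overrides the numeric ID in the route. A value such as
    '1abc' is not a post ID at permission-check time but casts to 1 when the
    content is written. A patched site rejects it; the attempt is still worth
    recording, since the same source will usually try several variants.
    """
    route, query = rest_route(target)
    if route is None or not POSTS_ROUTE_RE.match(route):
        return False
    # Assumption: a `_method` query override is honoured, so a GET can be a write.
    effective_method = query.get('_method', [method])[0].upper()
    if effective_method not in WRITE_METHODS:
        return False
    ids = query.get('id', [])
    return bool(ids) and not ids[0].isdigit()


def scan(log_text):
    """Parse combined-format log lines and return the attempts as dicts."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_injection_attempt(m['method'], m['target']):
            route, query = rest_route(m['target'])
            findings.append({'ip': m['ip'], 'method': m['method'],
                             'route': route, 'id': query['id'][0]})
    return findings


def top_sources(findings, n=25):
    """Attempts per source IP, most active first (the shape of the post's top-25 table)."""
    return Counter(f['ip'] for f in findings).most_common(n)


# Constructed sample: two attacking sources, one legitimate reader, one benign POST.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2017:10:15:01 +0000] "POST /wp-json/wp/v2/posts/1?id=1abc HTTP/1.1" 200 512
203.0.113.5 - - [06/Feb/2017:10:15:02 +0000] "POST /wp-json/wp/v2/posts/2?id=2x HTTP/1.1" 200 498
198.51.100.7 - - [06/Feb/2017:10:16:30 +0000] "POST /index.php?rest_route=/wp/v2/posts/1&id=1abc HTTP/1.1" 200 510
198.51.100.7 - - [06/Feb/2017:10:16:31 +0000] "GET /index.php?rest_route=/wp/v2/posts/1&id=1abc&_method=PUT HTTP/1.1" 200 510
192.0.2.9 - - [06/Feb/2017:10:17:00 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 4096
192.0.2.9 - - [06/Feb/2017:10:17:05 +0000] "POST /wp-json/wp/v2/posts/1?id=1 HTTP/1.1" 401 97
"""

if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:15} {h['method']:4} {h['route']} id={h['id']!r}")
    print(top_sources(hits))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. The status code is deliberately ignored: on a patched site these requests come back as errors, and it is exactly those sources you want on a block list before they move on to a site that is not patched.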
The attackers using the REST-API exploit are defacing websites by leaving their own signature on a defaced WordPress page. We are currently tracking 20 different defacement campaigns.
The table below shows the total attacks for each campaign, the number of unique WordPress websites attacked and the number of IP addresses that each attacker is using. On the far right we also include the number of defaced pages for each campaign, according to this morning’s Google results.
To determine which campaigns have the highest success rate, we did a Google search for each campaign name in quotes. This gives us an indication of the approximate number of defaced pages per campaign. The actual numbers are in the table above in the far right column.
In some cases the attacker may have used a different exploit to deface a page. However, as you’ll see below, the number of defaced pages for each of these campaigns has increased dramatically since the emergence of the REST-API exploit.
Google Trends gives a good indication of the attackers' success rate over time. Using Trends, we found that from mid-2014 until now these campaigns had little success compromising websites.
Then, starting in early February when the REST API vulnerability was disclosed, the success rate for these campaigns increased massively. Google started indexing compromised pages, and it shows up in Google Trends:
If we change the scale of the chart to just show 2017, you can see the huge spike in success these attack campaigns have had infecting WordPress websites using the REST-API vulnerability. This spike coincides exactly with the date the REST-API vulnerability was disclosed.
Let's take a look at our top defacer. If we look at the list of MuhmadEmad's compromised sites on Zone-H.org, he usually drops a file called krd.html or defaces the home page. The content usually looks like this.
On Zone-H, which is an archive of hacked sites, it is clear that he took a break for a couple of days after the REST-API attack emerged on February 1st, perhaps to develop a new exploit.
Then, starting February 4th, he resumed attacking, and you can see the compromised URLs change to individual defaced WordPress pages:
In some cases we are seeing hackers competing to deface sites. On the defaced page below you can see HolaKo has defaced the current page, and the link to the next page shows that the following page is defaced by ‘Imam’.
In some cases we can see defaced pages being defaced again by another attacker. The hackers are getting hacked. This page was defaced by ‘Imam’:
But when you visit the page, the title has now been changed to show another defacer has taken over.
Sites running WordPress 4.7 or 4.7.1 will continue to be defaced and re-defaced until they either upgrade to WordPress 4.7.2 or put a firewall like Wordfence in front of the REST API. Cleaning the defaced pages without doing one of those two things only leaves the site open to the next campaign.
The following is a list of the top 25 IP addresses, by number of attacks, that are exploiting the WordPress REST-API vulnerability. If you are a security researcher, you're welcome to download this table and incorporate it into your own research.
This is one of the worst WordPress related vulnerabilities to emerge in some time. Our site cleaners have been working with site owners all week to help them clean defaced sites. In every case the customer was not running our Premium firewall and had not updated to WordPress 4.7.2.
If you have not been able to update to WordPress 4.7.2 but are using Wordfence Premium, you have been protected against this since exploitation started.
As always, I will be around to reply to your comments.
Mark Maunder – Wordfence Founder/CEO.