The new developments in ransomware and manipulation of hacked websites.
This study is based on data from the Sucuri Remediation Community (RG), which comprises the Incident Response Team (IRT) and the Malware Analysis Team (MRT), gathered and evaluated. It analyses, and publishes data linked to, 8,000 + infected websites:
- Applications of open source CMS impacted
- Information on site WordPress
- Blacklists which flag the hacked site
- Families of malware and its repercussions
The Pattern report on the Hacked Website is a study created by Sucuri. It outlines the current developments from bad actors, describing the Remediation Community (RG)’s new strategies, methods , and procedures (TTPs). This study would draw on preceding quarter results including revised 2016 / Q3 results.
The one constant you will see in this study is the problems linked to poorly qualified website administrators (i.e. webmasters) and their website impact.
This study would include patterns focused on the CMS applications most impacted by website vulnerabilities, the form of malware families working, and blacklisting status changes. It eliminates configuration details for WordPress plugin.
This study is based on a representative survey of the total number of websites in Calendar Year (CY) 2016 Quarter 3 (CY16-Q3) on which the Sucuri RG carried out incident management services. In this study , a total of 7,937 contaminated websites have been analysed. The most reliable description of the overall sites that Sucuri served on this quarter was this survey.
Based on our results, compared to 2016 – Q1 / Q2, WordPress, Joomla, were the three leading CMS platforms! And then Magento. This does not mean, once again, that some networks are more or less reliable than others.
In most cases the examined concessions have little, if anything, to do with the heart of the CMS programme itself, but rather with incorrect webmasters implementation, setup, and overall maintenance.
The Q3 telemetry reveals that stuff on all systems were reasonably consistent. For both Joomla the cumulative improvements seemed slight! And both Magento reported a rise of 1 per cent. Magento’s slight uptick is no surprise , given this year’s trend of attackers turning their attention to online-trade sites ( i.e. e-commerce).
The above map gives a monthly overview of the distribution of the network for the top four CMS applications we track.
Outdated CMS Analysis
Although the leading cause of infections resulted from bugs contained in the extensible components of CMS systems ( i.e. extensions, plugins, modules), it is often necessary to evaluate and appreciate the status of the CMS that we’ve been working on.
- Updated CMS
- Outdated CMS
A CMS was deemed obsolete if it was not on the current approved security upgrade or had not patched the system with required security patches (as is the case for Magento deployments) at the time Sucuri was engaged in incident management services.
The most unexpected shift this quarter has been the 6 percent growth in old, insecure versions of WordPress applications at the infection stage. In Q1 / Q2, WordPress hacked sites reported obsolete instals at 56 per cent respectively and 55 per cent.
Drupal has reported a rise of 2 per cent between Q2 and Q3.
Magento (94 per cent) and Joomla are close to the previous quarters! Websites (84 per cent) were largely out of date and at the point of infection prone.
Why we think this is happening hasn’t changed. It tends to come from three areas: heavily specialised implementations, backward compatibility issues, and the scarcity of sufficient personnel to aid with the migration within the respective organisations. This tend to generate updating and patching problems for the organisations that use them for their websites by problems of incompatibility and possible impacts on functionality of the website.
The most alarming part of this development is with the Magento network, one of major corporations’ leading sites for online trading. Attackers targeting the web for its rich data ecosystem and targeting cardholder data ( i.e., credit card information, even up to PAN information) are increasing concern. More information on that will be available in the Q4 update.
Similar to previous quarters, we provide WordPress website with a deep dive analysis as it accounts for 74 per cent of our sampling.
The top three plugins in WordPress remain TimThumb, Revslider and Gravity Forms:
These were the top three obsolete, weak, plugins at the stage where Sucuri offered resources for incident response:
We saw an increase in Revslider in Q3, falling from 10% to 8.5% and in GravityForms from 6% to 4%. As a result of these three sites, the overall number of contaminated WordPress instals fell considerably this year, from 25 per cent in Q1 to 18 per cent in Q3. If more website owners and hosts continue to proactively fix out of date ecosystems, ongoing decline is expected. The most interesting, and perhaps troubling, dataset is that TimThumb lacks improvement. We think this has to do with the fact that, close to what we saw with Revslider, many website owners are unaware that they have the script on their pages at all.
However, the data reveals that when these get replaced, others start taking their place. There are actually no other mass-used plugins that will account for more than 1 per cent of our dataset.
Note: There was a patch available for all three plugins for a year, with TimThumb dating back several years (four to be accurate, about 2011). In version 1.8.20, December 2014, Gravity Forms was modified to fix the limitation of Arbitrary File Upload (AFU) which is causing the problems described in this article. RevSlider was secretly patched February 2014, publicly unveiled by Sucuri September 2014, with mass compromises beginning (and continuing) from December 2014. This highlights the difficulties faced by the group in raising awareness among website owners of the issues, helping website owners to repair the issues, and encouraging their webmasters’ regular management and administration of websites.
Unfortunately, during the study we have had to delete the plugin distribution in this report due to corrupted info. We intend to see this dataset reintroduced in upcoming quarters.
In Q3 we were continuing our blacklist research. Website blacklists have the potential to negatively impact website owners so it is important to consider how a blacklist notice can be deleted.
A website which is flagged by a blacklist authority such as Google will devastate the functionality of the website. It can impact how people navigate a website, how it rates in the Search Engine Result Pages (SERP) and can negatively affect communications such as email correspondence.
Around 15 percent of the compromised websites were blacklisted according to our study (a 3 percent decline from 18 percent in Q2). This means that about 85 percent of the thousands of compromised websites we’ve been working on is publicly spreading malware. This illustrates the value of constant tracking of the web property through conventional methods, such as webmaster applications like Google and Bing. It also emphasises that tracking of blacklists is not adequate to determine when a site has been hacked.
We use a variety of various blacklists in our tests. Google Secure Browsing was the most popular blacklist; it stood for 69 percent of the blacklisted pages, it also happens to be 10 percent of the overall compromised pages we were operating on. Norton Secure Platform had 24% of the blacklists and McAfee SiteAdvisor caught 10% of the blacklists. All other blacklists that we review were less than 1 percent flagged and omitted from the survey (including: PhishTank, Spamhaus, and a few smaller ones).
Note: The number will never be 100 percent, since many blacklists at the same time have highlighted certain pages.
Part of our analysis over the past quarter involves examining the different patterns in infection , especially how they interact with our family of malware. Malware families help our team to better analyse and understand the strategies , techniques and procedures (TTP) of the attackers which inevitably lead us to their intentions.
A compromised site can have several files changed with various malware families inside it (a partnership of many to many). It depends on the intent of the attacker (i.e., action on goal) and how they intend to exploit their new weapon (i.e. the website which is now part of their network).