If your CMS is attacked, can your security protect you?
Is your web security robust enough to repel a cyberattack aimed at a vulnerability in your content management system (CMS)? Unfortunately, some companies may be finding out the hard way.
WordPress and Joomla are among the most popular CMS companies today, with WordPress currently residing at the top of the list. More than 60 million websites, including 33.4 percent of the top 10 million global websites, use WordPress.
But being at the top can make you a target, and WordPress and Joomla have become attractive to malicious actors, with cybercriminals targeting sites on these platforms for hacking and injecting malicious content. Over the past several weeks, ThreatLabZ, the embedded research team at Zscaler, has detected several WordPress and Joomla sites that were serving ransomware, backdoors (which can provide unauthorized remote access to a compromised system), malicious redirects (which send users from one URL to another, usually to generate ad impressions), and a variety of phishing pages. The most well-known threats to CMS sites are the result of vulnerabilities introduced by plugins, themes, and extensions.
The compromised WordPress sites observed by ThreatLabZ were using versions 4.8.9 to 5.1.1 and they use SSL certificates issued by Automatic Certificate Management Environment (ACME)-driven certificate authorities, such as Let’s Encrypt, GlobalSign, cPanel, and DigiCert, among others, which tend to have a simple authorization process—and they’re often free. The compromised WordPress sites could be the result of outdated CMS/plugins/themes or server-side software. (You can read an analysis of these attacks here.)
So, what happens if your WordPress site was compromised? What if a vulnerability in your website led to a ransomware or phishing attack? Well, it could cause irrevocable damage to your company.
Ransomware and phishing attacks have become all too common in today’s digital ecosystem.
Ransomware attacks, in the case of a CMS attack, can hold your website hostage until you pay the attacker, typically in Bitcoin. Some of the most notorious ransomware attacks include WannaCry and Petya, but there are plenty of other varieties without the name recognition that are wreaking havoc daily. New strains are getting harder to detect and, in a chilling development, many of the new strains don’t appear to have a decryption mechanism, so even if the ransom is paid, the data is gone.
Phishing attacks attempt to trick users into clicking on a link that takes them to a phony site. Even though the message looks completely legitimate and appears to have come from a trusted vendor such as UPS, Bank of America, Amazon, and many others, the message and the site are both fake, designed to steal sensitive information like usernames, passwords, and credit card numbers. As users have become more careful about clicking suspicious links, attackers have, unfortunately, become much better at mimicking legitimate sites. Often, the only discernable difference is in the URL address.
Obviously, these types of attacks can cost a company quite a bit of money. Some surveys have shown that ransomware losses for businesses can average $2,500 for each incident, with businesses willing to shell out upwards of $50,000 to decrypt their data. There are costs well beyond the ransom, of course. Any disruption to business is costly, as is the loss of productivity. Add to that the time it takes to recover data from backups and reimage systems, pay for upgraded hardware and hire response teams—and the ransom is trivial in comparison.
But the damage can go deeper than that.
In some industries, the brand can be more valuable than the product or service itself. After all, it’s not uncommon for an individual who has a choice between two or three products to choose the one with the brand that’s most well-known or most trusted. But, imagine what happens when that trust is broken. Very quickly, potential customers and partners will take their business to your competitor.
And, in this age of social media, we’ve all seen what happens when an unsatisfied customer posts a negative review about a product or service. What kind of buzz will social media create around your company after you’ve been hit with an attack? Sadly, the old phrase “Any publicity is good publicity” doesn’t hold up under the scrutiny of today’s social media.
Then there are your current customers and partners. What happens to the trust your customers place in you if they become the victims of a phishing scheme launched from your website? What if a partner’s website is suddenly hit with a ransomware attack that came through a vulnerability in your site (a common occurrence)? Unfortunately, after an attack, customers often take their business elsewhere. And, loyal partners can quickly become former partners. Not only does this mean a loss of future revenue, but it also is another hit to your already damaged reputation.
Obviously, companies don’t want to be victims of these attacks. But, as threats evolve, you have to ask yourself if your legacy security is able to handle today’s digital threats. With encryption becoming a top attack vector for cybercriminals, can your security inspect all SSL/TLS traffic? If you are still running a traditional hub-and-spoke network, then the answer to these questions is probably no.
Today’s cyberattacks are getting more sophisticated and they use the latest technologies to evade traditional security and hide malware. That means your security needs to be even more sophisticated, prepared to detect threats hiding in encrypted traffic and block malware callbacks to command-and-control servers. A security platform purpose-built for the cloud can keep these attacks from wreaking havoc on your organization, even if you have locations in scores of countries, with hundreds of branch offices, thousands of remote and mobile workers, and countless apps in the cloud. With cloud security, there’s no on-net or off-net user; every user is the same with identical security.
Cybercriminals are continually rethinking and revising their attacks to give them the greatest chance of success. Isn’t it time you did the same thing with your web security?
Read the ThreatLabZ technical analysis of the attacks: https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-https-sites
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Steve Grossenbacher is Zscaler senior manager, product marketing