Vulnerable plugins, extensions and default settings are responsible for a high rate of website compromise, according to new research.
Content management systems (CMS) are frequently used to structure websites and online services, including e-commerce stores, and to facilitate the management and publication of content by web administrators.
Plugins and extensions add to website functionality and can provide everything from contact forms to SEO optimization, maps, image albums and payment options. As a result, they’re incredibly popular – but if vulnerable to exploitation, their use can put entire websites at risk of being hacked.
Sucuri’s 2021 Website Threat Research Report (.PDF) examined these issues in depth with a particular focus on the use of CMS including WordPress, Joomla and Drupal.
According to the researchers, vulnerable plugins and extensions “represent significantly more compromises to websites than outdated core CMS files”, with approximately half of website intrusions recorded by the company’s customers occurring on a domain with an update. CMS.
Threat actors often exploit legitimate, but hacked, websites to host malware, credit card skimmers, or to deploy spam. Sucuri says websites containing “a recently vulnerable plugin or other extension” are most likely to be abused in this way.
“Even a fully updated and patched website can suddenly become vulnerable if one of the elements of the website has a vulnerability and steps are not taken quickly to fix it,” the researchers commented.
Additionally, webmasters who leave their CMS websites and control panels on default configurations are considered a “serious liability”, especially when multi-factor authentication (MFA) is not implemented or possible.
The report listed the most common types of malware found on compromised websites. At the top we have backdoors – forms of malware that give their operators persistent access to a domain and the ability to exfiltrate data, among other features.
Sucuri said more than 60% of its website compromise cases involved at least one backdoor.
Additionally, credit card skimmers remain a persistent threat to e-commerce retailers. Skimmers are usually small pieces of code implanted on payment pages, which collect card details from customers. and forward them to a server controlled by the attacker.
They now account for more than 25% of new PHP-based malware signatures detected in 2021.
Spam is also one of the most common forms of website compromise. A total of 52.6% of websites cleaned by the company contained SEO spam, such as URL redirects, which are used to force visitors to landing pages that display malicious content. Additionally, the team found evidence of spam injectors hiding spammy links in hacked websites to improve their SEO rankings.
Most of the spam related content is about pharmaceutical products like viagra, essay writing services, escorts, gambling, adult websites and pirated software.
“While there is no 100% security solution for website owners, we have always advised using a defense-in-depth strategy,” says Sucuri. “Having defensive controls in place helps you better identify and mitigate attacks against your website. […] At its most basic, maintaining a good security posture comes down to a few basic principles: keep your environment up-to-date and patched, use strong passwords, enforce the principle of least privilege, and take advantage of a firewall. web application fire to filter malicious traffic. »
Previous and related coverage
Do you have any advice? Get in touch securely via WhatsApp | Signal at +447713 025 499, or more at Keybase: charlie0