This entry was posted in General Security, Vulnerabilities, Wordfence, WordPress Security on February 10, 2017 by Mark Maunder

Yesterday we published numbers showing how widespread the defacement campaign targeting the REST-API vulnerability, recently fixed in WordPress 4.7.2, has become. If you have not already updated to 4.7.2 on all sites you operate, do so immediately. If you are using Wordfence Premium, you are already protected.

26% Growth in Defacements in 24 Hours

Yesterday when we published our initial research on the defacement campaigns we are tracking, we published data on 19 separate defacement campaigns. (20 total, but one is the same string, just capitalized differently, so we have removed it.)

This is yesterday’s chart on total defacements per campaign.

The table below shows defacement growth per campaign during the past 24 hours since we published the statistics above. During the past 24 hours we have seen an average growth in defaced pages per campaign of 44%.

The total number of defaced pages for all these campaigns, as indexed by Google, has grown from 1,496,020 to 1,893,690. That is a 26% increase in total defaced pages in just 24 hours.

Government, Educational and Commercial Sites All Impacted

This morning we took a look at which websites have been affected by this attack. We only considered the single most successful defacement campaign when doing this research: the “Hacked by MuhmadEmad” campaign.

The following is a partial list of websites that have been defaced by the top defacement campaign alone. So far we have seen:

Vanderbilt University’s Center for Teaching defaced:

Conservative commentator Glen Beck’s site defaced:

ChildCareAware.org, a project funded by the US Department of Health and Human Services defaced:

National American University (Nasdaq: NAUH), a school with over 5,000 students, was defaced.

LetsGetHealthy.ca.gov, a California government website was defaced.

The Utah Office of Tourism Industry website defaced:

The US Department of Energy’s Joint Center for Energy Storage Research website defaced:

In the UK we’re seeing local government websites defaced. This is the Offa community council website serving several areas in North Wales.

The list of victims is long and growing. In the UK alone we’re seeing tourism sites, public health websites, support websites, healthcare sites, sites discussing abuse issues and schools all affected by this defacement campaign.

New Campaigns Appearing

In the past 24 hours we have seen 5 new defacement campaigns appear. Their defacement numbers are still low relative to the large numbers we are seeing among established campaigns.

Growth in Unique Attacking IPs

Across all campaigns we are seeing steady growth in the number of unique IP addresses that are attacking WordPress sites using the REST-API defacement attack.

Analyzing the Top Defacement Campaign

When analyzing the top defacement campaign, we looked at the other attack methods that “MuhmadEmad” uses. Over the past 90 days, the attack types we have detected from this threat actor are:

The above shows which firewall rules in Wordfence blocked this attacker. As you can see this attacker uses a wide range of techniques to deface websites.

Over 95% of attacks that we blocked from “MuhmadEmad” are coming from a single IP address:

IP Address: 149.56.218.228
Total attacks blocked by Wordfence from this IP over 90 days: 33,972
Hostname: ip228.ip-149-56-218.net
Location: Montreal, Canada
Hosting provider: OVH Hosting, also known as OVH SAS

This attacker uses a range of malware and has switched attack techniques several times during the past 90 days. They recently switched to exploiting websites using the new REST-API vulnerability.
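The two measurements above, unique attacking IPs per day and the share of blocked attacks attributed to a single source, can be reproduced from your own firewall block log. The following is an added example, not Wordfence's code; it assumes a hypothetical one-line-per-block log format and uses a constructed sample in which only the 149.56.218.228 address comes from this post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in a hypothetical format, not Wordfence's own: "<date> <source IP> <rule that fired>".
SAMPLE_LOG = """\
2017-02-08 149.56.218.228 rest-api-content-injection
2017-02-08 149.56.218.228 rest-api-content-injection
2017-02-08 203.0.113.7 rest-api-content-injection
2017-02-09 149.56.218.228 rest-api-content-injection
2017-02-09 149.56.218.228 malicious-file-upload
2017-02-09 198.51.100.22 rest-api-content-injection
2017-02-09 203.0.113.7 rest-api-content-injection
2017-02-10 149.56.218.228 rest-api-content-injection
2017-02-10 149.56.218.228 rest-api-content-injection
2017-02-10 203.0.113.7 rest-api-content-injection
2017-02-10 198.51.100.22 rest-api-content-injection
2017-02-10 192.0.2.50 rest-api-content-injection
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")

def parse_log(text):
    """Return (day, ip, rule) tuples; lines that do not match the format are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def unique_attackers_per_day(records):
    """Distinct source IPs per day, in date order."""
    seen = defaultdict(set)
    for day, ip, _rule in records:
        seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}

def day_over_day_growth(per_day):
    """Percent growth in unique attackers versus the previous day (None for the first day)."""
    days = list(per_day)
    growth = {days[0]: None} if days else {}
    for prev, cur in zip(days, days[1:]):
        growth[cur] = round(100.0 * (per_day[cur] - per_day[prev]) / per_day[prev], 1)
    return growth

def source_shares(records):
    """Fraction of all blocked attacks attributed to each source IP, highest first."""
    counts = Counter(ip for _day, ip, _rule in records)
    total = sum(counts.values())
    return [(ip, n / total) for ip, n in counts.most_common()]

def dominant_sources(records, threshold=0.5):
    """Source IPs behind at least `threshold` of all blocks: the case for a targeted block."""
    return [ip for ip, share in source_shares(records) if share >= threshold]
```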

Conclusion

As you can see, the defacement campaign targeting the REST-API vulnerability continues with growing momentum. The number of attacking IP addresses has increased, and the number of defacement campaigns has increased too. We are also seeing a rapid increase in the number of defaced websites: a 26% increase in total defaced pages in the past 24 hours across the defacement campaigns we started tracking yesterday.

You can help the community by spreading the word as quickly and widely as possible: If you haven’t already updated to WordPress 4.7.2, it is only a matter of time until you are hit by this.