It was announced this week that WordPress, one of the most popular blogging platforms in the world, has fallen prey to a malware attack, infecting at least 100,000 sites so far.
The cause of the attack is a form of Russian malware known as SoakSoak, and it's shrouded in mystery. Launched from soaksoak.ru, the attack exploits a vulnerability in the RevSlider plug-in. Security firm Sucuri noted there was an issue with the plug-in months ago, but it appears as though no steps were taken to remediate the problem. The malware works as a drive-by download, infecting visitors of sites that have already been compromised in order to quickly spread the malicious software. An exact motive behind the attack is still unknown, but researchers have speculated that it could be either financial gain or data theft.
The offending plug-in is a piece of premium WordPress software, making it difficult for most users to upgrade the plug-in and remove the problem. According to Sucuri's Daniel Cid, some site administrators are not even aware they have RevSlider because it's bundled into the theme they're using.
More worrying than the fact that many users aren't aware of the presence of the plug-in (and therefore potentially the malware) is that hackers appear to be installing new malicious software onto affected sites that allows them to keep control of the pages in the long term, even after the initial problem is fixed.
Keeping malware off enterprise sites
In an effort to curb the spread of the malware, Google has so far blacklisted tens of thousands of domains, and the number is increasing daily.
"[In] less than 24 hours it was 11,000, today this morning, it was over 15,000…that means it's spreading fast and Google is usually a bit slower," said Sucuri CEO Tony Perez in an interview with SCMagazine. "If they picked it up that fast it talks to the scale. Our estimates based on our data has it [at] over [100,000 infections] at the moment, and rising."
It can be difficult to know for sure if a WordPress site is infected. The page may begin to act oddly, but it may not become immediately evident that an issue has occurred. When enterprises face threats that are hard to detect, implementing a security information and event management (SIEM) solution can help to fill in the gaps left by traditional defense programs. With a managed SIEM solution, companies receive continuous monitoring of sensitive systems. When suspicious behavior that may suggest an intrusion is detected, the event is recorded and analyzed in order to inform future defense strategies and ensure privileged networks remain private and secure.
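As an added example that is not part of the article or of Sucuri's tooling, the Python check below addresses two points raised above: RevSlider bundled inside a theme where an administrator may not notice it, and files that reference the soaksoak.ru host the attack was launched from. It assumes the plug-in ships in a directory named revslider, and it builds a constructed sample site tree so it can run on its own.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumptions (not stated in the article): the plug-in ships in a directory
# named "revslider", and an injected loader references the soaksoak.ru host
# from a PHP, JavaScript or HTML file somewhere under the WordPress root.
PLUGIN_DIR_NAME = "revslider"
MALICIOUS_HOST = re.compile(r"soaksoak\.ru", re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def find_revslider_dirs(wp_root):
    """Relative paths of every 'revslider' directory under wp-content,
    whether installed as a plug-in or bundled inside a theme."""
    root = Path(wp_root)
    hits = []
    for dirpath, dirnames, _ in os.walk(root / "wp-content"):
        for d in dirnames:
            if d.lower() == PLUGIN_DIR_NAME:
                hits.append(str((Path(dirpath) / d).relative_to(root)))
    return sorted(hits)


def find_soaksoak_refs(wp_root):
    """Relative paths of web-served source files that mention soaksoak.ru."""
    root = Path(wp_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            if MALICIOUS_HOST.search(path.read_text(errors="ignore")):
                hits.append(str(path.relative_to(root)))
    return sorted(hits)


def build_sample_site():
    """Constructed WordPress-like tree: RevSlider nested in a theme (easy to
    miss in the plug-in list) plus one file carrying an injected loader."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content/themes/mytheme/plugins/revslider").mkdir(parents=True)
    (root / "wp-content/plugins/akismet").mkdir(parents=True)
    (root / "wp-includes").mkdir()
    (root / "wp-includes/injected.php").write_text(
        "<?php echo '<script src=\"http://soaksoak.ru/x\"></script>';")
    (root / "wp-includes/clean.php").write_text("<?php echo 'ok';")
    return str(root)


if __name__ == "__main__":
    site = build_sample_site()
    print("RevSlider copies:", find_revslider_dirs(site))
    print("Files referencing soaksoak.ru:", find_soaksoak_refs(site))
```

A hit from either function is a reason to pull the site for closer inspection, not proof of compromise on its own; the article notes that attackers also leave behind additional software that outlives the initial fix.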