The FBI issued a public service announcement today, warning concerning WordPress website attacks being carried out by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The perpetrators of these attacks are defacing sites across various platforms such as news organizations, businesses, government sites, and religious institutions.
Last month the would-be terrorists gained infamy by hijacking the Fancybox Plugin vulnerability in order to deface sites with ISIS propaganda. This particular vulnerability allows malware (or any random script/content) to be added to the vulnerable site and was most recently identified as the entry point for the hackers who injected iframes with ISIS messages.
A patch exists for the vulnerability and those affected can easily remove the plugin as an alternative. However, many WordPress users are either ignorant of the security issue or indifferent. The FBI’s announcement serves to warn users of the cost and inconvenience associated with this kind of attack:
Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.
The announcement cited multiple plugin vulnerabilities as a security risk to WordPress users but did not identify the plugins for which patches are currently available. Technical details of the brief are limited to a generalized list of consequences should a vulnerable site get hacked:
Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.
Since these are low level hackers exploiting the most basic types of vulnerabilities, they are not targeting specific sites but rather knocking down any open door they can find. The announcement notes that all of the victims of the defacements share common WordPress plugin vulnerabilities.
The FBI does not believe that these attacks are actually coming from members of ISIL but instead are coming from hackers using the organization’s name as a vehicle for greater exposure.
The FBI assesses that the perpetrators are not members of the ISIL terrorist organization. These individuals are hackers using relatively unsophisticated methods to exploit technical vulnerabilities and are utilizing the ISIL name to gain more notoriety than the underlying attack would have otherwise garnered.
The announcement concludes with a list of general resources for hardening WordPress and identifying vulnerabilities, but the recommendations are vague and non-specific. The best thing that you can do to keep your site safe from these continuing attacks is to make sure you are running the latest version of WordPress. Log in to your sites and update all of your themes and plugins. If you’re using any commercial plugins or themes, make sure to check for updates in case you are not automatically notified.
All of the vulnerabilities referenced in the FBI warning already have patches, and all you need to do is update your plugins. If you have multiple WordPress sites, consider adding them to a centralized dashboard service such as Jetpack Manage, MangeWP, WP Remote, InfiniteWP, or another service of your choosing.