The Network: Our customer is a private equity real estate investment organization on the U.S. East Coast with more than $1B assets under management. Their headquarters location included external facing servers and multiple offices each with hundreds of workstations managed by their central IT department but stretched thin to detect and remediate threats quickly. The EventTracker SIEMphonic service enables 24/7 IT security monitoring.
The Expectation: Millions of websites around the globe are powered by WordPress (WP). A WP vulnerability exposes websites to vulnerabilities that allow unauthorized attackers to execute malicious code that serves up malware or spam, redirects readers to other websites, or plants backdoors for future exploit. Our real estate investment customer operates in an industry based on trust; dangerous malware causes customer confusion and defection, diminished brand reputation and lost revenue.
The Catch: The EventTracker SOC (Security Operations Center) detected an attack attempting to exploit a known vulnerability called TimThumb Remote command execution against the popular WordPress content management system. TimThumb is a PHP script used for web development that resizes images. The EventTracker analyst examined the payload and found that the attacker was trying to exploit the vulnerability, forcing a redirection to hxxp://178.x.x.x/qtx.mips and using the chmod command to escalate the privileges.
The Find: The critical vulnerability discovered by Pichaya Morimoto in the TimThumb Wordpress plugin resides in its “Webshot” feature that, when enabled, allows attackers to execute commands on a targeted website. The vulnerability allows an attacker to execute arbitrary PHP code on the affected website remotely. Once the malicious PHP code executes, the website is easily compromised by the attacker. While TimThumb is used by hundreds of other WordPress plugins and themes, the webshot option is disabled by default, so only those TimThumb installations who have manually enabled the Webshot feature are vulnerable to the flaw. The source of the attack is part of the Mirai botnet.
The Fix: The EventTracker SOC promptly alerted the customer’s network administrator to disable the WebShot feature on the website and verify that the target was not vulnerable to the attack.
The Lesson: Minimize the risk of getting exploited by keeping software updated and patched – especially for high-value assets like a customer-facing website. Educate administrators and users on the threats posed by third-party software and to remain vigilant regarding software and patches over time. SIEM monitoring from EventTracker enables 24/7 visibility and early detection of new and emerging threat.