Have you ever wondered what a mass WordPress infection looks like? All at once, a hundred thousand websites get blacklisted due to the swift, automated attacks from evil malware authors. This leaves a great number of business owners, developers, and system admins scrambling for solutions.
Meanwhile, the companies that provide professional hack cleanup services are inundated with new requests for emergency assistance, all at once. These massive infections are impossible to plan for, especially if it’s your first day on the job.
Come on in, the Water’s Fine
It is Monday morning, December 15, 2014; the day I start my dream job. I wake up and acknowledge it is a Monday, but I don’t think much of it because… dream jobs.
I grab a hot cup of coffee and sit down at my computer. I boot up, log in and, voila, the day begins. I start my morning by reading the latest blog posts on our company blog. I finish the two most recent posts, dated December 14 and December 15 and authored by our CEO and CTO respectively. Being in marketing, I had not yet grasped the gravity of the disclosures. I then message Tony Perez, our CEO, and inform him of the task completed. I am proud. First task, done. I smile.
After reading the two blog posts about the SoakSoak issue, I expect him to reply and direct me to start my technical training, because I am aware that everyone at Sucuri needs to learn to clean websites—even in marketing and sales. Tony responds with a choppy, Morse-code-meets-shorthand message that says:
[Dec-15 9:31 AM] Tony Perez: what I’d recommend
[Dec-15 9:31 AM] Tony Perez: for now
[Dec-15 9:31 AM] Tony Perez: is try to find as many threads as you can on this issue
[Dec-15 9:31 AM] Tony Perez: on the web
[Dec-15 9:31 AM] Tony Perez: and follow them
[Dec-15 9:31 AM] Tony Perez: see who is mentioning us
[Dec-15 9:31 AM] Tony Perez: good or bad
[Dec-15 9:31 AM] Tony Perez: and keep me posted
[Dec-15 9:31 AM] Tony Perez: don’t engage
Excellent! I can definitely do that. And so it begins. It is vital to note the titles of the posts I read:
- SoakSoak Malware Compromises 100,000+ WordPress Websites
- RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise
A Bigger Picture
Being new to the website security world, I did not have the slightest clue just how ominous “SoakSoak” actually was, and I struggled to put its weight into context until I started tracking the online conversation.
Internally, there were moving parts working in tandem—a joint effort being pursued. Beyond merely treading water, the goal maintained during the SoakSoak outbreak was to help, and the effort was organized, strategic, and measurable.
Identifying, researching, and disclosing vulnerabilities is a daunting task and it is far from simple; however, when done correctly, thoroughly, and with integrity, it can make a meaningful difference. What I observed immediately was a calculated and coordinated counterattack against the dark forces of the Internet.
The discussion surrounding the SoakSoak exploit of the RevSlider WordPress plugin vulnerability continued to grow. As the day progressed, the numbers from Twitter alone showed an estimated combined total reach of 1.5M. Whoa. Yes, 1,500,000. I was shocked. Day 1 and I am charged with tracking a confirmed viral post from my company—the same company that is on the leading edge of the discovery. Norton picked up the notice along with several well-trusted companies and media outlets. Nice. I am living the marketing dream.
Still, there was more to understand. I eventually realized that the roots of SoakSoak went back a bit further, as the initial article on the vulnerability had been posted in September 2014 by Daniel Cid. The actual vulnerability had been silently patched back in February. Revelation: They (the hackers) have been at this for a while.
Although I was inundated with the task of tracking those who had been affected, I was fascinated at the pervasiveness of the compromise and more so with all the intricacies necessary to properly notify, recover, and secure someone’s website. I began seeing a bigger picture.
Since that first week, attacks on the RevSlider vulnerability have evolved. They no longer involve only SoakSoak, but now encompass other exploits that inject malicious iframes.
Due to the expansive compromise, hackers have been able to leverage a plethora of compromised sites as engines to store their payload and exploit creative backdoor opportunities. In that first affront alone, more than 10K sites had been blacklisted by Google due to this specific vulnerability.
That number was sure to increase. Why? The reality is that even after being exposed to 1.5M people, updates were not completed fast enough, more people were affected than effectively notified, and still others were lax, not understanding the true gravity of the matter. The clock was ticking, and while site owners scrambled or dragged their feet, hackers continued their advances.
Learning to Swim
Organized and strategic practices are only a fraction of the real battlefront. At the core and foundation of the entire company, I observed a drive to sincerely protect people—not only their websites, but also everything else that comes with them: work, income, growth, stability, brand, etc. All of those components matter to a site owner and none of it should be written off.
For this reason, the attitude of tenacious help for hacked webmasters validated the required remediation training in which EVERYONE at Sucuri (regardless of job-title or position) must partake. It clarified, for me at least, the enthusiasm among a team who had been working tirelessly, literally around the clock (even up to, on, and immediately after Christmas Day). All hands were on deck. No one was too big or too small to help in the concerted effort. That matters.
As a result, the tone of the messages from those discussing the information we provided about SoakSoak was overwhelmingly positive. From affected individuals to major news outlets, the SoakSoak article seemed to be regarded, directly or indirectly, as at minimum a necessary warning to heed, and at maximum the very standard that vulnerability disclosures should follow. I was impressed. I was proud.
Letting It All Sink In
Let’s recap. So, what are the lessons here? Proverbial Internet trolls are actually out there, but they are not, necessarily, the people posting snarky comments on blogs and Twitter-shaming people. They are those malware authors who cloak themselves in proxies and data center bounces while invading plugins and widgets with advertisements and spam. These attackers work deep in the dark corners of the Internet, seeking any opportunity to capitalize on vulnerabilities, failures to update, or weak passwords.
Since Monday, December 15, 2014, I have come to realize that a hacked site can cost a significant amount. Often, the cost of recovery, in business, is significantly under-appreciated. Yet, it is important to remember what is at stake. Left unchecked, the vermin who lurk about the binary interspace seeking the next victim to devour would be successful.
They would cost a small business owner precious time with their family, and cause branding damage that could force a medium-sized company to re-evaluate their Human Resource budget (which would equate to layoffs).
The stay-at-home blogger could lose the much needed traffic necessary to generate the advertising dollars she uses to buy groceries and pay bills. Beyond the discovery of real Internet “dangers,” more than anything else, I have learned that the fixers are a necessary and invaluable resource. And, those fixers must remain as objective as possible in order to truly wear the white hats.
Organization and attitude are two key factors in maintaining security and effectively persisting in white hat efforts. All of this was learned from a single starting point during a critical mass infection. I am excited about the future of our anti-hacker team and our strategies for success.