CMS Hacking
ISACA, 10/22/2013. Covering an analysis of 3rd party application threats, focusing on CMS systems.
Confidential. © 2013 Imperva, Inc. All rights reserved.
CMS Hacking
Analyzing the Risk with 3rd Party Applications
Barry Shteiman – Director of Security Strategy
04/11/2023
Agenda
CMS defined
Risks and trends
Recent incidents
Into the details
• An attack campaign
• Industrialized attack campaign
Reclaiming security
Today’s Speaker - Barry Shteiman
Director of Security Strategy
Security Researcher working with the CTO office
Author of several application security tools, including HULK
Open source security projects code contributor
Twitter @bshteiman
CMS Defined
Content Management System
What is a CMS?
A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface.
Source: https://en.wikipedia.org/wiki/Content_management_system
Deployment Distribution
Source: http://trends.builtwith.com/cms
Enterprise Adoption
Risks and Trends
OWASP Top 10 – 2013 Update
New, A9 - Using Known Vulnerable Components
3rd Party
According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party
When a 3rd Party Brings its Friends
More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks
7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks
-- Checkmarx Ltd. research lab “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013
You can’t fix code you don’t own, and even code you host yourself has third party components in it.
Attack Surface
Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security)
In research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core and ~80% in plugins and extensions.
Classic Web Site Hacking
Hacking
1. Identify Target
2. Find Vulnerability
3. Exploit
Single Site Attack
Classic Web Site Hacking
Hacking (the same three steps, repeated independently for each site)
1. Identify Target
2. Find Vulnerability
3. Exploit
Multiple Site Attacks
CMS Hacking
Hacking
1. Identify CMS
2. Find Vulnerability
3. Exploit
CMS Targeting Attack
Recent Incidents
3rd Party Code Driven Incidents
Drupal.org’s own servers were breached via a 3rd party application.
3rd Party Code Driven Incidents
3rd party service provider hacked, customer data affected.
3rd Party Code Driven Incidents
Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.
HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
Just Last Week…
Into the Details
How a CMS Attack Campaign Might Look
The Attacker’s Focus
Server Takeover
Direct Data Theft
CMS Mass Hacking
Source: www.exploit-db.com
Step 1: Find a vulnerability in a CMS platform
Even public vulnerability databases contain thousands of CMS related vulnerabilities.
CMS Gone Wild(card)
Step 2: Identify a fingerprint in a relevant CMS-based site
A fingerprint can be
• Image
• URL
• Tag
• Object Reference
• Response to a query
• etc.
Fingerprinted
Tag based
The code will usually contain fingerprints (unless obfuscated) of the CMS in use.
Fingerprinted
URL based
An administrator interface may be front facing, allowing both detection of the CMS and login attempts against it.
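The two fingerprint types above (tag based and URL based) are straightforward to audit on your own pages before an attacker does it for you. The following is an added example written for this transcript, not code from the deck or from Imperva: it parses an HTML page with the Python standard library and reports the generator meta tag plus any asset or link paths that reveal the CMS. The WordPress path fragments in URL_HINTS and the sample page are assumptions constructed for the example.

```python
"""Audit an HTML page for CMS fingerprints a site owner may want to remove.
Added example for the CMS fingerprinting discussion; not from the original deck.
"""
from html.parser import HTMLParser

# Well-known WordPress path fragments (assumption: this list is illustrative,
# a real audit would carry entries for every CMS you operate).
URL_HINTS = {
    "/wp-content/": "WordPress asset path",
    "/wp-includes/": "WordPress core path",
    "/wp-login.php": "WordPress login page",
    "/wp-admin/": "WordPress admin interface",
    "/xmlrpc.php": "WordPress XML-RPC endpoint",
}
ADMIN_HINTS = {"WordPress login page", "WordPress admin interface"}


class FingerprintParser(HTMLParser):
    """Collects (kind, description, value) triples while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        # Tag based: <meta name="generator" content="WordPress 3.6">
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.findings.append(("tag", "meta generator", a.get("content", "")))
        # URL based: any href/src/action that points into a CMS-specific path
        for attr in ("href", "src", "action"):
            value = a.get(attr)
            if not value:
                continue
            for hint, desc in URL_HINTS.items():
                if hint in value:
                    self.findings.append(("url", desc, value))


def find_cms_fingerprints(html):
    parser = FingerprintParser()
    parser.feed(html)
    return parser.findings


def cms_versions(findings):
    """Generator strings leaked by the page, e.g. 'WordPress 3.6'."""
    return [value for kind, _, value in findings if kind == "tag"]


def exposes_admin_interface(findings):
    """True when the page itself links to the login or admin interface."""
    return any(desc in ADMIN_HINTS for _, desc, _ in findings)


# Constructed sample page, typical of a default WordPress theme.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.6" />
<link rel="stylesheet" href="/wp-content/themes/twentythirteen/style.css" />
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<a href="/wp-login.php">Log in</a>
</body></html>"""

if __name__ == "__main__":
    for kind, desc, value in find_cms_fingerprints(SAMPLE_HTML):
        print(f"{kind:4} {desc:28} {value}")
```

Removing the generator tag and not linking the login page from public templates reduces what a mass-scanning campaign can match on, but the asset paths remain unless the CMS is deliberately restructured, so treat this audit as a measure of exposure rather than a fix.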
Google Dork for the Masses
Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
Results: 144,000
Google Dork for the Masses
In our case: Database Host, User and Password Exposed
Botnets Targeting Your CMS
Recently observed:
• Botnets scan websites for vulnerabilities
• Inject hijack/drive-by code into vulnerable systems
• Onboard hijacked systems into the botnet
From a Botnet Communication
Botnet operator uses zombies to scan sites for vulnerabilities
* As observed by Imperva’s ADC Research Team
Google Dork
From a Botnet Communication
Botnet exploits vulnerabilities and absorbs victim servers
* As observed by Imperva’s ADC Research Team
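The wp-config dork above works because a .txt, .conf or .bak copy of a PHP configuration file is served as plain text, and the botnet slides show the same thing done at scale by zombies probing many sites. Both are visible in ordinary web server logs. The following is an added example written for this transcript, not code from the deck or from Imperva's ADC team: it reads combined-format access log lines, flags requests for configuration files and their backup variants, separates the ones that were actually served (HTTP 200, the urgent case), and marks source addresses that probe many distinct paths within a short window. The log format, file-name patterns, thresholds and the sample log lines are assumptions constructed for the example.

```python
"""Detect configuration-file probing and scanning bursts in access logs.
Added example for the Google dork and botnet slides; not from the original deck.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Configuration files of common CMSs plus editor/backup suffixes. The PHP
# original is executed by the server; a .txt/.bak/~ copy is served verbatim.
CONFIG_PROBE_RE = re.compile(
    r"/(?:wp-config(?:\.php)?|configuration\.php|settings\.php|\.env)"
    r"(?:\.(?:bak|old|orig|save|swp|txt|conf|config|dist|sample)|~)?$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_config_probe(path):
    return CONFIG_PROBE_RE.search(path) is not None


def analyze_log(lines, window_seconds=60, scan_threshold=5):
    """Return config-file probes, probes that were served (HTTP 200) and
    client IPs whose probing looks like automated scanning."""
    probes, exposed = [], []
    suspicious = defaultdict(list)  # ip -> [(ts, path)] of probes and 404s
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        probe = is_config_probe(rec["path"])
        if probe:
            probes.append((rec["ip"], rec["path"], rec["status"]))
            if rec["status"] == 200:
                exposed.append((rec["ip"], rec["path"]))
        if probe or rec["status"] == 404:
            suspicious[rec["ip"]].append((rec["ts"], rec["path"]))
    scanners = set()
    for ip, events in suspicious.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct paths probed within window_seconds of this event
            paths = {p for ts, p in events[i:]
                     if (ts - start).total_seconds() <= window_seconds}
            if len(paths) >= scan_threshold:
                scanners.add(ip)
                break
    return {"config_probes": probes, "exposed": exposed, "scanners": scanners}


# Constructed sample log: one normal visitor, one scanner that finds a
# plain-text config copy, and one isolated probe.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [22/Oct/2013:10:00:03 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812
198.51.100.9 - - [22/Oct/2013:10:01:00 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 211
198.51.100.9 - - [22/Oct/2013:10:01:01 +0000] "GET /wp-config.txt HTTP/1.1" 200 2987
198.51.100.9 - - [22/Oct/2013:10:01:02 +0000] "GET /wp-config.php~ HTTP/1.1" 404 211
198.51.100.9 - - [22/Oct/2013:10:01:03 +0000] "GET /configuration.php.old HTTP/1.1" 404 211
198.51.100.9 - - [22/Oct/2013:10:01:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 211
192.0.2.44 - - [22/Oct/2013:11:30:00 +0000] "GET /wp-config.php.old HTTP/1.1" 404 211
"""

if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG.splitlines())
    print("served config files :", report["exposed"])
    print("probe count         :", len(report["config_probes"]))
    print("scanning sources    :", sorted(report["scanners"]))
```

An entry in exposed means the file was delivered and its database credentials should be treated as compromised, independent of who requested it; the scanners set is the lower-priority signal, useful for rate limiting or for feeding a WAF reputation list.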
Reclaiming Security
Securing 3rd Party Applications
Analyzing the Attack Surface
Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security)
Certain vulnerabilities in 3rd party applications can only be properly fixed using Web Application Firewalls.
Deployment Matters
On premise deployment: applications and 3rd party code deployed in your virtual/physical data center.
Cloud based deployment: hosted applications and B2B services (Imperva Incapsula Cloud).
Recommendations
When a company builds its security model, it usually does not take into account elements that are not under its control, and that gap creates the security hole.
Companies should:
• Implement policies, on both the legal and technical side, to control data access and data usage.
• Require third party applications to accept your security policies and put proper controls in place.
• Monitor.
Technical Recommendations
Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities.
Pen test before deployment to identify these issues.
Deploy the application behind a WAF to:
• Virtually patch pen test findings
• Mitigate new risks (unknown at pen test time)
• Mitigate issues the pen tester missed
• Use a cloud WAF for remotely hosted applications
Virtually patch newly discovered CVEs
• Requires a robust security update service
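A virtual patch is a rule evaluated in front of the application so that a pen test finding or a newly published CVE is neutralised before the third-party code is reached and before its vendor ships a fix. The following is an added example written for this transcript, not Imperva's product, a real WAF rule language or code from the deck: a minimal request filter in which each rule carries an id, a description and a predicate, and can run in block or log (monitor) mode. The rule set, the allowlisted management address, the plugin endpoint named example-plugin and the sample requests are all hypothetical and constructed for the example.

```python
"""Minimal virtual-patching filter in the style of a WAF rule set.
Added example for the technical recommendations; not from the original deck.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    client_ip: str = "0.0.0.0"


@dataclass
class Rule:
    rule_id: str
    description: str
    matches: Callable[[Request], bool]
    action: str = "block"  # "block" drops the request, "log" only records it


# Assumed management addresses allowed to reach the admin interface.
ADMIN_ALLOWLIST = {"192.0.2.10"}

# Hypothetical rule set: each entry stands in for one pen test finding or CVE.
RULES: List[Rule] = [
    Rule("VP-001", "Configuration file or backup copy exposure (pen test finding)",
         lambda r: re.search(r"/(?:wp-config|configuration\.php|settings\.php)(?:\.[a-z~]+)*$",
                             r.path, re.IGNORECASE) is not None),
    Rule("VP-002", "Admin interface reachable only from allowlisted addresses",
         lambda r: r.path.startswith(("/wp-admin/", "/wp-login.php"))
         and r.client_ip not in ADMIN_ALLOWLIST),
    Rule("VP-003", "Path traversal in 'file' parameter of a hypothetical plugin endpoint",
         lambda r: r.path.startswith("/wp-content/plugins/example-plugin/")
         and ".." in r.params.get("file", "")),
    Rule("VP-004", "XML-RPC usage (monitor first, block once legitimate clients are known)",
         lambda r: r.path == "/xmlrpc.php", action="log"),
]


def evaluate(req: Request, rules=RULES):
    """Return ("block" | "allow", [matched rule ids]); log-only rules never block."""
    matched = [rule for rule in rules if rule.matches(req)]
    decision = "block" if any(rule.action == "block" for rule in matched) else "allow"
    return decision, [rule.rule_id for rule in matched]


def simulate(requests, rules=RULES):
    """Evaluate a batch of requests; handy for replaying pen test traffic."""
    return [(req.method, req.path, *evaluate(req, rules)) for req in requests]


# Constructed sample traffic covering each rule.
SAMPLE_REQUESTS = [
    Request("GET", "/index.php", client_ip="203.0.113.7"),
    Request("GET", "/wp-config.php.bak", client_ip="203.0.113.7"),
    Request("GET", "/wp-login.php", client_ip="203.0.113.7"),
    Request("GET", "/wp-login.php", client_ip="192.0.2.10"),
    Request("GET", "/wp-content/plugins/example-plugin/download.php",
            {"file": "../../wp-config.php"}, client_ip="203.0.113.7"),
    Request("POST", "/xmlrpc.php", client_ip="203.0.113.7"),
]

if __name__ == "__main__":
    for method, path, decision, ids in simulate(SAMPLE_REQUESTS):
        print(f"{decision:5} {method:4} {path:55} {','.join(ids) or '-'}")
```

Two practical caveats a rule author should keep in mind: a broad admin rule such as VP-002 may need an exception for endpoints the public front end calls (WordPress serves AJAX through wp-admin/admin-ajax.php), and a log-only rule such as VP-004 is the usual way to measure that blast radius before flipping a rule to block.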
Questions?
www.imperva.com
Thank You