How CMS Systems are being used by hackers to stage a cybercrime

The development of Content Management Systems (“CMS”) has enabled the most inexperienced of new users to develop and publish their own blog or website.  What are CMS Systems and how are CMS Systems being used by hackers to stage a cybercrime?

The WikiPedia definition of a CMS is “a computer application that supports the creation and modification of digital content. It is often used to support multiple users working in a collaborative environment.”

Simply put, a CMS is a set of tools and applications that are used to build and manage electronic text.  They are available as point and press development tools for non-IT literate users to develop their own websites and blogs.

The WordPress CMS generator accounts for about 27% of all websites and a CMS market share of around 60%. It claims to allow a complete novice to have a fully‑fledged CMS up and running in less than ten minutes.

As a consequence many developers do not have the background to understand the need for good security hygiene, and do not build fully-tested security systems and features into the design and implementation of their blogs and websites.

All CMS development platforms include a section on what to do following deployment to make your implementation more secure.  Usually this involves removing installation files and changing access rights to operational code libraries.   In the excitement of the moment, most novices do not follow these instructions through, leaving their sites open to hackers.

Bear in mind though that the novice user usually uses a hosted platform to host their blog or website and it is up to the host to ensure that their part of the deal is secure.  As can be seen from the footnotes, one exploit was successful because a host was lax in the application of up to date security patches.

That is why they are ripe for plunder by hackers.

Who are the hackers and what do they want?  They range from geeks looking for boasting credits, to criminals stealing personal information for later sale, to businesses carrying out industrial espionage and spies and terrorists looking for classified information.   CMS attackers tend to be geeks or outright criminals.

At first glance there are two main threats – infection with malware and ransomware.  But it must be remembered that CMS attacks are not limited to these two malware variants.

Where organisations use cloud technologies to host a CMS platform, there is the potential for data extraction, leading to identity theft and other criminal acts.  CMS does not need new malware.  It is a new platform for malware, which because most CMS sites are developed by inexperienced users, do not have appropriate security features in place.

To distribute malware, hackers seed a CMS website or blogging platform with malware so that unsuspecting users download it when visiting the site, and subsequently seed the other blogs and websites they visit. It’s not just the malware protection software.  It is also very important to keep the CMS software up to date with patches and version upgrades to ensure that all potential threats are recognised and countered.

An example of where neglecting patch management caused problems is the SoakSoak attack in late 2014 on WordPress CMS sites.  The exploit infected over 100,000 sites with malware.  Google blacklisted over 11,000 domains.

Sucuri reported that “ “Our analysis is showing impacts in the order of 100’s of thousands of WordPress specific websites. We cannot confirm the exact vector, but preliminary analysis is showing correlation with the Revslider vulnerability we reported a few months back.” states the post. “The impact seems to be affecting most hosts across the WordPress hosting spectrum. Quick breakdown of the decoding process is available via our PHP Decoder.” ”

The effect of SoakSoak was to redirect unsuspecting users to SoakSoak.ru webpages, where further malicious malware was downloaded to the user computer.

Ransomware is a relatively new phenomenon that is rapidly heading to a Billion dollar a year turnover according to the FBI.  Basically it involves encoding or encrypting a user’s systems and or data. The user is asked to pay for a decryption key to return the data to a usable format.  Formerly targeted only at large corporate sites able to pay a large ransom to have their systems returned, it is now diversifying to smaller individual personal sites holding family picture and video albums.  Most individuals will pay out to have their precious memories returned to them.

It’s not just WordPress.  Both Joomla and  Drupal, two top CMS platforms have also been targeted.   Open systems users shouldn’t feel complacent.  Linux based CMS systems have also been attacked in this way.

It is important to remember that security is not an event, it is a continuous process.   Risk can never be reduced to zero, security programmes are more about risk reduction than elimination.

Today, if one looks at HackDig the war between the hacker and the CMS platform developer rages on.  New vulnerabilities are being uncovered and patched at the time of writing.

How to prevent hackers using your CMS as a platform for cybercrime is to adopt the same protocols as any other IT platform. Practice good cyber hygiene.  Like most criminals, hackers tend to be opportunistic by nature, and will attack the low-hanging fruit first.  Prepare and implement a good security framework for your organisation. If you are a novice user, please implement the bits you forgot about or ignored when developing your CMS.  Harass your hosting service provider to keep up to date with all relevant security patches.