
Within Seconds of TLS Certificates Being Issued, WordPress Sites are Attacked

by CISOCONNECT Bureau

Hackers are attacking newly deployed WordPress sites before their owners can even complete the installation wizard.

Hackers are using the Certificate Transparency (CT) system to find and compromise new WordPress sites during the brief window before the Content Management System (CMS) has been configured and secured.

Certificate Transparency is a web security standard for monitoring and auditing TLS (the successor protocol to SSL) certificates, which are issued by Certificate Authorities (CAs) and used to confirm a website’s identity.

The DigiCert CA was the first to implement the standard in 2013. It requires CAs to immediately report all newly issued certificates to public logs so that rogue or misused certificates can be discovered promptly.

Malicious Cyberattacks
Evidence is mounting that malicious hackers are monitoring these logs in order to locate new WordPress domains and configure the CMS themselves after web administrators have uploaded the WordPress files but have yet to secure the site with a password.

Several testimonies have surfaced describing sites being hacked within minutes, if not seconds, of TLS certificates being requested.

Domain owners have reported the presence of a malicious file (/wp-includes/.query.php) and sites being forced to join DDoS attacks.

A Certbot engineer said the assaults had “been happening for a few years now” in a related thread on the support forum of Let’s Encrypt, a CA that issues free certificates and launched its own CT log in 2019.

Working Mechanism
The engineer’s hypothesis about the attackers’ reconnaissance techniques is supported by Josh Aas, executive director of the Internet Security Research Group, which operates Let’s Encrypt.

“If the attacker is polling CT logs directly they would see new certificate entries faster, giving them a larger time window in which to pull off the attack,” Aas told The Daily Swig. Scanning crt.sh, a certificate search domain, “might also work, but it takes longer for new certificates to propagate from CT”.

The attacks do not stem from any flaw in the CT system itself, which according to Let’s Encrypt has “led to numerous improvements to the CA ecosystem and web security” and “is rapidly becoming critical infrastructure”.

According to Aas, all publicly trusted CAs must submit certificates to CT logs “without delay after they are issued”.

Automated WP Installation
Aas indicated that domain owners and hosting providers are ultimately responsible for protecting new WordPress sites.

“Getting a certificate from Let’s Encrypt may make it easier to detect a new installation, but nobody should be putting WordPress installations on the public internet until they are secured. If a hosting provider or any other entity is doing that, please report it as a vulnerability in their deployment process.”

Josepha Haden, executive director on the WordPress project at Automattic, told The Daily Swig that the attacks “only affects direct installations – if a site is on any recommended host, or the installation process is automated, there is usually a pre-configured config file so the installation process is complete/is not interactive and there’s little chance for that attack”.
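The non-interactive, pre-configured install that Haden describes is the practical mitigation for this window. The following bash script is an added example, not code from the article, WordPress or Let’s Encrypt: it renders a wp-config.php with database credentials and freshly generated secret keys, checks that no stock placeholder salts remain, and sketches a deployment order in which `wp core install` (WP-CLI, assumed to be installed) completes before the virtual host and certificate are ever enabled. The database names, environment variables and the final “enable vhost” step are placeholders for whatever the deployment system supplies.

```shell
#!/usr/bin/env bash
# Added example (not from the article): render a pre-configured wp-config.php so a
# new WordPress deployment never exposes the interactive install wizard.
# Assumptions: DB credentials, admin account and site URL come from the deployment
# system via WP_* environment variables; all names here are placeholders.
set -eu

# Emit one 64-character random secret for a WordPress key/salt constant.
wp_random_secret() {
    head -c 96 /dev/urandom | base64 | tr -d '\n/+=' | head -c 64
}

# Write $1/wp-config.php with credentials $2 (db name), $3 (db user), $4 (db password)
# and a fresh random value for each of the eight WordPress secret constants.
render_wp_config() {
    local dir="$1" db_name="$2" db_user="$3" db_pass="$4" k
    local keys="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
    {
        printf '<?php\n'
        printf "define('DB_NAME', '%s');\n" "$db_name"
        printf "define('DB_USER', '%s');\n" "$db_user"
        printf "define('DB_PASSWORD', '%s');\n" "$db_pass"
        printf "define('DB_HOST', 'localhost');\n"
        # Block the in-dashboard theme/plugin editor, a common post-compromise foothold.
        printf "define('DISALLOW_FILE_EDIT', true);\n"
        for k in $keys; do
            printf "define('%s', '%s');\n" "$k" "$(wp_random_secret)"
        done
        printf "\$table_prefix = 'wp_';\n"
        printf "if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }\n"
        printf "require_once ABSPATH . 'wp-settings.php';\n"
    } > "$dir/wp-config.php"
    chmod 0640 "$dir/wp-config.php"   # readable by the web server group only
}

# True (exit 0) if $1/wp-config.php still carries WordPress's stock placeholder
# salts, i.e. the secrets were copied from wp-config-sample.php and never set.
config_has_placeholder_salts() {
    grep -q 'put your unique phrase here' "$1/wp-config.php"
}

# Deployment order that closes the window: config and non-interactive install
# first, web server exposure and certificate request last. WP-CLI (`wp`) is
# guarded because it may be absent on the machine running this script.
deploy_site() {
    local dir="$1" url="$2"
    render_wp_config "$dir" "$WP_DB_NAME" "$WP_DB_USER" "$WP_DB_PASS"
    if command -v wp >/dev/null 2>&1; then
        wp core install --path="$dir" --url="$url" --title="Site" \
            --admin_user="$WP_ADMIN_USER" --admin_password="$WP_ADMIN_PASS" \
            --admin_email="$WP_ADMIN_EMAIL" --skip-email
    fi
    # Placeholder for the real last step: enable the vhost, then request the certificate.
    echo "install complete for $url; safe to enable vhost and request certificate"
}
```

Running `render_wp_config /var/www/example wp_db wp_user 's3cret'` (placeholder values) produces a config that makes `/wp-admin/install.php` non-interactive for the database step; only after `wp core install` has created the admin account should the site be reachable and the certificate requested, since the CT log entry is effectively a public announcement of the new host.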

White Fir Design, a Colorado-based web design firm, in a recent blog post on the topic suggested that WordPress could solve the problem by giving the domain owner “control of the website” at the outset, “say, by adding a [template] file”.

Christopher Cook, developer of Certify the Web, a Windows UI for Let’s Encrypt, proposed on the Let’s Encrypt forum that WordPress “could randomise the install URL and present it only to you in the console, or require a one-time token”.

Josepha Haden acknowledged that WordPress needed “to review the issue. The Core team is aware and discussing the best changes as well as best timing as we move forward with the rest of our releases for the remainder of the year.”
