From: MS-ISAC Advisory
Sent: Wednesday, February 8, 2017 3:07 PM
To: Thomas Duffy
Subject: Message from the MS-ISAC: Significantly Increased Website Defacement Activity Following WordPress Vulnerability Disclosure - TLP: GREEN

TLP: GREEN

MS-ISAC CYBER ALERT

TO: All MS-ISAC Members, Fusion Centers, and IIC Partners
DATE: February 8, 2017
SUBJECT: Significantly Increased Website Defacement Activity Following WordPress Vulnerability Disclosure

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has identified a significant increase in state, local, tribal, and territorial (SLTT) website defacements following the announcement of a privilege escalation vulnerability in the WordPress Content Management System (CMS) that can be exploited without authentication. The MS-ISAC issued a Cybersecurity Advisory on the vulnerability and patch on February 2. Since that time, the MS-ISAC has notified members of more than 180 defacements and numerous scans, based on both open source reporting and MS-ISAC monitoring. This is a 1850% increase in defacement activity compared to January 2017, and is equivalent to over 1/3 of all defacement activity observed in 2016. Based on the known cyber threat actors involved, the range of targeted entities, and concurrent open-source reporting, the MS-ISAC believes these attacks are opportunistic and do not strategically target SLTT websites.

INDICATORS:

MS-ISAC monitoring and Sucuri open source reporting identified the following indicators conducting potential exploit activity. The MS-ISAC recommends reviewing logs for activity or attempted activity by the following IP addresses and taking appropriate action:

* 37.237.192.22
* 71.19.248.195
* 134.213.54.163
* 144.217.81.160
* 176.9.36.102
* 185.116.213.71
* 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1

Sucuri also proposed a method of identifying potential exploits of this vulnerability.
The MS-ISAC encourages SLTT entities to consider drafting a signature for their network security device based on the following information:

* Suspicious POST attempts to "/wp-json/wp/v2/posts/[post number]" are indications of possible exploit activity, where [post number] is an integer.
* POST data of vulnerable attempts may look like "id=8960justrawdata&title=By+NeT.Defacer&content=By+NeT.Defacer", where the id value is not numeric.
* Suspicious GET attempts to "/wp-json/wp/v2/posts/[post number]?id=[alphanumeric]" are used to scan for vulnerable WordPress installations, where [post number] is an integer. Example of a suspicious GET: "/index.php/wp-json/wp/v2/posts/1?id=1asd".

Please report additional indicators to the MS-ISAC at SOC@cisecurity.org.

RECOMMENDATIONS:

The MS-ISAC continues to monitor for open source web defacement activity against all SLTT websites, as well as for activity against members monitored by the MS-ISAC. The MS-ISAC recommends the following additional actions:

* Ensure no unauthorized system changes have occurred before applying patches.
* Update WordPress CMS to the latest version after appropriate testing. If possible, enable automatic updates from WordPress.
* Run all software as a non-privileged user to diminish the effects of a successful attack.
* Review and follow WordPress hardening guidelines: http://codex.wordpress.org/Hardening_WordPress.
* Consult MS-ISAC Cyber Security Advisory 2017-011 for more technical details regarding this vulnerability at https://msisac.cisecurity.org/advisories/2017/2017-011.cfm.
* If a WordPress installation was compromised, the MS-ISAC recommends replacing the website with a previous known-good copy and resetting passwords.

REFERENCES:

* https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
* https://blog.sucuri.net/2017/02/wordpress-rest-api-vulnerability-abused-in-defacement-campaigns.html
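The signature guidance above translates directly into a log-review check. The following is an added example, not part of the MS-ISAC advisory or Sucuri's reporting: it classifies requests in Apache/nginx combined-format access logs against the GET-scan and POST-exploit patterns described (a non-numeric id parameter on the /wp-json/wp/v2/posts/[post number] route) and flags source addresses that appear in the indicator list. The sample log lines are constructed for illustration; the combined log format, the handling of the /index.php prefix, and the verdict labels "scan" and "exploit-attempt" are assumptions of this example.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# IP indicators listed in the advisory, normalized so that IPv6 text
# variants (letter case, zero compression) compare equal.
IOC_IPS = {ip_address(s) for s in (
    "37.237.192.22", "71.19.248.195", "134.213.54.163", "144.217.81.160",
    "176.9.36.102", "185.116.213.71",
    "2a00:1a48:7808:104:9b57:dda6:eb3c:61e1",
)}

# Assumed log layout: Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# REST route named in the advisory; the optional /index.php prefix covers
# the example GET it shows (sites without pretty permalinks).
POSTS_ROUTE_RE = re.compile(r'^(?:/index\.php)?/wp-json/wp/v2/posts/\d+/?$')


def is_ioc_ip(ip_text):
    """True if the source address is one of the advisory's indicators."""
    try:
        return ip_address(ip_text) in IOC_IPS
    except ValueError:
        return False


def classify_request(method, target, body=None):
    """Return "scan", "exploit-attempt", or None for one request.

    The signal from the advisory is an `id` parameter that is not purely
    numeric, either in the query string (GET scans such as ?id=1asd) or in
    the POST data (id=8960justrawdata&...). `body` is the raw POST body when
    a WAF or proxy captured it; access logs alone do not contain it.
    """
    parts = urlsplit(target)
    if not POSTS_ROUTE_RE.match(parts.path):
        return None
    ids = parse_qs(parts.query).get("id", [])
    if body:
        ids += parse_qs(body).get("id", [])
    if not any(not v.isdigit() for v in ids):
        return None  # numeric or absent id: ordinary REST traffic
    return "exploit-attempt" if method == "POST" else "scan"


def scan_access_log(lines):
    """Return (ip, method, target, verdict, ioc_match) for suspicious lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["method"], m["target"])
        if verdict:
            hits.append((m["ip"], m["method"], m["target"], verdict,
                         is_ioc_ip(m["ip"])))
    return hits


# Constructed sample lines (not real traffic): the first three sources are
# documentation ranges, the last is the advisory's IPv6 indicator.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Feb/2017:10:01:02 +0000] "GET /index.php/wp-json/wp/v2/posts/1?id=1asd HTTP/1.1" 200 512 "-" "python-requests/2.12.4"',
    '198.51.100.7 - - [08/Feb/2017:10:01:03 +0000] "POST /wp-json/wp/v2/posts/1?id=1justrawdata HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [08/Feb/2017:10:01:04 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '2a00:1a48:7808:104:9b57:dda6:eb3c:61e1 - - [08/Feb/2017:10:01:05 +0000] "GET /wp-json/wp/v2/posts/3?id=3abc HTTP/1.1" 200 498 "-" "curl/7.47.0"',
]

if __name__ == "__main__":
    for ip, method, target, verdict, ioc in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:15} ioc={ioc!s:5} {ip} {method} {target}")
```

Two practical caveats. A POST whose non-numeric id travels only in the request body is invisible in a standard access log, so the POST rule needs a WAF, reverse proxy or mod_security-style body capture to fire; the optional `body` argument is where that data goes. A hit on the route with a numeric id is normal REST API traffic and is deliberately not reported, which keeps the check usable on busy sites.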
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7x24 SOC)
Email: soc@cisecurity.org
www.cisecurity.org
Follow us @CISecurity

TLP: GREEN
Limited disclosure, restricted to the community. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. TLP: GREEN information may not be released outside of the community. http://www.us-cert.gov/tl

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

Messages and attachments sent to or from this email account pertaining to City-County of Butte-Silver Bow business may be considered public or private records depending on the message content (reference Section 9, Montana Constitution; 2-6 MCA).