06 May 2022 at 13:36 UTC
Updated: 06 May 2022 at 13:43 UTC
Attackers pounce before site owners can activate the installation wizard
Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites in the typically brief window of time before the content management system (CMS) has been configured and therefore secured.
CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate websites’ identity.
First implemented by the DigiCert CA in 2013, the standard mandates that CAs immediately record all newly issued certificates on public logs in the interests of transparency and the prompt discovery of rogue or misused certificates.
However, evidence is growing that malicious hackers are monitoring these logs in order to detect new WordPress domains and configure the CMS themselves after web admins upload the WordPress files, but before they manage to secure the website with a password.
Multiple testimonies have emerged detailing sites being hacked within minutes – within seconds, even – of TLS certificates being requested.
RELATED ‘Dangerous’ EU web authentication plan threatens to undercut browser-led certification system
Domain owners report the appearance of a malicious file (/wp-includes/.query.php) and sites being press-ganged into joining DDoS attacks.
On a related thread on the support forum of Let’s Encrypt, a CA that issues free certificates and launched its own CT log in 2019, a Certbot engineer said the attacks had “been happening for a few years now”.
Josh Aas, executive director at the Internet Security Research Group, which runs Let’s Encrypt, agrees with the engineer’s speculation over the attackers’ reconnaissance techniques.
“If the attacker is polling CT logs directly they would see new certificate entries faster, giving them a larger time window in which to pull off the attack,” Aas told The Daily Swig. Scanning crt.sh, a certificate search domain, “might also work, but it takes longer for new certificates to propagate from CT”.
There’s no question of the attacks reflecting shortcomings in the CT system, which according to Let’s Encrypt has “led to numerous improvements to the CA ecosystem and web security” and “is rapidly becoming critical infrastructure”.
Aas said all publicly trusted CAs are required to submit certificates to CT logs “without delay after they are issued”.
An argument for automation
He suggested that the responsibility for protecting new WordPress sites ultimately lies with domain owners and hosting providers.
“Getting a certificate from Let’s Encrypt may make it easier to detect a new installation, but nobody should be putting WordPress installations on the public internet until they are secured. If a hosting provider or any other entity is doing that, please report it as a vulnerability in their deployment process.”
Catch up on the latest WordPress security news
Josepha Haden, executive director on the WordPress project at Automattic, told The Daily Swig that the attacks “only affects direct installations – if a site is on any recommended host, or the installation process is automated, there is usually a pre-configured config file so the installation process is complete/is not interactive and there’s little chance for that attack”.
In a recent blog post on the topic, Colorado-based web design firm White Fir Design suggested that WordPress could tackle the problem by giving the domain owner “control of the website” at the outset, “say, by adding a [template] file”.
On the Let’s Encrypt forum, Christopher Cook, developer of Let’s Encrypt Windows UI Certify the Web, proposed that WordPress “could randomise the install URL and present it only to you in the console, or require a one-time token”.
Josepha Haden acknowledged that WordPress needed “to review the issue. The Core team is aware and discussing the best changes as well as best timing as we move forward with the rest of our releases for the remainder of the year,” she said.
RECOMMENDED Heroku resets user passwords after concluding April cyber-attack ran deep