Blocking Zero-day WordPress Attacks with F5 Essential App Protect

Overview

A recent ZDNet article reports that millions of WordPress sites are being probed and compromised due to a vulnerability with the popular "WP File Manager" plugin. Defending against the attacks of this type is one of the fundamental use cases for F5 Essential App Protect, which can block the malicious request and prevents the site from being compromised. This proof-of-concept article demonstrates what happens to a vulnerable WordPress site with and without F5 Essential App Protect.

Attack without Essential App Protect

Our test WordPress site at http://blog.haxrip.net was previously used in a blog post where we set up protection in less than 5 minutes. For this test we removed the instance that protected our site, and activated an older vulnerable version of the WP File Manager plugin:

 

We’re now ready to send a payload via a Python script that exploits connector.minimal.php on our test site. This results in executing an upload of an arbitrary file and thus exposing possibility of remote code execution as per this vulnerability report.

 

The end-result, the upload of a file: hacked.php, which you can see in this “before” and “after” view of the directory into which we’ll upload an arbitrary file via an exploited vulnerability

 

This allows us to execute remote code by running hacked.php from a browser, which is a bad thing! Besides completely opening this WordPress site to modifications, this exposes potentially sensitive information like passwords, credentials, file structure, certificates & keys, and other info on the remote system, which is likely to enable an attacker to grow their attack footprint.

So how can you avoid this?

Enter Essential App Protect

Now let’s “roll back” our attacked WordPress deployment by removing the hacked.php file from our system, and let’s try the same attack after we deploy an instance of Essential App Protect. This takes just a few minutes, with the below screenshots highlighting the main 3 steps of our deployment (a full deployment walk-through is available in the documentation):

1. Set up protection by using the FQDN of our WordPress site: blog.haxrip.net

 

2. Confirm the deployment region, use http / port 80 listener (for simplicity), and all of the default configuration options:

 

3. Use the generated CNAME value to configure the DNS entry for our blog to point traffic to our new Essential App Protect instance:

 

That’s it! We are using Route 53 for our DNS management, so the change propagates in just a few minutes. While that happens we will switch our service from “Monitoring” to “Blocking” mode, to give our vulnerable site the protection it so badly needs!

 

Now we’ll re-run the same Python script that was previously used to explore the vulnerability, which fails as the payload gets detected and blocked by our instance of F5 Essential App Protect. Inside the main dashboard Events View, we can see that our attempt has been flagged, as 4 signatures were picked up to correctly assess this request as an attack and block it. 

 

At this point, our site is protected from this and many other attacks based on thousands of signatures that are continuously updated from the F5 Threat Labs. The beauty of this platform is that it also uses predictive intelligence to detects abnormalities in the requests even if that exact attack signature hasn’t been captured yet. This means that we have a much higher chance of successfully detecting and preventing zero-day attacks on web applications.

Conclusion

F5 Essential App Protect is an effective platform to quickly protect potentially vulnerable instances of WordPress based on the particular exploit that’s making the news rounds this week. Note that in our tests an already exploited site is likely to be vulnerable to this & other attacks, so please set up protection and/or make sure your deployments and all of the plug-ins are up-to-date!

Essential App Protect takes just a few minutes to deploy and sits between a hacker and a targeted website, scrubbing the requests across a number of pre-configured attack vectors, using signatures and predictive intelligence that provide holistic protection for externally-facing web apps. Find out more and get a trial set up today!