Podcast May 13, 2022

Root Causes 223: CT Log-Enabled Attacks on WordPress Sites

Attackers are using CT logs to identify brand new WordPress sites and install malware before upcoming security measures are in place. This attack is novel in how it exploits Certificate Transparency information to identify likely targets. In this episode we explain what is happening and why it's noteworthy.

  • Original Broadcast Date: May 13, 2022

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    This is new to me. I’d say an exploit that has a new angle that I’ve never heard of before, and the gist of it is WordPress sites with newly issued certificates are being exploited before the certificates are installed. What seems to happen is that this information is being gotten in a very timely fashion from Certificate Transparency Logs, CT logs, and then from there, the bad guys are using the time gap between when the certificate is issued and when it’s installed to go into the non-SSL site, which I suppose it matters for some reason, and get their, I think it’s their malware on there. Am I getting that right, Jay?

  • Jason Soroko

    Absolutely, Tim. So, it’s a very ripe area for the bad guys to understand, there’s a new site, and we know that there are timing issues between when things are secured or when things have their certificate. We certainly know that when a CT log item pops up that means that the certificate has just been issued, and so, we probably have a tiny bit of time between that moment and the moment that the certificate is actually implemented and installed on the web server.

    So, let’s think about that for a moment. The bad guys have this – are taking advantage of this unintended consequence of CT logs which is basically, they’re getting information publicly, just like everybody else does, about brand new certificates. It may not absolutely mean that it’s a brand new site. It may not mean that, but they’re taking the 80/20 Rule, probably saying it probably is. I would say here the fact that WordPress comes up so much in this topic is probably because there might be a bad practice people are doing, and this was mentioned in an article that we were looking at, and it makes a lot of sense. The fact is that you really don’t want to be exposing a WordPress site that’s been just set up and not locked down and secured and then expose that to the public internet. So in other words, for those of you who know how to build a simple website, the analogy here is think of the equivalent of your index.html file, which directs you to – here is the website I want you to look at whenever somebody does browse to you. You probably want to direct that somewhere else, direct it to a “we’re getting ready” page or something rather than the site itself, because of the fact that a WordPress site in its infancy probably isn’t – I guess the right way of saying it is, it is probably vulnerable until it has been made not vulnerable by some work. And so the certificate is part of that.

  • Tim Callan

    One of the questions I had was, is it that the absence of the certificate itself exposes this vulnerability, or is it that the absence of the certificate suggests that this is, as you say, an infant site that is not yet – doesn’t have all of the other safeguards in place either, and so the two are correlative: a new certificate is correlative to a site that I can penetrate. I’m suspecting it’s the second, but…

  • Jason Soroko

    That is correct.

  • Tim Callan

    Because other than that, it’s a little funny, like, why does the presence of an SSL certificate matter to whether or not you can install your malware? There are a couple of interesting things here. One is, one possibility for why so much discussion is around WordPress is just because it’s so insanely popular. We had a conversation not too long ago in an earlier podcast about how when a SaaS application gets big enough, it itself becomes a legitimate environment to hatch customized attacks. And if that’s the case, WordPress absolutely makes the list. So, that could have to do with it as well, I would think.

  • Jason Soroko

    I don’t want to declare it as like a monoculture on the internet. There are a lot of websites now on other legitimate platforms out there. There are a lot of things being hosted out on the public cloud, but WordPress, geez, last time I checked the numbers, I think they had surpassed 50% of all websites and were heading quickly toward 60%. I don’t know where the number is, but it is more than half of the internet at any given time.

  • Tim Callan

    WordPress will tend to skew toward smaller businesses in a very big way, and therefore, you might say, well, less value in those targets overall, but in this case these guys are using it to create a botnet for DDoS attacks. So, lots of small sites are great for that. They work really well.

  • Jason Soroko

    And in fact, that’s really part of the attack going on, the taking advantage of a vulnerability of a WordPress site in its infancy to be able to insert a file that actually engages you into a botnet, and that’s part of what’s been going on. But there are other nefarious things that the bad guys have been doing as well.

  • Tim Callan

    Sure. So, the other angle that I found so interesting about this, of course, and you already hinted at this, is the CT angle in all of this. Like, Certificate Transparency was created for the express purpose of doing specific things that are valuable and worthwhile, and it does those things. And yet, somebody has come up with this other way to use Certificate Transparency that is very much to the detriment of the security of the internet. You mentioned unintended consequences. I think this is a perfect illustration of that sort of thing in action.

  • Jason Soroko

    Tim, it is. I think my position on this – and I’m not claiming to have thought this through 100% – but my initial reaction to this is CT logs are an absolutely good idea. The fact that it does tip you off to – there’s a website that has requested a certificate – that information being made public in real time or near real time is, it’s an advantage to a bad guy only when you haven’t, the person who owns the website has not done some best practices. So, in other words, it’s not something that’s inherently – that information is not inherently bad – there’s a new website presumably because there’s a certificate being issued. That public information is not inherently bad if the creator of the website has done some due diligence in terms of setting up the website securely ahead of time, before the event. Even if a certificate’s been issued, it doesn’t necessarily mean that the bad guy has automatically got free rein to be able to do bad things. It’s just – because of the fact that best practices are not taken into account by sometimes a lot of new website owners, or sometimes even just official corporate rollouts of brand new sites might not be taking into account best practices for security, the bad guys know that best practices are not – maybe – I don’t want to say the majority of the time – best practices are not used, but on the other hand, the bad guys know that it’s quite common. But it’s not something inherently bad about the CT logs.

  • Tim Callan

    Sure, but there’s probably, like in this case, it’s probably automated. Surely this is automated. It picks it up from the CT log, an automated attack goes out because it has to be very timely, and it’s got to work. Whatever happens to happen with that certificate, and at that point, it’s just a percentage game. You say, ok, well, as long as there is a non-trivial percentage of these sites, these target sites, that are going to be victimized, that my attack will get through on, then it’s worth my while to run this automated attack and get through when I get through, especially if part of what you’re doing is you’re then using them to continue the automated attack. And so, in that regard, that’s another reason maybe why WordPress makes good sense. It is open-source, it is inexpensive, it’s used by small business – these are all of the things that are going to correlate with holes in security or security that hasn’t been implemented in as timely a fashion. Again, if you’re doing this kind of thing, you’re playing the odds and you don’t need everyone to work, you just need enough of them to work, so correlative signals are very good, and a new SSL certificate is definitely a signal.

  • Jason Soroko

    Well said, Tim. I think that – I don’t want to be a shill here, but on the other hand, I think I do have to mention it. Because of organizations that might not have the resources they need or the know-how they need to do those best practices that we talked about, I do think that it might be a good idea to get yourself some help from the outside, which is to use a malware scanning tool. Sectigo has SiteLock, and SiteLock does this for WordPress very, very well. In fact, it does it for a lot of other platforms as well, and so, to me, if you’re an SMB, if you’re a small team, if you’re just a website owner and you want to at least know – I’m being affected by this or I’m not being affected by this – reach out and get some help. I think that’s what you have to do in this environment, where not everybody can afford a full IT team to be locking down a website, a WordPress website, properly.

  • Tim Callan

    That’s really what that service is for. That’s a designated service that’s designed to deal with exactly this kind of situation and, as you said, it is very effective with WordPress.

    The other thing I find interesting about this attack is not just the unintended consequences of it, but the innovation. Like, don’t think the bad guys are stupid. These are bad guys that came up with a unique angle for a way to use CT logs in order to enable an exploit that the industry didn’t foresee. All the smart guys at the browsers and the CAs and everybody else who has to do with CT logs, and journalists and industry watchers; that community didn’t foresee this. But somebody who was seeking an exploit did, and that’s also part of the, that’s part of the ground conditions that we’re dealing with.

  • Jason Soroko

    We had even talked about some other unintended consequences of CT log information being made public. Things such as if you had publicly trusted certificates being used for internal purposes, intranets, and you didn’t want the public to know what your intranet server names were and things like this, domain names were; obviously then, you have to do things differently, because if you are using a publicly issued certificate that information is going to be made public, at least to some point that the certificate is being issued to. And so, I still think on every count, it’s like, well, that just means a change in behavior, and in the case of these WordPress sites, it really just means, well, you have to set up – don’t make your vulnerable WordPress site – don’t announce it to the world by issuing a certificate. That’s really all it comes down to.

  • Tim Callan

    I’m thinking of another similar thing to that. This isn’t about CT logs in particular. Well, it is. It’s not about this attack in particular, but one of the things that we see is GDPR, of course, contains – one of the provisos it contains is the right to be forgotten. Which is, you can go to somebody who is using your data and say, erase my data, and you can’t erase data from CT logs. You cannot. It’s not editable. It would break the log, and so, certainly there are cases where people who probably don’t understand the nuances of GDPR fully come and say – erase my certificate information from these CT logs – or again, we operate crt.sh. They come to us and say don’t report it in crt.sh. And we have to say, I’m sorry, that’s just not how the computer technology works. And, fortunately, the GDPR rules allow for that. But you’ve got a public who doesn’t quite understand that necessarily who is coming and demanding to be “forgotten” from what is essentially an unforgettable or an unforgetting log.

  • Jason Soroko

    That’s a really good point. These one-way hashes are permanent. I hate to say it, but even like taking full copies of them and – because once they’re in the public, you have to assume, I can’t burn that down. I can’t make that not exist anymore. It’s going to exist somewhere.

  • Tim Callan

    CT logs, certainly, I’m a big believer. I think they’ve been very healthy for the industry, but it’s interesting how somebody has found an exploit and has taken what is a very good thing and found a way, under specific circumstances, to weaponize it.

  • Jason Soroko

    So, Tim, I guess the bottom line, if you’ve listened to us for this long, it comes down to: before you get a certificate issued for your domain, which is a nice event, it’s like the capstone to a nice website – well, what you’ve got to do is make sure that that website is locked down before you announce to the world – this website exists.