So you receive an email from a known website you trust and have visited frequently over the years…
You click the link and all of a sudden you’re on a strange advertising page saying you’re in with a chance to win a prize.
Or you’re on a mobile and receive a popup which is trying to use the “Allow” notifications button to prove you’re a human.
While these links in themselves do no harm, it’s the next step which could lead to malware of some kind infecting your device, which in turn can lead to a more serious data breach as we’ve seen with the recent Leicester City Council and MOD Payroll hacks.
We noticed this happening on a small WordPress site and immediately notified the owners, offering our assistance free of charge. We were given the CPanel login details and immediately changed all usernames, passwords and email addresses of all user accounts. A maintenance page was displayed while the site was cleaned to prevent further malicious redirects. 2FA was enforced for all Administrator accounts and brute force protection and strong passwords enabled in Wordfence to prevent future hacks.
Root Cause
The Wordfence scans revealed no malware either in the codebase or database. Checking the CPanel config showed no malicious configuration at the DNS level. One thing we did find was a recent unencrypted backup file existing in a publicly accessible folder. We assumed this file was discovered by a bad actor who then found the unused “Admin 1” account credentials which gave them access to the WordPress dashboard. The backup file was immediately deleted.
After manually reviewing the codebase, a suspicious plugin was identified which had no listing on the WordPress.org plugin directory. The link to it’s GitHub page gave a 404 error. This plugin was using the Keitaro service to hide the malicious redirects from the Wordfence scanner. The plugin contained legitimate PHP advertising code calling the Keitaro service so looked innocent to the scanner.
Whois Keitaro?
As described in a recent article by TechTarget.com, Keitaro is a software company that has been causing security headaches due to its traffic distribution system (TDS) being abused by cybercriminals. Keitaro’s TDS is a self-hosted tool that can be used to manage and track advertising campaigns, but it has been linked to malicious activity such as redirecting users to exploit kits.
Security researchers and vendors have reported the abuse, but Keitaro has not taken any corrective actions. The article also mentions Keitaro’s partnership with Adsterra, a digital advertising platform that has also been criticised for its connections to malicious activity. Overall, the article highlights the ongoing problem of TDS abuse and the lack of action taken by Keitaro to address the issue.
While there are no direct links between Keitaro and organised crime, the company’s service has been abused by cybercriminals, who are often part of organised crime groups. These groups use Keitaro’s service to redirect users to exploit kits, which are then used to distribute malware and conduct other malicious activities.
Organised crime groups are increasingly turning to cybercrime as a source of revenue, and TDS abuse is just one of the many tactics they use. By employing legitimate tools such as Keitaro’s TDS, these groups are able to conceal their activities and avoid detection by malware scanners and law enforcement.
It’s important to note that while Keitaro’s TDS has been linked to malicious activity, the company itself is not known to be involved in organised crime. However, the lack of action taken by Keitaro to address the abuse of its TDS has been a cause for concern among security experts.
Lessons Learned
The first lesson learned is to always make sure backups are treated with the fear and respect they deserve. These files contain everything a bad actor needs to take over control of your service. It’s important to encrypt all backups while in transit and at rest. If a backup file is mistakenly exposed to the internet, at least when encrypted the data will not easily be accessible (unless the passphrase or key isn’t strong enough). Always use 3 or 4 random words with spaces, to maximise entropy.
The second lesson is to enforce 2FA on all administrator accounts. No ifs, no buts, this is the only way to mitigate the risk of your admin accounts being compromised. The added friction is a small price to pay. Enable the “Trust this device for X days” option to reduce the impact on users.
The third lesson is not to trust automated malware scanners to detect all types of malicious code or content. The code may look legitimate at first glance and not be obfuscated in the way that backdoors usually are. In this case, only a manual audit or all plugins revealed the culprit.
Further WordPress Hardening
As part of our operating procedures, we perform comprehensive hardening of digital services, both at the host / web server level, and also the database and application layers. This includes the tightening of file permissions so no code files or plugins/module folders are writable by the application layer. In this case, without the ability to install a plugin via the admin dashboard, the bad actor would not have been able to modify the codebase and implement the hack, even with the administrator credentials to hand.
Hardening WordPress is a dark art and specific to each stack. Our standard operating procedure for hardening WordPress is constantly evolving and runs to many pages; It’s a vital asset in our toolset and of huge benefit to our customers.
We encrypt all data in transit and at rest. Backup files are moved to “write only” storage immediatly, so even if the host is compromised, the bad actor is unable to read or delete files in the backup repository.
And as part of following our “defence in depth” principle, we also install monitoring systems to detect unintended data disclosure such as backup or config files containing sensitive information being made publicly available.
If your service has been hacked, and you can find them, maybe you can email the enCircle team: [email protected].