Recent research by Wordfence indicates that WordPress might be the next big ransomware target. Wordfence found WordPress plugins that behave as ransomware against the site hosting them: the plugin encrypts the site's data, rendering the site non-functional, and then demands payment from the owner to decrypt it.
An obvious concern is how susceptible large corporate or enterprise websites are to similar attacks. Today the target is WordPress, which is mostly the domain of private blogs and small business sites, but how long before these attacks are adapted to target larger enterprise websites?
Software developers are under increasing pressure to deliver functionality and features as a competitive differentiator, but security professionals need to ensure that sufficient governance is in place to stop corporate websites falling victim to ransomware through the careless inclusion of malicious components.
The first step in prevention is education and awareness. Security teams should make developers aware of the risks and encourage greater caution when including components, for example by performing a simple integrity check: compute a fingerprint (a cryptographic hash) of the downloaded component and compare it with the value the publisher or the project's lockfile records. Note that a matching hash only proves the bytes are the ones that were published, not that the publisher is trustworthy. Beyond awareness, good tooling exists to detect and prevent the inclusion of malicious components. Software composition analysis (SCA) lets an organisation build an inventory of every third-party component in use and thereby a composite view of the risk those components carry. With that inventory, when a big vulnerability hits the news, teams can quickly identify which of their applications are affected. SCA tooling can also be used to assess components for signs of malicious intent, although a motivated attacker can use sophisticated obfuscation to mask that intent, so such scanning supplements rather than replaces control over where components come from.
The most effective protection against malicious content is to prevent its inclusion in the first place. At the draconian extreme, developers can be blocked from public component repositories with firewall rules, which guarantees that no external components, malicious or otherwise, are included. This is hardly pragmatic: developers would then have to "re-invent the wheel" to deliver functionality.
A more realistic approach is to use a repository manager (such as JFrog Artifactory or Sonatype Nexus) as the single source from which developers pull components. It proxies the public registries, enforces a security policy, and serves only known, validated and approved components, while blocking potentially malicious ones from the wider internet. Think of it as a "firewall for software components."
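The checks described above, fingerprint verification of downloaded components, an inventory of third-party components matched against an advisory feed, and a policy that every component resolves from the approved repository manager, worked through in Python. This is an added example written for this article, not code from Wordfence, npm, Artifactory or Nexus; the lockfile, tarball bytes, package names, advisory identifier and registry URL are all constructed for it.

```python
"""Component inventory, integrity and source-policy checks (illustrative
example added for this article; lockfile, bytes, package names, advisory
record and registry URL are constructed, not real)."""
import base64
import hashlib
import hmac

# Policy: the only source developers may resolve components from
# (a hypothetical internal repository manager proxying the public registry).
APPROVED_REGISTRY = "https://repo.example.internal/npm/"

# Constructed bytes standing in for downloaded component tarballs.
SLIDER_TGZ = b"constructed tarball contents for acme-slider 1.3.0"
CAROUSEL_TGZ = b"constructed tarball contents for fancy-carousel 2.4.0"


def sri(data: bytes, algo: str = "sha512") -> str:
    """Fingerprint in Subresource Integrity form ('<algo>-<base64 digest>'),
    the format npm records in package-lock.json."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def verify_integrity(data: bytes, expected: str) -> bool:
    """Recompute the fingerprint of downloaded bytes and compare it in constant
    time with the recorded value; unknown or weak algorithms are rejected."""
    algo, sep, b64 = expected.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        return False
    try:
        recorded = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.new(algo, data).digest(), recorded)


# Constructed package-lock.json (lockfileVersion 3 layout). Integrity fields
# are derived from the bytes above so the example is self-consistent.
LOCKFILE = {
    "packages": {
        "": {"name": "corporate-site", "version": "1.0.0"},
        "node_modules/acme-slider": {  # fetched from the public registry, bypassing the proxy
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/acme-slider/-/acme-slider-1.3.0.tgz",
            "integrity": sri(SLIDER_TGZ),
        },
        "node_modules/fancy-carousel": {  # approved source, but an affected version
            "version": "2.4.0",
            "resolved": APPROVED_REGISTRY + "fancy-carousel/-/fancy-carousel-2.4.0.tgz",
            "integrity": sri(CAROUSEL_TGZ),
        },
        "node_modules/legacy-widget": {  # approved source, but no fingerprint recorded
            "version": "0.9.1",
            "resolved": APPROVED_REGISTRY + "legacy-widget/-/legacy-widget-0.9.1.tgz",
        },
    },
}

# Hypothetical advisory feed; the identifier and versions are invented.
ADVISORIES = [{"id": "ADV-EXAMPLE-0001", "name": "fancy-carousel", "fixed_in": "2.4.3"}]


def inventory(lock: dict) -> list:
    """Flatten the lockfile into one record per installed component."""
    components = []
    for path, entry in lock["packages"].items():
        if path == "":  # the root project itself
            continue
        components.append({
            "name": path.split("node_modules/")[-1],  # handles nesting and @scopes
            "version": entry["version"],
            "resolved": entry.get("resolved", ""),
            "integrity": entry.get("integrity", ""),
        })
    return components


def version_key(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))  # plain dotted-numeric versions


def check_policy(components: list, approved_registry: str, advisories: list) -> list:
    """Source, fingerprint and known-vulnerability checks; returns findings."""
    findings = []
    for c in components:
        label = f"{c['name']}@{c['version']}"
        if not c["resolved"].startswith(approved_registry):
            findings.append(f"{label}: resolved outside the approved registry ({c['resolved']})")
        if not c["integrity"]:
            findings.append(f"{label}: no integrity fingerprint recorded")
        for adv in advisories:
            if adv["name"] == c["name"] and version_key(c["version"]) < version_key(adv["fixed_in"]):
                findings.append(f"{label}: affected by {adv['id']} (fixed in {adv['fixed_in']})")
    return findings


def verify_downloads(components: list, blobs: dict) -> dict:
    # Check each downloaded tarball against the fingerprint in the lockfile.
    return {c["name"]: verify_integrity(blobs[c["name"]], c["integrity"])
            for c in components if c["name"] in blobs}


if __name__ == "__main__":
    comps = inventory(LOCKFILE)
    for finding in check_policy(comps, APPROVED_REGISTRY, ADVISORIES):
        print("POLICY:", finding)
    # The carousel download has been tampered with (one appended byte).
    for name, ok in verify_downloads(comps, {"acme-slider": SLIDER_TGZ, "fancy-carousel": CAROUSEL_TGZ + b"\x00"}).items():
        print("INTEGRITY:", name, "ok" if ok else "MISMATCH")
```

A real package-lock.json carries `resolved` and `integrity` fields in exactly this shape, so the same functions can be pointed at one by loading it with `json.load`. The three findings the constructed lockfile produces illustrate the three distinct failures a policy has to catch: a component fetched around the repository manager, a known-affected version, and a component with no fingerprint to verify against. The tampered download fails the integrity check even though its lockfile entry is otherwise clean, which is why the hash check and the source policy are complementary rather than interchangeable.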
Get more details on the risks of software components and how to use them securely in Components: Increasing Speed and Risk.