On the 24th of May, 2022, Cisco was made aware by its security teams that there had been a breach. The attacker had managed to gain access, escalate their privileges, install remote access and hacking software, and take steps to maintain access to the systems. They managed to do all of this one step at a time. As we shall see, this should have been easily preventable.
While we’re all smarter when looking at things retrospectively, the truth is that what happened to Cisco can occur to anyone managing a WordPress environment.
This article will look at the hackers’ steps towards a successful breach and how every WordPress website owner and manager can prevent a repeat on their WordPress websites.
Who breached Cisco?
Not much is known about the person or persons behind the Cisco breach. Investigations have shown that an IAB (Initial Access Broker) carried out the attack. As the name implies, IABs break into systems but do not carry out attacks. Once a breach is successful, they install software to maintain that access. The access is then sold or given to someone else who will use the access to carry out the actual attack. Evidence points to ties to three malicious actors – UNC2447, Lapsus$, and Yanluowang.
How they breached Cisco
Step 1: Browser passwords
The attacker first gained access to an employee’s personal Google account. By logging in to a Chrome browser using the stolen credentials, the attacker could gain access to the employee’s passwords since they had been saved in the browser and configured to sync.
Browsers have come a long way since the old days of Netscape and Internet Explorer (both browsers have since been consigned to the annals of computer history). They are far more robust, offer a much richer feature set, and are more secure than they used to be.
Browser passwords are one such improvement – allowing users to save their usernames and passwords directly in the browser. While this is very convenient, browsers do not enforce the type of security best practices that password managers do, making them vulnerable to hacking.
Password managers require the users to use a master password that must be appropriately complex and encrypt any saved passwords – making them difficult to steal. Some password managers will even allow you to use biometrics such as your fingerprints or face – increasing security and convenience.
While browsers have begun to catch up in terms of password security, they have not yet reached the level of password managers, making them an unsuitable option.
Another potential security risk here is the use of simple passwords. Research conducted by NordPass in 2021 shows that despite the substantial awareness campaigns, ridiculously unsafe passwords are still prevalent. In fact, the researchers found the password ‘123456’ to be in use over 103 million times, followed by the equally dubious ‘123456789’, which clocked in over 46 million instances. In case you’re wondering, classics such as ‘password’, ‘qwerty’, and ‘iloveyou’ are all still present in the list.
These passwords take less than a second to crack, making them incredibly unsafe. Compounding the problem is the fact that password cracking software has got more advanced and can even account for special character replacements such as switching a with @ or e with 3.
Very few people enjoy typing long and complex passwords, leading people to take shortcuts. Research supports this assertion which is why it’s so important to help users use better passwords.
Encourage better password hygiene.
A strong password is one of the most important steps you can take to mitigate risks. A strong WordPress password policy can help you ensure that users are not using passwords such as ‘123456’, which as research shows us, are still very common.
Using Melapress Login Security, a WordPress password security plugin, you can ensure that good password practices are followed to a T. You can set your own policy, helping you achieve a policy profile that you’re comfortable and happy with.
Discouraging users from saving passwords in their browsers is another important step that can help you (and your users) mitigate risks. After all, it’s not just their WordPress password that risks being stolen – social media, banking, and all other passwords are equally at risk.
Password managers have become mainstream, with many solutions to choose from. Not only do password managers eliminate the risks associated with saving passwords in browsers, but they can also help you come up with stronger passwords, and some will even alert you if there has been a password leak.
Step 2: Social engineering
Once the attacker managed to access the employee’s account, they set about registering 2FA devices to bypass the security mechanisms offered by 2FA. With 2FA being quite robust, the attacker launched a two-pronged attack that made use of social engineering tactics to bypass 2FA.
- Prong One: 2FA fatigue – In a 2FA fatigue attack, the attacker tries to register multiple 2FA devices, effectively forcing the victim to deal with multiple 2FA requests. This type of attack is mostly prevalent in push notifications since all the victim has to do is accept – whether it’s through ignorance, fatigue, or otherwise.
- Prong Two: Vishing – Vishing is a type of social engineering attack in which the attacker calls the victim (voice phishing), claiming to be someone in a position of authority. This feigned authority is abused by putting the victim in a position where they feel they have no option but to comply with the demands of the caller. These demands can include divulging information or taking certain actions, such as clicking on specific links.
Social engineering remains one of the most used tools attackers use to bypass security measures. In some instances, attackers may find it easier to scam people than to deal with the security system. In this case, the attacker had to resort to social engineering to bypass 2FA.
Social engineering comes in many forms, requiring a comprehensive security policy to ensure attacks are not successful. As social engineering targets people, continued awareness campaigns can go a long way in minimizing and mitigating risks.
Social engineering relies on a number of principles, including intimidation, urgency, familiarity, social proof, authority, and scarcity. These principles are used maliciously to get people to comply with requests they otherwise would not have acceded to.
Add two-factor authentication
Strong passwords are only a first line of defense. 2FA is another important aspect of good online security that is able to stop the vast majority of online attacks. 2FA, requires any potential attacker to also gain access to a registered user’s phone – something that is quite difficult.
Cisco’s attackers never managed to bypass 2FA’s defenses – instead, they relied on deception tactics to trick the victim into acceding to their requests – which ultimately allowed them to bypass 2FA.
Even so, 2FA remains a formidable solution to online account security, helping stop attacks in their tracks or, at the very least, slowing them down. Fortunately, adding 2FA to your WordPress website is easy.
Invest in your users
User education is a powerful tool that is all too often ignored – until there is an incident. As the old adage goes, prevention is better than cure. Being proactive is way more beneficial than repairing the damage.
Have a policy that, among other things, asks users to report 2FA requests they were not expecting and make it clear that even if they accept any such request by mistake – it should be reported. Users are often afraid of repercussions arising from such mistakes, leading to such incidents not being reported. Understand that this can happen to anyone – leniency and understanding help both you and your users.
Take the time to go through the policy every so often and, if possible, enroll users in short cybersecurity courses designed for personnel.
Step 3: Privilege escalation
Once the attacker gained initial access, they escalated to administrator-level privileges, which allowed them to access multiple systems. This is what ultimately gave them away as it alerted the security response team – who was able to investigate and remove them from the environment.
In privilege escalation, the attacker tries to gain access to accounts with a higher set of privileges than the one initially compromised. Since lower-authority accounts are typically not as heavily safeguarded as higher-authority accounts, they are easier to break into. Once the initial access is obtained, the attacker might want to escalate privileges to access more sensitive data or do more damage.
While WordPress is, by and large, a secure application, it is not immune to attacks. Reducing the attack surface area is imperative to minimizing risk. This process of reducing the attack surface area is called hardening and can be done at several levels, including;
Which sub-systems you can harden will depend on how your WordPress is hosted. If you have a WordPress hosting plan, your hosting provider carries out most of the tasks. On the other hand, if you manage your own server, you will need to harden each subsystem yourself.
Step 4: Tool installation
Once the attackers gained enough privileges (before the incident response team terminated access), they installed various persistence tools to ensure they could maintain access. These tools would have provided future access – whether the attackers planned on re-visiting or selling the access to a third party.
Persistence tools and methods, also known as backdoors, are doubly dangerous since they allow access for future attacks. Should they go undetected, they will continue to provide the attacker with continuous access to the environment. As most of these tools are designed to avoid detection, finding them can take a bit of extra work.
Vendors like Google may also blocklist your domain or IP, negatively affecting your search engine ranking. This can be even more difficult to recover from, especially if considerable damage was done before noticing the breach.
WordPress backdoors also make use of several PHP functions, which can make them easier to detect. This does not mean that ALL backdoors use certain PHP functions but is something to keep in mind.
Finding all malware and software an attacker leaves behind can be very difficult. Most WordPress administrators tend to resort to an earlier backup from before the initial breach. Several companies also offer professional WordPress cleaning services. Certain plugins can also help you find WordPress malware.
One invaluable tool that you should be using is WordPress File Changes Monitor, a file integrity monitor for WordPress. This free plugin essentially takes a hash of your file system every time it runs and then compares it to the previous hash. The hash will change completely if there is the slightest change to any of the files. This will allow you to start your investigations to determine if a breach has occurred.
Another essential tool that can help you keep track of what’s going on under the hood is WP Activity Log. Using this plugin, you’ll keep a WordPress activity log that gives you deep insights into your WordPress website’s user and system activities, allowing you to suss out suspicious behavior early on. With features such as 3rd party plugin integrations and email or SMS alerts, you will be able to stay informed at all times.
A comprehensive security plan is the only security plan
The attack on Cisco shows that hackers are getting more innovative and sophisticated in carrying out attacks – using multiple vectors to increase their chances of a successful breach. While measures like installing a firewall remain important, they are not the silver bullet conventional wisdom portrays them to be. Instead, a more holistic approach is required to ensure that our WordPress websites are protected on all fronts.
As the Cisco breach shows us, multiple layers are critical to ensure WordPress security hardening; however, the human element remains essential. In many ways, users are stakeholders in the success of any WordPress website, and while implementing policies such as least privilege is imperative, so is user education.