Last week our team attended Black Hat and DefCon in Las Vegas, two of the biggest information security conferences on earth. DefCon alone attracts approximately 20,000 information security professionals, researchers, government employees, and fans. To say it is very busy is an understatement.

One of the interesting presentations at DefCon this year discussed a way for attackers to quickly find new WordPress installations to target. The presentation was given by Hanno Böck, who described a method attackers can use to find a WordPress website just 30 minutes after it has been installed for the first time.

About three weeks ago, we published a blog post titled “The WPSetup Attack: New Campaign Targets Fresh WordPress Installs” where we discuss how we are seeing attackers specifically target fresh WordPress installs and how to avoid being attacked. Hanno expands on this risk in his presentation.

Certificate Transparency is an open standard that allows the online community to monitor SSL certificates that have been issued to websites. This allows, for example, websites like Facebook to monitor whether someone has ordered an SSL certificate for one of their domains. It also allows security teams to monitor whether a certificate authority (a company that issues SSL certificates) has mistakenly issued a certificate it shouldn’t have.

Anyone can use certificate transparency data to see new SSL certificates that have been issued. The data includes the website domain name. Hanno’s research showed that within 30 to 60 minutes of a new SSL certificate being issued, attackers can see it in the certificate transparency report. This provides attackers with a way to discover new websites to attack.
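The monitoring use described above can be sketched from the site owner's side. This is an added example, not code from the presentation or from our plugin: it reviews certificate transparency records for domains you own, reports when each hostname first became publicly visible, and flags certificates from issuers you did not order from. The records are constructed, their field names are assumed to follow crt.sh's JSON output, and `WATCHED` and `EXPECTED_ISSUERS` are placeholders.

```python
import json
from datetime import datetime

# Constructed sample records; field names assumed to match crt.sh JSON output.
SAMPLE = r"""[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "example.com\nwww.example.com", "entry_timestamp": "2017-08-01T10:05:00"},
 {"id": 1002, "issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown CA",
  "name_value": "shop.example.com", "entry_timestamp": "2017-08-02T09:00:00"},
 {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "notexample.com", "entry_timestamp": "2017-08-02T11:00:00"}
]"""
ENTRIES = json.loads(SAMPLE)
WATCHED = {"example.com"}             # domains you own (placeholder)
EXPECTED_ISSUERS = {"Let's Encrypt"}  # CAs you actually order from (assumption)

def in_scope(name, watched):
    """True if name is a watched domain or a subdomain of one (not a look-alike)."""
    name = name[2:] if name.startswith("*.") else name
    return any(name == d or name.endswith("." + d) for d in watched)

def issuer_org(issuer_name):
    """Extract the O= component from an issuer DN (naive split on commas)."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return ""

def review(entries, watched=WATCHED, expected=EXPECTED_ISSUERS):
    """Return (first time each hostname was logged, certs from unexpected CAs)."""
    first_seen, unexpected = {}, []
    for e in entries:
        names = {n.strip().lower() for n in e["name_value"].split("\n")}
        names = {n for n in names if n and in_scope(n, watched)}
        if not names:
            continue
        logged = datetime.fromisoformat(e["entry_timestamp"])
        for n in names:
            first_seen[n] = min(first_seen.get(n, logged), logged)
        org = issuer_org(e["issuer_name"])
        if org not in expected:
            unexpected.append((e["id"], org, sorted(names)))
    return first_seen, unexpected

if __name__ == "__main__":
    seen, alerts = review(ENTRIES)
    print({n: t.isoformat() for n, t in sorted(seen.items())})
    print("unexpected issuers:", alerts)
```

The first-seen time is the point from which a hostname should be treated as publicly known, so any setup still unfinished after it is exposed.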

The sequence of events would go something like this:

  1. You order a new website hosting package from a hosting provider. Your order includes a free or paid SSL certificate for your domain.
  2. The SSL certificate is issued once your order completes.
  3. 30 minutes later, attackers see your fresh website listed in the certificate transparency report.
  4. At that time – 30 minutes later – you are halfway through completing your website setup and are just beginning to install WordPress.
  5. An attacker is constantly monitoring your new domain, and as soon as they see the setup script, they run it, install a back door and then reset your site to the state it was in so that you don’t notice.

We described how the WPSetup attack works in our post three weeks ago. This new technique gives attackers a way to reliably find and attack fresh websites as they are being set up.

Last week we also discussed the