15 Feb, 2021

Not Even Google Servers are Safe From Security Vulnerability Exploit Attacks

Quttera recently implemented two major enhancements to their malware scanner report that allow you to react more flexibly to threats and to more securely protect your website.
When it comes to operating online, website owners and operators tend to trust the digital platforms with the strongest brand names. This means opting for solutions offered by "gold standard" companies like WordPress or Google. But maintaining protection against each security vulnerability exploit requires hyper-vigilance, no matter which company you're opting to use for your digital solutions.

While some platforms, like Google, may seem exceedingly safe — and in most cases, they are — you'll want to perform your due diligence to mitigate your risks online. You'll also want to understand that not even Google servers are 100% secure or foolproof from hacking attacks. It can come from anyone or anywhere.

Let's take a closer look at one example of a security vulnerability exploit that came from Google, which we identified to better understand the threat, as well as what you can do to protect yourself from it.
Why Quttera Conducts Periodic Investigations Online
At Quttera, we practice what we preach. We believe in maintaining comprehensive situational awareness of as many cyber threats as possible. To do this, we conduct periodic investigations of any attempted attacks blocked by our web application firewall.

What is a web application firewall (or WAF)? It's essentially a set of rules that helps protect your application's servers. It's usually put in place to block a specific application. A WAF can be a server plugin or filter that you can tailor to fit your system's specific needs. As the application changes, you'll want to update it to stay in line with the latest threats.

Our investigations are frequent and thorough. On one recent investigation of activity our firewall blocked, we found activity with a familiar name attached to it that caused us to take notice.
What Quttera's Investigation Found
Blocked attacks aren't necessarily uncommon. For the most part, they are simply evidence that all security systems are functioning correctly and doing their job. The inherent value in observing the root of these blocked attacks, however, is to get a better handle on where the malicious activity is coming from.

During one of our recent periodic investigations, we observed a malicious HTTP POST request. What made this particular attack stand out was the source. Our web application firewall logs noted the attack was sent from the following IP address: 130.211.0.243. To the casual observer, those numbers may not be significant. But upon further investigation, we determined that the IP address in question belonged to Google LLC. The IP address had introduced a security vulnerability exploit.
What is a Security Vulnerability Exploit?
A security vulnerability exploit is a piece of code that examines a system, drills down to find its weak link, and uses that weak link to compromise the system or device. It can be used for either good (ethical hackers attempting to test a system's vulnerabilities for potential improvements) or bad (hackers simply looking to access data or other elements of a system).

Security vulnerability exploits provide an enhanced level of privileges to the hacker, giving them unfettered access to a system they typically wouldn't be able to control. In some cases, the attack is used to implement a file that enables multiple malicious codes to take hold. This can lead to the theft of important information or data — passwords, financial records, or other private information a website owner would not want falling into the wrong hands.
What was this Particular Request Doing?
Understanding that there's an attack is only the first step. The next step is to take an analytical approach to determine what the request itself was doing. This particular attack was trying to exploit an older vulnerability found within a WordPress plugin known as "Duplicator." It attempted to inject the PHP code listed below:

file_put_contents("wp-data.php", base64_decode('base64-encoded-string");

The malicious request intercepted by Quttera WAF:
This string of code is what is known as a malware dropper. Typically, a malware dropper does not itself take any malicious action. Its purpose is to introduce and install other malicious tools onto a device without the owner being aware. The malware dropper comes ready-made with all the tools needed to conduct an attack from the malicious actor's server. It then launches the code and saves it on the device.

Malware droppers can contain one or multiple tools. Sometimes all the tools serve the same purpose, while other times, they can come from multiple malicious sources. In this particular case, it could be a bit surprising to someone without experience managing these threats to see that the malicious code came from Google. But this only proves that no servers are safe — even the servers of one of the most trusted IT companies in the world.

The blocked malware dropper:
Security vulnerability exploits are a popular tool for hackers. The reason is simple: security vulnerability exploits are usually invisible to the website's owner until the website actually becomes infected. This gives the malicious code time to do its damage without raising suspicion. As an owner, this is a problem for you. It means that any second you lose can be an advantage to the hacker and potentially detrimental to your system.
The Best Way to Safeguard Your Servers
The bottom line is that hackers can even use Google servers to attack a website with vulnerable plugins. If your site has weaknesses, hackers will find them and exploit them. Your website is only as strong as the defensive posture you adopt.

Often, cybersecurity can come down to how fast you can react to an attempted attack. But the best defense is a good offense, and maintaining a proactive approach is the best safeguard for your servers. You'll want to partner with an IT service provider who understands the threat landscape, how to protect against those threats, and how to respond when they morph into attacks. The first step is to find website protection services that can help you rest easy, knowing that you're staying one step ahead of malicious actors and hackers attempting to exploit your systems.

Quttera's ThreatSign platform provides all the required services you'll need to protect your website from the kind of attacks observed in the Google incident referenced above. To help secure your website from the multitude of threats out there, sign up for ThreatSign today.