On December 9th, 2021 the web was turned on its head with the disclosure of a high severity vulnerability coined #log4shell. At the time we wrote an article on how this new vulnerability shines a light on the effectiveness of Web Application Firewalls (WAF) as a defensive control, but we didn’t dive deep into the […]
Category: Security Research
Navigating 81 Layers of Encoding to Reveal the C&C
This past week we have been sharing a series of articles that highlight the steps a hacker has taken to commandeer one of our honeypot domains. We have shared the steps taken to gain control, the payloads deployed, and the configurations leveraged to take over the site's SEO. As interesting as all that has been, today […]
PHP Backdoor on a compromised WordPress to DDoS Attacks
Last week we shared our research on how we investigated and restored a hacked WordPress site running on a Linode VPS. In that article we showed the steps we took on the compromised server to identify and remediate the issue, from looking at the server activity, to checking the logs and comparing the integrity of WordPress to […]
How WordPress Gets Hacked in 2022 – Initial Reconnaissance
WordPress is the most popular open-source CMS in the world, and as such it carries a massive target on its back. For bad actors it makes all the sense in the world to spend time and resources understanding the platform, especially its weaknesses and features. This article will build on this, and some research we’re doing […]
Analyzing 17,000 Spam Links on a Hacked WordPress Site
We have been analyzing how bad actors attack WordPress, and what they do after they take control of a website. In our most recent article we watched as they modified a functions file for the active theme and injected it with 17,000 SEO links. This article dives into those 17,000 links to see what they are and […]
What Hackers Do with WordPress in 2022 – Post Hack Analysis
In our last article, How WordPress Gets Hacked in 2022 – Initial Reconnaissance, we analyzed the behaviors (TTPs) of bad actors trying to hack a vanilla WordPress deployment. Confirming our suspicions, attacks targeting access controls continue to be the #1 preferred vector for bad actors. Analysis showed that attackers were especially interested in abusing WP-JSON and XMLRPC. […]
How the JSON API and XMLRPC are used for Brute Force Attacks Against WordPress
WordPress is the most popular Content Management System (CMS), and because of its popularity it is also the most attacked. One of the most common attacks is brute forcing: repeatedly guessing the password of a user account on the site (ideally, from the attacker's point of view, the administrator's). Every […]
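As an added example (not code from the articles above), the following Python pass over web-server access-log lines flags the two behaviours the post-hack analysis and the brute-force article describe: high-rate POSTs to xmlrpc.php, and password guessing against wp-login.php, optionally preceded by user enumeration through the /wp-json/wp/v2/users endpoint. The sample log lines, the per-IP thresholds and the finding labels are assumptions chosen for illustration; the one WordPress-specific heuristic it relies on is that a failed login re-renders wp-login.php with a 200 while a successful one redirects with a 302.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined log format (not real traffic).
# 203.0.113.10 hammers xmlrpc.php; 198.51.100.7 enumerates users over the REST
# API, fails two logins, then gets a 302; 192.0.2.44 is an ordinary login.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Mar/2022:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Mar/2022:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Mar/2022:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Mar/2022:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Mar/2022:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2022:10:00:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "python-requests/2.27"
198.51.100.7 - - [02/Mar/2022:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.27"
198.51.100.7 - - [02/Mar/2022:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.27"
198.51.100.7 - - [02/Mar/2022:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.27"
192.0.2.44 - - [02/Mar/2022:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Mar/2022:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    req["path"] = req["path"].split("?", 1)[0]  # drop query string
    return req


def classify(req):
    """Map one request onto the WordPress attack surfaces we care about."""
    path, method, status = req["path"], req["method"], req["status"]
    if path == "/xmlrpc.php" and method == "POST":
        return "xmlrpc_post"
    if path.startswith("/wp-json/wp/v2/users"):
        return "user_enum"  # REST API user listing, used to collect login names
    if path == "/wp-login.php" and method == "POST":
        # Heuristic: failed login re-renders the form (200), success redirects (302).
        return "login_ok" if status == 302 else "login_fail"
    return None


def analyze(log_text, xmlrpc_threshold=5, login_fail_threshold=2):
    """Count interesting requests per client IP and return a list of findings.

    Thresholds are illustrative assumptions; tune them to the site's real traffic.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        kind = classify(req)
        if kind:
            per_ip[req["ip"]][kind] += 1

    findings = []
    for ip, counts in per_ip.items():
        reasons = []
        if counts["xmlrpc_post"] >= xmlrpc_threshold:
            reasons.append("xmlrpc_flood")
        if counts["login_fail"] >= login_fail_threshold:
            reasons.append("login_bruteforce")
        if counts["user_enum"] and (counts["login_fail"] or counts["xmlrpc_post"]):
            reasons.append("enum_then_guess")
        if counts["login_fail"] and counts["login_ok"]:
            reasons.append("possible_success_after_failures")
        if reasons:
            findings.append({"ip": ip, "reasons": reasons, "counts": dict(counts)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["ip"], ", ".join(finding["reasons"]), finding["counts"])
```

The "possible_success_after_failures" label is the one worth paging on: a client that fails several logins and then receives a 302 from wp-login.php has very likely guessed a password, and that account's sessions and recent changes should be reviewed rather than just blocking the IP.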