TARDIS: Rolling Back The Clock On CMS-Targeting Cyber Attacks

Over 55% of the world's websites run on Content Management Systems (CMS). Unfortunately, this huge user population has made CMS-based websites a high-profile target for attackers. Worse still, the vast majority of the website hosting industry has shifted to a "backup and restore" model of security, which relies on error-prone AV scanners to prompt users to roll back to a pre-infection nightly snapshot. This research had the opportunity to study these nightly backups for over 300,000 unique production websites. In doing so, we measured the attack landscape of CMS-based websites and assessed the effectiveness of the backup-and-restore protection scheme. To our surprise, we found that the evolution of tens of thousands of attacks exhibited clear long-lived, multi-stage attack patterns. We now propose TARDIS, an automated provenance inference technique that enables the investigation and remediation of CMS-targeting attacks based only on the nightly backups already being collected by website hosting companies. With the help of our industry collaborator, we applied TARDIS to the nightly backups of those 300K websites and found 20,591 attacks which lasted from 6 to 1,694 days, some of which had still not been detected.
