Entering a Higher State of Vigilance – Ukraine Under Attack

It appears that Russia has just commenced the invasion of Ukraine. Check your preferred international news outlet, but according to the Ukrainian foreign minister “Putin has just launched a full-scale invasion of Ukraine.”

Wordfence is a cybersecurity organization staffed by some of the world’s leading cybersecurity professionals. Over 4 million websites are under our protection. I’m sending out this email for two reasons. Firstly, I’d like you to know that our team is entering a higher state of alert as this situation unfolds and will be closely examining the telemetry we receive from the sites under our protection. We will react quickly to emerging threats. Secondly, I’m including recommendations for you and your team, if you run a business.

Specifically, we are on the lookout for:

  • WordPress site compromises where no known vulnerability is present, which may indicate exploitation of a zero-day vulnerability. It is not uncommon to see an APT (Advanced Persistent Threat, usually a nation-state) exploit zero-days during a large-scale or strategically important operation.
  • A sudden increase in reports of compromised WordPress websites.
  • An increase in attacks being launched from compromised WordPress sites.
  • Unusual activity reports from our user community or from our attack telemetry.

As we identify new threats, we will, as always, release protection and detection capability to our customers in real-time.

We are also taking a range of internal steps to secure our company, our team, and our infrastructure. If you run a business, I’d like to advise you to enter a higher state of vigilance. I recommend the following steps:

  • Educate your team about the risks of social engineering attacks and of being phished or spear phished.
  • Ensure you have two-factor authentication enabled on every important user account that you and your team operate.
  • If you develop a WordPress plugin or other software that is distributed to customers, be aware that you are a target for a supply chain attack. So make sure that your code repositories and deployment systems are secure. An attacker may want to use you to distribute backdoors or other malicious code to your clients.
  • Keep a close eye on your logs – security logs in particular – of all the systems under your team’s control.
  • Use configuration management to manage what files should and should not be on your critical infrastructure. If you see new files appearing that you didn’t create, that’s a red flag.
  • Be aware of financial activity in your organization, and be on the lookout for financial fraud attempts.
  • Make sure that your HR systems and other systems that contain sensitive PII (personally identifiable information) are locked down.
  • Ask your team to be on the lookout for anything that “seems weird”. Adopt an approach of “If you see something, say something” and at the very least you’ll have an interesting discussion – and at worst, it’s an attack underway.
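The "new files you didn't create" check above can be made concrete with a file-integrity baseline: hash every file under a site root, store the digests, and later diff the current tree against them. The following is an added example, not Wordfence code; the miniature WordPress-style directory it builds is constructed inline so the script runs offline.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Report files that are new, modified or missing relative to the baseline."""
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"new": new, "modified": modified, "missing": missing}


def demo():
    """Constructed scenario: take a baseline, then plant a drop-in file and edit a plugin."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "wp-content", "plugins", "example")
        os.makedirs(plugin)
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_NAME', 'example');\n")
        with open(os.path.join(plugin, "example.php"), "w") as fh:
            fh.write("<?php // plugin v1\n")
        # The baseline would normally be written to disk (or off-box) after each deployment;
        # here it is round-tripped through JSON to show the stored form.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Simulated unauthorised changes: a new file in uploads and an edited plugin file.
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(uploads, "cache.php"), "w") as fh:
            fh.write("<?php // not part of any deployment\n")
        with open(os.path.join(plugin, "example.php"), "a") as fh:
            fh.write("// unexpected edit\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the snapshot from a deployment step, keep the baseline somewhere the web server cannot write, and treat any non-empty `new` or `modified` list that does not match a change you made as the red flag described above.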

If you have any questions, you’re welcome to post them here and I’ll answer them as best I can. Let’s hope this situation does not further escalate, and that it resolves quickly. Our thoughts are with all the affected families and communities.

Regards,

Mark Maunder – Wordfence Founder & CEO.

Comments

17 Comments
  • Thank you for your hard work - it's been a long day of an incredible volume of intrusion attempts from places all over the world to my client websites - locations we don't normally ever see and many-many more 'human' attempts versus bots. It's been a long day, reassuring to hear from you! :)

  • Does Wordfence recommend enabling auto-updates for Wordfence, so any updates you push can be adopted quickly?

    • We push out firewall rules in real-time to our Premium, Care and Response customers, and you do not need auto-update enabled for that. Auto-update will update Wordfence itself when we put out a new release, and we do recommend that, but it's not critical to enable that for you to benefit from our real-time firewall rules.

      Regards,

      Mark.

  • Thanks for this comment - thanks for the true words - and, yes, let's hope for a peaceful solution!

  • Good initiative Mark. Seems that cyberattacks are increasing.

  • Been seeing a large number of multiple WP backdoor attempts in the last few days, especially from actors already blocked.

  • Thanks Mark! I have to say you guys are one of very few companies that help us keep our sanity. The online world and the world in general are a crazy place, especially now. I’m grateful to have you watch out for my clients’ sites. And today more than ever… I’m a long-time user of Wordfence. I’m also an American citizen, born in Ukraine. I appreciate your work very very much!!

  • Very good. I am happy we have people that are there to protect no matter what. Thank you so very much.

  • Thank you very much Mark. Be safe. Best regards.

  • Mark, thanks for engagement with your customers and the advice.

  • Thank you for this reminder.

  • Thank you for the list of things to look out for and a reminder of the steps to be vigilant. It certainly isn't a time to run on autopilot. Your services are invaluable.

  • For customers that are geofencing or are considering it, are there customizable options for responses to countries accessing their web sites?

    • The paid version of Wordfence supports country blocking using an accurate geolocation database.

  • How secure is a website if only using the free version of Wordfence?

    • You get around 90% of the features that the paid version has. The main difference is that our free version does not receive real-time firewall rules and malware signatures. They're delayed by 30 days. So you have most of our protection, except for the newest firewalls which block attacks, and the newest malware signatures, which detect malware.

  • Thanks for all of your hard work. In this day and age, we must all be vigilant.