One prevalent issue often encountered in website hosting environments is “cross-contamination,” which refers to the lateral movement of attackers between websites. This occurs when a site becomes infected by neighboring sites sharing the same hosting environment, primarily due to inadequate isolation on the server or suboptimal account configuration. In this post, we will examine the factors contributing to the development of insecure environments, explore the mechanisms by which malware can spread laterally among websites, and discuss preventive measures to avoid these pitfalls when hosting multiple websites.
What does the term “lateral movement” mean?
Lateral movement encompasses the strategies and tactics employed by hackers to systematically navigate through a network with the objective of attaining access to areas of escalating privilege or heightened sensitivity.
In the realm of website security, lateral movement primarily involves an unauthorized intrusion into one site on a server, strategically serving as a launchpad for infiltrating and infecting other sites co-located within the same hosting environment. Exploiting weak security controls, misconfigurations, or vulnerabilities in websites sharing the same account becomes the modus operandi for the attacker.
Fundamentally, the compromise of a single inadequately secured site acts as a portal, potentially enabling the compromise of additional (or all) sites residing on the server or hosting account.
What does the term “cross-site contamination” mean?
Cross-site contamination refers to the phenomenon where websites, co-located within the same hosting environment, can inadvertently affect each other. This commonly occurs when websites share write access privileges to one another. This situation is particularly prevalent in cPanel environments, especially when utilizing multiple “addon domains,” or in virtual private servers (VPS) with insecure configurations.
In cPanel setups, for instance, websites hosted within the same account typically share the same owner:group as the primary website situated in the main public_html directory. Additionally, the underlying PHP process on the server operates under the same user. Consequently, files from one website can have access to and modify the files of another site, and vice versa. While this setup is generally unproblematic, the introduction of malware to the environment can rapidly escalate a potentially troublesome situation into a severe one.
What prompts the lateral movement of malware between websites?
Keep in mind, the objective of malware is to infiltrate as many environments as possible. The broader the range of infected websites, the greater the pool of potential victims for attackers to exploit. This holds true whether the malware is crafted for drive-by downloads, trojan dissemination, deceptive browser update prompts, or any other malicious intent.
A common characteristic of malware is its inherent capability to autonomously propagate from one website to another when provided with the opportunity. Certain types of malware are particularly notorious for cross-contaminating. An example is the SocGholish malware, known for its “fake browser update” tactic, where it embeds itself into any accessible JavaScript file within an infected web hosting environment.
This approach not only heightens the effectiveness of attackers’ redirects but also complicates the removal of the malware from an infected website. Furthermore, it enhances the likelihood of success, meaning that users are more prone to unwittingly download the fraudulent browser updates, putting them at risk of subsequent ransomware attacks.
Analyzing the source code of the ongoing Balada Injector website malware campaign reveals that cross-site contamination is intricately woven into its operational framework. The malware systematically scans the directory structure, reaching as far as possible to identify additional websites for infection:
Cross-contamination within cPanel environments
A commonly utilized feature in the standard cPanel web hosting environment is the use of “addon domains”. These domains can be seamlessly incorporated into a cPanel setup without the need to set up an entirely new instance. It provides a convenient and swift method for website administrators overseeing multiple domains or websites to launch new projects.
Typically, a scenario unfolds where one or two primary websites receive the majority of the administrator’s attention, while several others may be somewhat neglected. These less prioritized websites, often referred to as “forgotten,” may not benefit from timely plugin or theme updates, significantly increasing their vulnerability to potential attacks.
The compromise of a single administrator user or the oversight of a vulnerable plugin update is all it takes to trigger a cascade effect, leading to the entire array of websites being affected by malware. This, in turn, can result in search engine blocklisting by platforms such as Google and flagging by antivirus vendors.
Vulnerable Virtual Private Servers (VPS)
Similarly, issues of cross-contamination and lateral movement are observed in Virtual Private Server (VPS) environments hastily assembled by website or server administrators. Frequently, administrators encounter “permission denied” errors while attempting essential tasks like updating plugins or uploading images in platforms like WordPress.
A quick workaround for this predicament involves ensuring that files and directories are owned by www-data:www-data, effectively making them the property of Apache itself. In instances where multiple websites coexist in a directory like /var/www/vhosts, all owned by Apache, they inadvertently share write access to each other.
Just like with cPanel addon domains, a single compromised password or a vulnerability in one software component is all it takes for every website to succumb to the same malware. This transforms what might initially seem like a minor inconvenience into a potential threat capable of jeopardizing a website development business.
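The shared-ownership pattern described above can be checked for directly. The following audit script is an added example, not code from the original post; it assumes one directory per site under a vhost root (default /var/www/vhosts), a web server user (default www-data), and GNU stat/find.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vhost root for the
# www-data shared-ownership pattern. Assumed layout: one directory per site
# under ROOT (default /var/www/vhosts), web server running as WEB_USER
# (default www-data). Requires GNU stat/find (Linux).

# Print "owner<TAB>site" for every site directory directly under $1.
site_owners() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        printf '%s\t%s\n' "$(stat -c '%U' "$d")" "$(basename "$d")"
    done
}

# Report isolation problems under ROOT. Returns 0 when every site has its own
# owner, none is owned by the web server user, and nothing is world-writable;
# returns 1 and prints one line per finding otherwise.
audit_isolation() {
    root=${1:-/var/www/vhosts}; web=${2:-www-data}; rc=0
    owners=$(site_owners "$root")

    # An owner listed for two or more sites means those sites' PHP processes
    # (running as that owner) can write into each other's files.
    for u in $(printf '%s\n' "$owners" | cut -f1 | sort | uniq -d); do
        sites=$(printf '%s\n' "$owners" | awk -F'\t' -v u="$u" '$1==u{print $2}' | tr '\n' ' ')
        echo "SHARED OWNER $u: $sites"; rc=1
    done

    # A site owned by the web server user is writable by every PHP script the
    # server runs, whichever vhost that script belongs to.
    for s in $(printf '%s\n' "$owners" | awk -F'\t' -v w="$web" '$1==w{print $2}'); do
        echo "OWNED BY WEB SERVER ($web): $s"; rc=1
    done

    # World-writable files or directories undo per-user ownership entirely.
    ww=$(find "$root" -perm -o=w \( -type f -o -type d \) 2>/dev/null)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD WRITABLE: /'; rc=1
    fi

    return $rc
}

# Usage: audit_isolation /var/www/vhosts www-data
```

Run it as root so that every site directory is readable; a non-zero exit status means at least one finding was printed.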
How to safeguard your website against lateral movement and cross-contamination
Fortunately, addressing problems related to lateral movement and cross-site contamination is possible through the implementation of appropriate steps and precautions. While it might be less convenient than consolidating all websites into a single container, the long-term benefits become evident, potentially saving a substantial amount of hassle in the event of a compromise.
Preventing cross-contamination in cPanel
To avoid cross-contamination in cPanel environments, it is recommended to establish a distinct cPanel instance for each website. This can be achieved through various methods, depending on your hosting provider:
- Multiple Hosting Plans:
- Web Host Manager (WHM) Environment:
Utilize the Web Host Manager (WHM) environment, which is often available through hosting providers that resell WHM/cPanel services. You can likely arrange this with your hosting provider.
WHM is a website management interface developed by the same company that creates cPanel, and they are designed to seamlessly work together. Once your WHM instance is set up, you can follow the steps outlined in the official documentation to create new accounts and configure cPanel homes for each website.
Important note: Given that the primary objective of isolating your website environments into individual cPanels is to enhance security, it is crucial to activate symlink protection. This feature is typically found in the global Apache settings. Although enabling symlink protection may result in a slight performance decrease in your website’s speed, it is a necessary precaution. Without this protection, there exists a potential, under specific conditions, for attackers to move laterally between websites. Additionally, it is advisable to leverage PHP’s open_basedir to restrict unauthorized access, further fortifying your website’s security measures.
Ensuring the avoidance of cross-contamination in a VPS
Individuals with a penchant for tech and a desire for more hands-on control often choose to configure their own virtualized server environments. This inclination is shared by those seeking to bypass potentially expensive licensing fees associated with proprietary software such as WHM/cPanel. Unfortunately, it’s not uncommon for these custom configurations to inadvertently permit cross-contamination, as previously explained.
While there are various methods to achieve this isolation, one approach to configuring your server and preventing cross-contamination involves using PHP-FPM to establish distinct “containers,” one pool per website.
In summary:
- Each website should reside in its own designated home directory.
- The files and directories of each website should be owned by their respective users.
- The underlying PHP process running on the server should operate under the user of the corresponding website.
By adhering to these principles, you can host multiple websites on the same virtualized server while discouraging cross-contamination. This is achieved by preventing the files of one user from having write access to others. Consequently, if a compromise occurs on one website, the likelihood of it spreading to others on the same server is significantly reduced.
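The three principles above map directly onto a PHP-FPM pool and an Apache vhost per site. The generator below is an added example, not code from the original post; it assumes a site user NAME with home /home/NAME and docroot /home/NAME/public_html, a socket at /run/php/NAME.sock, Apache running as www-data with mod_proxy_fcgi loaded, and that those paths are assumptions rather than anything the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post: render the per-site PHP-FPM pool
# and Apache vhost that give each website its own user. Assumed layout:
# user NAME, home /home/NAME, docroot /home/NAME/public_html, socket
# /run/php/NAME.sock; Apache runs as www-data with mod_proxy_fcgi.

# Print the PHP-FPM pool for site user $1 (save as pool.d/$1.conf).
render_fpm_pool() {
    name=$1; home=/home/$1
    cat <<EOF
[$name]
; PHP for this site runs as the site's own user, not as the web server user.
user = $name
group = $name
listen = /run/php/$name.sock
; Only Apache (www-data) may connect to this socket.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
; Even a compromised script cannot read or write outside this site's home.
php_admin_value[open_basedir] = $home:/tmp
; Keep uploads and sessions inside the allowed tree so they keep working.
php_admin_value[upload_tmp_dir] = $home/tmp
php_admin_value[session.save_path] = $home/tmp
EOF
}

# Print the Apache vhost for site user $1 serving domain $2 (defaults to $1).
render_apache_vhost() {
    name=$1; domain=${2:-$1}; docroot=/home/$1/public_html
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $docroot
    <Directory $docroot>
        # Follow a symlink only when link and target share an owner, so a
        # link planted in one site cannot expose another site's files.
        Options -FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/$name.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>
EOF
}
```

Create the user and /home/NAME/{public_html,tmp} owned by NAME:NAME before enabling the pool, then repeat per site; no pool's user owns another pool's files.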