Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites

A vulnerability discovered by the Wordfence Threat Intelligence team in the WPBakery plugin exposes over 4 million sites. High severity vulnerabilities were discovered in the Post Grid and Team Showcase plugins.

The online avatar service Gravatar has been exposed to a user enumeration technique, which could be abused to collect data on its users’ profiles, and a card skimmer was found on Boom! Mobile’s web site, putting customer card data at risk.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Vulnerability Exposes Over 4 Million Sites Using WPBakery Plugin
1:50 High Severity Vulnerabilities in Post Grid and Team Showcase Plugins
3:52 Online avatar service Gravatar allows mass collection of user info
5:37 Boom! Hacked page on mobile phone website is stealing customers’ card data

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 90 Transcript

Scott Miller:
Hello everyone. It’s Scott from Wordfence. This is Think Like A Hacker, the weekly podcast about WordPress, security, and innovation. Let’s take a look at the news.

In our first story this week, a vulnerability in WPBakery exposes over 4 million sites. The Wordfence Threat Intelligence team here found a vulnerability in the WPBakery plugin on July 27th. This plugin is installed on over 4.3 million sites and the vulnerability allowed authenticated attackers with contributor level or greater permissions to inject malicious JavaScript in posts. We initially contacted the plugin team on July 28th and disclosed full details on the 29th. After extensive correspondence between Wordfence and the WPBakery development team, a sufficient patch was released on September 24th.

Now the WPBakery plugin had a flaw that would allow users with contributor level or author level roles the ability to inject malicious JavaScript into pages and posts. The flaw would also give the users the ability to edit other users’ posts. The plugin disabled any default post HTML filtering checks, which allowed any user with access to the WPBakery Builder to inject HTML and JavaScript anywhere in a post using the page builder. It is recommended to update to the latest version, 6.4.1, as soon as possible. You’ll also want to take a look for any untrusted contributor or author user accounts on your WordPress site.

Wordfence Premium users were protected from the vulnerability when they received a new firewall rule for protection on July 28th, and Wordfence free users received the same protection on August 28th.

In our next story this week, we take a look at high severity vulnerabilities in the Post Grid and Team Showcase plugins. On September 14th, our threat intel team here at Wordfence discovered two high severity vulnerabilities in the Post Grid plugin, which has over 60,000 installations. While looking further into one of these issues we found in Post Grid, we discovered similar vulnerabilities were also present in the Team Showcase plugin, which is a separate plugin by the same author, and it has over 6,000 installations.

After triggering vulnerable functions in the plugins, a logged in attacker with subscriber level access or above could then send a source parameter referencing a malicious payload, and the vulnerable function would open the file containing that payload and eventually create a new page layout based on its contents. That page would then include a custom script section, which would allow an attacker to add malicious JavaScript to the custom CSS portion of that area. This would then be executed whenever an administrative user edited that layout or a visitor accessed any page based on that layout.

So this vulnerability could have been used to add a back door to the plugin or the theme files, or potentially to steal administrator session information. We reached out to PickPlugins, the developer of these plugins on September 16th, and patches for both plugins were made available not long after on the 17th. Wordfence Premium users received a firewall rule protecting them from these vulnerabilities in both plugins on September 16th. Sites that are still using the free Wordfence plugin will receive this rule after 30 days on October 16th.

If you’re using either the Post Grid or Team Showcase plugin, you should update to the latest version as soon as possible. At the current time, the latest version of the Post Grid plugin is 2.0.73, and the latest version of the Team Showcase plugin is 1.22.16.

In our next story, Gravatar, the online profile avatar service, allows easy collection of user information. So the online avatar service Gravatar has been exposed to a user enumeration technique, which could be abused to collect data on its users’ profiles. Security researcher Carlo Di Dato demonstrated that after simply appending .JSON to the Gravatar user’s profile page, an ID field was then accessible. Using that ID number specific to each Gravatar profile, user enumeration was possible with a simple script, which Di Dato demonstrated by visiting URLs from IDs 1 to 5,000, giving them access to the JSON data of the first 5,000 Gravatar users.

Some profiles contained more information than others, including location information, as well as phone numbers and Bitcoin wallet addresses. This information could of course also be used further in social engineering attacks. The simple enumeration technique would allow a crawler or bot to grab information at will from Gravatar profiles, with no strict rate limiting seemingly in place. As we know, Gravatar is a popular service used with WordPress. And though users with public profiles do consent to making some data publicly available, users are likely unaware that their data could be retrieved as easily as it could be with this user enumeration method. You might consider checking what information is available on your Gravatar profile and also consider what needs to be there. You can also hide your public profile via the service’s settings.

In our last story for this week, customers’ card data is at risk due to a card skimmer on Boom! Mobile’s website. So if you’ve recently been searching for a new mobile device and visited Boom! Mobile’s website, you may have been at risk of having your card data stolen. Malwarebytes, the popular security firm, has said that Boom!’s website contains a malicious script which steals payment card data. The script was active and pulled data from the payment fields any time that it detected changes in those fields.

One thing to note is the site, which is boom.us, is running PHP version 5.6.40, which has not been supported by the PHP developers since 2019 and also has known security issues. The information pulled by the skimmer on the site can include all information added to the forms, such as the name, address, card number, expiration date, and security code, as well as anything else in the form on the site. Boom! released a statement encouraging customers who may have made purchases on boom.us between the 30th of September and the 5th of October to take necessary precautions with their card company. Unfortunately, these things can happen on websites, and it’s always best to limit where you put your data online and try to stick with reputable websites.

That’s all for us this week. Thanks for joining me on Think Like A Hacker. Stop by on Tuesdays at 12:00 PM Eastern Time for Wordfence live on YouTube, where we talk all things security. Until next time, have a great weekend and we’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites appeared first on Wordfence.


Episode 89: Shopify Rogue Employees, Medium and Twitter Vulnerabilities, and Hackers Hiding Out in Corporate Networks

Shopify reports that two rogue employees stole data from 200 merchants on their platform. A security researcher found a vulnerability in the Medium Partner Program could have allowed an attacker to steal writers’ earnings. Symantec reports that a state-sponsored hacking group has been hiding out in company networks as a part of an information-stealing campaign. And Twitter reports that an API bug exposed app keys and tokens via a caching issue.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Shopify Says ‘Rogue’ Employees Stole Data From Merchants
1:15 Flaw in Medium Partner Program allowed attackers to steal writers’ earnings
2:18 Hackers have spent months hiding out in company networks undetected
4:17 Twitter Warns Developers of API Bug That Exposed App Keys, Tokens


Episode 89 Transcript

Scott Miller:
Welcome back, everybody. It’s Scott from Wordfence. You’re listening to Think Like a Hacker, the weekly podcast about WordPress, security, and innovation. Let’s take a look into this week’s stories.

In our first story this week, rogue employees at Shopify have reportedly accessed and exposed personal details of Shopify customers. A recent report shows that the incident occurred on September 15th when the personal details of Shopify customers were stolen and exposed. The exposed data included order details, addresses, names, and email addresses and was stolen by two employees from over 100 merchants.

The employees who were part of Shopify’s support team were said to be involved in a scheme to obtain this information, which Shopify noted affected fewer than 200 sellers. So, now Shopify is working with the FBI and other agencies after terminating the two employees’ access to their systems. Shopify also mentioned that while customer data was exposed, including order details, addresses, names, email addresses, no sensitive, personal or financial information was exposed in the incident.

In our next story this week, a flaw in the Medium Partner Program left writers’ earnings exposed. Hackers were able to potentially steal Medium writers’ engagement earnings due to a vulnerability in session cookies. This is a program for select writers to earn money monthly while writing and publishing on Medium, and it’s based on the number of readers and subscribers who access their work.

Mohammad-Ali Bandzar found that Medium would embed any user ID cookie value that you transmitted. The fact that Medium did not validate the user’s logged-in session meant that the submitted user ID was blindly accepted and thought to be correct. Bandzar mentioned that this flaw was very easy to exploit and the amount of money that attackers could have stolen while potentially being undetected had no ceiling at the time. Bandzar also received his first bug bounty for finding this issue and was rewarded $250.

Our next story takes a look at the espionage group Palmerworm and how they’ve remained undetected in information stealing campaigns. New malware is being used to infiltrate organizations in the US, Japan, Taiwan and China, where the group known as Palmerworm has infiltrated multiple organizations related to media, finance, and engineering. This group is focused on stealing company information and has recently begun targeting US-based companies as well. Palmerworm, or BlackTech, as they’re sometimes called, were able to go unrecognized on some networks for a year or more while covering their tracks and making it more difficult for companies to trace their steps. It was mentioned that the attackers have previously gained entry via spear phishing email attacks. However, it has not been confirmed how access has been gained in the latest round of attacks. So, the group has been around since 2013 and used network reconnaissance tools to gain access and steal information.

The group then utilizes stolen code signing certificates within their malware to further go undetected. They then use backdoors to maintain access to the networks. The cyber security company Symantec has identified victims of the Palmerworm attacks; however, it is not sure who the group is working for. It was mentioned that it is likely that the group is still undetected on some networks and that they still remain a threat. It is best that organizations know their usual server activity and what it looks like in order to identify changes which may be related to a breach in their security. These sorts of attacks typically involve multiple events and tools and may show activity over a long period of time, rather than a single event. Be sure that you’re regularly monitoring your server and network activity to be better able to identify anomalies which may relate to unauthorized activity.

And in our last story for this week, Twitter warns of a caching issue that could have led to developers exposing API keys and tokens. So, the bug was a caching issue affecting the site developer.twitter.com, and it could have led to exposure of credentials and other sensitive information. The developer site is a hub for users who create applications for Twitter.

Upon visiting the site, information relating to the developer’s application was temporarily stored in the browser cache. The attack is said to be difficult to carry out for a few reasons. First, an attacker would need to use a device just after the developer used the device. And second, they would have needed to have access to the developer.twitter.com site and used the sensitive information, which would have then been stored in the browser cache as mentioned. Depending on the information submitted by the developer, an attacker could have access to the developer’s API keys, the user access token, and the secret for the developer account. Twitter has since fixed the issue with the cache by changing what is able to be stored regarding sensitive information.

Though the information that could have been accessed is critical and sensitive to developers, Twitter has mentioned that there is no evidence that the developer app keys were compromised and that it is highly unlikely anyone’s credentials were compromised without their knowledge. Twitter mentioned as a part of their statement, “If you used a shared computer to visit developer.twitter.com with a logged in Twitter account, we recommend that you regenerate your app keys and tokens.”

That’s all for this week on Think Like a Hacker. I hope the news found you well. Check out wordfence.com for our blog and mailing list to stay up to date with all the latest security news. Until next time, I hope you have a great weekend, and thanks for listening. We’ll catch you soon.


The post Episode 89: Shopify Rogue Employees, Medium and Twitter Vulnerabilities, and Hackers Hiding Out in Corporate Networks appeared first on Wordfence.


Episode 88: XCloner Vulnerabilities, LokiBot Malware, & a 14 Year Old Nets a $25K Bug Bounty

Our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. These vulnerabilities could have allowed an attacker to modify arbitrary files, including PHP files.

The US government Cybersecurity and Infrastructure Security Agency is warning of detected persistent malicious activity traced back to LokiBot infections.

An upcoming API change will break Facebook and Instagram oEmbed links across the web beginning October 24. Google has launched the Web Stories for WordPress plugin with a drag-and-drop, WYSIWYG interface for making full-screen, tappable content.

Drupal patches a critical reflected XSS vulnerability. And a critical stored XSS vulnerability in Instagram’s Spark AR Studio nets a 14-year-old researcher $25,000.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Critical Vulnerabilities Patched in XCloner Backup and Restore Plugin
2:01 CISA warns of notable increase in LokiBot malware
3:05 Upcoming API Change Will Break Facebook and Instagram oEmbed Links Across the Web Beginning October 24
4:08 Drupal patches critical reflected XSS bug and other security flaws
5:25 Google launches Web Stories for WordPress plugin and ‘Web Creators’ community
6:08 Critical stored XSS vulnerability in Instagram’s Spark AR Studio nets 14-year-old researcher $25,000


Episode 88 Transcript

Scott Miller:

Hey, everyone. It’s Scott from Wordfence. You’re listening to Think Like a Hacker, the weekly podcast about WordPress, security, and innovation. Let’s jump into this week’s stories.

Our first story this week takes a look at the critical vulnerabilities patched in the XCloner Backup and Restore plugin. On August 14th, our Threat Intel team here at Wordfence found multiple vulnerabilities in the XCloner Backup and Restore plugin, which is installed on over 30,000 sites. The plugin is designed to provide WordPress users with easily customizable backups and easy restore functionality. The vulnerability that our Threat Intel team found allowed authenticated attackers with subscriber-level or above capabilities the ability to modify arbitrary files, such as PHP files. These capabilities could allow an attacker to achieve remote code execution, as well as other malicious access. The plugin also contained multiple other endpoints that were vulnerable to Cross-Site Request Forgery or CSRF.

After finding the vulnerabilities on August 14th, we reached out to the plugin’s team on the 17th and were able to disclose the details of the issue to their team the next day, on the 18th. The team behind the XCloner Backup and Restore plugin quickly released an initial fix on August 19th, which resolved the most severe issue. An additional patch was released on September 8th to resolve the remaining issues that we had discovered.

Wordfence Premium users received a firewall rule on August 17th to protect against any exploits targeting these vulnerabilities. Sites using the free version of Wordfence received the same protection on September 17th. These issues are considered critical security issues as they could lead to remote code execution on a vulnerable site’s server. We recommend updating to the fully patched version, which is 4.2.153, immediately if you haven’t already.

In our next story, CISA warns of a notable increase in LokiBot malware. The Cybersecurity and Infrastructure Security Agency, or CISA, issued an advisory warning of an increase in the use of LokiBot malware by malicious actors. LokiBot is a widespread Trojan and so-called information stealer, and since July, we’ve seen an increase in attacks. Once the malware is on your device, it uses its capabilities to check applications and exfiltrate information and credentials from applications. LokiBot also has backdoor capabilities, which can allow attackers to perform additional malicious tasks. CISA developed a Snort signature for use in detecting network activity which would be associated with LokiBot, and that can be found on the CISA.gov site. Be sure you’re maintaining up-to-date antivirus signatures and an up-to-date operating system as well to combat this.

In our third story this week, upcoming API changes will break Facebook and Instagram oEmbed links across the web. In an upcoming change on October 24th, Facebook and Instagram will be removing unauthenticated oEmbed support, causing issues for content across millions of websites. Users will then be required to generate an app ID with a dev account in order to proceed in embedding links via oEmbed. In response, WordPress will also be removing Facebook as an oEmbed provider in an upcoming release. This is also expected to cause issues with a great deal of content. In the Gutenberg plugin, Facebook and Instagram blocks were removed in a recent release. Current oEmbed links will continue to function until the Facebook API changes go live.

This is undoubtedly going to frustrate users when they run into issues and can no longer embed Facebook and Instagram links as easily as they were in the past. Additionally, these changes are going to challenge publishers going forward and how they share media links in their content.

Up next, Drupal patches a critical reflected cross-site scripting bug and some other security flaws. The popular open-source content management system Drupal has recently patched an XSS, or cross-site scripting, vulnerability as well as some less severe issues. These issues could allow an attacker the ability to leverage the way that HTML is rendered for affected forms in order to exploit the cross-site scripting vulnerability, according to a recent statement by Drupal.

This was deemed as a critical issue, and Drupal, which powers nearly 600,000 sites, patched this issue alongside four others which were classified to be moderately critical. Security patches were added into software updates issued on September 16th. All of the mentioned flaws here impact the Drupal 8 and 9 release lines. If you’re currently running Drupal 8.8.9 or 8.7.9 or an earlier version, it’s recommended to upgrade to Drupal 8.8.10. Versions 8.9.5 and older require an update to 8.9.6, and versions 9.0.5 and older are recommended to update to 9.0.6.

Moving on to some good news, Google has launched a Web Stories for WordPress plugin. The Web Stories for WordPress plugin will feature a drag and drop easy-to-use interface built for making full-screen interactable content. Included with the Web Stories for WordPress plugin are some templates, as well as a photo library and free stock video from Coverr. The plugin features advanced customization tools as well as comprehensive visual editing capabilities. The plugin is open-source, so there will be more templates and community content added going forward. The plugin looks to potentially be a great way to engage with your audience on your site.

In our last story for this week, Andres Alonso, a 14-year-old researcher, cashed in on a $25,000 bug bounty after discovering a critical cross-site scripting vulnerability in Instagram’s Spark AR Studio. Instagram’s Spark AR Studio is used to create augmented reality effects for photos and videos. Alonso said that he wasn’t hunting for vulnerabilities, but instead, he was making Instagram filters for himself. Alonso was exploring how Spark AR generates the filter links to test the filter on a smartphone when he ran into a flaw, prompting him to attempt cross-site scripting, which was unsuccessful but eventually led to a successful open redirect. Once submitted to Facebook, their security team further investigated the flaw and found that it could be escalated to cross-site scripting. Facebook then notified Alonso that he would be awarded the $25,000 for the bounty and also confirmed that the vulnerability was not exploited in the wild.

That’s all for this week on Think Like a Hacker. I hope the news found you well. Check out the Wordfence mailing list on wordfence.com to stay up to date with the latest security news. In the meantime, have a great weekend. Thanks for listening. We’ll catch you soon.


The post Episode 88: XCloner Vulnerabilities, LokiBot Malware, & a 14 Year Old Nets a $25K Bug Bounty appeared first on Wordfence.


Episode 87: Vulnerabilities Affect Discount Rules for WooCommerce Plugin, ModSecurity & Windows

Vulnerabilities were recently patched in the Discount Rules for WooCommerce plugin installed on over 40,000 WordPress sites. Developers from OWASP Core Rule Set said ModSecurity v3 is exposed to denial of service exploits, though the maintainers of ModSecurity reject that claim.

A severe vulnerability called Zerologon in Windows Netlogon was patched in August; this bug could be exploited to attack enterprise servers. And a security researcher also discovered that the Windows TCPIP Finger command can also function as a file downloader and a makeshift command and control server.

Last weekend, nearly 2,000 Magento stores were compromised in the largest hacking campaign since 2015.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:13 High-Severity vulnerabilities patched in Discount Rules for WooCommerce
2:26 ModSecurity maintainers contest denial-of-service vulnerability claims
4:43 Netlogon cryptographic weakness has critical impact on enterprise servers
6:30 Windows 10 ‘Finger’ command can be abused to download or steal files
7:29 Magento online stores hacked in largest campaign to date


Episode 87 Transcript

Scott Miller:

Hey everyone. It’s Scott from Wordfence. You’re listening to Think Like a Hacker, the weekly podcast about WordPress, security, and innovation. Let’s jump into this week’s stories.

Our first story of the week takes a look at several vulnerabilities found in the Discount Rules for WooCommerce plugin. On August 20th, our Threat Intel team here at Wordfence was made aware of multiple vulnerabilities that had recently been patched in the Discount Rules for WooCommerce plugin, which is installed on over 40,000 sites. We initially released a firewall rule to protect against these vulnerabilities on that same day. During our investigation, we also discovered multiple other unpatched vulnerabilities and released a firewall rule to protect against these issues the next day, on August 21st. We then reached out to the Flycart team on the same day and received a reply almost immediately. They were aware of one of the additional issues that we had found and released an interim patch the next day, on the 22nd, followed by a more comprehensive patch on September 2nd. They then addressed the last of the issues on September 9th.

The Discount Rules for WooCommerce plugin works alongside the WooCommerce e-commerce plugin to create custom rules for discounts such as a two-for-one special discount. So, their initial patch added a check to prevent switching between the V1 and V2 code bases which, at the time, were both accessible. At this point, sites using the V1 code were still vulnerable. Once the plugin was set to use the V1 code base, a number of AJAX actions became available providing similar functionality to the patched actions in V2.

Ultimately, the end result is that attackers were able to send a POST request and inject malicious JavaScript into one of the fields of a discount rule, which would be done simply by adding it to the data parameter. Following that, the next time an administrator viewed or edited discount rules, the malicious JavaScript would then be executed in their browser and could ultimately lead to a site takeover by adding a backdoor plugin or theme file, or potentially adding a malicious administrator, among other malicious actions.

Sites still running the free version of Wordfence will receive these rules after 30 days, on September 19th and September 20th. If you’re using the Discount Rules for WooCommerce plugin, be sure you’re updated to the latest version.

In our second story of the week, ModSecurity maintainers contest denial of service vulnerability claims. You likely know ModSecurity as the popular firewall that’s designed to stop attacks against applications by monitoring HTTP traffic in real-time. This project is open source and maintained by Trustwave’s SpiderLabs. Now, the ModSecurity firewall works off of WAF rules, and admins can create their own rules, or deploy one of many existing libraries to block malicious attacks and attempts on the server.

A recent discovery suggests that ModSecurity opened itself up to denial of service vulnerabilities. And, in response, a Trustwave spokesperson said that while changes were made to the ModSecurity engine, they did not introduce a security vulnerability. The Trustwave spokesperson stated that there was a change in regular expression matching in ModSecurity 3.x that provided additional functionality, and that it is not considered a vulnerability for a few reasons, such as that an attacker would need to know that a rule using a potentially problematic regular expression was in place. Also, the attacker would need to know the basic nature of the regular expression itself in order to exploit any resource issues. And while those resource issues may cause a slowdown, they have not been able to replicate them.

Christian Folini, the co-lead of the OWASP Core Rule Set development team, challenged this response saying, “As ModSecurity is only the engine. You need rules to expose the vulnerability. And, also, to blame the problem on the rules does not make much sense in this architecture.” He mentioned that it’s like stating that the server would be secure if nobody was hooked in on the internet. The co-lead of the OWASP development team has insisted that ModSecurity maintainers fast track a release to include mitigations to the alleged vulnerability.

SpiderLabs, in response, maintains that the changes made have not introduced any security flaws. The OWASP development team has since said that it would roll out its own changes to mitigate the issues, saying that it will release a patch so users can fix this themselves, as well as providing workarounds for users stuck on the old and insecure ModSecurity 3.0.4.

In our next story, the Zerologon vulnerability in Netlogon could allow attackers access to Windows domain controllers. Netlogon is an authentication protocol that verifies users and services by way of a secure channel between a machine and a domain controller. This Windows service is a background process and is important for authentication on networks. Microsoft patched a severe vulnerability, described as a privilege escalation vulnerability, in their August patch, which could be exploited by attackers to take over enterprise servers. This was due to cryptographic weaknesses in Netlogon. The vulnerability was discovered by Secura’s Tom Tervoort.

So, if you’re not familiar, the Netlogon remote protocol is used to alter account credentials within a domain, and can also be used to establish user domain control relationships. Secura’s technical paper, which examined this vulnerability, mentions that all an attacker needs is access to a network to establish a link to a domain controller using MS-NRPC. So, the paper then mentions that no credentials are required to perform an attack. The vulnerability itself in the newest encryption was caused by incorrect use of an AES operational mode and allows attackers to “spoof the identity of any computer account, and set an empty password for that account in the domain.”

Microsoft notes that the flaw is going to be addressed in a two-stage rollout due to the scope of the vulnerability, and it looks like it might be a while before it’s fully patched. At the moment, domain controllers need to be patched as soon as possible. And Secura has released a tool on GitHub which allows administrators to see if a domain controller is vulnerable.

In our next story this week, the Windows 10 Finger command can be abused to steal files. So, sticking with Windows, finger.exe is a command in Windows that allows you to grab information about users on remote computers running the finger service or daemon. The communication is carried out via the Name/Finger network protocol.

John Page, a security researcher, found that the Microsoft Windows TCP/IP Finger command can also allow access to download files, as well as function as a command and control server that can ultimately allow an attacker to send commands and retrieve data. According to Page, the C2 commands can be disguised as Finger queries sent to retrieve files and pull data, all without Windows Defender intervening or alerting a user of the activity. One thing to be sure of is that you are blocking port 79, which is used by the Finger protocol.

In our last story of the day, Magento online stores are hacked in the largest campaign to date. Over 2,000 stores were hacked over the weekend in what researchers called the largest campaign ever. So, this was a Magecart scheme where hackers compromised sites and used malicious scripts that stole payment information which shoppers were inputting during checkout. Now, most of the compromised sites were running on version 1 of Magento’s online store software. The now-deprecated Magento version 1 software was seen as a target as early as last year when Adobe, who owns Magento, put out an alert telling users running version 1 to update to the version 2 branch. Mastercard and Visa both echoed those warnings to update to branch two over the spring. Over the past year or so, the number of Magento version 1 users has dropped from over 200,000 to less than 100,000 recently.

Attackers seemingly waited for version 1 to be deprecated, or for the end of life of the software, before exploiting the vulnerabilities. At this point, Adobe would no longer be patching its bugs. The Magento version 1 zero-day vulnerability was seen posted on underground hacking forums last month, and it confirms that attackers had been waiting for the end of life to come. It was also noted that some high-traffic sites are still running on version 1 and relying on their firewall now to keep the sites protected, which is mentioned to be a risky strategy. If you’re still running Magento version 1, it’s recommended to update to version 2 as soon as possible to mitigate risk.

That’s all for this week on Think Like a Hacker. I hope the news found you well. Check us out on Tuesday at noon Eastern time on YouTube for Wordfence Live, where we always discuss best security practices, and how to keep your sites safe. In the meantime, be sure you’re subscribed to our mailing list. It’s in the footer of the wordfence.com homepage. Until next time, have a great weekend, and thanks for listening. We’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 87: Vulnerabilities Affect Discount Rules for WooCommerce Plugin, ModSecurity & Windows appeared first on Wordfence.


Episode 86: War of the Hackers

Millions of attacks have been targeting the recent File Manager plugin zero-day vulnerability discovered last week. Two attackers are vying for control over sites compromised through the vulnerability.

A security researcher has revealed that specially crafted Windows 10 themes can be used to perform Pass-the-Hash attacks.

A database belonging to the Digital Point webmaster forum leaked records of over 800,000 web professionals that are members of the forum. Visa is warning of a new Baka Javascript credit card skimmer that removes itself from memory after exfiltrating stolen data, making it difficult to detect.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Attackers Fight for Control of Sites Targeted in File Manager Vulnerability
2:02 Windows 10 themes can be abused to steal Windows passwords
3:45 Webmaster forum database exposed data of 800,000 users
5:12 Visa warns of new Baka credit card JavaScript skimmer


Episode 86 Transcript

Scott Miller:

Hey, everyone. It’s Scott from Wordfence. You’re listening to Think Like a Hacker, the weekly podcast about WordPress, security and innovation. Let’s jump into this week’s stories.

My first story of the week is an update on the File Manager plugin vulnerability. So last week we covered the zero-day vulnerability in the File Manager plugin. The plugin is installed on over 700,000 sites, and since September 4th, we’ve seen the number of attacked sites go from 1.7 million to 2.5 million sites. We’ve also uncovered evidence that there are multiple threat actors involved, one of which was previously responsible for attacking millions of other sites.

Now, the vulnerability has been used by multiple attackers at this point who have successfully been stealing passwords and scattering back doors among the sites. Once a site is infected, passwords are stolen by adding code using Telegram Messenger’s API, which pulls credentials of anyone logging into the site. This code is being added to the user.php file, and in cases where WooCommerce is installed, there could be changes made to WooCommerce files to pull out the credentials there as well.

After cleaning a number of sites infected with these issues, our cleaning analysts had determined that malware was present from multiple threat actors. In total, we’ve seen over 370,000 different IPs being used in these attacks as well as obfuscated back doors located in ICO files. Make sure to check for any new administrator accounts on the site as well, as we have also seen malicious administrators added in some attack cases.

Also, be sure your Wordfence firewall is optimized, and your File Manager plugin is up to date. As we mentioned previously, these sorts of plugins are best to only be installed when needed, and they can be removed otherwise. If you’re curious about more information about this attack, check our original blog post on the vulnerability and also our updated post for more information on the attacks.

In our second story this week, Windows 10 themes are being used to steal users’ Windows passwords. So, Windows account credentials are being stolen from unsuspecting users in pass-the-hash attacks, where specially built Windows 10 themes are designed to steal users’ credentials. If you’re not familiar, you can customize a theme’s color, sound, cursors, wallpaper, etc. for your system to use on Windows 10. These attacks are specifically to steal Windows login credentials and password hashes, hence the name pass-the-hash, and it’s done by getting a user to access a server message block (SMB) share requiring authentication.

First, an attacker creates a .theme file and changes the desktop wallpaper setting to use a remote resource that requires authentication. At that point, when Windows attempts to access that remote resource, it will automatically try to log in remotely, which sends over the Windows credentials and the NTLM hash of the user’s password. This information is then gathered by the attackers, who try to de-hash and use the credentials.

It’s also worth noting that in some cases, de-hashing a password can take just a few seconds to do. So, to protect yourself against these sorts of theme file attacks, you can block or re-associate the .themepack and .desktopthemepack file extensions to a different program. It’s worth noting that when you do this, it will break the Windows 10 theme feature, so it would only be recommended if you do not need to switch to a different theme afterwards.

In our next story for this week, a webmaster forum database exposed data of 800,000 users. A database belonging to Digital Point exposed user email addresses, names, and more for over 800,000 users. The San Diego, California-based Digital Point describes itself as the largest webmaster community in the world, and it brings together a variety of professionals ranging from freelancers, marketers, programmers, and the like. So, on July 1st, Jeremiah Fowler and the WebsitePlanet research team found an unsecured Elasticsearch database, which contained over 62 million records, including data from 860,000+ Digital Point users.

Shortly after, on the same day, the research team sent over a disclosure notice to Digital Point, and access to the database was revoked within hours. After that point, however, there was no follow-up or communication from Digital Point with the researchers who disclosed the issue. Now, of course, there are many ramifications from users’ data being accessed in a situation like this, such as further data theft and phishing. It is definitely recommended to always use a unique password for each site that you access, so in the event of something like this occurring, the password cannot then be paired with your email and login names to access other sites.

In our last story this week, Visa warns of a new credit card JavaScript skimmer. So, Visa has issued a warning regarding a new JavaScript e-commerce skimmer known as Baka that will remove itself from memory after exfiltrating stolen data. The script, which was designed to steal credit card data, was found by researchers with Visa’s Payment Fraud Disruption (PFD) initiative in February 2020, and was found while examining a command and control (C2) server that had previously had an ImageID web skimming kit.

Baka features configurable target form fields and data removal using image requests, as well as an advanced design, including a unique obfuscation method, which suggests it’s the work of someone with great knowledge of malware and these sorts of attacks. Now, Visa put out an alert directly, and it mentions the skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code.

Visa also recommends considering a fully hosted checkout solution, where customers enter their payment details on another webpage hosted by that checkout solution specifically, separate from the merchant’s site. This is the most secure way to protect the merchant and their customers from eCommerce skimming malware. We have seen these sorts of issues on eCommerce sites in the past, and it’s a reminder to always keep plugins up to date and be sure you have an active firewall on your site to scan for vulnerabilities and changes. It’s also recommended to require strong passwords for all administrator accounts and, of course, limit who you give admin access to.

That’s all for us this week on Think Like a Hacker, stay safe and join us every Tuesday for Wordfence Live on YouTube at noon Eastern, 9:00 AM Pacific Time. We’ll be back with some more news next week, but until then have a good weekend, and we’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 86: War of the Hackers appeared first on Wordfence.
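The File Manager story in this episode names two on-disk traces of the campaign: credential-stealing code added to user.php that talks to Telegram Messenger’s API, and obfuscated back doors hidden in ICO files. The following scanner is an added example written for this page, not Wordfence code or the Wordfence scanner’s logic. It checks that a .ico file actually begins with the ICONDIR header a real icon carries and contains no PHP open tag, and it flags PHP files that reference api.telegram.org. The indicator patterns, the sample file tree and the file names are all constructed here for illustration.

```python
"""Constructed example: scan a WordPress tree for the two indicators described
in the File Manager story (PHP hidden in .ico files; PHP calling Telegram's API).
This is illustration code written for this page, not the Wordfence scanner."""
import re
import tempfile
from pathlib import Path

# A genuine .ico starts with an ICONDIR header: reserved = 0x0000, type = 0x0001.
ICO_MAGIC = b"\x00\x00\x01\x00"

# Indicator patterns (constructed for this example from the story's description).
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
TELEGRAM_API = re.compile(rb"api\.telegram\.org", re.IGNORECASE)


def scan_bytes(name: str, data: bytes) -> list:
    """Return (filename, reason) findings for one file's contents."""
    findings = []
    lower = name.lower()
    if lower.endswith(".ico"):
        if not data.startswith(ICO_MAGIC):
            findings.append((name, "ico-bad-header"))
        if PHP_OPEN_TAG.search(data):
            findings.append((name, "ico-contains-php"))
    elif lower.endswith(".php"):
        if TELEGRAM_API.search(data):
            findings.append((name, "php-telegram-api"))
    return findings


def scan_tree(root: Path) -> list:
    """Walk a directory tree and collect findings for every regular file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings.extend(scan_bytes(str(path.relative_to(root)), path.read_bytes()))
    return findings


def demo() -> list:
    """Build a constructed sample tree (not real malware) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        inc = root / "wp-includes"
        inc.mkdir()
        # A well-formed icon: correct header, harmless padding.
        (inc / "favicon.ico").write_bytes(ICO_MAGIC + b"\x01\x00" + b"\x00" * 16)
        # An "icon" that is really a PHP file (constructed stand-in for a back door).
        (inc / "hidden-sample.ico").write_bytes(b"<?php /* constructed sample */ echo 'x'; ?>")
        # A PHP file reaching out to Telegram's API (constructed stand-in).
        (inc / "user.php").write_text(
            "<?php\n// constructed sample\n"
            "$u = 'https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendMessage';\n"
        )
        (inc / "clean.php").write_text("<?php\necho 'hello';\n")
        return scan_tree(root)


if __name__ == "__main__":
    for filename, reason in demo():
        print(f"{reason:18s} {filename}")
```

Run against a real install, point `scan_tree` at the WordPress root; every hit still needs a human look, since a legitimate plugin may use Telegram for notifications, but a PHP open tag inside a file named .ico has no benign explanation.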


Episode 85: 0Day in File Manager Plugin and WordPress 5.5.1 Fixes Broken Sites

Over 700,000 WordPress users were affected by a zero-day vulnerability in the File Manager plugin, and the WordPress 5.5.1 release fixed millions of sites affected by deprecation of jQuery Migrate. SendGrid is under siege from spammers using hacked accounts, and Apple approves a notorious malware variant to run on Macs.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:00 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin
1:36 WordPress 5.5.1 Fixes Millions of Broken Sites
3:06 SendGrid Under Siege from Hacked Accounts
4:28 Apple approves notorious malware to run on Macs


Episode 85 Transcript

Scott Miller:

Hello everyone. It’s Scott from Wordfence. This is Think like a Hacker, the weekly podcast about WordPress, security, and innovation. Let’s get caught up with this week’s stories.

First up, our Threat Intelligence team here at Wordfence was alerted to a vulnerability being actively exploited in FileManager, a WordPress plugin with over 700,000 active installations. Now, the vulnerability allowed unauthenticated users to execute commands and gave attackers the ability to upload malicious files on a target site. Thankfully, Wordfence premium users, as well as those still using the free version, are protected against the attack campaign via the Wordfence firewall’s built-in file upload protection, though the Wordfence firewall will need to be optimized in order to protect your site from this vulnerability. So if you’re not currently using the extended protection for the firewall, go ahead and set that up in the Wordfence firewall section.

If you’re using a utility plugin like FileManager, Wordfence recommends installing the plugin when you need it, but then removing it when you’re done. This is due to the functionality that these kinds of plugins have within them, which can expose your site to more damage if a vulnerability is found within those plugins, as we saw here. So pretty much, if a plugin isn’t needed for the front end functionality of your site, install it when you need to use it, then uninstall it when you’re done.

Join us on Tuesday for Wordfence Live, where we’re going to have more advice on how to choose the right plugins for your site.

In our next story, a WordPress 5.5.1 maintenance release fixed problems introduced by deprecation of jQuery Migrate. In the new 5.5.1 release, there were 34 bug fixes as well as five enhancements. There were also five bug fixes for the block editor as well. Now, these bugs affect WordPress version 5.5, which came out on August 11th, so you’ll want to upgrade to 5.5.1 if you’ve already upgraded to 5.5.

Another thing to take note of is that there were no security fixes included in WordPress version 5.5.1. Some of the bugs that were fixed relate to the deprecation of jQuery Migrate, which we reported on recently. The jQuery Migrate plugin released by the WordPress team had 10,000 plus downloads when we last reported on it, and fixed various conflicts on sites that were using plugins or themes with older code. There initially was some speculation that the impact was limited to thousands of websites, which correlated with the download number we were seeing for that jQuery Migrate plugin. However, looking at the full review of data shows WordPress 5.5 negatively impacted millions of websites, and was a widespread issue.

make.wordpress.org published a spreadsheet, detailing the number of plugins and themes affected by the deprecation, showing millions of sites affected. And you can take a look at that by visiting make.wordpress.org.

In our next story this week, SendGrid is under siege from hacked accounts. The popular email service provider SendGrid has seen a large number of their customer accounts have their passwords cracked. Those cracked passwords are then sold to spammers and used for sending phishing and malware attacks. So if you’re not familiar with SendGrid, it’s a transactional email service provider. You may be familiar with their parent company, Twilio, which has begun working on a plan to require multifactor authentication for all of their customers as a response to these recent issues. The worry is that this proposed solution might not be implemented fast enough for businesses and customers having issues due to these problems in the meantime.

An anti-spam company, whose solutions are deployed by several Fortune 100 companies commented that no other email service provider has come close to generating the volume of spam that’s been generated from SendGrid’s accounts since this issue began. Due to the fact that SendGrid obfuscates links in emails, it’s a very attractive target to hackers looking to get users to click on malicious links. The takeaway here is to be very careful in general while clicking links in emails with SendGrid links. Also, be sure to use 2FA on all of your accounts, especially if you’re using SendGrid.

In our last story of the week, Apple approves notorious malware to run on Macs. So Apple has strict rules in place to prevent malware from being present in its app store. Last year, Apple began requiring developers to submit apps for security checks. Apple calls the process notarization, which consists of scanning applications for malware and other security issues. It is only after being approved through this process that the app can then be run. Of course, submitted applications that failed this notarization review are then denied and not able to be used and run.

Recently, security researchers found the first Mac malware that made its way through the notarization process from Apple. This came in the form of common malware disguised as an Adobe Flash installer and ended up leading to code used by the popular malware called Shlayer being approved by Apple. This Shlayer malware has been mentioned to be the most common threat that Macs faced last year, and is a sort of adware that has the ability to intercept encrypted traffic, even if a site is sending the data through HTTPS. It then replaces the websites and search results with its own ads, making ad money along the way. Mac users have not seen anything similar to this since the notarization process was introduced, and it shows that a process like this can be exploited.

It’s recommended to be conscious as to what you’re downloading and installing, and just because it’s on a trusted service with a process like this, things can still slip by. Always research what you’re installing, when at all possible.

That covers it for this week on Think like a Hacker. Remember, if you’re not subscribed to our mailing list, you might be missing some important and breaking security news. Until next week, I hope the news found you well this time, and from all of us here at Wordfence, have a great weekend, and we’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 85: 0Day in File Manager Plugin and WordPress 5.5.1 Fixes Broken Sites appeared first on Wordfence.


Episode 84: Google Chrome Plans to Implement Insecure Form Warnings

The Google Chrome web browser has a high-severity vulnerability that could be used to execute arbitrary code, which has been fixed in Chrome version 85. Google also announced that Chrome 86 will alert users if a form submission is using the insecure HTTP protocol, making it a good time to audit older sites that may have migrated to HTTPS, but still have forms submitting via HTTP.

A security researcher found a flaw in Apple’s Safari browser that could allow an attacker to access files on a Mac or iOS device.

The FBI and CISA have issued a joint alert to warn about the growing threat from vishing attacks targeting companies.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Chrome patches vulnerability that could be used to execute arbitrary code
1:20 Google announces Chrome 86 will alert users to insecure form submissions
2:55 Safari browser zero-day vulnerability could lead to leaking files to an attacker
4:40 FBI-CISA joint alert about growing vishing threat


Episode 84 Transcript

Scott Miller:

Hello everyone. It’s Scott from Wordfence. This is Think Like a Hacker, the weekly podcast about WordPress security and innovation. Let’s get right into this week’s stories.

First up, a couple of stories relating to the Google Chrome browser. A patch was released for Google Chrome this week, which fixed a vulnerability that could potentially allow code execution. The flaw, which is called a use-after-free vulnerability, was in the graphics library component of Chrome. This was part of the functionality that lets users render 2D and 3D graphics. The issue came about from improperly handling memory. If the memory layout of the browser were manipulated by an attacker, they could gain control and ultimately it could lead to arbitrary code execution. An attacker could execute code via one of the vulnerable functions, which was used to sync data. When that was done, it then creates the use-after-free condition mentioned earlier. This can occur from attempts to access memory after it’s been freed up, which can then result in a program crashing or potentially result in execution of arbitrary code. So currently the thing to do here is check your current browser version and make sure that you’ve updated to Chrome 85, which should be available for you now.

In another story regarding the popular web browser, Google said in an upcoming release of Chrome, that they will be restricting forms that are sent via HTTP protocol. This is a push to have site owners review their site and be sure that forms are transmitting data via the secure HTTPS protocol. It’s important to be sure that all of the data on your site is being transmitted securely. And if you’ve recently migrated to HTTPS, double check to be sure that your forms are transmitting data securely to reduce any chance of being alerted or warned by Google of the issue, which could potentially end up resulting in a loss of revenue, depending on what your forms are used for.

If your forms are not transmitting data securely, you’ll see a message alerting you that the form is not secure. And you’ll also see an alert that autofill has been disabled for the form. Your visitors will also see these messages as well. An additional warning will be then shown to the site visitor when they attempt to submit data via that form and the warning will give the visitor an opportunity to continue with the data submission or cancel the submission at that point. One thing to consider as a site owner is checking your browser console for warnings that mention mixed content being loaded on the site. If you’re seeing that message, you can then find some tools with a Google search or via the WordPress plugins area to help automatically fix insecure and mixed content being loaded. Chrome 86 will feature these changes and it’s due to be released on October 6th, 2020.

Sticking with browser related news, Safari has a zero-day vulnerability affecting the macOS and iOS browsers. The vulnerability allows an attacker to access files that are stored on the user’s local hard drive. This bug was discovered by the Polish security firm REDTEAM.PL. The vulnerability resides in the Safari Web Share API, which introduces the ability to share text, links, files, and other things cross-browser. Visiting a malicious site set up for this vulnerability could open your device to this issue and result in leaking out the private stored local files from your device. After repeatedly chasing Apple about this vulnerability, the researcher who discovered the zero-day was notified by Apple that it would not be patched until the April 2021 security update, and then he took it upon himself to disclose the issue in advance. Now, the researcher who disclosed the bug has described it as not very serious due to the fact that the user would need to be tricked into a situation to leak out the files.

However, the attack itself can be hidden well. The vulnerability is not easy to carry out, and it does require some user interaction, as I mentioned, which draws comparison to a social engineering attack. But the researcher who found the issue mentions that barriers for the bug are far from insurmountable and demonstrates the bug in a proof-of-concept video, which you can check out on YouTube. So as this has not yet been patched and may not be for some time, it’s always a good rule of thumb to double check where you’re browsing at any given time and always be aware of what you’re clicking and who you’re giving information to.

In our last story for this week, the FBI and CISA, which is the Cybersecurity and Infrastructure Security Agency, issued an alert warning about the growing threat of voice phishing, or vishing, attacks. Now you might be wondering, what is vishing? Vishing is a form of phishing where, during a voice call, a scammer will attempt social engineering to get you to share personal information or company information to help them with their attack. This can result in an attacker gaining access to employee tools with the end goal of monetizing the access. KrebsOnSecurity took a look at a crime group which is offering to steal VPN credentials and other data from employees working remotely during the pandemic. In their article they mention that, in the joint FBI-CISA alert, the vishers are said to be compiling information on the employees using public profiles on social media sites and other readily available services, such as background checks.

In the alert it’s noted that in some cases, unsuspecting employees granted access to these vishers, even helping them bypass 2FA and/or one-time passwords (OTP). In other cases, attackers were able to gain access to the necessary one-time codes by targeting the employee with SIM swapping, which is a technique that involves social engineering an employee at a mobile phone company, which would then result in the employee giving them control of the target’s phone number, allowing them to access the 2FA code. One way around this for companies that are working remotely is the approach that Google took in requiring all employees to use physical security keys in place of one-time codes. You can check out USB and USB-C versions of these physical security keys from the company Yubico, which offers the YubiKey.

That’s all this week for Think Like a Hacker. Take a second to subscribe to our mailing list in the footer of the Wordfence.com homepage and keep up to date with any breaking security news there. Until next week from all of us here at Wordfence, have a great weekend and we’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 84: Google Chrome Plans to Implement Insecure Form Warnings appeared first on Wordfence.


Episode 83: 100,000 Sites Impacted by Vulnerabilities in Advanced Access Manager

The Wordfence Threat Intelligence team discovered vulnerabilities in the Advanced Access Manager plugin installed on over 100,000 WordPress sites. A high severity authorization bypass could lead to privilege escalation and site takeover. Critical vulnerabilities found in the Quiz and Survey Master plugin could also lead to site takeover on the 30,000 WP sites using the vulnerable version of this plugin.

Thousands of sites broke after updating to WordPress 5.5 due to deprecated support for jQuery Migrate, and the release of the Enable jQuery Migrate Helper plugin reached 10,000 active installations to help fix these sites using older themes or plugins.

As cryptocurrency values rise, we’re seeing a wave of new scams and hacking campaigns with cryptocurrency as a driving force, such as the recent Twitter hack and a botnet campaign called Fritzfrog that is breaching SSH servers to mine Monero.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:10 High-Severity Vulnerability Patched in Advanced Access Manager
2:05 Critical Vulnerabilities Patched in Quiz and Survey Master Plugin
3:43 Sites updating to WordPress 5.5 breaking due to deprecated jQuery migrate, new plugin released as a fix
6:27 Fritzfrog campaign breaching SSH servers, similar to previous cryptocurrency hacking campaigns

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 83 Transcript

Scott Miller:
Hey everyone, it’s Scott from Wordfence. This is Think Like a Hacker, the weekly podcast covering WordPress security and innovation. Let’s get right into this week’s stories.

Our first story of the week is the high severity vulnerability patched in the Advanced Access Manager plugin. Ram Gall and our Threat Intel team here at Wordfence found vulnerabilities in the Advanced Access Manager plugin, which is installed on over 100,000 sites.

This high-severity Authorization Bypass vulnerability could lead to a privilege escalation and a site takeover. This plugin allows users to log in via the WordPress REST API and unfortunately the plugin’s REST endpoints were set to respond to a successful login with a JSON-encoded copy of all metadata about the user, which can potentially expose users’ information to an attacker or a low-privileged user.

This information includes items such as the user’s hashed password and their capabilities and roles, as well as any custom metadata that might’ve been added by other plugins. Wordfence premium users received a firewall rule protecting against the Authorization Bypass vulnerability on August 14th, and sites that are still running the free version of Wordfence will receive this rule 30 days later on September 13th, 2020.

Now, lots of plugins and management systems give you the ability to customize roles for users on your site, whether you’re running a blog, an eCommerce store, or a membership site, or just adding a specific capability for certain users on your site. These additional roles require additional thought and attention, much like the plugins and management systems that are offering the features.

From a security standpoint, when it comes to issues and vulnerabilities like this regarding roles and capabilities, it’s typically recommended limiting the roles of users to only what is necessary and staying as close to the core functionality in WordPress as possible.

Our next story this week is the critical vulnerabilities patched in the Quiz and Survey Master plugin. On July 17th, our Threat Intel team found two vulnerabilities in the Quiz and Survey Master plugin, which is installed on 30,000 sites.

The Quiz and Survey Master plugin is a plugin built to allow users the ability to easily add quizzes and surveys to their site. One of the features of the plugin allows file upload implementation for quizzes and surveys. This upload feature, however, was not secure. The checks performed during a file upload only evaluated how the general settings were configured for the file upload itself.

During the upload, checks were made primarily to see if the file type and size were valid. The issue we discovered allows for unauthenticated attackers to upload arbitrary files and achieve Remote Code Execution, as well as remove arbitrary files, such as a site’s wp-config.php file, which could result in site downtime or a site takeover.

It’s recommended to update to version 7.0.1 as soon as possible. And thankfully the default Wordfence firewall rules protecting against malicious file uploads, local file inclusion, and directory traversal will protect both free and premium users from attackers targeting these vulnerabilities.

As a rule of thumb, be selective with who you provide access to your site. And more importantly, who is given access levels greater than subscriber level. Users with these levels should always have unique and complex passwords.

Our next story this week looks at the increase in broken sites since the WordPress 5.5 core update due to deprecated support for jQuery Migrate. So, a few weeks ago, WordPress 5.5 shipped without a JavaScript library called jQuery Migrate.

jQuery Migrate is a library that basically helps old code function correctly on WordPress sites. This means if you have a plugin or a theme that is potentially no longer supported, or in other words, it’s out-of-date, it may have worked fine until updating to 5.5 where the library to help the code work was no longer included.

The result of the library not being included in the core updates so far has been 10,000 plus sites having issues. On one hand, this looks like the fault of WordPress for not including the library, but one of the real issues here is the number of sites using old themes and plugins.

Since the WordPress core update, there’s been a jQuery helper plugin released, which has surpassed the 10,000 [site] installation mark. This plugin, which was developed by the WordPress core team, has provided some relief for users who have seen their site break due to the jQuery Migrate library not being included in the 5.5 core update.

This issue has exposed sites that are using older themes and plugins. And if your site was affected by these issues in 5.5, it may be a good time to look at finding replacements for those themes and plugins that are no longer supported.

If your site currently has plugins and themes that are still supported, but just out-of-date, there’s plenty of tools out there now that can help you manage updates. The new features in core that were added in 5.5 will allow you to update themes and plugins automatically, and you can also use Wordfence alerts on your site to stay in tune with available updates for your themes and plugins.

You can also consider using Wordfence Central, which is a hub to add all of your Wordfence-protected sites, both free and premium, and keep track of the scans and security of all the sites in one place. There’s a cool option for a summary of alerts in Central that will help you with alert fatigue and keep you up-to-date with what needs attention on your sites. The best part of it is, it’s completely free to use.

If you’re interested in some more information on auto-updates, we also have a good blog post on wordfence.com from August 6th, which is titled WordPress Auto-Updates, What Do You Have to Lose? And it details how you should go about the automatic update feature, which was introduced in WordPress 5.5. You can also check out the Wordfence livestream on YouTube from August 11th, where we go into this in depth.

In our last story this week, we take a look at the increasing value of cryptocurrency and how it’s increasing the number of attacks we’re seeing in various formats. Cryptocurrency has been increasing in value in the past few months, including the privacy focused cryptocurrency Monero.

It’s currently ranked as the 16th most valuable cryptocurrency on CoinMarketCap, and it’s a favorite currency for those looking to hide their transactions, including hackers. With this rise in value, we believe we’ll start seeing more attacks using Monero mining, much like what we saw with a massive crypto mining campaign which affected WordPress sites in 2017.

We’ll include that link to our blog post in the show notes. Now, we’re already starting to see some of these attacks that have cryptocurrency as a driving force, including the recent Twitter hack, which focused on Bitcoin. In a similar story, a botnet campaign named Fritzfrog was discovered breaching SSH servers dating back to at least January 2020.

Fritzfrog used brute force to breach SSH. And once their malware was present, the malware replicated and grew in order to perform additional tasks. After some of the higher resource tasks were killed off on the server by the malware, it deployed tasks of its own, which focused on mining the Monero cryptocurrency.

In cases like these and as currency evolves, hackers won’t be far behind and there’s always a use for powerful servers, websites, and user accounts for hackers and botnets. It’s always important to monitor your server resources regularly, as well as harden your security and keep administrator, FTP, SSH, and other important accounts locked down or inaccessible until they’re needed.

That’s all for this week. Don’t forget to subscribe to our mailing list on wordfence.com, as well as check us out on Wordfence Live on YouTube every Tuesday at noon Eastern, 9:00 AM Pacific time, where we talk all things WordPress and security. From all of us here at Wordfence, thanks for tuning in to Think Like a Hacker. And we look forward to catching up with you next week.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 83: 100,000 Sites Impacted by Vulnerabilities in Advanced Access Manager appeared first on Wordfence.


Episode 82: Important Changes in the WordPress 5.5 Update

WordPress 5.5 was released on August 11 with a number of important updates, including a new feature allowing auto-updates of themes and plugins as well as changes to the block editor. The popular Astra theme was suspended from the repository for having affiliate links in the code.

A vulnerability found in Google Chromium browsers could allow attackers to bypass content security policy in order to steal data and execute rogue code; this vulnerability affects billions of users. The Wall Street Journal reported that government tracking software is embedded in over 500 mobile apps.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 WordPress Auto-Updates: What do you have to lose?
2:17 Astra theme suspended and reinstated
3:57 Google Chrome browser bug exposes billions of users to data theft
5:35 WSJ Report: Hundreds of apps have hidden tracking software used by the government

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 82 Transcript

Scott Miller:
Hey everyone, it’s Scott from Wordfence. This is another edition of Think Like a Hacker, the weekly podcast about WordPress, security and innovation. Let’s get right into the news.

Our first story of the day is the WordPress 5.5 update. So on Tuesday, August 11th, WordPress released their 5.5 update, and it allows automatic updates to be enabled for individual plugins and themes. Auto-updates will be disabled by default, but you can enable the ability for those plugins to update automatically from the plugins section of your site. Now, the addition of auto-updates improves site security by shortening the time that it takes to get plugins updated. And this can be big if there are security updates in those plugins. Now auto-updates do pose some problems, and we talked about that at length on our Office Hours stream this week, and you can find that on the Wordfence YouTube channel by searching Wordfence Office Hours on YouTube.

So depending on the kind of site that you’re running and how often you log in to check on things, auto-updates might be a good idea to keep things up to date and protected. If you’re a larger business and you have eyes on the site very frequently, it might be best to start off slow and continue updating your plugins manually for now. If you’d like to read more about how these auto-updates can impact your site, we have a great blog post on wordfence.com titled WordPress Auto-Updates: What do you have to lose? That was posted on August 6th and you can head over there and check it out on the blog.

Also introduced in WordPress 5.5 were multiple user interface changes to the block editor, which was initially introduced in WordPress 5.0 in 2018. These UI changes make adding, editing, and moving blocks in your posts and pages a bit more fluid. Also included in WordPress 5.5 were site maps, which WordPress will generate for you by default and a new lazy-load feature, which aims to save on bandwidth and speed your site up. How this works is it basically only loads images that are in view of the browser window for your visitor at any given time. So this is a nice impact on speed and performance.

Our second story this week is the Astra theme suspension. This is the first non-default WordPress theme to break the 1 million install mark, and not long after it did, it was suspended due to breaking a rule on having affiliate links in the code. Shortly after a back and forth between the themes team and the theme authors, the theme was then reinstated. However, the ongoing penalty at the moment is that the theme is absent from the popular themes list. The way the popular themes list works is it uses the theme’s date of publication, as well as the number of downloads, to determine a theme’s popularity. So what the themes team did was they changed the date for the theme to push it down the popular list. Delisting a theme like this is a way for the themes team to deal with guideline violations while not outright suspending a theme. And as in this case, the users will still then have access to new updates.

It’s worth noting that this is the company’s first violation and while Brainstorm Force, the team behind the Astra theme, didn’t directly add affiliate links, they did inject the company’s referral ID into affiliate links for third party plugins. Since the initial encounter, an additional week has been added to the suspension when another affiliate related violation was found. These penalties can result in a large loss in revenue. And in a similar case, the Zerif Lite theme received a suspension and it resulted in a significant revenue loss. The Zerif Lite theme had only about one third of the active users that Astra has.

Next up, a vulnerability was found in the Google Chromium browsers, which would allow attackers to bypass CSP, content security policy, in order to steal data and execute rogue code. This vulnerability affects Chrome, Opera and Edge on Windows, Mac, and Android, which means it potentially affects billions of users. The affected versions are Chrome version 73 through version 83. The issue was patched in Chrome version 84, which was released last month in July. The vulnerability was then present for more than a year before the patch. Now content security policy is a standard method to enforce data security and it’s used by a lot of major companies, such as Facebook, ESPN, Gmail, to just name a few.

And it’s used to prevent attacks such as cross-site scripting and data injection attacks. In order for this vulnerability to have been exploited, an attacker would have first had to have gained access to the web server. And that could have been done via social engineering or brute forcing, among other things. After gaining access, attackers could have then altered the JavaScript code that the server uses to load and inject code resulting in a bypass of the CSP. So a couple things, be sure to check and see if you’re on the latest version of your web browser, and it’s also advised to audit your browser by checking your browser extensions and remove anything that you either aren’t familiar with or that you no longer use.

And our last story for this week, a new report by The Wall Street Journal has exposed government tracking software in over 500 mobile apps. Anomaly Six, a Virginia-based company, included its tracking code within their mobile apps, which then collected data from mobile devices, and that data was then sold to the US government. In the report, it’s mentioned that Anomaly Six would not name any of the apps that their software is currently included in. Now, if there’s a bright side, it’s that the data collected is anonymous. Though, as we’ve seen in cases in the past, there are methods along the way for identifiers to be used to associate data with an individual. It appears that at the current time, what is being done here is legal, and it’s also mentioned that it’s clear that we’re behind on laws and regulations with regard to collecting this kind of information, even anonymously.

Currently, there is no way to tell if we’re even using one of these apps right now. So it might be a good time to audit our phones as well. So you can do that by just going through and looking at some apps that you don’t commonly use, or you don’t use at all, and go ahead and get rid of those. You also might be asking, “What is the government doing with this anonymous information?” And I think a lot of us are wondering the same thing. So drop us a comment in our show notes on wordfence.com/podcast and give us your thoughts on this or any of our other stories today.

That does it for this week’s edition of Think Like a Hacker. Be sure to check us out on Wordfence Office Hours, which airs every Tuesday at noon Eastern, 9:00 AM Pacific, where we talk all things WordPress and Wordfence security. I hope today’s news found you well, and we’ll be back next week on Think Like a Hacker. From all of us here at Wordfence, have a great weekend and we’ll see you next time.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 82: Important Changes in the WordPress 5.5 Update appeared first on Wordfence.
