Known WordPress Threat Actor Under Investigation For Prescription-Free Online Pharmacy

Last September we published a series of three blog posts exposing a threat actor who had purchased a number of WordPress plugins as part of an elaborate supply chain attack. This ownership enabled him to inject SEO spam into hundreds of thousands of websites, boosting search engine rankings for various illicit online businesses.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/08/known-wordpress-threat-actor-under-investigation-for-prescription-free-online-pharmacy/

In the first post we reported that a backdoor had been placed in the Display Widgets plugin by its author. We demonstrated how the backdoor worked and its purpose. We also found evidence that the plugin had recently been sold.

In our second post the following day, we were able to identify the man behind the plugin spam, Mason Soiza. We were also able to tie him to another plugin we had written about back in August of 2016, 404 to 301, which had also been used to inject SEO spam into websites. With the aid of the original plugin authors we were able to gather comprehensive information about the purchases. We were also able to tie Soiza to some of the illicit businesses the SEO spam was benefitting.

We continued our research and published a third and final post a week later. In it we were able to tie together a 4.5 year campaign impacting 9 WordPress plugins, all used by Mason Soiza to serve SEO spam on victim websites. These WordPress supply chain attacks caught the community by surprise.

The Times and BBC Take Things Further

Last week The Times published an article focused on the website UK Meds, which is owned by none other than Mason Soiza. According to The Times, the site is under investigation by regulators for selling prescription medications, including highly addictive opioid painkillers, to customers without a prescription. Customers need only complete a free “online consultation”, which is reviewed by a doctor in Romania.

A spokesman for Mason Soiza who was referenced in The Times article, “[…] accepted that he had bought WordPress plugins and inserted code but disputed that this was malicious code and denied he was a spammer.” The article also suggests the business has been profitable enough to allow Mr. Soiza to purchase a £215,000 Lamborghini and a £100,000 watch.

On Monday, the BBC Panorama series covered the topic of online pharmacies in the UK (linked content only accessible from the UK). Mason Soiza’s site UK Meds is among the four online pharmacy sites profiled.

In the episode, five volunteers order prescriptions, most of which could prove fatal for them. Three of them ordered opioid-based painkillers, one diet pills and another antibiotics. All five were able to successfully place their orders online by answering online questions dishonestly and receive the medications. In the most touching part of the episode, a mother whose son died as the result of a drug overdose is interviewed. Dependent on the drugs, he was able to buy them online for two years after his doctor had cut him off.

They also go undercover to talk to the owner of EuroRX, who explains how online pharmacies can leverage doctors in Romania to circumvent prescription requirements.

Protect the Community by Keeping Your Site Secure

We were happy to see both The Times and BBC take this story further. What they uncovered serves as an important reminder that the people behind the attacks on our websites are generally up to no good. It might just be a website to you, but to a criminal it’s an important resource they can use to further their agenda. Unfortunately, that agenda sometimes includes potentially deadly activities. We can all do our part to help keep the community safe by keeping our sites secure and out of the hands of criminal actors.

The post Known WordPress Threat Actor Under Investigation For Prescription-Free Online Pharmacy appeared first on Wordfence.

Read More

Brad Haas Discusses BabaYaga Malware on the CyberWire Podcast

In early June we published an article and accompanying white paper detailing an interesting malware infection which we’ve internally dubbed BabaYaga. The relatively sophisticated malware is unique because it contains a number of features intended to ensure the infected site remains in working order. It keeps WordPress core up to date, performs and stores backups and even scans for and removes malware.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/baba-yaga-cyberwire-podcast/

Brad HaasOn Saturday one of our Senior Security Analysts and the author of the BabaYaga white paper, Brad Haas, sat down for an interview with Dave Bittner on the CyberWire podcast. We think you’ll really enjoy the 20 minute interview. Simply click play below to hear it. If you prefer a written version a full transcript is available here.

As always we’d love to hear your thoughts and questions in the comments.

The post Brad Haas Discusses BabaYaga Malware on the CyberWire Podcast appeared first on Wordfence.

Read More

Your Site Can Help Defend Millions Of Others

As you’re probably aware, Wordfence’s Security Services Team (SST) provides world-class remediation services in the event that your site falls victim to malicious activity.  Our analysts combine their considerable expertise with the best threat intelligence in the industry to deliver results we’re consistently proud to stand behind. To be clear, the word “consistently” is used deliberately here, as the continued reliability of our services is crucial in maintaining the trust placed in us by our users.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/your-site-can-help-defend-millions-of-others/

An early struggle with consistency was in handling the volatility of our order volume, where peak volumes would sometimes impact the quality of our service. Limiting these situations became an immediate priority, and in April we introduced ‘high demand’ pricing to better ensure that we never compromise on quality. At the same time, we integrated the SST and Customer Service teams and completely revamped our internal processes to align with this trajectory.

The results of these changes were dramatic. The improvements allowed us to introduce discounted prices during periods of lower demand, which we rolled out in May. Our motivation to discount rates extends beyond pure economics, though, because each closed case is about more than money to us.

Helping Future Victims

Our ability to protect Wordfence users from new and more sophisticated attacks hinges on our ability to absorb the latest intelligence into our Threat Defense Feed. Each incident responded to by our SST analysts advances this process–whether by discovering new or mutated malware samples, contributing forensic data to broader investigations, or by revealing the presence of new threat actors–and directly improves the security of millions of websites as a result. Offering temporary discounts during periods of low volume is an easy choice when it means stimulating an uninterrupted flow of high-value threat intelligence.

We know the immediate aftermath of a WordPress compromise is always a stressful time, and understand that the improved security of the rest of our users isn’t terribly compelling when you’ve got your own situation to take care of. With that in mind we offer thanks to all of our SST customers, whether for responding to a hacked site or performing a site security audit, by including a free one-year license for Wordfence Premium. With an active Premium subscription your site will immediately benefit from up-to-date threat intelligence, where the data gathered from your own case and others like it can be put to work defending your site from future attacks.

Wait No Longer

At this time, the SST’s volume allows us to offer a 30% discount on site cleaning and security audit services. If you believe your site has suffered a successful attack, or are interested in having our experts check under the hood to identify future concerns, there’s no better time to get in touch.

You’ll be joining a network of websites which have all contributed to the improved security of your web presence, and what we learn from your case will in turn go on to help those who need it in the future. Whether we’re publishing analyses of emerging malware trends or using our collected data to identify popular infection vectors, we’re committed to providing the best security solutions in the industry, and we’re thrilled to have your help.

The post Your Site Can Help Defend Millions Of Others appeared first on Wordfence.

Read More

Three Incident Response Preparations You Should Be Making

In the context of cybersecurity, the adage “An ounce of prevention is worth a pound of cure” is a massive understatement. Make no mistake, the easiest way to handle a security incident is to prevent it from ever happening in the first place. We continually remind our readers about security best practices because the time spent implementing them is nominal compared to the time that would be spent responding in the aftermath of a successful attack.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/three-incident-response-preparations-you-should-be-making/

The unfortunate reality, however, is that sites continue to fall victim to malicious activity every day. Even perfectly responsible site owners who follow every security guideline in the book need to prepare for the possibility of a critical security incident. Similar to household emergency readiness preparations, like owning an appropriately classed fire extinguisher or keeping a first aid kit, there are a few favors you should be doing for yourself as a site owner to help you get back on your feet in the event of a disaster.

Logs Or It Didn’t Happen

When an owner hears for the first time that their site has been compromised, the first question on their mind is usually the same: How? It’s a natural response, and it’s a question that security firms are commonly brought in to investigate. Forensic review of the breached system can provide answers in some cases, but the efficacy of these efforts frequently hinges on the existence of reliable event logs to be reviewed.

Server logs provide investigators with a dataset they can use to establish a timeline of events leading up to and during an attack. By identifying the activity taking place and its source, it can be possible to determine the scope of the compromise. That intelligence is how you can know whether an attacker had access to your users’ data or if you simply fell victim to a defacement campaign, and being able to confidently disclose these details to your users can be crucial in dampening the impact to your business’s reputation following an attack.

Log retention policies seldom come up in the conversations between new site owners and their prospective hosting companies, so it’s possible to unknowingly be a step behind in this process based simply on your site’s provider. If a host has an opt-in logging policy, or defaults to very short log periods, in all likelihood an inexperienced user will have no usable logs of a security event by the time they’ve been made aware of the issue.

Just how long to retain server logs for security purposes depends heavily on your industry and location. Industry compliance regulations may demand retention minimums or specific destruction timeframes, and regional regulations can introduce their own requirements. If you believe that your site might fall under such restrictions, consult with a legal expert familiar with your particular case. Otherwise, the amount of log history to maintain depends on how closely you monitor your site in other ways. If a site doesn’t see much attention under the hood it’s much more likely that a compromise can go undetected for months, so lower-maintenance sites might opt to retain logs longer to shore up that disadvantage a bit.

If your site is running on shared web hosting, take a moment to identify how your host handles access logging. Standard cPanel-based hosting accounts are becoming more and more common and default to a functional logging policy unless the host enforces changes, but proprietary hosting solutions may not play so nicely in every case. Either way, ensure that you’re able to archive and retain logs for an appropriate amount of time for your needs.

If your site lives on a server you have more direct control over, you can really roll up your sleeves and set up your logging however you like. For example, your run of the mill Linux webserver is probably making use of logrotate to manage the storage and archival of various logfiles. Logrotate leans on a fairly simple scripting syntax to build rotation rules, so it’s easy to configure retention policies for just about any purpose. Windows servers typically handle event logs directly, so there isn’t as much to worry about on a private Windows system in terms of storage and rotation.

If You Have One Backup, You Have No Backups

If the scope of an attack isn’t conclusively determined, or if a compromise has left a site owner uncertain of the continued integrity of their environment, it often becomes necessary to revert to a known-good backup of the site. This also facilitates the process of migrating a site from a compromised server to a new host while minimizing the potential to include infected code in the migration.

Of course, an owner’s ability to restore a site from backup depends entirely on whether they were making the backups to begin with. This, again, is a problem many unfortunate business owners fail to identify until it’s too late to be of use. Maybe they assumed their hosting provider was handling their backups for them, or that their site was so stable that they’d never need backups to begin with. Either way, a site needs backups.

To be clear, we’re using the plural “backups” very intentionally. Your filesystem and database contents are typically changing constantly, especially with a dynamic web application like WordPress running the site, so as backups get older they begin to lose usefulness. At the same time, having backups across a span of time can help ensure there’s a clean backup if a breach went unnoticed for too long.

There’s a commonly repeated guideline for backups called the 3-2-1 rule which suggests keeping three copies of your data, on two different media, with one off-site. It’s a pretty basic guideline, one which has been around for a while and may be due for a revamp in the age of cloud storage, but its basic tenets are sound. You can pull the numbers from the rule and still end up with sound advice: Keep redundant copies of your data, diversify how your data is stored, and make sure at least some backups are accessible regardless of the nature of the disaster.

One point that the 3-2-1 rule does fail to address is the need to test your backups. The aftermath of a cyberattack is the worst possible time for you to learn that your backup script broke five months ago. Periodically check your backups for integrity and watch closely for errors reported by any automated scripts you’re running. For critical systems, consider performing complete disaster recovery tests by spinning up a temporary server and restoring a backup to a running environment.

It sounds boring, but spending the time every now and then to make sure your backups are reliable brings with it a great deal of peace of mind. Simply put, it’s better to have them and not need them than to need them and not have them.

Hope For The Best, Plan For The Worst

While there are precautionary measures in place to prevent fire hazards in an office building, the workers in the building need to know there are fire alarms and an emergency exit plan just in case. By the same token, the members of your organization need to have a security incident response plan in place to ensure the issue is handled appropriately.

Depending on the size of your business, your incident response plan can be as simple as a sheet of instructions or a massive PDF document with diagrams and walkthroughs. Regardless of size, this document should clearly establish at least these few important pieces of information pertinent to the immediate aftermath of an incident:

Who is the person or team in charge of responding to security incidents?
Include any relevant contact information. If you retain the services of a third party team for your security, be sure to make note of who is authorized to contact them.

Which other parties need to be involved in which situations?
Above a certain scale, where your infrastructure relies on multiple teams, the security team handling the incident may not be directly familiar with the affected systems. Identify who needs to be called for each system, so your incident handler knows how to contact your database administrator for a database breach without pinging your entire IT staff.

What defines success in your response?
The key is to have measurable goals. These goals could be to limit service disruptions, or to publish a public disclosure of the event within a certain timeframe, et cetera.

Are there any mandatory steps that need to be taken?
If your region or industry imposes disclosure timeframes or other incident handling regulations, put these in plain language in your plan. Assign ownership of these steps to relevant parties to ensure they don’t slip through the cracks.

Include this information alongside details of where backups and logs are stored, and any other information that may be pertinent to your organization’s response. Having a predefined plan accessible to your team allows your organization to hit the ground running after a successful attack takes place, where time is critical. Even if your team is small and the contents of a plan could probably just be assumed, putting it on paper helps to remove any ambiguity in what is already a stressful event.

Conclusion

A common thread in the world of security advice is that any effort you’re able to give is going to be more effective than not doing anything. Even if you don’t have the capital to implement a redundant and scalable automated backup strategy for your site, you can at least set a reminder to yourself to pull a backup of your site down to a local drive once a week. Just put something into place sooner rather than later, because you can always improve it further down the road.

The post Three Incident Response Preparations You Should Be Making appeared first on Wordfence.

Read More

Details of an Additional File Deletion Vulnerability – Patched in WordPress 4.9.7

Today WordPress released version 4.9.7, a security release which addresses two separate arbitrary file deletion vulnerabilities requiring Author privileges. Some details can be found on the WordPress.org blog.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/

The first arbitrary file deletion vulnerability was disclosed June 26, 2018 on the RIPS Tech blog with no official patch to WordPress in place. We released a firewall rule the same day to protect Wordfence users from attacks against this vulnerability.

A Second Vulnerability Discovered

After developing a proof of concept of the attack to aid in writing the Wordfence firewall rule, we decided to have a closer look at the code used to create and delete attachments. During this review, we discovered a second arbitrary file deletion vulnerability exploitable by authors. We released a Wordfence firewall rule to our Premium customers on July 2nd to protect against this vulnerability.

The details of the second vulnerability are as follows: In WordPress core, there is an “upload-attachment” AJAX action used by the media uploader. The AJAX call will handle the file upload and pass an array of additional data about the attachment to wp_insert_post, since media attachments are a specific post type within WordPress.

function wp_ajax_upload_attachment() {
    
    ...
    
    // Post data from user input.
	$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();

	// If the context is custom header or background, make sure the uploaded file is an image.
	if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
		$wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'] );
        
        ...
        
	}

	$attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data );

The vulnerability lies in the way wp_insert_post populates the meta data for the attachment. The path to the attachment file is stored in the meta key _wp_attached_file. By supplying post_data[meta_input][_wp_attached_file] in the request to the “upload-attachment” AJAX action, we can pass in ../../wp-config.php which WordPress will treat as the attachment file.

Similar to the first arbitrary file deletion vulnerability, when an author deletes this attachment, the wp-config.php is deleted allowing the author to go through the initial WordPress installation process which allows them to fully compromise the site.

WordPress Releases a Fix in 4.9.7

The WordPress security team has just released version 4.9.7 which addresses both of these issues by performing some additional checks before deleting attachment files. Specifically, they have added the function wp_delete_file_from_directory which they use to verify the file is within the uploads directory before deleting it.

/**
 * Deletes a file if its path is within the given directory.
 *
 * @since 4.9.7
 *
 * @param string $file      Absolute path to the file to delete.
 * @param string $directory Absolute path to a directory.
 * @return bool True on success, false on failure.
 */
function wp_delete_file_from_directory( $file, $directory ) {
	$real_file = realpath( wp_normalize_path( $file ) );
	$real_directory = realpath( wp_normalize_path( $directory ) );

	if ( false === $real_file || false === $real_directory || strpos( wp_normalize_path( $real_file ), trailingslashit( wp_normalize_path( $real_directory ) ) ) !== 0 ) {
		return false;
	}

	wp_delete_file( $file );

	return true;
}

Timeline

  • 2018-06-29 11:26 AM (-500) – Initial report of second arbitrary file deletion vulnerability submitted to WordPress security team.
  • 2018-07-02 1:14 PM (-500) – Firewall rule released to Wordfence Premium customers to address second vulnerability.
  • 2018-07-05 12:00 PM (-500) – WordPress releases version 4.9.7 which fixes both vulnerabilities.

What To Do

We strongly encourage you to update to 4.9.7 as soon as possible. If you have automatic updates enabled, your site should update within the next 24 hours. Automatic updates are enabled by default in WordPress for minor releases.

Credits: Congrats to Matt Barry, our lead developer at Wordfence for finding this vulnerability and writing up technical details. Thanks to Mikey Veenstra for editing this post. As always, thanks to the WordPress security team for being super responsive and for their hard work helping secure WordPress core.

The post Details of an Additional File Deletion Vulnerability – Patched in WordPress 4.9.7 appeared first on Wordfence.

Read More

Optimizing Wordfence Security Settings: Brute Force Protection

As a part of the Wordfence Client Partner initiative, we’ve recently had some in depth conversations with organizations using Wordfence at scale. These conversations have been enlightening, and we wanted to share some of the stories we’ve heard about how different organizations use Wordfence.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/optimizing-wordfence-security-settings-brute-force-protection/

Wordfence is the most robust security solution available for WordPress site owners, and the number of security features available is unparalleled. This ensures that Wordfence can be customized to be an optimal security solution for your specific environment and security needs.

Wordfence Brute Force Protection

Getting Started with Wordfence

When you install Wordfence for the first time, the plugin defaults to recommended settings that are a perfect starting place for customization. You won’t need to do much else. However, Wordfence is highly configurable, allowing you to tailor how it works to meet your needs.

How our Customers Use Brute Force Protection:

Wordfence includes a number of powerful brute force protection features that can be used to prevent malicious bots from gaining access to your site, including the integration with Troy Hunt’s version 2 of the Pwned Passwords API that prevents access using passwords previously seen in a breach. In this post we will focus on Brute Force Protection and how our customers can customize this feature, based on their security needs.

Factors to consider when modifying your site’s Brute Force Protection settings include:

  1. How adept are your users? Do you have users that forget their passwords often? Are they logging in sporadically and have a high probability of losing their passwords? You’ll want to take them into consideration and allow room for user error.
  2. Is this a high traffic, high profile site that often experiences hacking attempts?
  3. Is your site under repeated attack from brute force attempts?

The following customer scenarios serve as great real-world examples of how Wordfence can be customized to meet specific needs.

Kyle’s Agency Customer Site

One of our agency partners, Kyle, manages a number of WordPress installations for his customers. His customers rarely perform any administrative tasks, but they have editor access in order to add and modify new content. The agency has administrator access, and they have set up Wordfence Premium to protect the site. In addition to the premium features of country blocking and two-factor authentication for administrators only, he has tightened Brute Force Protection. Some of his customers often forget their passwords, and he wants to ensure they can still access the site to post content without causing too much administrative work for his team.

Kyle sets up his sites so that failed logins lockout after 5 attempts, forgot password attempts are set to 10 and a user is locked out for 24 hours. He does not set the site to immediately lock out invalid usernames, but he immediately blocks anyone who uses ‘admin’, ‘administrator’, or any other failed logins he sees. He routinely audits his site’s failed logins and adjusts this setting accordingly.

brute force protection

Maria’s Membership Site

Maria uses Wordfence on a WordPress membership site. She has a team of publishers and administrators and a large number of members who need to login in order to access content. Some of them use good password hygiene, but others do not. Maria’s site is also protected by Wordfence Premium, and she has made some adjustments to her brute force protection settings.

Maria has set her failed logins lockout to 5 attempts, forgot password attempts are set to 10, and a user is locked out for 24 hours. She does not set the site to immediately lock out invalid usernames because she has a large user base. She immediately blocks anyone who uses ‘admin’ or ‘administrator’, but does not go further than that. She uses Wordfence Premium’s two-factor authentication and some minor country blocking to augment her site’s security.

brute force protection

Dave’s Personal Site

Dave has a personal blog. He has one login for himself and no other users. He knows his password, and also has access to FTP in order to easily deactivate Wordfence if he ever locks himself out. He has tightened his Brute Force Protection settings because he’s quite confident in his ability to store his password safely.

Dave sets up his sites so that failed logins lockout after 2 attempts, forgot password attempts are set to 3, and IP addresses that reach these limits are locked out for one month. He immediately locks out any invalid users and also immediately blocks anyone who uses ‘admin’, ‘administrator’, or any other failed logins he sees.

He also uses two-factor authentication to ensure that logging in is difficult for anyone other than himself should his credentials ever be discovered.

brute force protection

Sam’s Small e-commerce Site

Sam has a small e-commerce site that is growing rapidly. He has a number of contractors on the site updating product information. He has users that need to login for various business functions and needs to ensure that everyone can log in, but doesn’t want to risk his site’s security given how sensitive e-commerce data is. He’s invested in Wordfence Premium and requires his administrators to use two-factor authentication for logging in.

Sam sets up his sites so that failed logins lockout after 5 attempts, forgotten password attempts are set to 5, and a user is locked out for 4 hours. He does not set the site to immediately lock out invalid usernames. He has set his Wordfence installation to block any passwords from data breaches to anyone who can publish as well as administrators because of the turnover in the contractors he is using to update product information.

brute force protection

How are you using Brute Force Protection?

We hope this deeper look at our Brute Force Protection settings has been helpful. If you’ve been using Wordfence for a while, how are you using Brute Force Protection? Are there rules you’ve set that work well for your unique site requirements?

Are you seeing any new brute force attack patterns that concern you? Let us know in the comments.

We’ll be covering more ways that our customers use Wordfence in upcoming posts.

The post Optimizing Wordfence Security Settings: Brute Force Protection appeared first on Wordfence.

Read More

Optimizing Wordfence Security Settings: Brute Force Protection

As a part of the Wordfence Client Partner initiative, we’ve recently had some in depth conversations with organizations using Wordfence at scale. These conversations have been enlightening, and we wanted to share some of the stories we’ve heard about how different organizations use Wordfence.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/optimizing-wordfence-security-settings-brute-force-protection/

Wordfence is the most robust security solution available for WordPress site owners, and the number of security features available is unparalleled. This ensures that Wordfence can be customized to be an optimal security solution for your specific environment and security needs.

Wordfence Brute Force Protection

Getting Started with Wordfence

When you install Wordfence for the first time, the plugin defaults to recommended settings that are a perfect starting place for customization. You won’t need to do much else. However, Wordfence is highly configurable, allowing you to tailor how it works to meet your needs.

How our Customers Use Brute Force Protection:

Wordfence includes a number of powerful brute force protection features that can be used to prevent malicious bots from gaining access to your site, including the integration with Troy Hunt’s version 2 of the Pwned Passwords API that prevents access using passwords previously seen in a breach. In this post we will focus on Brute Force Protection and how our customers can customize this feature, based on their security needs.

Factors to consider when modifying your site’s Brute Force Protection settings include:

  1. How adept are your users? Do you have users that forget their passwords often? Are they logging in sporadically and have a high probability of losing their passwords? You’ll want to take them into consideration and allow room for user error.
  2. Is this a high traffic, high profile site that often experiences hacking attempts?
  3. Is your site under repeated attack from brute force attempts?

The following customer scenarios serve as great real-world examples of how Wordfence can be customized to meet specific needs.

Kyle’s Agency Customer Site

One of our agency partners, Kyle, manages a number of WordPress installations for his customers. His customers rarely perform any administrative tasks, but they have editor access in order to add and modify new content. The agency has administrator access, and they have set up Wordfence Premium to protect the site. In addition to the premium features of country blocking and two-factor authentication for administrators only, he has tightened Brute Force Protection. Some of his customers often forget their passwords, and he wants to ensure they can still access the site to post content without causing too much administrative work for his team.

Kyle sets up his sites so that failed logins lockout after 5 attempts, forgot password attempts are set to 10 and a user is locked out for 24 hours. He does not set the site to immediately lock out invalid usernames, but he immediately blocks anyone who uses ‘admin’, ‘administrator’, or any other failed logins he sees. He routinely audits his site’s failed logins and adjusts this setting accordingly.

brute force protection

Maria’s Membership Site

Maria uses Wordfence on a WordPress membership site. She has a team of publishers and administrators and a large number of members who need to login in order to access content. Some of them use good password hygiene, but others do not. Maria’s site is also protected by Wordfence Premium, and she has made some adjustments to her brute force protection settings.

Maria has set her failed logins lockout to 5 attempts, forgot password attempts are set to 10, and a user is locked out for 24 hours. She does not set the site to immediately lock out invalid usernames because she has a large user base. She immediately blocks anyone who uses ‘admin’ or ‘administrator’, but does not go further than that. She uses Wordfence Premium’s two-factor authentication and some minor country blocking to augment her site’s security.

brute force protection

Dave’s Personal Site

Dave has a personal blog. He has one login for himself and no other users. He knows his password, and also has access to FTP in order to easily deactivate Wordfence if he ever locks himself out. He has tightened his Brute Force Protection settings because he’s quite confident in his ability to store his password safely.

Dave sets up his sites so that failed logins lockout after 2 attempts, forgot password attempts are set to 3, and IP addresses that reach these limits are locked out for one month. He immediately locks out any invalid users and also immediately blocks anyone who uses ‘admin’, ‘administrator’, or any other failed logins he sees.

He also uses two-factor authentication to ensure that logging in is difficult for anyone other than himself should his credentials ever be discovered.

brute force protection

Sam’s Small e-commerce Site

Sam has a small e-commerce site that is growing rapidly. He has a number of contractors on the site updating product information. He has users that need to login for various business functions and needs to ensure that everyone can log in, but doesn’t want to risk his site’s security given how sensitive e-commerce data is. He’s invested in Wordfence Premium and requires his administrators to use two-factor authentication for logging in.

Sam sets up his sites so that failed logins lockout after 5 attempts, forgotten password attempts are set to 5, and a user is locked out for 4 hours. He does not set the site to immediately lock out invalid usernames. He has set his Wordfence installation to block any passwords from data breaches to anyone who can publish as well as administrators because of the turnover in the contractors he is using to update product information.

brute force protection

How are you using Brute Force Protection?

We hope this deeper look at our Brute Force Protection settings has been helpful. If you’ve been using Wordfence for a while, how are you using Brute Force Protection? Are there rules you’ve set that work well for your unique site requirements?

Are you seeing any new brute force attack patterns that concern you? Let us know in the comments.

We’ll be covering more ways that our customers use Wordfence in upcoming posts.

The post Optimizing Wordfence Security Settings: Brute Force Protection appeared first on Wordfence.

Read More

Arbitrary File Deletion Flaw Present in WordPress Core

The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/06/arbitrary-file-deletion-flaw-present-in-wordpress-core/

By exploiting this arbitrary file deletion vulnerability, malicious actors can pivot and take control of affected sites. The report contains the complete details of the vulnerability, but we’ve summarized it for more casual consumption.

It’s important to note that while the impact of this flaw can be severe on affected sites, the requirement that attackers secure valid Author-level credentials greatly limits the overall attack surface of this vulnerability.

Vulnerability Summary

In a standard WordPress installation any logged-in user with a role of Author or higher has the ability to upload media attachments and edit their metadata, like images and their descriptions. A flaw in the process of updating attachment metadata allows a malicious user to submit unsanitized input in defining a thumbnail for the media file. By defining relative paths to targeted files as the “thumbnail” of an image, these files would be deleted alongside the actual thumbnails when the image is deleted from the media library.

Several potential consequences of an arbitrary file deletion vulnerability were discussed in the disclosure report but, most critically, a site’s wp-config.php file can be deleted. With no wp-config.php in place, WordPress is forced to assume that a fresh installation is taking place. From this point, the attacker can configure their own WordPress installation with themselves as an administrator, which they can then use to upload and execute any other scripts they wish.

What To Do

Until an official update is released to patch the flaw, we’ve pushed an update to the Wordfence firewall to prevent this vulnerability from being exploited. Premium Wordfence users will have received the update before this article publishes, while free users will receive it thirty days later.

In the absence of the protection of our firewall, remember that an attacker must have access to a user account with Author permissions or higher. While this does strictly limit the attack surface of this vulnerability, be advised that credential stuffing attacks have increased in value, as there are now a larger pool of active accounts with the effective ability to take down a site. Wordfence includes robust login security features, including leaked password protection which we released in March.

Please help create awareness of this vulnerability in the WordPress community, because many WordPress site owners are not aware of the risks of unsecured ‘Author’ level accounts.

The post Arbitrary File Deletion Flaw Present in WordPress Core appeared first on Wordfence.

Read More

Top Tools for Security Analysts in 2018

Last spring, after discussing the tools and tech used by our team, we published a list of 51 Tools for Security Analysts. The article was well-received, and the comments offered some great suggestions to top it all off.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/06/top-tools-for-security-analysts-in-2018/

In the spirit of that list we’d like to offer our updated 2018 edition, featuring the Defiant team’s top three picks for useful tools across five categories: Information Gathering & Analysis, Penetration Testing, Forensics & Log Analysis, Malware Analysis and the illustrious Other category.

With as multifaceted as the information security sphere is, you’ll probably notice a bit of bias from our roots in web application security. A researcher who spends their time reverse-engineering Windows malware binaries will surely have a different opinion on the best tools for malware analysis. What are your picks? We’d love to hear them in the comments.

Note: While each category contains our top three picks, the selections themselves are presented in no particular order.

Information Gathering & Analysis

Google

Since Google is effectively the source of all knowledge, it should be no surprise that we consider it one of the most valuable resources for finding information on the internet. In the scope of security analysis, however, Google’s star shines brightest when it’s used to find things that aren’t intended to be found.

Google Dorking (using advanced search operators to identify sensitive information or vulnerable hosts) can be a powerful technique for those of both good and ill intent. Researchers can leverage Google and other search engines to dig up web-accessible backup files, indicators of insecure web applications, and more. For more specific examples, a popular database of useful dork strings can be found in Exploit-DB’s Google Hacking Database.

Shodan

Where Google crawls the internet to make an index of websites, Shodan’s mission is to index internet-connected devices themselves. Shodan sells itself as “The Search Engine for the Internet of Things”, and it delivers on that promise in some interesting ways.

If you’re not familiar, consider stories emerging over the past few years of malicious manipulation of gas pumps worldwide. Nearly all of these stories make reference to the attackers’ use of Shodan in target identification, including an exhaustive whitepaper on the subject by TrendMicro.

Maltego

Maltego is an exceptional resource for investigations and general open-source intelligence (OSINT) alike. It provides a platform upon which to aggregate and organize data in order to analyze associations between all sorts of entities like email addresses, social media accounts and web sites.

“Maltego helps us explore the web of malware, attacking hosts, command & control servers, related emails and everything else that goes into our research. It’s a great tool to collaborate on investigating malicious activity, while making sure we don’t leave any loose ends.” – Brad Haas, Senior Security Analyst at Defiant

Penetration Testing

Burp Suite and ZAP

When it comes to full-featured web application penetration testing platforms, the two biggest names are PortSwigger’s Burp Suite and OWASP’s Zed Attack Proxy (ZAP). Most users will find these to be roughly interchangeable, both tools featuring a powerful assortment of features like an intercepting proxy, web spider, and fuzzer. ZAP is completely free and open source, while Burp is a commercial product with a free, slightly limited community edition.

Intercepting and manipulating the requests being sent to a target from your browser is a great first step for any penetration testing exercise, and quality-of-life tools like the Burp Repeater and Zap’s Manual Request Editor allow you to tweak payloads on the fly without interrupting your workflow to make script changes. Overall, it doesn’t hurt to keep both of them handy.

sqlmap

SQL injection vulnerabilities can be devastating if exploited, and for better or worse, sqlmap is really good at finding them. It features a bevy of tests against a variety of DBMS backends from MySQL to Oracle, and can be used to automate much of the process of identifying and attacking injectable points on a site.

Given a list of domains, sqlmap can crawl the sites and automatically perform a series of heuristic tests against any input methods it can identify. Once an injection point is identified, sqlmap remembers it and can then be used to launch a number of attacks. Depending on the security measures in place on the host, sqlmap can perform tasks from dumping the vulnerable database to opening a meterpreter shell to be used as a backdoor.

WPScan

With WordPress pulling in a respectable 59.9% of the CMS market share, it was inevitable that a highly specialized vulnerability scanner like WPScan would be developed for it. Launching WPScan is a common first step in black box audits of WordPress sites, due to its ability to divulge a great deal of information about a typical installation.

WordPress core versions, as well as lists of installed plugins and themes along with their versions can be quickly enumerated with WPScan, and with some additional flags it can reliably enumerate a list of usernames present on the site. WPScan then rounds out the suite with a number of features to evade detection, including User-Agent randomization and a simple proxy implementation that gets along well with Tor routing.

Forensics & Log Analysis

Highlighter

FireEye’s Highlighter is a graphically-focused log analysis utility which can be of great use to administrators and incident response personnel in the wake of an attack.

Viewing a histogram of log activity over time can provide a unique perspective on the timeline of a breach, and the ability to pinpoint keywords and whitelist known good items from your dataset can streamline the analysis process. Unfortunately, Highlighter hasn’t seen a new release since 2011 and thus only officially supports Windows 7 and below, but it certainly holds loyalty from those who started using it a few years ago.

lnav

For the Linux and Mac log reviewers, you can’t beat lnav. It presents itself as a small-scale log viewer, more suitable for quick review of specific data on a single host than tools like Splunk, which are firmly enterprise-scale and often require their own infrastructure.

Cool features like SQL query implementations and easy-to-read syntax highlighting make lnav a no-brainer to implement in log review processes, especially in cases where you’re performing a postmortem review for a third party and no formal log aggregation was in place before you got involved.

The Command Line

This one might be a bit of a cheat, but we couldn’t pass it up with all the write-ins for grep, awk, and the like on our team survey. Regardless of your workflow or your technology stack, it’s crucial to know your way around the utilities commonly built into the systems with which you interact.

In most cases, it’s also important to leave your comfort zone and familiarize yourself with operating systems you encounter less frequently. For instance, Linux-using researchers may find themselves wishing they knew more PowerShell when encountering a Windows system in an engagement. To help you brush up, the SANS Institute has published a number of easily digestible reference materials, including the Linux Shell Survival Guide and the PowerShell Cheat Sheet.

Malware Analysis

UnPHP

Web-based malware is commonly masked by one or more layers of obfuscation, where the code is deliberately made to be difficult or impossible for humans to read. UnPHP is a solid first-run choice for analysts who encounter obfuscated PHP scripts without the time or experience to deobfuscate them manually.

UnPHP isn’t a panacea, and there are a number of evasions used in malware obfuscation which it can’t quite crunch at this time, but it handles many common techniques with ease. Of particular note is its recursive deobfuscation, as UnPHP can identify when a decoded output is itself obfuscated and automatically process the new layer. Even though it may not solve everything you throw at it, it’s still a valuable time-saver for anyone who comes across obfuscated PHP.

CyberChef

Where clean interface design and an “automate the boring stuff” mindset collide, we get CyberChef. CyberChef is an easy-to-use web application built to accommodate a number of data manipulation tasks, from simple encoding and decoding to encryption and compression, in a repeatable format.

To this end, CyberChef allows the user to create and save “recipes” out of a series of operations. Instruction sets like “Gunzip, then ROT13, then Base64 decode, then ROT13 again” can be stored and reloaded to “bake” new inputs repeatedly. These operations can scale up to complete a number of tasks, especially with built-in functions to extract useful strings like IP addresses and emails from the decoded input.

JS Beautifier

JavaScript minification is a standard process for just about every front-end web developer in the market, and malware developers are no stranger to this. JS Beautifier is a simple online tool used to automate the formatting of minified and obfuscated JavaScript into a human-readable document.

For the purposes of malware deobfuscation in particular, JS Beautifier can detect and reverse common obfuscation methods (notably packer, by Dean Edwards) as well as handling various character encodings like hexadecimal. Like UnPHP above, JS Beautifier isn’t a silver bullet that will take all of the work out of JS malware analysis, but it’s an excellent first step in almost every case.

Other

Regex101

Whether writing a regular expression is a daily task or an occasional solution to a problem, Regex101 is sure to be of use. Users inexperienced with regex will quickly appreciate the availability of quick reference materials and a powerful Explanation view, which provides you with a breakdown of why your expression behaves the way it does.

Experienced users can make great use of Regex101 as well. The built-in debugger allows developers to observe their regex as it runs step-by-step, which helps to identify performance improvements. Even simply watching Regex101 follow along as you write an expression, highlighting matching content in your test string as you go, can be of great assistance in preventing simple issues in complex regular expressions that may have been considerably more difficult to debug if written unassisted.

Have I Been Pwned?

Troy Hunt’s massive breach data aggregation project Have I Been Pwned? is a staple in information security awareness efforts. HIBP gives anyone on the internet the chance to know whether their personal data was associated with a publicly-known security breach. It provides a user-friendly breakdown of what particular data may have been stolen, as well as the source of each breach, if known. There’s also a separate API to check whether a given password has appeared in a breach, which we’ve built into Wordfence in an effort to prevent WordPress users from using compromised passwords.

While HIBP is of some use as a research tool, it excels at helping the layperson grasp the importance of security best practices. After all, there’s really no better way to convince your relatives that password reuse is dangerous than by showing them their data has probably already been breached.

Noscript / uMatrix

Spending any amount of time interacting with infected websites has the potential to be unsafe, or at the very least annoying. Malicious scripts on the sites in question will be attempting a number of behaviors, like browser redirects and cryptomining, so having a readily-configurable browser extension to protect yourself from these scripts is important.

NoScript has been the giant in this market since the mid-2000s, providing users with the ability to automatically block all scripts from executing until whitelisted by domain or on a per-script basis. However, it’s currently only compatible with Firefox and other Mozilla software, which can be a limiting factor for many users.

The browser gap is largely filled by uMatrix, a browser firewall developed by the creator of the popular ad blocker uBlock Origin. uMatrix is compatible with Firefox, Chrome, and Opera, and offers similar functionality to NoScript in terms of unwanted script filtering. While it offers a bit more to the power-user, uMatrix is definitely less user-friendly than NoScript, and you’ll find “For Advanced Users” warnings across its entries in browser addon repositories and its GitHub project alike.

Conclusion

To reiterate, this list is far from exhaustive. There are tools built to solve all sorts of problems, from the generic to specific, across every niche security specialty imaginable. This post simply serves as a handy reference for the utilities that we find ourselves using most commonly.

Lastly, it should go without saying that a number of these tools have the potential to be dangerous if used unethically. Never launch a penetration test against a system you don’t have explicit authority to be testing. These powers should only be used for good.

The post Top Tools for Security Analysts in 2018 appeared first on Wordfence.

Read More

New Feature: Custom Premium Development Subdomains

Two weeks ago we announced the release of a new Wordfence feature that automatically allows Wordfence Premium customers to use their premium license key to secure a specific list of staging, development or test subdomains. This week we’ve taken that a step further, releasing a feature to allow your Wordfence Premium license to secure custom staging, development and staging domains.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/06/new-feature-custom-premium-development-subdomains/

Custom Premium Development Subdomains

We designed our premium licensing to secure one site for each license key. Of course, each site may have several copies for testing and development. In response to your feedback, we’ve made it possible for Wordfence premium license keys to be reused across custom staging and development environments.

To enable these custom staging environments, you’ll need to contact premium support with a link to your staging and/or development environment. We’ll review the site to ensure it matches the production environment currently protected by Wordfence Premium. If it matches, we will enable those environments to use the production premium license key.

Examples of Staging Environments

The standard staging and development environments listed in the previous blog post will work automatically. However, there are a number of custom staging environments that don’t match predictable patterns. Some of our beta testers had environments such as:

  • sandbox.domainname.com
  • staging12.domainname.com
  • www.domainname.com/staging/
  • a05.xx.domainname.com

Our premium support team can assist in ensuring Wordfence Premium is enabled, no matter how unique your secondary environment is, as long as it matches your production site.

More features coming

This is the first of many new features we’re working on to make it easier for our more advanced customers to manage Wordfence. Stay tuned for more exciting announcements in the months to come.

Are there other features we could add to Wordfence that would make managing your site’s security easier? Need help managing Wordfence at scale? Let us know!


The post New Feature: Custom Premium Development Subdomains appeared first on Wordfence.

Read More
Page 1 of 1,00912345»102030...Last »