Wordfence GDPR Update 2: On Target For May 25th

Preparations to get Wordfence and our organization ready for GDPR continue at Defiant and we are on schedule. Last week we sent out an update that said we are applying for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement for our EU customers who need one.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/wordfence-gdpr-compliance-update-2/

We have now completed our application for the Privacy Shield certification programs mentioned above. As of this morning, May 16th, our Privacy Shield application has not been processed yet. We expect it to be completed by this coming Monday, the 21st of May.

Once the Privacy Shield application is processed, on Monday, we plan to roll out plugin updates, website updates, policy updates, new ‘Help’ content and a further blog post explaining the updates. Most of this work is already completed; we just need to complete the application process and the rollout.

If for some reason our Privacy Shield application is not processed by early next week, we have a contingency plan in place that would meet the deadline. It will create more work for us, but would ensure that we can continue to serve our European customers and keep ourselves and them GDPR compliant. The contingency plan does not require any changes to our software, only changes to our policies. Hopefully our Privacy Shield application will be processed in a timely fashion and we’ll remain on track. But as they say, hope for the best, plan for the worst.

The bottom line is that by the end of next week, we will have completed our rollout to become fully GDPR compliant. Wordfence remains committed to serving our European customers, along with our US and world-wide customers, and the Defiant team is working hard to ensure that you will remain secure and compliant.

As always, you are welcome to post in the comments below. Just a reminder, I am not a lawyer and, while we have a spectacular legal team of our own (Thank you Charlie, Mark, Corey and K&L Gates!), I cannot give you general GDPR advice. I can only advise you on our own progress with regards to GDPR compliance.

The post Wordfence GDPR Update 2: On Target For May 25th appeared first on Wordfence.


Introducing Discounted Hacked Site Cleanings

Last month we introduced ‘high demand’ pricing for our site cleaning service. We did this because demand for site cleanings is seasonal and it became a challenge for us to deal with the surges in business we would see while maintaining a high level of customer service.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/discounted-hacked-wordpress-site-cleanings/

We have always run our site cleaning business at break-even, which is why we are the lowest priced site cleaning service in the industry for such high quality. We clean sites to gain a better understanding of how hackers successfully compromise them, and to gather forensic data to improve our malware detection capability.

We introduced the concept of demand based pricing to regulate the volume of orders we receive. It does not generate significantly more revenue. As demand goes up, by increasing the price we keep the number of orders from overwhelming our team, enabling us to deliver a consistent level of service to our customers.

Before we introduced high demand pricing, we had a system in place that would just extend the wait time for a site cleaning. We would tell customers that it would take 1, then 2, then 4 – and we eventually got up to a 6 business day wait time for turnaround on a hacked site. That was completely unacceptable in our view. We wanted to deliver a consistent level of customer service, even if we were telling our customers what the wait time was and setting their expectations.

Instead, I wanted our team to clean sites with a consistently fast turnaround time that never changed. In the face of fluctuating demand, the only way to regulate the order volume we received was to allow pricing to fluctuate. So we came up with ‘high demand’ pricing which helps keep our order volume at a manageable level during periods of high demand.

Introducing Discounted Site Cleanings

Now that our new pricing model has been live for a month, we have learned that we also have periods of low demand, like weekends. And we also have periods of very high productivity from our team, like Monday mornings. Yesterday morning, a Monday, we saw our team just charge through the site cleaning queue and almost empty it very quickly.

We think that demand driven pricing should work both ways and our customers should benefit during times of low demand. If we’re going to regulate demand in one direction, why not do it in the other? So starting last Friday, we introduced discounted pricing.

When our site cleaning queue falls below a certain threshold, discounted pricing kicks in and the multiplier will drop. So for example, yesterday morning we were selling site cleanings for 0.7X their usual price because the team emptied the queue. So instead of a site cleaning costing you $179 per site, it costs $125.70 if you order during a discount window. That’s a huge discount and without a doubt the best value for a hacked site cleaning in the business.

You’ll know that discounted pricing is in effect on our site cleaning page because you’ll see a notice like this:

Additional Sites Are Only $99 Each

Many people don’t realize that we only charge $99 for each additional site you want cleaned for a given order. If you are an agency or developer, this is an incredible deal if you are working to clean up several hacked sites. You can order up to 10 sites through our standard checkout with this pricing. If you have more, please contact us using the link on the checkout page.

Our work comes with a 90 day guarantee and we don’t lock you into an expensive recurring billing subscription. The members of our team are also some of the nicest people I’ve had the pleasure to work with, and they are mentored by Brad Haas (CISSP, GCIH, and GCFA), one of our very talented senior analysts.

Integrating The Team

We recently made some additional changes to the Security Services Team (SST), by integrating them with our Customer Service team. Our SST and CS teams now work as a unit, seamlessly working with our site cleaning customers to securely get the required credentials, get the systems set up for the site cleaning and get the job done as quickly, securely and effectively as possible.

We continue to measure, evaluate and improve our processes to ensure that our customers, their data and their customers stay secure and recover from a hack as quickly as possible.

As always, we value your feedback and would love to hear from you, so please go ahead and post in the comments below. I’ll be around to read and reply.

Regards,

Mark Maunder

Defiant Founder & CEO


Wordfence and GDPR: How The Defiant Team Are Preparing For GDPR

We want to send out an update on the new data protection law, the General Data Protection Regulation (GDPR), going into effect soon and how Defiant is getting ready for it.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/wordfence-and-gdpr-how-the-defiant-team-are-preparing-for-gdpr/

This new European law goes into effect on May 25, 2018. It is a new set of rules designed to give European citizens more control over their personal data. Defiant is actively preparing with new website changes and updates to the Wordfence plugin.

Additional changes will include updated privacy policies and terms of use. We are applying for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement for our EU customers who need one.

These updates will be made before the deadline. We will send out another notification with a detailed blog post when we have completed preparing for the new privacy regulations. You will begin to see these changes and updates emerge starting next week.

The team at Defiant, makers of Wordfence, care deeply about our customer privacy and data protection. This extends to our European customers and the rest of the globe. To this end, we have been working diligently with our internal team and with outside experts to understand the implications of the GDPR, to perform a comprehensive internal audit and to get our software, systems and processes compliant with the GDPR.

As always I welcome your questions and comments below.

Regards,

Mark Maunder – Defiant Founder & CEO.

WordPress: Tracking Emerging Cryptomining Threats

This is a post written by James Yokobosky who works on the Defiant Threat Intelligence team. In his daily job he analyzes new WordPress threats as they emerge and adds detection capability to the Wordfence malware scanner. In addition to making sure we detect new malware, James also researches the pieces of malware we find to learn more about how they work, what they do and who is behind each campaign.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/wordpress-tracking-emerging-cryptomining-threats/

This post will give you an idea of what the workflow looks like for one of our Threat Analysts at Defiant, and will give you some insight into the emerging malware variants that we are seeing that target WordPress, how they work and what they do.

In this post, James describes his analysis of a Monero cryptocurrency miner that he recently examined, and explains how he tracked down and communicated with the command and control infrastructure for this malware variant. This post provides a clear illustration of how we rapidly add detection capability to the Wordfence malware scanner for emerging threats.

Fresh Malware Arrives for Analysis

One of our sources of threat data at Defiant is cleaning hacked websites. In this case, Ivan, a member of our SST team, had cleaned a hacked site and handed me the forensic data for analysis. The site had been hacked for months before the owner discovered that it had been compromised.

My normal routine is to start by verifying the files we already detect to check if there is any new information inside any of them. Usually there is not, and this infection did not yield any surprises in the files that Wordfence already detected.

What did surprise me is that the server had a large number of malicious files we have not seen before. The server had been infected for a long time, which may have left the attacker feeling confident enough to upload more valuable code. For us, a server with code we have not seen before is a treasure trove, because it immediately allows us to add new detection capability to the Wordfence malware scanner. If an attacker is caught in this situation, they generally have a bad day, because many of their files that may have previously been undetected by malware scanners will now be detected by our scan.

The first thing that made this attacker different from others is that, instead of using a standard JavaScript code obfuscator that just scrambles the code, they were using a finite wordlist to replace variable and function names in the code. When you look at the code, the variable and function names just seem like gibberish:


    function flu(sake,immobilitys)
    {
        chains = neatly / seehis;
        plotted = airs / lucky;
        storm = immediately + lowly;
        guests = soothed - lucie;
    }

I immediately searched for other similar files out of the remaining samples and found several, then proceeded to write new signatures to detect those files. That accomplished, I moved on to the next file in the list. That was a basic PHP file that selectively redirects regular users, not search engines, to a malicious website. This is a standard thing we see, so I wrote a signature to detect this updated malware variant and moved on.

A Cryptomining Binary is Found

The third file was a bit more interesting. It was an ELF 64-bit LSB shared object, x86-64, dynamically linked and stripped executable. It is a compiled file designed to run on a Linux system with a specific architecture, which has meaningful debugging data removed. It is similar to a Windows .exe file. These are relatively rare to see on WordPress infections because most web servers are not set up to allow arbitrary executables to run, and for this to work, an attacker needs to do more work on their end.

Because we already know this mystery file is doing something malicious, a good first step is to see if other antivirus software has already identified it. VirusTotal is an industry-standard way to achieve this, and sure enough a handful of the supported vendors do detect and identify the file.

The names VirusTotal returned provide a hint of what the file is:

  • Misc.Riskware.BitCoinMiner.Linux
  • LINUX/BitCoinMiner.dbwhf
  • not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b

These and similar names suggest this is a cryptocurrency miner. At this point I performed a cursory inspection of the binary file to search for plaintext strings or recognizable disassembly and quickly identified the specific build: this is a mostly-stock xmrig ( https://github.com/xmrig/xmrig ) Monero-focused miner, well known in that community. Other artifacts inside the file allowed me to confirm it was compiled on 2018-01-16 with a modern version of GCC.

I could tell there had been some modifications from the original source code. A quick look revealed that the change was hardcoding the addresses to send results to – the pool addresses – so anyone running this specific file will be sending money to the attacker. At this point I had more than enough information to write a reliable signature to detect this malware, and I quickly did. There were still more samples to examine, and I had yet to discover how the attacker runs and manages this hacked, zombie miner.
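As an added illustration of the triage described in this section (example code written for this page, not Defiant's tooling and not the sample James analysed), the Python script below decodes the ELF64 header the way file(1) does, pulls printable strings the way strings(1) does, and looks for the kind of pool and option strings that survive stripping. The sample bytes are constructed inline (a valid header followed by placeholder strings; pool.example.invalid is not a real pool), and the indicator list is my assumption, not the signature Wordfence shipped. One caveat worth knowing when reading the file(1) line quoted above: ELF type ET_DYN is reported as "shared object" for position-independent executables as well, which is why a PIE miner shows up as a "shared object ... executable".

```python
import json
import re
import struct
import sys

ELF_MAGIC = b"\x7fELF"
# Subset of e_machine / e_type values that matter for server-side triage.
MACHINES = {0x03: "i386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
# Generic miner indicators (assumed, not taken from the page's sample): stratum pool
# URLs and xmrig option names survive in a stripped binary as plain strings.
MINER_INDICATORS = [b"stratum+tcp://", b"stratum+ssl://", b"xmrig", b"donate-level",
                    b"max-cpu-usage", b"cryptonight"]


def parse_elf_header(data: bytes) -> dict:
    """Decode the 64-byte ELF64 header; raises ValueError for anything else."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 2:
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    f = struct.unpack(endian + "HHIQQQIHHHHHH", data[16:64])
    return {
        "class": "ELF64",
        "endian": "LSB" if ei_data == 1 else "MSB",
        # file(1) prints ET_DYN as "shared object" even for PIE executables.
        "type": TYPES.get(f[0], "unknown(%d)" % f[0]),
        "machine": MACHINES.get(f[1], "unknown(%#x)" % f[1]),
        "entry": f[3],
        "section_count": f[11],
    }


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Header facts plus strings plus a verdict based on miner indicators."""
    info = parse_elf_header(data)
    lowered = data.lower()
    hits = sorted(ind.decode() for ind in MINER_INDICATORS if ind.lower() in lowered)
    info["strings"] = extract_strings(data)
    info["miner_indicators"] = hits
    info["verdict"] = "likely cryptominer" if hits else "no miner indicators"
    return info


def build_sample() -> bytes:
    """Constructed stand-in: a valid ELF64 LSB ET_DYN x86-64 header followed by
    the kind of strings a miner leaves behind. It contains no executable code."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                   3, 0x3E, 1, 0x1040, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    body = (b"\x00" * 32
            + b"stratum+tcp://pool.example.invalid:3333\x00"
            + b"--max-cpu-usage=N\x00"
            + b"XMRig 2.4.3\x00")
    return header + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(blob), indent=2))
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed one; the indicator list is the part to grow as new builds are seen, while the header parser stays the same.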

Analyzing the Configuration File

The next unique file shows another unusual level of technical sophistication from the “average” WordPress attacker: A separate configuration! Having just seen xmrig, it is easy to tell this JSON file contains instructions for how to run the mining executable.

It includes instructions to run in the background (hidden), to use only 40% of the maximum available CPU, to slow down if the machine is otherwise busy, and other specific technical details related to the mining process. Luckily for us, it is normally a terrible idea to run cryptominers on your WordPress web server if you are the person paying for it, so I can safely add a signature to identify this otherwise-benign configuration code without creating false positives.
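To show how a configuration file like this can be detected without flagging every JSON file on a site, here is an added example (not Wordfence's signature and not the configuration recovered from the server) that scores a document on several independent pieces of evidence, so that one shared key such as "background" never fires on its own. The key names follow the xmrig 2.x config.json format as I know it from the public project; that mapping is an assumption, and both sample documents are constructed, with the wallet value a placeholder.

```python
import json

# Key names as used by xmrig 2.x config.json files (assumed from the public
# project's format; the page's actual configuration file is not reproduced here).
POOL_KEYS = {"url", "user", "pass"}
TUNING_KEYS = {"algo", "background", "max-cpu-usage", "cpu-priority",
               "donate-level", "threads", "safe", "cpu-affinity"}


def score_miner_config(text: str):
    """Return (score, reasons); each reason is an independent piece of evidence."""
    try:
        cfg = json.loads(text)
    except ValueError:
        return 0, []
    if not isinstance(cfg, dict):
        return 0, []
    reasons = []
    raw_pools = cfg.get("pools")
    pools = [p for p in raw_pools if isinstance(p, dict)] if isinstance(raw_pools, list) else []
    if any(POOL_KEYS <= set(p) for p in pools):
        reasons.append("pools[] entry with url/user/pass")
    if any(str(p.get("url", "")).startswith("stratum+") for p in pools):
        reasons.append("stratum pool URL")
    tuning = TUNING_KEYS & set(cfg)
    if len(tuning) >= 3:
        reasons.append("miner tuning keys: " + ", ".join(sorted(tuning)))
    if cfg.get("background") is True and "max-cpu-usage" in cfg:
        reasons.append("runs hidden with a CPU cap")
    return len(reasons), reasons


def is_miner_config(text: str, threshold: int = 2) -> bool:
    """Two independent reasons are required before a file is called a miner config."""
    return score_miner_config(text)[0] >= threshold


# Constructed miner-style config; the wallet is a placeholder, the pool host is not real.
MINER_CONFIG = """{
  "algo": "cryptonight",
  "background": true,
  "max-cpu-usage": 40,
  "cpu-priority": 1,
  "donate-level": 1,
  "pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
             "user": "WALLET_ADDRESS_PLACEHOLDER", "pass": "x"}]
}"""

# Constructed benign settings file that happens to share two key names; must not fire.
THEME_SETTINGS = """{"name": "site-theme", "background": true, "threads": 4,
                     "colors": {"primary": "#336699"}}"""


if __name__ == "__main__":
    for label, doc in (("miner config", MINER_CONFIG), ("theme settings", THEME_SETTINGS)):
        score, reasons = score_miner_config(doc)
        print("%s: score %d, flagged=%s, %s" % (label, score, is_miner_config(doc), reasons))
```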

Discovering the Command and Control Servers

With our next sample we hit the jackpot. It is a Python backdoor script that, while running, will check for new instructions against a centralized command and control server every 5 minutes. The backdoor itself is written to hide from system administrators. It masquerades as php-fpm ( https://php-fpm.org ) which is a normal process to be running on that server, and it is “well-behaved.” That is to say, it sits quietly and most of the time is not doing anything unusual or malicious.

Built into the backdoor is a report function, used to give the attacker data about the hacked machine and status updates on any activity, and a variety of normal system administration tasks related to downloading files, controlling processes, and executing commands. The code is well-formed and has obvious updates and adjustments made, implying the attacker has been developing and using this backdoor for some time. The method of hiding and the interval to check for new commands are easily configurable to evade intrusion detection systems and firewalls.

Most importantly, the command and control server’s IP address and method of communication are now available to us. I checked that it is still “up” – online and responding to requests – and put a pin in it. First I needed to develop a signature so that Wordfence detects this backdoor; then I inspected the remaining samples for more hints about the attacker before taking the risk of exposing myself by infiltrating their botnet.

Only one of the remaining samples is noteworthy and related to the backdoor. It is a short Bash script used to start the backdoor running. Two things here again indicate a relatively sophisticated attacker: The backdoor is installed to look like a common part of a Linux shell and is executed in such a way that it looks like the legitimate owner of the server ran an innocuous command. This is easy to write a signature to detect, now that we have seen it. But this technique is an effective misdirect for a sysop trying to identify where the malicious activity is coming from. Had the attacker deleted this remnant file it would probably have been impossible to identify how the backdoor started, given the lack of forensic logging on the server.
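For sysops who want a concrete check for the masquerading described in the two paragraphs above, the following is an added example (not part of the post, and not the backdoor or startup script James analysed) that reads /proc and flags a process that presents itself as php-fpm or another server daemon while its executable is actually an interpreter, that runs from a world-writable directory, or whose executable has been deleted from disk since it started (the case where the remnant file is gone). The process records are constructed for illustration; pass --live on a Linux host to inspect real processes.

```python
import os
import re
import sys

# Daemons a backdoor is likely to impersonate on a web server (assumed list).
TRUSTED_DAEMONS = ("php-fpm", "nginx", "httpd", "apache2", "mysqld", "sshd", "cron")
INTERPRETER_RE = re.compile(r"^(python[\d.]*|perl[\d.]*|ruby[\d.]*|node|bash|dash|sh)$")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"


def assess_process(proc: dict) -> list:
    """Return reasons the process looks like it is masquerading; [] means clean.
    proc = {"pid": int, "comm": str, "exe": str, "cmdline": [str, ...]}"""
    reasons = []
    comm = proc.get("comm", "")
    exe = proc.get("exe", "")
    argv = proc.get("cmdline") or []
    # Names the process presents to ps/top: the kernel comm and argv[0].
    # Real php-fpm rewrites argv[0] to e.g. "php-fpm: pool www", hence the split.
    first = argv[0].split() if argv else []
    argv0 = os.path.basename(first[0]).rstrip(":") if first else ""
    claimed = {n for n in (comm, argv0) if n}
    claims_daemon = any(n.startswith(d) for n in claimed for d in TRUSTED_DAEMONS)
    deleted = exe.endswith(DELETED)
    exe_base = os.path.basename(exe[:-len(DELETED)] if deleted else exe)
    if claims_daemon and INTERPRETER_RE.match(exe_base):
        reasons.append("presents as %s but the executable is the interpreter %s"
                       % ("/".join(sorted(claimed)), exe_base))
    if deleted:
        reasons.append("executable was deleted from disk after it started")
    for path in [exe] + argv:
        if path.startswith(WRITABLE_DIRS):
            reasons.append("runs from world-writable directory: " + path)
            break
    return reasons


def collect_procfs() -> list:
    """Live collection on Linux; processes we cannot read (other users') are skipped."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/comm" % pid) as fh:
                comm = fh.read().strip()
            exe = os.readlink("/proc/%s/exe" % pid)
            with open("/proc/%s/cmdline" % pid, "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\x00") if a]
        except OSError:
            continue
        procs.append({"pid": int(pid), "comm": comm, "exe": exe, "cmdline": argv})
    return procs


# Constructed records: a real php-fpm master, a Python script posing as php-fpm,
# a deleted binary started from /tmp, and a legitimate Python job.
SAMPLE_PROCESSES = [
    {"pid": 1201, "comm": "php-fpm7.2", "exe": "/usr/sbin/php-fpm7.2",
     "cmdline": ["php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)"]},
    {"pid": 1888, "comm": "php-fpm", "exe": "/usr/bin/python2.7",
     "cmdline": ["php-fpm: pool www"]},
    {"pid": 2044, "comm": "kworker/0:1", "exe": "/tmp/.cache/.x (deleted)",
     "cmdline": ["/tmp/.cache/.x"]},
    {"pid": 3100, "comm": "python3", "exe": "/usr/bin/python3.6",
     "cmdline": ["/usr/bin/python3", "/usr/local/bin/certbot", "renew"]},
]


if __name__ == "__main__":
    procs = collect_procfs() if "--live" in sys.argv else SAMPLE_PROCESSES
    for p in procs:
        for reason in assess_process(p):
            print("pid %d (%s): %s" % (p["pid"], p["comm"], reason))
```

The exe link is the key witness: argv[0] and comm can be renamed by the process itself, but /proc/pid/exe is maintained by the kernel, and the " (deleted)" suffix records a binary removed after launch even when no forensic logging exists.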

Deploying Signatures to our Premium Customers

I confirmed that all of the previously undetected samples are detected by Wordfence with our new signatures and I immediately entered them into our Premium BETA feed. This allows us to receive instant feedback about possible bugs or false positives from our users who are aware of the Wordfence beta feed for scan signatures.

We do a more rigorous QA over the following hours and, once completed, the signatures proceed out into our production Premium feed so that our Premium customers receive this new detection capability in real-time. The important part is getting that protection to our users as quickly as possible before engaging in other research.

Going Deeper Down the Rabbit Hole

But now, of course, I was free to spend some time doing that research! As mentioned earlier, I had all of the information I needed to communicate with the attacker’s command and control server (C&C server). Rather than setting up a controlled infection and monitoring how the script runs, I can manually act as the “infected server” and see what other data I can gather by sending my own status updates.

The C&C server works via HTTP and includes several different endpoints. For the developers in the audience, it’s a REST-like API. When an infected server first executes, it encodes a set of values that give the attacker information about the operating system, hardware, and active processes and requests a configuration file.

I started by sending a false report for a non-existent server and received a customized configuration. What I received was very similar to the JSON configuration file I examined earlier, with lower settings to match the lower quality machine I was pretending to be, along with some other settings tailored to improve that machine’s specific performance during cryptomining. At this point the backdoor would wait quietly for several minutes, so I did the same.

On the next report I sent the same machine information and a plausible change in the active processes, and this time received a set of commands. The C&C server instructed the backdoor to download a file, apply basic cloaking techniques, execute the file, and report the output of that file on the next check-in. I downloaded the file, and it is another, more recently compiled xmrig build. It also matches the different architecture I was claiming to have. The initial command is a test to confirm the program works correctly; I simulated this and at the next report interval sent the expected data.

Finally the C&C server sent back an instruction set to run the miner, reconfigure the interval to send status reports, and to continue checking for a change of commands every 5 minutes. The goal of the attacker is to make money and this miner will use the server resources to mine Monero, a cryptocurrency which we have written about extensively in the past.
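The fixed check-in interval the C&C server configures is itself a detection opportunity for whoever runs the network. The added example below (not the backdoor's client code and not Wordfence's) implements the network-side view: over outbound connection records it groups by source and destination and flags pairs whose inter-connection gaps are almost constant, the signature of a beacon on a timer, while bursty human browsing to the same source passes. The log lines are constructed; 203.0.113.7 and 198.51.100.20 are documentation addresses standing in for a C&C host and an ordinary site, and the record format is an assumption.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import accumulate

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def make_sample_log() -> list:
    """Constructed outbound-connection log: 10.0.0.5 checks in with 203.0.113.7
    every 300 s (+/- 1 s jitter) while also browsing 198.51.100.20 irregularly.
    Both destinations are documentation addresses, not real hosts."""
    start = datetime(2018, 5, 10, 12, 0, 0)
    lines = []
    for i in range(12):
        t = start + timedelta(seconds=300 * i + (i % 3) - 1)
        lines.append("%s 10.0.0.5 203.0.113.7:80 POST /api/report" % t.strftime(LOG_FORMAT))
    for offset in accumulate([0, 7, 95, 140, 12, 600, 33, 1800, 4, 250, 70, 900]):
        t = start + timedelta(seconds=offset)
        lines.append("%s 10.0.0.5 198.51.100.20:443 GET /updates" % t.strftime(LOG_FORMAT))
    return sorted(lines)


def parse_line(line: str):
    """Record format assumed here: '<ISO timestamp> <src> <dst:port> <method> <path>'."""
    ts, src, dst = line.split()[:3]
    return datetime.strptime(ts, LOG_FORMAT), src, dst


def find_beacons(lines, min_events: int = 8, max_cv: float = 0.1) -> dict:
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    cv = stddev / mean of the gaps; human traffic is bursty (cv well above 0.1)."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings[pair] = {"events": len(times),
                              "period_s": int(statistics.median(gaps)),
                              "cv": round(cv, 4)}
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_beacons(make_sample_log()).items():
        print("%s -> %s: %d connections every ~%d s (cv %.4f)"
              % (src, dst, info["events"], info["period_s"], info["cv"]))
```

An attacker who randomises the interval raises the coefficient of variation and defeats this single heuristic, which is why it is best paired with the host-side checks (an interpreter posing as a daemon) rather than used alone.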

Monero is uniquely suited for this sort of hack for two reasons. Firstly, it is designed for individual anonymity and identifying the person who is receiving the mined coins is extremely difficult. Secondly, the mining algorithm is meant to be run on a CPU rather than GPU. Most web servers don’t have GPUs, and so mining a currency that allows you to effectively use a CPU is an ideal way to turn stolen web server processing power into hard cryptocurrency. When you aggregate a thousand or tens of thousands of hacked web servers together, that can result in a significant profit for an attacker.

Wrapping Up

Once I completed my analysis and ensured that Wordfence detects all variants of this new malware, I documented the tactics, techniques and procedures (TTPs) of this new attacker along with logging the malware and other indicators of compromise (IOCs) into our internal threat intelligence platform.

It’s worth noting that the attacker who controls machines compromised by this infection is controlling a large cluster of stolen compute power. You can think of this as a private AWS cloud that the attacker can use for anything that needs computing resources. They are currently using their stolen cluster for cryptocurrency mining, but there is nothing preventing them from using these resources to conduct DDoS attacks, email spam campaigns, to brute force crack stolen password hashes or use the machines as proxies for misdirection while attacking other sites. They could even lease the compute resources to other attackers.

That is why I am excited whenever we have an opportunity to add detection for these kinds of new infections to the Wordfence malware scan. By analyzing a single compromised website and deploying detection to Wordfence, we have a good chance of shutting down this attacker once all sites running Wordfence detect this infection.

Closing Notes

I’d like to thank James for taking the time out of his busy schedule chasing malware to write this comprehensive post. If you have any questions, please don’t hesitate to post them in the comments below. Both James and I will be around to answer any questions. ~Mark Maunder

This post was written by James Yokobosky and edited by Mark Maunder with assistance from Dan Moen.

The post WordPress: Tracking Emerging Cryptomining Threats appeared first on Wordfence.

Read More

WordPress: Tracking Emerging Cryptomining Threats

This is a post written by James Yokobosky who works on the Defiant Threat Intelligence team. In his daily job he analyzes new WordPress threats as they emerge and adds detection capability to the Wordfence malware scanner. In addition to making sure we detect new malware, James also researches the pieces of malware we find to learn more about how they work, what they do and who is behind each campaign.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/wordpress-tracking-emerging-cryptomining-threats/

This post will give you an idea of what the workflow looks like for one of our Threat Analysts at Defiant, and will give you some insight into the emerging malware variants that we are seeing that target WordPress, how they work and what they do.

In this post, James describes his analysis of a Monero cryptocurrency miner that he recently examined, and explains how he tracked down and communicated with the command and control infrastructure for this malware variant. This post provides a clear illustration of how we rapidly add detection capability to the Wordfence malware scanner for emerging threats.

Fresh Malware Arrives for Analysis

One of our sources of threat data at Defiant is cleaning hacked websites. In this case, Ivan, a member of our SST team had cleaned a hacked site and handed me the forensic data for analysis. The site had been hacked for months before the owner discovered that it had been compromised.

My normal routine is to start by verifying the files we already detect to check if there is any new information inside any of them. Usually there is not, and this infection did not yield any surprises in the files that Wordfence already detected.

What did surprise me is that the server had a large number of malicious files we have not seen before. The server had been infected for a long time, which may have left the attacker feeling confident enough to upload more valuable code. For us, a server with code we have not seen before is a treasure trove, because it immediately allows us to add new detection capability to the Wordfence malware scanner. If an attacker is caught in this situation, they generally have a bad day, because many of their files that may have previously been undetected by malware scanners will now be detected by our scan.

The first thing that made this attacker different from others is that, instead of using a standard javascript code obfuscator that just scrambles the code, they were using a finite wordlist to replace variable and function names in the code. When you look at the code, the variable and function names just seem like gibberish:


function flu(sake,immobilitys)
    {
        chains = neatly / seehis;
        plotted = airs / lucky;
        storm = immediately + lowly;
        guests = soothed - lucie;
    }

I immediately searched for other similar files out of the remaining samples and found several, then proceeded to write new signatures to detect those files. That accomplished, I moved on to the next file in the list. That was a basic PHP file that selectively redirects regular users, not search engines, to a malicious website. This is a standard thing we see, so I wrote a signature to detect this updated malware variant and moved on.

A Cryptomining Binary is Found

The third file was a bit more interesting. It was an ELF 64-bit LSB shared object, x86-64, dynamically linked and stripped executable. It is a compiled file designed to run on a Linux system with a specific architecture, which has meaningful debugging data removed. It is similar to a Windows .exe file. These are relatively rare to see on WordPress infections because most web servers are not set up to allow arbitrary executables to run, and for this to work, an attacker needs to do more work on their end.

Because we already know this mystery file is doing something malicious, a good first step is to see if other antivirus software has already identified it. VirusTotal is an industry-standard way to achieve this, and sure enough a handful of the supported vendors do detect and identify the file.

The names VirusTotal returned provide a hint of what the file is:

  • Misc.Riskware.BitCoinMiner.Linux,
  • LINUX/BitCoinMiner.dbwhf,
  • not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b,

and similar suggest this is a cryptocurrency miner. At this point I performed a cursory inspection of the binary file to search for plaintext strings or recognizable disassembly and quickly identified the specific build: This is a mostly-stock xmrig ( https://github.com/xmrig/xmrig ) Monero-focused miner, well known in that community. Other artifacts inside the file allow me to confirm it was compiled on 2018-01-16 with a modern version of GCC.

I could tell there had been some modifications from the original source code. A quick look revealed that the change was hardcoding the addresses to send results – the pool addresses – so anyone running this specific file will be sending money to the attacker. At this point I had more than enough information to write a reliable signature to detect this malware, and I quickly did. We have more samples and I had yet to discover how the attacker runs and manages this hacked, zombie miner.

Analyzing the Configuration File

The next unique file shows another unusual level of technical sophistication from the “average” WordPress attacker: A separate configuration! Having just seen xmrig, it is easy to tell this JSON file contains instructions for how to run the mining executable.

It includes instructions to run in the background (hidden), use only 40% of the maximum available CPU, to slow down if the machine is otherwise busy, and other specific technical details related to the mining process. Luckily for us it is normally a terrible idea to run cryptominers on your WordPress web server if you are the person paying for it, so I can safely add a signature to identify this otherwise-benign configuration code without creating false positives.

Discovering the Command and Control Servers

With our next sample we hit the jackpot. It is a Python backdoor script that, while running, will check for new instructions against a centralized command and control server every 5 minutes. The backdoor itself is written to hide from system administrators. It masquerades as php-fpm ( https://php-fpm.org ) which is a normal process to be running on that server, and it is “well-behaved.” That is to say, it sits quietly and most of the time is not doing anything unusual or malicious.

Built into the backdoor is a report function, used to give the attacker data about the hacked machine and status updates on any activity, and a variety of normal system administration tasks related to downloading files, controlling processes, and executing commands. The code is well-formed and has obvious updates and adjustments made, implying the attacker has been developing and using this backdoor for some time. The method of hiding and the interval to check for new commands are easily configurable to evade intrusion detection systems and firewalls.

Most importantly, the command and control server’s IP address and method of communication is now available to us. I checked that it is still “up” – online and responding to requests – and put a pin in it. First I needed to develop a signature so that Wordfence detects this backdoor, then I inspected the remaining samples for more hints about the attacker before I risked exposing myself as infiltrating his botnet.

Only one of the remaining samples is noteworthy and related to the backdoor. It is a short Bash script used to start the backdoor running. Two things here again indicate a relatively sophisticated attacker: The backdoor is installed to look like a common part of a Linux shell and is executed in such a way that it looks like the legitimate owner of the server ran an innocuous command. This is easy to write a signature to detect, now that we have seen it. But this technique is an effective misdirect for a sysop trying to identify where the malicious activity is coming from. Had the attacker deleted this remnant file it would probably have been impossible to identify how the backdoor started, given the lack of forensic logging on the server.

Deploying Signatures to our Premium Customers

I confirmed that all of the previously undetected samples are detected by Wordfence with our new signatures and I immediately entered them into our Premium BETA feed. This allows us to receive instant feedback about possible bugs or false positives from our users who are aware of the Wordfence beta feed for scan signatures.

We do a more rigorous QA over the following hours and, once completed, the signatures proceed out into our production Premium feed so that our Premium customers receive this new detection capability in real-time. The important part is getting that protection to our users as quickly as possible before engaging in other research.

Going Deeper Down the Rabbit Hole

But now, of course, I was free to spend some time doing that research! As mentioned earlier, I had all of the information I needed to communicate with the attacker’s command and control server (C&C server). Rather than setting up a controlled infection and monitoring how the script runs, I can manually act as the “infected server” and see what other data I can gather by sending my own status updates.

The C&C server works via HTTP and includes several different endpoints. For the developers in the audience, it’s a REST-like API. When an infected server first executes, it encodes a set of values that give the attacker information about the operating system, hardware, and active processes and requests a configuration file.

I started by sending a false report for a non-existent server and received a customized configuration. It was very similar to the JSON configuration file I examined earlier, with lower settings to match the lower-quality machine I was pretending to be, along with some other settings tailored to improve that machine’s performance during cryptomining. At this point the backdoor would wait quietly for several minutes, so I did the same.

On the next report I sent the same machine information and a plausible change in the active processes, and this time received a set of commands. The C&C server instructed the backdoor to download a file, apply basic cloaking techniques, execute the file, and report the output of that file at the next check-in. I downloaded the file: it is another, more recently compiled xmrig build, and it matches the different architecture I was claiming to have. The initial command is a test to confirm the program works correctly; I simulated this and at the next report interval sent the expected data.

Finally the C&C server sent back an instruction set to run the miner, reconfigure the interval to send status reports, and to continue checking for a change of commands every 5 minutes. The goal of the attacker is to make money and this miner will use the server resources to mine Monero, a cryptocurrency which we have written about extensively in the past.
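The check-in behaviour described above, a fixed interval (here five minutes) of requests to one C&C address, is what a defender can look for on the network side. The following is an added example and not code from the original post or from Wordfence: it parses constructed outbound-connection log lines (the timestamps, host name and addresses are made up for the example), groups them by source/destination pair, and flags pairs whose connection gaps are nearly constant, using the coefficient of variation of the gaps as the regularity score. The `min_connections` and `max_cv` thresholds are assumptions a practitioner would tune to their own environment.

```python
"""Flag periodic outbound connections (beaconing) in a connection log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination ip:port>".
# The 198.51.100.7 entries are spaced about 300 s apart, like a 5-minute check-in;
# the 203.0.113.x entries are irregular browsing-style traffic.
SAMPLE_LOG = """\
2018-05-16T10:00:02 web01 198.51.100.7:80
2018-05-16T10:00:41 web01 203.0.113.25:443
2018-05-16T10:05:02 web01 198.51.100.7:80
2018-05-16T10:07:19 web01 203.0.113.25:443
2018-05-16T10:10:03 web01 198.51.100.7:80
2018-05-16T10:12:55 web01 203.0.113.88:443
2018-05-16T10:15:02 web01 198.51.100.7:80
2018-05-16T10:20:02 web01 198.51.100.7:80
2018-05-16T10:21:10 web01 203.0.113.25:443
2018-05-16T10:25:03 web01 198.51.100.7:80
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from whitespace-separated log lines."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation) or None if too few gaps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(conns, min_connections=4, max_cv=0.1):
    """List (src, dst) pairs whose connection gaps are regular enough to look like a beacon.

    A low coefficient of variation means the gaps are almost identical, which is
    typical of a timer-driven check-in rather than human-driven traffic.
    """
    results = []
    for (src, dst), times in conns.items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score is None:
            continue
        m, cv = score
        if cv <= max_cv:
            results.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "interval_s": round(m),
                "cv": round(cv, 3),
            })
    return results


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every ~{hit['interval_s']} s (cv={hit['cv']})")
```

Because the backdoor's check-in interval is configurable, an operator can add jitter to the timer; raising `max_cv` catches jittered beacons at the cost of more hits from legitimate periodic jobs (cron, monitoring agents, package mirrors), so the output is a triage list to combine with destination reputation and process context, not a verdict on its own.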

Monero is uniquely suited for this sort of hack for two reasons. Firstly, it is designed for individual anonymity and identifying the person who is receiving the mined coins is extremely difficult. Secondly, the mining algorithm is meant to be run on a CPU rather than GPU. Most web servers don’t have GPUs, and so mining a currency that allows you to effectively use a CPU is an ideal way to turn stolen web server processing power into hard cryptocurrency. When you aggregate a thousand or tens of thousands of hacked web servers together, that can result in a significant profit for an attacker.

Wrapping Up

Once I completed my analysis and ensured that Wordfence detects all variants of this new malware, I documented the tactics, techniques and procedures (TTPs) of this new attacker along with logging the malware and other indicators of compromise (IOCs) into our internal threat intelligence platform.

It’s worth noting that the attacker who controls machines compromised by this infection is controlling a large cluster of stolen compute power. You can think of this as a private AWS cloud that the attacker can use for anything that needs computing resources. They are currently using their stolen cluster for cryptocurrency mining, but there is nothing preventing them from using these resources to conduct DDoS attacks, run email spam campaigns, brute-force stolen password hashes, or use the machines as proxies for misdirection while attacking other sites. They could even lease the compute resources to other attackers.

That is why I am excited whenever we have an opportunity to add detection for these kinds of new infections to the Wordfence malware scan. By analyzing a single compromised website and deploying detection to Wordfence, we have a good chance of shutting down this attacker once all sites running Wordfence detect this infection.

Closing Notes

I’d like to thank James for taking the time out of his busy schedule chasing malware to write this comprehensive post. If you have any questions, please don’t hesitate to post them in the comments below. Both James and I will be around to answer any questions. ~Mark Maunder

This post was written by James Yokobosky and edited by Mark Maunder with assistance from Dan Moen.

The post WordPress: Tracking Emerging Cryptomining Threats appeared first on Wordfence.


Hacked by an 11 Year Old

The Wordfence team recently sponsored and attended WordCamp Atlanta. Instead of doing the usual boring corporate thing with our booth, we decided to host a capture the flag, or CTF contest. A CTF is essentially a hacking contest. It is a series of puzzles that the contestant needs to solve. They might include decrypting an encrypted piece of text, performing a challenge involving a browser and website, or hacking into something we set up.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/hacked-by-an-11-year-old/

CTFs have been held at security conferences for decades. We decided to bring a CTF to WordCamp in order to help WordPress site owners learn to think like hackers. If you know how hackers think, you can do a better job of defending your site. We made this CTF very accessible, so that people with a wide range of abilities could participate.

The CTF started at 10am on Saturday morning and ran until noon Sunday. It was hosted online and anyone could participate, although we only promoted it to WordCamp attendees. You also had to be at WordCamp Atlanta to be eligible for a prize.

We had some amazing prizes including coffee mugs if you passed level 1, lock pick sets if you passed level 3, and then game consoles as the top prizes including a full Playstation VR setup and game for first prize.

It was a huge amount of fun because to promote the CTF, we gave lock picking lessons at our booth. It’s really cool to see someone pick a lock for the first time. They’re always so surprised when it pops open.

By the time Sunday morning rolled around, we looked at the leaderboard and realized we had a real contest on our hands. A young man by the name of Grayson came to our booth and said he was competing. We asked him what his username was and were surprised to learn he went by ‘Unstoppable’ and was in 6th place. That was really impressive because we had quite a few contestants.

I chatted with his Dad and suggested we might give him a prize for making it so far as an 11 year old. Well… that wasn’t necessary.

At about 11:30am on Sunday, Matt Barry, our lead developer and the contest designer, started calculating who the winners were. We had to eliminate people who weren’t physically at the conference. Once we had the final list, Grayson, our 11-year-old contestant, had arrived in third place, and he remained there as the contest ended.

I got on stage to hand out the top three prizes to first, second and third. I told the room of about 400 people the story of how we had assumed an 11-year-old would need a consolation prize and that, actually, he had just hacked his way into third place to take one of our top prizes. The crowd went kinda wild as Grayson stepped onto the stage to collect. Here he is (published with Dad’s permission):

I’m expecting this young man will soon start his career as a world-class security researcher. We had an opportunity to chat about security as a career and how researchers think – and I’m sure he has an amazing future ahead of him.

I’d like to thank our other contestants and congratulate Mike V who took our top prize and our second prize winner Adam S. Thanks very much to all of our other participants, you guys made it an amazing game.

This is a photo of Tim Cantrell from the Wordfence team teaching a group of kids about cyber security at WC Atlanta. On his right is Matt Barry, our CTF designer.


This is Tim Cantrell and his son Evan manning the Wordfence booth:

Late on Saturday night we threw an impromptu lock picking party with some of our fellow sponsors who are also security researchers along with a few attendees. I won’t post any photos from that to protect the not-so-innocent, but here is a photo of one of our newly minted lock-pickers in action.

Attending and sponsoring WordCamp Atlanta was a huge success for us for many reasons. What we learned from our customers and from the WordCamp community alone made the event an incredible success for us.

From myself and our team, I’d like to extend our heartfelt thanks to the organizers and volunteers who made WordCamp Atlanta possible. It’s an incredible amount of work and without you the event would not be possible.

My team and I are looking forward to attending more WordCamps this year and, who knows, we might even bring our lock-picking gear and a few other fun hacker toys with us.

The post Hacked by an 11 Year Old appeared first on Wordfence.


Solved: Jetpack Generating Mysterious Admin Email Change Messages

We’ve received quite a few questions about this in the past 24 hours, either via forums, email or twitter. Roughly 14 hours ago we started seeing reports that WordPress site owners running Jetpack were receiving emails that stated the following:

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/jetpack-admin-email-change/


You recently requested to have the administration email address on your site changed.

If this is correct, please click on the following link to change it: [link]

You can safely ignore and delete this email if you do not want to take this action.

This email has been sent to [email]


This has been reported and discussed on Reddit here and here.

It was also reported on the WordPress forums where Brandon Kraft, who works at Automattic as customer happiness team lead, posted the following update just over an hour ago:


Howdy y’all,

This is something we missed. We started noting the admin email address which ended up triggering WordPress.com’s notification system unintentionally, which sent the e-mails you saw. I disabled the notifications about 12 hours ago (02:32 UTC) so you will not see any additional e-mails.

There is no security threat or breach and no action is required for those messages. I’m sorry for the hassle and worry. We take testing releases very seriously and it was a bit of a perfect storm that led to the particular condition that triggered the notification to be missed pre-release.


It sounds like the window during which this occurred was just a few hours, so the impact may not include the full Jetpack ecosystem, but just those sites that updated during that time.

As a precaution the Wordfence team looked at Jetpack’s source along with other possible vectors before we received Brandon’s update and didn’t find anything. So it looks like this was just a case of a bug that slipped through QA and made it into production.

Thanks Brandon and the Jetpack team for the update. We will now return to our regularly scheduled programming.

The post Solved: Jetpack Generating Mysterious Admin Email Change Messages appeared first on Wordfence.


Windows 10 Update on Hold Due to ‘Blue Screen of Death’ Issues

Microsoft's big spring update for Windows 10 had been set to start rolling out last week, but the launch was put off after the machines of the developers testing the new version of the operating system encountered the "blue screen of death" (BSOD).

Rather than try to fix the version that caused those problems, Microsoft instead opted to create a new build released yesterday to Windows Insiders in the "fast" ring for testing software updates.

Because of the delay, the final version of the update will likely roll out to general users later than expected, possibly sometime in May. It might also prompt Microsoft to assign a new name to what it had been calling the "Spring Creators Update" or, more recently, the "Windows 10 April 2018 Update."

Insiders' Discovery of 'Blocking Bug'

The build that had been set for general release last week showed some reliability issues that required fixing, Windows Insider program head Dona Sarkar and senior program manager Brandon LeBlanc said in a Microsoft blog post yesterday.

"In certain cases, these reliability issues could have led to a higher percentage of (BSOD) on PCs for example," they said. "Instead of creating a Cumulative Update package to service these issues, we decided to create a new build with the fixes included."

Sarkar and LeBlanc added that the discovery of those problems, widely described as a "blocking bug," underscored the importance of the Windows Insider program.

"This just reinforces that Windows Insiders are critical to helping us find and fix issues before releasing feature updates to all our customers so thank you!" they noted.

Previous updates this month have addressed a number of other Windows 10 problems, including several affecting security in the Microsoft Edge and Internet Explorer browsers.

New Security Services for Cloud, Edge Devices

When it does arrive, the next...


FBI Asked Anew About San Bernardino Shooter’s iPhone

Lawmakers from both sides of the aisle are asking the FBI to explain what they called a "troubling" recent report that appears to show the agency failed to exhaust all technical possibilities before pushing Apple to unlock the iPhone of one of the San Bernardino shooters.

The lawmakers, including U.S. Rep. Zoe Lofgren, D-San Jose, on Friday sent a letter to FBI Director Christopher Wray, citing a report by the Department of Justice Office of Inspector General that was published in March.

Statements made by officials involved in the investigation "appear to indicate that the FBI was more interested in forcing Apple to comply than getting into the device," the letter says.

"It was not until the night before the FBI's suit against Apple, which was predicated 'on the notion that technical assistance from Apple was necessary to search the contents of the device,' that the FBI first consulted the third-party vendor that it knew had nearly completed a solution," the lawmakers also said.

In December 2015, Syed Farook and his wife, Tashfeen Malik, shot and killed 14 people at Farook's workplace in San Bernardino. After the couple was killed in a shootout with police, Farook's passcode-protected iPhone became the center of an encryption battle between the FBI and Apple, which refused to help unlock the phone -- setting off a heated debate over privacy vs. national security.

In February 2016, Apple CEO Tim Cook said in a letter: "The U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."

Malik was said to have pledged allegiance to ISIS and her husband, a U.S. citizen, was said to have been radicalized. Cook stressed that Apple had "no sympathy for terrorists." But Apple's chief executive characterized...


How Do Facebook Ads Target You? The Surprising Truth

If you want to tailor a Facebook ad to a single user out of its universe of 2.2 billion, you could. Trying to pitch your boutique bed and breakfast to a 44-year-old "trendy mom" who lives in Seattle, leans conservative and is currently traveling in the Toronto area but hasn't booked a hotel for the night yet? Go right ahead. Interested in mail-ordering pet treats to a 32-year-old cat owner in Madison, Wisconsin who enjoys Japanese food, doesn't like pizza and has an anniversary coming up in the next two months? Not a problem.

Targeting ads, it turns out, is almost infinitely customizable -- sometimes in surprising ways. The ads you might see can be tailored to you down to the most granular details -- not just where you live and what websites you visited recently, but whether you've gotten engaged in the past six months, are interested in organic food or share characteristics with people who have recently bought a BMW, even if you've never expressed interest in doing so yourself.

Facebook made $40 billion in advertising revenue last year, second only to Google when it comes to its share of the global digital advertising market. Even with a recent decision to stop working with outside data brokers to help advertisers target ads based on things like offline purchases or credit history, this number is expected to grow sharply this year.

Here are some ways advertisers can target you through Facebook:

Monitoring Your Facebook Activity

By now you've probably gathered that Facebook uses things like your interest, age and other demographic and geographic information to help advertisers reach you. Then there's the stuff your friends do and like -- the idea being that it's a good indicator for what you might do and like. So, if you have a friend who has liked the...
