Search This Blog

Showing posts with label WordPress. Show all posts

Data Breach Targets Fast Company News

Fast Company's Apple News website currently displays a statement from the business confirming that it was hacked on Sunday afternoon, followed by another intrusion on Tuesday night that let threat actors to send bigoted notifications to smartphones via Apple News.

In a press release issued last night, the company claimed that "the statements are repulsive and are not by the contents and culture of Fast Company.  We have suspended FastCompany.com while we look into the matter and will not reopen it until it is resolved."

As soon as individuals on Twitter noticed the offensive Apple News notifications, the company disabled the Fast Company channel on the news network.

Data breach tactics

The website's webpage started to load up with articles headlined "Hacked by Vinny  Troia. [redacted] tongue my [redacted]. Thrax was here. " on Sunday afternoon, which was the first indication that Fast Company had been compromised.

In their ongoing dispute with security analyst Vinny Troia, members of the breached hacking group and the now-defunct RaidForums regularly deface websites and carry out attacks that they attribute to the researcher. Fast Company took the website offline for a while to address the defacement, but on Tuesday at around 8 PM EST, another attack occurred.

Hackers claim that after discovering that Fast Company was using WordPress for their website, they were able to compromise the company. The HTTP basic authentication which was supposed to have protected this WordPress installation was disregarded. The threat actor goes on to claim that they were able to enter the WordPress content management system by utilizing a relatively simple default password used on dozens of users.

Fast Company, according to the post, had a 'ridiculously easy' default password that was used on numerous accounts, including an admin account. The compromised account would have then been utilized by the threat actors to gain access to, among other things, authentication tokens and Apple News API credentials.

They assert that by using these tokens, they were able to set up administrator accounts on the CMS platforms, which were then used to send notifications to Apple News.

Threat actors gained access to an undefined number of customer names, birthdates, contact numbers, email, physical addresses, and personal documents, including license and passport numbers, through this same forum, which was at the center of the previous Optus breach. The hacker in question claims to have made 10,200 records available thus far. It's uncertain whether or when Apple News would reactivate the Fast Company channel.



New Zero-day Flaw in BackupBuddy Plugin Leaves WordPress Users at Risk

 

Wordfence, a WordPress security company, has disclosed that a zero-day vulnerability in the BackupBuddy plugin is being actively exploited. 

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it stated.

Users can back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, users, and media files, among other things. The flaw (CVE-2022-31474, CVSS score: 7.5) affects versions 8.5.8.0 to 8.7.4.1 of the plugin, which has an estimated 140,000 active installations. It was fixed in version 8.7.5, which was released on September 2, 2022. 

The problem stems from the "Local Directory Copy" function, which is intended to keep a local copy of the backups. The vulnerability, according to Wordfence, is the consequence of an insecure implementation that allows an unauthenticated threat actor to download any arbitrary file on the server. Additional information about the vulnerability has been withheld due to active in-the-wild abuse and the ease with which it can be exploited.

The plugin's developer, iThemes, said, "This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence reported that the targeting of CVE-2022-31474 began on August 26, 2022, and that it has blocked nearly five million attacks since then. The majority of the intrusions attempted to read the files listed below -
  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash
Users of the BackupBuddy plugin are encouraged to update to the most recent version. They should determine that they may have been compromised, it's recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.

5 Million Attacks Targeting 0-Day in BackupBuddy Plugin Blocked: Wordfence Report


Vulnerability exploited in the wild 

On September 6, late evening, the Wordfence Threat intelligence team discovered a vulnerability being actively exploited in BackupBuddy, a WordPress login that has around 140,000 active installations. 

The vulnerability allows unauthorised users to download arbitrary from the compromised site which may have sensitive data. It impacts versions 8.5.8.0 to 8.7.4.1, and was fully fixed by September 2, 2022, in version 8.7.5. 

Because of the fact that it is an actively exploited vulnerability, experts recommend users make sure that their site is updated to the latest fixed version 8.7.5 which iThemes has made available to all site owners using a vulnerable version regardless of the licence status.

About the vulnerability

The BackupBuddy plugin for WordPress is made to make backup management easy for owners of WordPress sites. One of the plugin features is storing backup files in various different locations, like AWS, Google Drive, and OneDrive. 

There is also an option to store backup downloads locally through the "Local Directory Copy" option. Sadly, the process to download these locally stored files was not executed safely, which can allow unauthorised users to download any file that is stored on the server.

How is the vulnerability exploited?

Notably, the plugin registers an admin_init hook for the function aimed to download local backup files and the process itself lacks any nonce validation or capability checks. 

It means that the function can be activated via any administrative page, this includes the ones that can be called without any verification, allowing unauthorised users to call the function.

The backup location isn't validated; thus, an arbitrary file could be sneaked and downloaded. 

Because of this vulnerability being exploited in the wild, due to its ease of exploitation, Wordfence has shared some details about the vulnerability.

How to stay safe?

Wordfence suggests for looking up the 'local download 'or the 'local-destination-id' parameter when checking requests in your access logs. "Presence of these parameters along with a full path to a file or the presence of ../../ to a file indicates the site may have been targeted for exploitation by this vulnerability," it says. 

If the site is breached, it may mean that BackupBuddy was the reason for the breach.

In its report, Wordfence concludes:

"we detailed a zero-day vulnerability being actively exploited in the BackupBuddy plugin that makes it possible for unauthenticated attackers to steal sensitive files from an affected site and use the information obtained in those files to further infect a victim. This vulnerability was patched yesterday and we strongly recommend updating to the latest version of the plugin, currently version 8.7.5."





 Bogus DDoS Protection Alerts Distribute RATs

Researchers from Sucuri cautioned that malware distributors are luring users into downloading and running malware on their computers by taking advantage of their expertise and innate trust in DDoS protection pages.

DDoS protection alerts are web pages that users' browsers deliver when checks are made to ensure that the visitor is actually a human and not a bot or a DDoS assault participant.

Tactics of the scam 

These warnings would appear to be an inconvenience, but their sole purpose was to serve as preliminary checks before the user accessed the intended web page. They are also important to ensure malicious traffic is blocked before it reaches its objectives.

The attacks start with a malicious JavaScript injection intended to target WordPress sites, which causes a bogus Cloudflare DDoS protection pop-up, according to Sucuri's experts.

When the user clicks on the bogus popup, an ISO file containing a remote access trojan (RAT) is downloaded onto their machine. In addition, the victim is told to open the file to get a verification code needed to access the target website.

The NetSupport RAT, RaccoonStealer information stealer, and two more payloads were seen being dropped by the ISO file.

The RAT is frequently used to screen victims before the distribution of ransomware and has been related to FakeUpdates/SocGholish. According to Malwarebytes researcher Jerome Segura, the ISO file contains a shortcut that pretends to be executable and executes PowerShell from another text file.

NetSupport RAT, which was at first a genuine program called NetSupport Manager, gives hackers remote access to the victim's computer, allowing them to install more malware, steal sensitive data, or even entangle the system in a botnet.

As website owners struggle to distinguish genuine visitors from the voluminous bot traffic, these have grown in popularity in recent years.

"Remote access trojans (RATs) are among the most harmful infections a computer can contract as they offer the attackers total control of the system. The victim is now entirely at their mercy. Both site owners and visitors can take all necessary safety procedures", as per Sucuri.

Users are advised to avoid downloading and opening odd files, update their operating system and applications frequently and consider installing a script-blocking browser extension.




Alert WordPress Admins! Uninstall the Modern WPBakery Plugin Immediately

 

WordPress administrators have been cautioned to uninstall a problematic plugin or risk a total site takeover. This threat is associated with a plugin that is no longer in use: Modern WPBakery page builder extensions. CVE-2021-24284 is a vulnerability in the plugin that allows "unauthenticated arbitrary file upload through the 'uploadFontIcon' AJAX action." 

As a result, attackers might upload malicious PHP scripts to the WordPress site, resulting in remote code execution and site takeover. There has been a significant surge in attacks due to this defunct WordPress relic. 

Researchers detected "many vulnerable endpoints" in Modern WPBakery in 2021, which might lead to the injection of malicious JavaScript or even the deletion of arbitrary data. The goal of the game this time is to upload rogue PHP files and then inject malicious JavaScript into the site. 

Approximately 1.6 million sites have been examined for the presence of the plugin by malicious actors, and current estimates imply that 4,000 to 8,000 websites are still hosting the plugin. Check and delete immediately. 

The current recommendation is to search for the plugin and then uninstall it as quickly as possible. It has been entirely abandoned, and no security updates will be sent. If anyone has it installed, it's only a matter of time until the exploiters find their way to your Modern WPBakery hosting website and begin collecting information. It's advised to as soon as possible, remove this out-of-date invitation to site-wide compromise.

Defective WordPress Plugin Permits Full Invasion

 

According to security researchers, a campaign scanning almost 1.6 million websites was made to take advantage of an arbitrary file upload vulnerability in a previously disclosed vulnerable WordPress plugin.

Identified as CVE-2021-24284, the vulnerability that affects Kaswara Modern WPBakery Page Builder Addons, when exploited, gives an unauthorized attacker access to sites using any version of the plugin and enables them to upload and delete files or instead gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider claims to have halted 443,868 attacks on client websites per day and strives to do the same till date. Daily, on average, 443,868 tries are made.

Malicious code injection  

The hacker attempts to upload a spam ZIP payload that contains a PHP file using the plugin's 'uploadFontIcon' AJAX function by sending a POST request to 'wp-admin/admin-ajax/php'.

Afterward, this file pulls the NDSW trojan, which inserts code into the target sites' legitimate Javascript files to reroute users to dangerous websites including phishing and malware-dropping sites. You've likely been infected if any of your JavaScript files contain the string "; if(ndsw==" or if these files themselves contain the "; if(ndsw==" string.

All versions of the software are vulnerable to an attack because the bug was never patched by the software creators, and the plugin is currently closed. The bug hunters stated that although 1,599,852 different sites were hit, a bulk of them wasn't hosting the plugin, and they believed that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not utilizing the plugin. Visit Wordfence's blog for additional information on the indicators and the sources of requests that are the most common.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

 

Parrot is a novel TDS system for online traffic redirection that runs on a few servers hosting over 16,500 sites from government agencies, universities, adult platforms, and personal blogs. The service was apparently also utilized in the context of various cyber-attacks aiming at diverting victims to phishing or sites which result in malware being installed on the systems. Reportedly, all of this is dependent on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors undertaking malicious campaigns to filter incoming traffic and route it to a final destination which serves harmful material. Advertisers and marketers utilize TDS legitimately. Most TDS services are used regularly by professionals in the marketing industry, which is why there are credible reports demonstrating how similar campaigns were executed in the recent past. 

Security analysts working with Avast have revealed that the Parrot has been identified as they recently made assertions about how the campaign was used for FakeUpdate, which delivered update warnings regarding remote access trojans, sometimes known as RATs, using fake browsers. 

Avast threat experts found Parrot TDS, which is presently being utilized for a campaign called FakeUpdate, which distributes remote access trojans (RATs) via phony browser update alerts. The effort appears to have begun in February 2022, however, there have been traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

They have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.  

Those landing sites seem just like a genuine Microsoft login page, prompting visitors to input there login credentials. The best strategy to deal with malicious redirections for web users is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps: 

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  • Use some of the security plugins for WordPress and Joomla which are available.

Cyber Attacks Targeted on Websites Using Wordpress

Thirty Ukrainian Universities were hacked as a result of the targeted cyberattack supporting Russia's attack on Ukraine. In the latest report, experts from Wordfence said that the cyber attack had massive repercussions on Ukrainian Education organizations by hackers known as Monday Group. The threat actor has openly supported Russia's invasion of Ukraine. The members of the hacking group identify themselves as 'the Mxonday' has attacked the websites using WordPress hosting more than in the past two weeks, since the start of the Russian invasion of Ukraine. 


As per the Wordfence blog, the firm protects more than 8,000 Ukranian websites, around 300 of these belong to education websites. Wordfence also offers assistance to government agencies, police, and military websites. The security firm also mentioned that it experienced a rise of 144,000 cyber attacks on February 25, the second day of the Kinetic attack. The rise is three times the number of regular attacks compared to the starting of the month across the Ukranian websites that Wordfence protects. According to founder and CEO Mark Maunder, a threat actor was continuously trying to attack Ukranian websites, immediately after the Ukranian invasion. 

An inquiry into the issue found four IP addresses associated with the campaign, these are distributed through a VPN service from Sweden. The hacking group also has ties with Brazil, Wordfence is supposed to be operating from here. But the threat actors behind the cyber attack are yet to be known. The report comes after ESET's new research, which mentioned various malware families that are used in targeted cyber attacks against organizations in Ukraine. An ESET blog reported a destructive campaign that used HermeticWiper that targets different organizations. 

The cyberattacks comprised of three elements; HermeticWiper, which corrupts a system making it inoperable, HermeticWizard, which spreads HermeticWiper across the local network via WMI and SMB, and lastly, HermeticRansom. According to the blog, the cyberattack was preceded by a few hours from the start of the Russian invasion of Ukraine. The malware used in these attacks suggests that the planning of the campaign was done months ago. HermeticWiper has been found in hundreds of systems in the last five Ukrainian organizations, says ESET. It also mentioned that no tangible connection with a known threat actor has been found yet.

FBI Issued a Warning to U.S Firms Concerning Iranian Hackers

 

The FBI issues a warning concerning Iranian hackers, posing as radical right organization Proud Boys during the 2020 presidential election, have now broadened operations, launching cyberattacks against a variety of industry divisions and spreading propaganda hostile to Saudi Arabia. 

"Over time, as Iranian operators have evolved both the strategic priorities and tradecraft, the hackers have matured into more proficient malicious attackers being capable of performing a whole spectrum of operations," read a Microsoft report.

Ransomware works by encrypting a device's data and making it inaccessible until the hacker receives a ransom payment. 

In a recent alert, the FBI stated, in addition to its election-related operation, the Emennet malicious attacker has been engaged in "conventional cyber exploitation activity," targeting industries such as news, transportation, tourism, oil and petrochemicals, telecoms, and financial services. It has been using VPNs to launch attacks on websites operated by certain software applications, such as WordPress, which cybercriminals can exploit to launch hacks in countries other than the United States, Europe, and the Middle East. 

The hackers employed multiple free source and commercial tools in activities, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan, to mask location. The threat actor picked possible victims during the discovery phase of the hacking operations by browsing the web for prominent corporations representing various sectors. For initial access, the hackers would try to locate flaws in the program. 

"In certain cases, the goal may have been to target a large assortment of networks/websites inside a specific sector rather than a specific target company. Emennet would also attempt to discover hosting/shared hosting services in other scenarios," according to the FBI. 

Users must keep personal anti-virus and anti-malware products up to date, patch obsolete software, and make use of reliable web hosting companies, according to the authorities. In any case, Iran's state-sponsored hacker organizations aren't the only ones who have exploited the BIG-IP flaw.

20K WordPress Sites Exposed by Insecure Plugin REST-API

 

The WordPress WP HTML Mail plugin is prone to a high-severity issue that can lead to code injection and the distribution of persuasive phishing emails. It is used by over 20,000 sites. 

'WP HTML Mail' is a plugin that allows creating customized emails, contact form notifications, and other messages that online platforms deliver to their users. 

WooCommerce, Ninja Forms, BuddyPress, and other plugins are all functional with the plugin. While the volume of sites that utilise it isn't big, many of them have a large audience, causing the vulnerability to impact a large number of people. 

According to research by Wordfence's Threat Intelligence team, an unauthenticated actor might use the vulnerability dubbed "CVE-2022-0218" to change the email template to include arbitrary information. 

Cybercriminals can also utilise the same flaw to send phishing emails to anyone who has registered on the hacked sites. The problem is with how the plugin registers two REST-API routes for retrieving and updating email template settings. 

Unauthorized users can call and execute the functions since these API endpoints aren't appropriately protected from unauthorised access. 

In its report, Wordfence explains in detail: “The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.” 

Aside from phishing assaults, an adversary might inject harmful JavaScript into the email template, which would run whenever the site administrator accessed the HTML mail editor. This might lead to the creation of new admin accounts, the redirection of site visitors to phishing sites, the injection of backdoors into theme files, and even the entire takeover of the site. 

On December 23, 2021, Wordfence detected and reported the vulnerability to the plugin's creator, but they didn't hear back until January 10, 2022. With the release of version 3.1 on January 13, 2022, a security fix addressed the vulnerability. 

As a result, all WordPress site owners and administrators should make sure they have the newest version of the 'WP HTML Mail' plugin installed.

All In One SEO Plugin Affects Millions of WordPress Websites

 

All in One SEO, a popular WordPress SEO-optimization plugin, contains a combination of security flaws that, when coupled into an exploit chain, might expose website owners to website takeover. 

As per Sucuri researchers, an attacker with an account on the site – such as a subscriber, shopping account holder, or member – can exploit the weaknesses, which is a privilege-escalation bug and a SQL-injection problem. 

“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as a subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.” 

Furthermore, the pair is ideal for straightforward exploitation, thus users must upgrade to the patched version, v. 4.1.5.3. The issues in the plugin utilized by more than 3 million websites, were discovered by Marc Montpas, an Automattic security researcher. 

The more serious of the two issues is the privilege-escalation problem, which affects All in One SEO versions 4.0.0 and 4.1.5.2. It has a significant vulnerability-severity rating of 9.9 out of 10 on the CVSS vulnerability-severity scale, owing to its simplicity of exploitation and the possibility to install a backdoor on the webserver. 

Sucuri researcher indicated that the vulnerability "can be exploited by simply changing a single character of a request to upper-case." 

Fundamentally, the plugin can send commands to different REST API endpoints while also performing a permissions check to ensure that no one is doing anything they are not authorized to do. According to the post, the REST API routes are case-sensitive, thus an attacker only needs to change the case of one character to circumvent the authentication checks. 

“When exploited, this vulnerability can overwrite certain files within the WordPress file structure, effectively giving backdoor access to any attacker,” Sucuri researchers said. “This would allow a takeover of the website, and could elevate the privileges of subscriber accounts into admins.” 

The second bug has a CVSS severity of 7.7 and impacts All in One SEO versions 4.1.3.1 and 4.1.5.2. The problem is on an API endpoint called "/wp-json/aioseo/v1/objects." As per Sucuri, if attackers abused the prior vulnerability to get admin capabilities, they would gain entry to the endpoint and also be capable of sending malicious SQL instructions to the back-end database to collect user passwords, admin information, and other sensitive information. 

In order to safeguard themselves, All in One SEO customers should update to the patched version, researchers advised.

1.6 Million Vulnerable Websites hit by Cyber Attack

 

Wordfence researchers indicate that in the last few days, they have spotted a significant series of attacks emerging from 16,000 IP addresses and targeting over 1.6 million WordPress websites. 

Four WordPress plugins including fifteen Epsilon Framework themes are targeted by the malicious attackers, one of which has no patch available. Some of the vulnerable plugins have been fixed recently as of this week, while others were updated as recently as 2018. 

The affected plugins and their versions are: 
  • PublishPress Capabilities 
  • Kiwi Social Plugin 
  • Pinterest Automatic 
  • WordPress Automatic 
The targeted Epsilon Framework themes are: 
  • Shapely 
  • NewsMag 
  • Activello 
  • Illdy 
  • Allegiant 
  • Newspaper X 
  • Pixova Lite 
  • Brilliance 
  • MedZone Lite 
  • Regina Lite 
  • Transcend 
  • Affluent 
  • Bonkers 
  • Antreas 
  • NatureMag Lite – No patch available 

"In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to administrator," Wordfence explains. "This makes it possible for attackers to register on any site as an administrator effectively taking over the site." 

To see if one's site has already been infiltrated, one should go through all user accounts and search for any unauthorized modifications that need to be removed right away. 

Next, go over to "http://examplesite[.]com/wp-admin/options-general.php" and look through the Membership as well as the new user default role settings. Even if the plugins and themes aren't on the list, it's a good idea to upgrade them as soon as possible. If one is using NatureMag Lite, which has no solution, then they should uninstall it right away. 

It is critical to note that upgrading the plugins would not remove the threat if the site has already been hacked. In this scenario, it is recommended that first follow the methods provided in detailed clean-up manuals. In general, one must aim to minimize the number of plugins on the WordPress site to a bare minimum, as this significantly reduces the possibility of being attacked and hacked in the first place.

PHP Re-Infectors: The Malware that Never Goes Away

 

Threat actors typically infect sites for monetary gain, to improve their SEO rankings for malware or spam campaigns, and for a variety of other objectives. If the malware is readily and swiftly removed, the attack's objective is defeated. Researchers discovered a modified index.php in the majority of cases of this form of infection. According to the researchers, it makes little difference if your site is not using WordPress; attackers will normally replace the index.php with an infected copy of the WordPress index.php file. 

The index.php file is a PHP file that serves as the entrance for any website or application. It is a template file that contains a variety of codes that will be given as PHP code. Because the system will be used by anyone with a simple HTML website, it will also be modified before delivery. 

It has also been observed that hundreds, if not thousands, of infected.htaccess files are dispersed throughout the website directories. This is intended to block custom PHP files or tools from executing on the site or to enable dangerous files to run if some mitigation is already in place. In rare cases, the attackers will leave a copy of the original index.php file entitled old-index.php or 1index.php on the server. In most situations, the infected files will have 444 permissions, and attempting to remove or clean those files directly is futile because the malware will immediately make a new infected duplicate. 

In rare situations, malware will be found in the memory of php-fpm. If index.php is still being recreated, run top to see if php-fpm is present. According to the researchers, you can try to delete OPCache, albeit this normally does not solve the problem. 

OPcache boosts PHP performance by keeping pre-compiled script bytecode in shared memory, eliminating the need for PHP to load and parse scripts on every request. As a result, malware can remain in OPcache after being removed from the site files or database. 

Though attackers are constantly seeking new ways to infect websites, there are several typical procedures that customers may take to reduce the number of infections. Put your website behind a firewall and change all admin passwords on a regular basis. This includes the admin dashboard, CPanel/FTP, ssh, and email; always keep all plugins, themes, and CMS up to date; and delete any unnecessary plugins or themes.

WordPress Sites Hacked in Fake Ransomware Attacks

 

A new wave of cyberattacks began late last week, hacking over 300 WordPress sites and displaying fraudulent encryption notifications in an attempt to mislead site owners into paying 0.1 bitcoin for recovery. 

These ransom requests include a countdown timer in order to create a feeling of urgency and perhaps terrify a web administrator into paying the ransom. While the 0.1 bitcoin ($6,069.23) ransom demand is little in contrast to what is seen in high-profile ransomware operations, it may still be a significant sum for many website owners. 

Sucuri, a cybersecurity firm hired by one of the victims to conduct incident response, identified these attacks. The researchers revealed that the websites had not been encrypted, but rather that the threat actors had altered an installed WordPress plugin to show a ransom message and countdown when the page was accessed. 

In addition to presenting a ransom note, the plugin would change the 'post status' of all WordPress blog entries to 'null,' leading them to become unpublished. As a result, the cyber actors developed a simple but strong illusion that gave the impression that the site had been encrypted. 

The site was restored to its usual state after deleting the plugin and running a command to republish the posts and pages. Sucuri discovered that the first place where the actor's IP address showed in the network traffic records was the wp-admin panel. This suggests that the infiltrators gained access to the site as administrators, either by brute-forcing the password or by obtaining stolen credentials from dark web markets. 

This was not an isolated attack, but rather part of a larger campaign, giving legitimacy to the second scenario. Sucuri discovered a plugin called Directorist, which is a tool for creating online company directory listings on websites. 

Sucuri has identified around 291 websites hit by this attack, with a Google search revealing a mix of cleaned-up and still-displaying ransom letters. All of the sites BleepingComputer found in search results utilise the same Bitcoin address, 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc, which has not received any ransom payments. 

Safeguarding against website encryptions

Sucuri recommends the following security procedures to keep WordPress sites safe from hackers: • Review the site's admin users, delete any fraudulent accounts, and update/change any wp-admin passwords. 
  • Protect the wp-admin administrator page. 
  • Modify the passwords for all other access points (database, FTP, cPanel, etc). 
  • Protect your website using a firewall. 
  • Adhere to dependable backup techniques that will make restoration simple in the event of a genuine encryption incident. 
Because WordPress is frequently targeted by threat actors, it is also critical to ensure that all of your installed plugins are up to date. 

BleepingComputer was notified about a recent fix for the Directorist plugin, which addressed an issue that enabled low-privilege users to run arbitrary code. While Sucuri's analysis does not identify the plugin as an infiltration point, the presence of this vulnerability makes sense in the context of the specific assault. 

This also implies that eradicating the virus and restoring the site would not prevent the attackers from striking again as long as the Directorist plugin is still in an older, vulnerable version.

1.2 Million users Affected by GoDaddy Data Breach

 

GoDaddy, the web hosting provider, has announced a data breach as well as warned that data on 1.2 million clients might be compromised. 

GoDaddy Inc. is a publicly listed American Internet domain registration and web hosting firm based in Tempe, Arizona, and incorporated in Delaware. GoDaddy has over 20 million clients and over 7,000 employees globally as of June 2020. 

Demetrius Comes, GoDaddy's chief information security officer, said in a statement with the Securities and Exchange Commission that the business discovered unauthorized access to its networks in which it hosts and administers its customers' WordPress servers. 

WordPress is a web-based content management system that millions of people use to create blogs and web pages. Users can host their WordPress installations on GoDaddy's servers. 

According to GoDaddy, an unauthorized user gained access to GoDaddy's systems around September 6th. GoDaddy stated that the breach was detected last week, on November 17. It is unclear whether the hacked password was secured using two-factor authentication. 

According to the complaint, the hack impacts 1.2 million current and inactive WordPress users, whose email accounts and customer numbers were disclosed. According to GoDaddy, this disclosure may put users at increased risk of phishing attacks. As per the web host, the initial WordPress admin password generated while WordPress had been installed, which could be used to manage a customer's WordPress server, had also been exposed. 

Active users' FTP credentials (for file transfers) as well as the login information for their WordPress accounts, that store all of the user's content, were compromised in the incident, according to the business. In certain situations, the user's SSL (HTTPS) private key was revealed, which might allow an attacker to mimic the customer's website or services if misused. 

According to GoDaddy, it has updated client WordPress passwords and private keys and is now in the process of providing new SSL certificates. Meanwhile, Dan Race, a GoDaddy spokeswoman, refused to respond, citing the company's ongoing investigation.

WordPress WP Fastest Cache Plugin Discovered With Multiple Vulnerabilities

 

WP Fastest Cache is among a handful of WordPress plugins meant to improve the performance of a website. It seeks to reduce the frequency of database queries necessary to render the website and related server load by producing and maintaining a static replica of the articles and webpages. 

JetPack security experts uncovered several vulnerabilities in the popular WordPress plugin WP Fastest Cache that might enable an attacker to fully exploit admin rights. Outcomes have an impact on over a million WordPress installations. 

There are several flaws that have been discovered by the researchers, two of the many are: 

  • Authentic MySQL Injection 

Using an authenticated MySQL injection login, users can gain access to administrator-level data in the system. A MySQL injection vulnerability is a cyberattack on a database server that stores website components such as credentials and usernames. An effective MySQL injection attack might result in a total website takeover. 

“If exploited, MySQL injection bugs can give attackers access to privileged information from the affected site’s database (such as username and hash password). This can only be exploited if the Classic Editor plugin is also installed and activated on the site,” stated The Jetpack Security Bulletin. 

XSS was stored through cross-site request forgery 

XSS (cross-site scripting) flaws are rather widespread and stem from flaws in website input correction. If somehow the user inserts something into the website, such as a contact form, and the data is not deleted, the user may be attacked by XSS. 

Sanitization entails limiting what may be submitted to a single intended input, such as text, rather than a script or command. A faulty input enables the attacker to insert malicious scripts, which might also subsequently be used to target administrators who visit the site and install malicious files into their browsers; appears as though they are loading or blocking their credentials. 

Whenever an intruder convinces a user, such as a login administrator, into accessing the site and executing different actions, it is referred to as a cross-site application forgery. 

Such vulnerabilities are difficult to exploit since they rely on the traditional editor plugin being loaded and the attacker having some type of user verification. However, these flaws are still significant, and JetPack advises that customers must update their WP Fastest Cache plugins to at least version 0.95, which was released on October 14, 2021. 

According to the jet pack: “If exploited, MySQL injection bug attackers can gain access to privileged information from the affected site’s database (such as username and hash password). Successful exploitation of the vulnerabilities of CSRF and Stored XSS can allow bad actors to login to the administrator on the targeted site.”

WordPress Sites Affected by Bugs in Gutenberg Template Library and Redux Framework

 

The Gutenberg Template Library & Redux Framework plugin for WordPress, which is deployed on over 1 million websites, has two vulnerabilities. According to the researchers, these might enable arbitrary plugin installation, post deletions, and access to potentially sensitive information about a site's configuration. Redux.io's plugin provides a variety of templates and building blocks for developing web pages in WordPress' Gutenberg editor. 

This plugin is a collection of WordPress Gutenberg blocks that allow publishers to quickly create websites using pre-built “blocks” while utilizing the Gutenberg interface. 

The first vulnerability (CVE-2021-38312) is rated as high-severity on the CVSS scale, with a score of 7.1 out of 10. It's caused by the plugin's use of the WordPress REST API, which handles requests to install and manage blocks. According to Wordfence, it fails to properly allow user permissions. 

The WordPress REST API allows apps to communicate with the user's WordPress site by sending and receiving data in JSON (JavaScript Object Notation) objects. It's the backbone of the WordPress Block Editor, and it may also help the user's theme, plugin, or custom app create new, more sophisticated interfaces for managing and publishing the user's site's content. 

“While the REST API Endpoints registered under the redux/v1/templates/ REST Route used a permission_callback to verify a user’s permissions, this call-back only checked whether or not the user sending the request had the edit_posts capability,” Wordfence researchers said in a Wednesday posting. Users with lower rights, such as contributors and authors, may utilize the redux/v1/templates/plugin-install endpoint to install any plugin from the WordPress repository, or the redux/v1/templates/delete_saved_block endpoint to delete posts, according to the researchers. 

The second vulnerability, a medium-severity flaw (CVE-2021-38314), has a CVSS score of 5.3. It exists because the Gutenberg Template Library & Redux Framework plugin registers numerous AJAX actions that are available to unauthenticated users, one of which is deterministic and predictable, allowing for the discovery of a site's $support_hash. 

“This $support_hash AJAX action, which was also available to unauthenticated users, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version, active plugins on the site and their versions, and an unsalted md5 hash of the site’s AUTH_KEY and SECURE_AUTH_KEY,” according to Wordfence. An attacker may use the information to plot a website takeover using other vulnerable plugins, according to the researchers.

WooCommerce Patched a Bug that Threatened Databases of Prominent Sites

 

According to researchers, a significant SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin has been exploited as a zero-day flaw. WooCommerce released an emergency remedy for the bug late on Wednesday as a result of the exploitation. Unauthenticated cyber attackers might use the flaw to steal a slew of data from an online store's database, including customer information, payment card information, and employee credentials. 

WooCommerce, a prominent open-source e-commerce platform for WordPress websites, is used by over 5 million websites worldwide. It enables online merchants to establish storefronts with a variety of customisable features, such as accepted payment kinds, shipping options, and sales tax calculations, among others. The WooCommerce Blocks feature, which is installed on over 200,000 sites, is the linked plugin affected by the flaw. It aids retailers in displaying their goods on websites. 

“Our investigation into this vulnerability and whether data has been compromised is ongoing,” Beau Lebens, head of engineering for WooCommerce, said in an advisory. “We will be sharing more information with site owners on how to investigate this security vulnerability on their site. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.” According to Wordfence experts, there is “extremely limited evidence of [exploitation] attempts and it is likely that such attempts were highly targeted.”

However, one user commented in the WooCommerce advisory's comments section that strange activity had been seen. “Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages,” the user said. “When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.” 

The issue affects WooCommerce plugin versions 3.3 to 5.5, as well as WooCommerce Blocks 2.5 to 5.5. According to Lebens, the company developed a patch remedy “for every impacted version (90+ releases) that was automatically sent to vulnerable stores.” However, because the automatic deployment isn't instantaneous, and users in the advisory's comments section were claiming that they hadn't received the upgrades as of Thursday afternoon, WooCommerce advised that "we're urging everyone to check and manually update if needed just in case."

800+ Million WordPress Users Records Leaked Online

 

On 16 April 2021, security researcher Jeremiah Fowler together with the Website Planet Research Team revealed a non-password secured database with less than one billion records. The leaked documents included WordPress account user names, display names, and emails. 

Over 800 million WordPress-linked records are leaked in this misconfigured cloud database. There are many internal documents leaked that should not be available to the general public in the monitoring and file logs. 

Multiple references to DreamHost were discovered upon further study. The well-known hosting company for over 1.5 million websites is also an easy way to install, the famous WordPress blog platform. DreamPress is Dream Host's Managed WordPress hosting, as per their website. It's a scalable solution that can administer WordPress websites for users. 

They uncovered 814 million records from the managed WordPress hosting company DreamPress, which appeared to be from 2018. 

Allegedly, there were administration and user data in the 86GB database, containing URLs for WordPress login, first and last names, email addresses, user names, roles, IP addresses of the Host, time stamps, and settings and security information. 

Fowler said that some of the disclosed data were associated with users using .gov and .edu email addresses. 

Nevertheless, within hours of receiving a timely notice by Dream Host from Fowler, the database was secured. 

However, the study stated the duration of exposure was not apparent, and users could be in danger of phishing. Threat actors that scan for unprotected databases such as this have also seized and ransomed the data contained within. 

Fowler also pointed out "actions," for example domain registers and renewals, in a database record.

“These could potentially give an estimated timeline of when the next payment was due and the bad guys could try to spoof an invoice or create a man-in-the-middle attack,” he argued. “Here, a cyber-criminal could manipulate the customer using social engineering techniques to provide billing or payment information to renew the hosting or domain registration.” 

This type of problem becomes increasingly widespread due to the complexity of modern cloud environments.

Blind SQL Injection Flaw in WP Statistics Affected 600K+ Sites

 

According to researchers from Wordfence Threat Intelligence, WP Statistics has a Time-Based Blind SQL Injection vulnerability which is a WordPress plugin with over 600,000 active downloads. VeronaLabs developed the plugin, which provides site owners with comprehensive website statistics.

An unauthenticated attacker may use the vulnerability to extract sensitive information from a WordPress website using the vulnerable plugin. The vulnerability has a CVSS score of 7.5 (high severity), and it affects plugin versions prior to 13.0.8. 

Accessing the WP Statistics "Pages" menu item, which produces a SQL query to provide statistics, allows site administrators to see comprehensive statistics about their site's traffic. Researchers discovered that even without admin rights, it was possible to access the WP Statistics "Pages." 

The analysis published by Wordfence states, “While the “Pages” page was intended for administrators only and would not display information to non-admin users, it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page.” 

“Since the SQL query ran in the constructor for the “Pages” page, this meant that any site visitor, even those without a login, could cause this SQL query to run. A malicious actor could then supply malicious values for the ID or type parameters.” 

As the SQL query did not use a prepared statement, an attacker could easily exploit the input parameter to circumvent the esc sql function and generate queries that could enable an attacker to extract sensitive data from the site, such as user addresses, password hashes, and encryption keys and salts. 

“In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored,” the post further read. 

The timeline for the vulnerability is as follows: 

March 13, 2021 – The Wordfence Threat Intelligence team finishes researching a vulnerability in the WP Statistics plugin and contacts VeronaLabs. VeronaLabs responds and Security Affairs provides full disclosure. 

March 15, 2021 – VeronaLabs replies with a fixed version for Security Affairs to test and they verify that it corrects the issue. 

March 25, 2021 – A patched version of the plugin, 13.0.8, is released.