More than one million WordPress sites attacked over the weekend of late May 2020

WordPress throughout its history has always found itself appearing in the news for its security vulnerabilities. The most recent vulnerability incident with WordPress is with a plugin call Page Builder by SiteOrigin.

Attackers mount a campaign over the weekend of 29 – 31 May against more than one million WordPress sites in an attempt to download wp-config.php, a file critical to all WordPress installations. This file contains sensitive information such as database credentials, connection information as well as unique authentication salt and keys. Therefore, anyone with access to the file could gain access to the database where the site content and users are stored.

To download that file, the attackers targeted cross-site scripting (XSS) vulnerabilities found in older plugins or themes that allow files to be downloaded or exported.

The attacks came from more than 20,000 IP addresses, which were also implicated in a previous attack that happened earlier in May 2020 used by the same threat actor.

The earlier attack targetted a different set of XSS vulnerabilities with the intention of having visitors redirected to malvertising sites. This set of vulnerabilities were found in plugins that have mostly been patched or plugins that have been removed from the WordPress plugin repository. Below is the list of plugins and their respective vulnerabilities that were popular with the attackers.

  • Easy2Map plugin — Removed from WordPress plugin repository due to XSS vulnerability
  • Blog Designer — XSS vulnerability that was patched in 2019
  • WP GDPR Compliance — Options update vulnerability that was patched in late 2018
  • Total Donations — Removed from Envato Marketplace permanently. It had a critical options update vulnerability.
  • Newspaper theme — XSS vulnerability that was patch in 2016.

The good news is that WordPress site owners who uses Wordfence are protected. According to Ram Gall at Wordfence, the Wordfence firewall blocked over 130 million attacks intended on harvesting database credentials.

How do you know if you were attacked?

The attack should be logged. You could look for any log entries that contain wp-config.php in the query string with the HTTP response code 200.

Below are the top 10 IP addresses used for this attack campaign.

  • 200.25.60.53
  • 51.255.79.47
  • 194.60.254.42
  • 31.131.251.113
  • 194.58.123.231
  • 107.170.19.251
  • 188.165.195.184
  • 151.80.22.75
  • 192.254.68.134
  • 93.190.140.8

What should you do next?

WordPress sites running Wordfence are protected from the attack. For the other users, you should change the database password and the unique authentication keys and salt immediately if you believe you are compromised.

The reason is simple.

WordPress servers that have been configured to allow remote database access could easily allow an attacker with the database credentials to add an administrative user, extract sensitive data or delete the site. Even if remote database access is not enabled, an attacker who knows the authentication keys and salts could bypass other security mechanisms that protect your site more easily.

And what if you are not comfortable making changes mentioned above?

Then you should contact your host or service provider since changing the database password without updating the wp-config.php file can render your site offline temporarily.

Last but not least, you should also update any plugins and themes. You may also want to consider changing the plugins or themes if these are no longer maintained by the original developers.


This article uses material from Wordfence.

Bugs in WordPress page builder plugin leave 1 million sites vulnerable to full takeover

Are you using WordPress? If you are and have installed SiteOrigin’s Page Builder plugin, your site could be vulnerable to full takeover by hackers.

To the uninitiated, Page Builder is a WordPress plugin created by SiteOrigin that is used to build websites using drag-and-drop functionality. It currently has a million active installations.

Researchers at Wordfence found two security bugs in the plugin that can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). These two bugs allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser.

The bugs have been assigned with a severity rating of 8.8 out of 10 by the researchers, but no CVEs have yet been assigned.

The details of the flaws

The two flaws can be used by attackers to redirect a site’s administrator, create a new administrative user account or inject a backdoor on a site. The details of the flaws could be found in the link provided above.

The first flaw affect the built-in live editor within the plugin.

For the plugin to show the modifications done in the live editor in real time, it registers the is_live_editor() function to check if a user is in the live editor. If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to “true” and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content. Then, the “live-editor-preview.php” rendering file updates the page preview with changes made in real time.

This is all good but the problem lies in the lack of nonce protection. It is a method that could be used to verify that an attempt to render content in the live editor came from a legitimate source.

According to the researchers, some of the available WordPress widgets, such as the ‘Custom HTML’ widget, could be used to inject malicious Javascript into a rendered live page.

The second flaw is also a CRSF to XSS issue and it lies with the action_builder_content function of the plugin.

The purpose of the function was to transmit submitted content as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor. Although the function did have a user permission check, there was no nonce protection to verify the request source, causing a CSRF flaw.

The researchers found that the “Text” widget could be used to inject malicious Javascript due to the ability to edit content in a “text” mode rather than a “visual” mode. With this, potentially malicious Javascript could be allowed to be sent unfiltered.

What should you do?

The flaws affect SiteOrigin’s Page Builder version 2.10.15 and below. In order to avoid full site takeover, admins should upgrade the plugin to version 2.10.16.

And it should be noted that an attacker needs to trick a site administrator into executing an action like click on a link or an attachment for the attack to succeed. Therefore, it is advisable not to click on any link or open any attachments that you are unsure of.

Official government COVID-19 apps comes with security threats

COVID-19 is one of the worst public health crisis ever faced by humans since the 1918 flu pandemic.

Governments around the world launched their own version of mobile apps to help their citizens track symptoms and virus infections. However, security researchers at ZeroFOX Alpha Team uncovered various privacy concerns and security vulnerabilities —including backdoors with these apps.

The Iranian government released an Android app called AC19 on the Iranian app store known as CafeBazaar. The app claimed that it can detect whether or not people are infected by the virus and was released by the Ministry of Health. It was to take advantage of the confusion and fear gripping many parts of Iran about COVID-19 to boost Tehran surveillance capabilities.

When Iranian users downloaded the app, they are prompted to verify their phone number despite the fact that the government has access to all phone numbers via its control of the country’s cell providers. Once users provided their phone number, they are prompted to give the app permission to send precise location data to the government servers.

In addition, there is a copycat app called CoronaApp created by threat actors that is available for direct download by Iranian citizens rather than via the Google Play Store. As a result, the app is not subjected to the normal vetting process that might protect these users from malicious intentions. However, many citizens in Iran cannot access the official Google Play store due to sanctions, so they are more likely to download the unvetted apps.

Once installed, the CoronaApp does request for permission to access the user’s location, camera, internet data and system information, and to write to external storage. It is this particular combination of permissions requested that demonstrates the developer intent to access sensitive user information.

Separately, the Colombian government released mobile app called CoronaApp-Colombia on Google Play store to help people track potential COVID-19 symptoms in March 2020. However, ZeroFOX researchers discovered that the app included vulnerabilities relating to how it communicates over HTTP, affecting the privacy of more than 100,000 users.

As of March 25, the app with version number 1.2.9 communicates insecurely with the API server throughout the app workflow. Specifically, it uses HTTP instead of HTTPS or other more secure protocol for server communications. By making these insecure server calls to relay users’ personal data, CoronApp-Columbia could put sensitive user health and personal information at risk of being compromised.

But there is a shred of good news. The Columbian CERT fixed the vulnerabilities three days later after ZeroFOX Alpha Team submitted the vulnerability, listed as CVE-2018-11504 on MITRE, to them on March 26.

Last but not least, the Italian government created region-specific apps for tracking coronavirus symptoms as the country is one of the places that the COVID-19 pandemic has hit the worst.

As a result of the greater number of government-sanctioned apps, users are less certain of which COVID-19 mobile apps are legitimate.

Threat actors are taking advantage of this confusion, and inconsistency in the apps releases and availability to launch malicious copycats that contains backdoors.

ZeroFox Alpha Team found 12 android application packages related to the attack campaign. 11 of these packages were found to use various methods of obfuscation.

The first app analysed by Alpha Team was discovered to use a signing certificate where the signer was “Raven” with a location in Baltimore, likely a reference to the Baltimore Ravens NFL team. Furthermore, every other app analysed by the team used these signing certificate and issuer details.

The backdoor is activated when the Android app receives a BOOT_COMPLETED event when the boots, or when the app is opened.

The researchers advised governments with COVID-19 related apps or those thinking about releasing new ones to ensure the consistency in where the apps can be downloaded as well as in their appearance to help avoid the spread of malicious doppelgängers. Exercising due diligence during the development process will help secure the app and avoid putting citizens at further privacy risks.

Are you using Zoom? Your personal data is being leaked and you could be vulnerable to being hacked

Zoom is dealing with one hot potato after one another. They recently got out of a situation where its iOS app was found to be sharing data with Facebook secretly by updating the iOS app.

Now, they are dealing with another problem due to how the software’s Company Directory feature works.

Zoom groups users who signed up using the same company email domain together to make searches and calls easier with colleagues. So when users signs up with their private email address to join Zoom, they have had thousands of strangers added to their contact list as they were perceived to be working under the same organisation. With this, you can get insight to all subscribed users of that provider, which include their full name, physical address, profile picture and status.

However, there is a little bit of good news. Users of standard email providers such as Gmail, Hotmail and Yahoo are not affected as Zoom blacklisted them. Furthermore, the company officially requires users to submit a request for their non-standard domains to be blacklisted.

But that is not the end of bad news for the company.

It is also found that Zoom also converts any URLs into hyperlinks. This could then be used maliciously where cybercriminals could send you a Universal Naming Convention (UNC) path instead of a web link.

UNC paths are typically used for networking and file sharing. An unsuspecting user could click on the link sent via Zoom, which will then make Windows try to connect to the remote host using Server Message Block (SMB) network file-sharing protocol. By default, Windows will send the user’s login name and their NTLM password hash to this host. The NTLM password hash could easily be cracked and put your computer at risk from hacking.

Billions of Wi-Fi devices are vulnerable to eavesdropping due to

At the RSA security conference, security researchers announced that there is a Wi-Fi vulnerability that affects billions of devices. This vulnerability allows nearby attackers to decrypt sensitive data that are sent over the air.

Eset, the security company that discovered vulnerability, named it Kr00k and it is tracked as CVE-2019-15126. Kr00k affects the Wi-Fi chips made by Cypress Semiconductor and Broadcom. FullMAC WLAN chips from both companies are especially affected according to Eset. These chips are used in billions of devices and some of the devices include the following:

  • iPhones
  • iPad
  • Apple Macs
  • Amazon Echos
  • Amazone Kindles
  • Android devices
  • Raspberry Pi 3
  • Wi-Fi routers from Asus and Huawei

Most of the affected devices have patches made available by manufacturers but it is not clear how many of them installed the patches. Routers have the biggest concern because they often go unpatched indefinitely.

How does the vulnerability work?

When a wireless device disassociate from a wireless access point, unsent data frames will be placed in a transmit buffer and then sent over the air. Kr00k exploits this weakness. If either the device or the wireless access point has the flaw, these data frames will be encrypted with a key consisting of all zeroes instead of the session key negotiated earlier by the wireless device and the wireless access point. The use of a key consisting of all zeroes to encrypt data is equivalent to having no key.

The following diagram from ArsTechnica shows what would happen when a device disassociate from a wireless access point if either one is vulnerable.

A disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable device or access point can easily trigger this vulnerability by sending disassociation frames since they are not authenticated. From there, hackers could then capture and decrypt the transmitted data. They could trigger multiple disassociation to improve their chance of obtaining useful data.

The following diagram from ArsTechnica shows how the attack would happen.

What are the devices affected?

Eset researchers identified a variety of mobile devices that are vulnerable, including:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6S
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S

In addition, the following routers are also vulnerable:

  • Asus RT-N12
  • Huawei B612S-25d
  • Huawei EchoLife HG8245H
  • Huawei E5577Cs-321

The researchers also tested Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink, and Mediatek and did not find any evident of them being vulnerable. However, since it was impossible to test all devices, it is possible that other devices using Cypress and Broadcom chips are affected.

For Apple, the vulnerabilities were patched in October 2019 as part of macOS Catalina 10.15.1, Security Update 2019-001 for macOS Mojave, Security Update 2019-006 for macOS High Sierra, iOS 13.2 and iPadOS 13.2 More information on the patches could be found here for macOS and here for iOS and iPadOS.

Amazon also state that Amazon Echo and Kindle devices listed in the security research have received automatic security update over the internet in a separate statement to ArsTechnica.

Emotet now hacks nearby Wi-Fi network to spread like a worm

Emotet has evolved multiple times since its initial discovery in 2014 by security researchers. Recently, a sample of Emotet malware was found to have gained the ability to spread itself through insecure Wi-Fi networks that are near an infected device.

Once the malware gains access to the Wi-Fi networks, it will then attempt to infect all the connected devices. It is a tactic that can dramatically escalate Emotet’s spread.

The Wi-Fi spreading binary was only discovered being delivered for the first time on 23 January 2020 by researchers but further analysis suggested that the executable file has a timestamp of 16 April 2018, which hints that the behaviour has been running unnoticed for almost two years.

This Wi-Fi spreading capability further raises the threat level of the already-prevalent Emotet.

Before this discovery, the malware was found to have gained new obfuscation and anti-virus detection capabilities in November 2019. These capabilities enable Emotet to better escape detection. Meanwhile, its authors have also changed their social engineering tactics to keep in line with current events, sending out malicious emails that claimed to be Edward Snowden’s new memoir or with Halloween-themed lures.

What is Emotet?

Emotet is a malware that begin life as a banking trojan in 2014. Its primary goal is to sneak into your computer in order to steal sensitive and private information.

It has gone through a few iterations. Early versions arrived as malicious Javascript files. Subsequently, it evolved to use macro-enabled documents that will retrieve the virus payload from command and control (C&C) servers run by the attackers.

A malware is mostly useless to the attackers if it is detected early or when security researchers can analyse it to determine how it works. In order to prevent that, Emotet comes with a few tricks up its sleeves.

Most notably, it knows if it is running inside a virtual machine (VM) and will lay dormant when that happens. This is because cybersecurity researchers use VMs to observe malware within a safe and controlled space. I

Emotet is also able to use Command and Control (C&C) servers to receive updates, much like the operating system (OS) updates on your PC and could happen seamlessly and without any outward signs. This way, attackers can install updated version of the malware or deliver and install additional malwares on the target. In addition, the C&C servers can also serve as a dumping ground for stolen information such as financial credentials, usernames and password, and email addresses.

How does Emotet spread?

Emotet spreads itself primarily through spam emails (malSpam). It will go through your contact lists and send itself to your friends, family, coworkers and clients. The emails look less like spam because they are coming from your hijacked account, which in turn make the recipients feel safe and more likely to click on the bad URLs in the emails and download infected files.

In order to increase the likelihood recipients click on the bad URLs or open the attachments, the emails may come with contents that contains familiar branding or tempting languages such as ‘Your invoice’ and ‘Payment Details’. In some cases, the content may be about an upcoming shipment from well-known delivery companies.

Furthermore, if there is a connected network present, Emotet attempts to spread through it and gained access to other connected system by using a list of common passwords and brute forcing its way.

For Emotet to spread via Wi-Fi, it first infects the initial system with a self-extracting RAR file containing two binaries (worm.exe and service.exe). Once the RAR file is extracted, worm.exe executes automatically.

The main purpose of worm.exe is to profile wireless networks. Then it would go through each Wi-Fi network to identify their SSID, signal, encryption and authentication methods. After which, the malware will begin to connect to each of the network by brute forcing the passwords.

Once the malware gains access into the network, it will make a request to its command and control (C2) server and establishes a connection to the Wi-Fi network. Next, it will attempt to brute-force the passwords for all users on the newly-infected network. If the brute force is successful and the malware gains access into the device, worm.exe will install the service.exe onto the device.

Finally, once service.exe is installed onto the infected device, it will communicate back to the C2 server and then begin dropping the embedded Emotet executable. The whole spreading and infection process will repeat again in an attempt to infect as many devices as possible.

How do you protect your devices from Emotet?

In order to prevent Emotet from using the Wi-Fi spreading capability and infect connected devices, it is recommended that wireless networks are secured using longer and more complex passwords.

Preventing infection by Emotet is only one part of the solution. Active monitoring of endpoints for new installation of services and subsequent investigation of suspicious services or processes running from temporary folders and application data folders within user profile is equally important. This way, Emotet and its associated malwares can be identify early and be eliminated before they cause any further damage to the rest of the systems.

Furthermore, computers and endpoints should be kept up-to-date with the latest software patches to eliminate as many vulnerabilities in the system as possible. This will prevent the other malwares associated with Emotet infection such as TrickBot from exploiting these said vulnerabilities.

Last but not least, it is important to be aware not to download or open any suspicious attachments or links respectively. This way, Emotet will not be able to gain any initial foothold in the system or network.

IoT and surveillance devices that use Xiongmai Tech firmware discovered to have zero-day backdoor mechanism

Russian security researcher Vladislav Yarmak discovered a backdoor mechanism integrated into DVR/NVR devices built on top of HiSilicon SoC. He published a full-disclosure report on Habr, a Russian IT and Computer Science blog.

The backdoor mechanism is implemented using a mix of exploits that take advantage of bugs discovered years ago, with some dating as early as March 2013.

HiSilicon, a fabless semiconductor Chinese company fully owned by Huawei, was inferred to be responsible for the backdoor mechanism. An earlier version of the HiSilicon firmware came with telnet access enabled using a static root password that can be easily recovered from the firmware image.

In 2017, Istvan Toth did a comprehensive and detailed analysis of the firmware and discovered multiple vulnerabilities with the firmware and the built-in webserver.

He also published a list of brands with the affected firmwares on this GitHub page: https://github.com/tothi/pwn-hisilicon-dvr#summary. From the list, there are hundreds of products across at least a dozen of brands.

Subsequent versions of the firmware had their telnet access and the debug port (9527/tcp) disabled by default. Another port, 9530/tcp, was opened instead to receive a special command to start the telnet daemon and enable shell access with the same static password. This was intentionally baked into the firmware.

Huawei published an official media statement stating that they are not responsible for the discovered vulnerabilities. In addition, they said that they and their affiliates, including HiSilicon have long committed that they will not and have not install backdoors nor will they allow their vendors to do the same.

It was later determined by other security researchers that only devices using Xiongmai firmwares are affected by the vulnerabilities.

Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) is a Chinese technology company founded in 2009 that develops IoT and surveillance devices such as DVR, NVR and IP Cameras.

Given that the vulnerabilities remained unpatched and the company is not responding to the disclosure, it is advised that devices using Xiongmai software are replaced. If the replacement of these devices is not possible, then it is best to restrict network access to these devices to only trusted users. Ports involved in this vulnerability are 23/tcp, 9530/tcp and 9527/tcp, and they should be blocked from external access.

What is the difference between Authentication and Authorisation?

If you have been working as a member of the tech community (System Administrator, Software Engineer, etc.), you might have heard of the terms Authentication and Authorisation. Even though they are often used together when the security of a computer system or application is involved, they are two completely different security processes.

What is Authentication?

Authentication in the security context refers to the act or process that validates if a user of a software, computer or system is who they claim to be. The most common way to do this via the use of a password. If the user enters the correct password, the system assumes the identity is valid and allows access.

The use of password-based authentication is also known as single-factor authentication.

However, it is no longer sufficient to rely on password alone to validate a user’s identity in recent times. Improvements in computer performance have led to the reduction in the time needed to brute force a password (or in layman terms, trying out every combination of letters, numbers and symbols) and gain access into a system. Furthermore, it is human nature to use something short and/or familiar such as birthdays, social security numbers, national identity numbers and names as passwords.

In order to increase the level of security of a system, multi-factor authentication is becoming a norm and highly recommended for systems that process sensitive information.

Two-factor authentication is one of the more common multi-factor authentication scheme employed by companies such as Apple, Google and Microsoft. Under this scheme, the following two factors are commonly used for authentication:

  1. Something that you know (e.g. password)
  2. Something you own (e.g. smart card, smart phone)

This is based on the premise that even if some malicious actors manage to get a hold of a password to a system, they remain unable to log into a system because they do not have access to a registered hardware such as a smart card, security token or smart phone to further prove they are a valid user.

What is Authorisation?

Authorisation takes place after the user has verified their identity. It refers to the act or process that verifies if the authenticated user has the rights or permission to access or use a particular resource. In this context, a resource can refer to a file, a folder, a particular room within a building or an area.

The most common implementation of authorisation is role-based access control (RBAC). It is based on the premise that different users have different roles to play in a given organisation. Their roles ultimately determine the type of information they can access and the amount of responsibility they have.

However, RBAC may not be fine-grain enough to control access to specific resources—a role typically comes with a set of permissions. This is where attribute-based access control (ABAC) comes into the picture. In addition to using the roles and groups a user belongs in to determine the access, additional attributes such as a user’s citizenship, the action performed or the time at which the access is requested can be used to control access.

Conclusion

Both authentication and authorisation are fundamentals of system/information security. Without them or when they are implemented poorly, malicious actors could gain access to the system and extract sensitive information such as personal information and company secrets easily. Then, these actors could use what they acquired to mount further attacks that could include identity fraud or helping the competitors of a business to gain an edge. Even if the attacks do not come from outside the organisation, employees within could accidentally or intentionally access or change information that they are not permitted to.