Tony Perez

You will often find me in the shadows of the business focusing on operational effectiveness and cost inefficiencies. Catch my other rants on tonyonsecurity.com and follow at perezbox or tonyonsecurity

Apache Web Server Attacks Continue to Evolve

April 29, 2013 by Leave a Comment

For the past few months we have seen a gradual increase in server-level compromises. In fact, every week it seems we’re handling half a dozen or so and it continues to increase. It’s one of the reasons that I have started including this as a trend in my most recent Website Security presentations.

Just last week we talked about some very sneaky hacks that targeted the Apache binaries directly in the place of the modules, contrary to what we had been seeing. Fortunately, the more sophisticated attack are still far and few in between leaving us to deal with rogue modules more often than not.

Sucuri - Website Security Trends - Server Compromises

The purpose of this image is to provide a logical representation of the evolution of website attacks. While websites are still the number one distribution mechanism, attackers are making a big effort to improve their attacks by going after server level applications in the place of the website itself, and it’s application (i.e., Custom ASP/PHP, WordPress, Joomla, etc..). The beauty of this is that the attacks becomes platform agnostic, in terms of the platform the end-user is utilizing.

Read More

Filed Under: apache, hacked, Malware, malware cleanup Tagged With: , ,

LivingSocial Hacked — More Than 50 Million Accounts Compromised

April 26, 2013 by 4 Comments

Just as we were thinking we were going to avoid any major enterprise compromises this week, LivingSocial announces that it has been compromised and some 50 million accounts have been compromised. Based on the reports, it doesn’t seem that any financial data is at risk, but things like usernames and passwords are all fair game.

To put this into perspective, if you think back to last years major compromise, LinkedIn, that was only 6 million accounts. The data compromised here is about 8.5 times that size.

That’s pretty freaking big.

Read More

Filed Under: awareness, hacked Tagged With: ,

Joomla Version 2.5.10 Released – Security Updates

April 24, 2013 by Leave a Comment

This morning the Joomla development team released a new version of the Joomla platform. This is a Security release, so please be sure to update if you’re on the 2.x branch. If you’re on the 1.x branch the odds of updating seamlessly is highly unlikely so please do so only if you’re engaging a developer to assist you.

This release address 7 security issues, all of them appear to be low to moderate and revolve around Cross-Site Scripting (XSS), Denial of Service (DOS) and Privilege Escalation. It also contains another 38 bug fixes.

Security Fixes include:

If you can, please be sure to update, you can get your latest releases off the Joomla website here.

Filed Under: awareness, joomla, sucuri, updates Tagged With: , , ,

Update WP Super Cache and W3TC Immediately – Remote Code Execution Vulnerability Disclosed

April 23, 2013 by 47 Comments

Shame on us for not catching this a month ago when it was first reported, but it seems that two of the biggest caching plugins in WordPress have what we would classify a very serious vulnerability – remote code execution (RCE), a.k.a., arbitrary code execution:

…arbitrary code execution is used to describe an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process. – Wikipedia

It appears that a user by the name of kisscsaby first disclosed the issue a month ago via the WordPress forums. As of 5 days ago both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern however is the seriousness of the vulnerability and the shear volume of users between both plugins.

There are a few posts, released within the past few hours that do a great job of explaining what the issue was and what was being exploited. You can find some good after action thoughts on Frank Goosens’ blog and on Acunetix’s blog as well.

Why Such a Big Deal?


Read More

Filed Under: awareness, security, sucuri, vulnerability, WordPress Tagged With: , , , , ,

Cyber Criminals Take Advantage of Recent Boston Attack with SPAM

April 17, 2013 by 1 Comment

It pains me to write about this at all, but as despicable as this might appear, cyber criminals have started to take advantage of those that have been affected by the recent tragedy in Boston – which pretty much means everyone with a pulse.

Trend Micro is reporting -

Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013″ to name a few.

Sophos NakedSecurity is also reporting similar upticks –

Messages spammed out by attackers claim to contain a link to video footage of Monday’s terrorist activity in Boston, with subject lines such as “2 Explosions at Boston Marathon”…..If you make the mistake of clicking on the link, however, you are taken to a website which – while showing you genuine YouTube videos of the the horrific incident – attempts to infect your computer with a Windows Trojan horse that Sophos products detect as Troj/Tepfer-Q.

Unfortunately this is not just specific to emails, it appears that this is bleeding into all mediums, to include Facebook and Twitter. Aside from it being highly disturbing, all we can do is spread the word so that friends and families are not affected while emotionally distraught.

I plead with you that if you want to contribute and / or are interested in what is going on avoid clicking on social media and email links and go directly to known media outlets. Also, please don’t donate to random organizations, stick with known reputable organizations that you can verify.

Filed Under: awareness, Spam, sucuri Tagged With: , ,

WordPress Malicious Plugin – WPPPM – Abusing 404 Redirects with SEO Poisoning

April 13, 2013 by 12 Comments

Bruno Borges, of our security team, came across an interesting case this week, in which a WordPress plugin was abusing the 404 rewrite rules and redirecting all traffic to SPAM pages advertising a variety of things, the most common being:

FACTUAL STUDY: HYDROXYCITRIC ACID IN GARCINIA CAMBOGIA BURNS FAT.

The way it works is interesting, by default most would never realize they are even infected. The plugin is designed only to redirect incoming traffic that accidentally goes to a page that doesn’t exist. In most cases it would generates what we know as 404 pages, or state something like, Sorry this page doesn’t exist, etc… Well in this case, you’d be greeted with something like the following:

Read More

Filed Under: Malware, malware cleanup, plugins, Spam, sucuri, WordPress Tagged With: , , , , , ,

Brute Force Attacks and Their Consequences

April 12, 2013 by 14 Comments

There is a lot of interesting discussion going on at the moment across the interwebs on the intention of the latest string of Brute Force attacks, much of which I find very interesting. While I can’t repudiate what is being said, I can add my own insight into the anatomy post attack success.

How Are These Attacks Happening

First, let’s address the first, and most important piece of information, the how. What we know, based on the data we reported earlier is that a very large majority of the attacks are coming from local PC boxes. How do we know? We’re seeing the IP’s and their incoming signatures.

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia

What is the end-game?


Read More

Filed Under: awareness, sucuri Tagged With: , , ,

Protecting Against WordPress Brute-Force Attacks

April 11, 2013 by 34 Comments

It was not long ago that I was sitting on a call with other members of the WordPress community in which we were talking abou brute-force. When asked why WordPress core didn’t offer more out of the box features to address the issue, the response was it’s just not a relavent issue.

As interesting a response as that was, the latest trends seem to contradict that statement head on. It goes to show us that with the technological improvements things like latency and other network considerations are becoming less of a barrier to entry for attackers.

Web Based Brute Force Attacks Are Here

As if we really needed any tangible evidence of such a prominent issue, the first large-scale issue of such attacks first presented itself in October of 2012 when WordPress.com disclosed that some 50,000 sites were compromised using a similar attack:

Per their incident handling process they identified a brute force like attack which made use of a list of compromised email / password combinations derived from a third-party application[s].


Read More

Filed Under: awareness, cloudproxy, waf Tagged With: , , ,

WordPress Security Presentation by Tony Perez

April 4, 2013 by 1 Comment

Tomorrow I will be flying to my hometown (Miami) to give a Website Security presentation to a bunch of enthusiastic online professionals at an event called WordCamp. If you’re not familiar with these events, they are global events put together by the local populace to focus on a specific platform – WordPress. The event is called WordCamp Miami 2013, if you plan to be there definitely look me up.

I will be presenting at 1400 (EST), also known as 2:00 pm to most.

I will be volunteering at the Happiness Bar right after my talk at 1445 (EST), 2:45 pm.

If you’re interested, they are going to be live-streaming the event and you’re more than welcome to watch.

Filed Under: awareness, presentation, sucuri, WordPress Tagged With: , , , , ,

Drupal Core Vulnerability Released – Denial of Service – Advisory SA-CORE-2013-002

February 22, 2013 by 1 Comment

As if the week wasn’t exciting enough, Drupal has released a core vulnerability that leaves it susceptible to Denial of Service attacks.

Metadata for this vulnerability is:

Advisory ID: DRUPAL-SA-CORE-2013-002
Project: Drupal core
Version: 7.x
Date: 2013-February-20
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of service

Description of the vulnerability:

Drupal core’s Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load.

This vulnerability has been patched and it’s recommended that all Drupal sites upgrade to the latest version, 7.20.

I will say this about this announcement, I kind of wish other platforms would do something similar to disclose security issues to the public. Kudos Drupal security team for your approach to disclosure.

Filed Under: sucuri
«Older Posts