Game of Coins: The Uprise of Bitcoin Mining

Research by Daniel Cid. Authored by Dre Armeda.


One thing you can’t take away from some of the attackers we deal with every day is their creativity. From time to time we write about new trends we’re seeing, and this post is no different. We’re seeing a new tactic recently, and it may be affecting your pockets, even if you’re not into the latest trend of using digital currency.

Game of Coins

Digital currency you say?

I sure did! Bitcoin to be exact.


Joomla Version 2.5.10 Released – Security Updates

This morning the Joomla development team released a new version of the Joomla platform. This is a security release, so please be sure to update if you’re on the 2.x branch. If you’re on the 1.x branch, the odds of updating seamlessly are low, so please do so only if you’re engaging a developer to assist you.

This release addresses 7 security issues; all of them appear to be low to moderate in severity and revolve around Cross-Site Scripting (XSS), Denial of Service (DoS) and privilege escalation. It also contains another 38 bug fixes.

Security Fixes include:

If you can, please be sure to update; you can get the latest releases from the Joomla website here.

Update WP Super Cache and W3TC Immediately – Remote Code Execution Vulnerability Disclosed

Shame on us for not catching this a month ago when it was first reported, but it seems that two of the biggest caching plugins in WordPress have what we would classify as a very serious vulnerability – remote code execution (RCE), a.k.a. arbitrary code execution:

…arbitrary code execution is used to describe an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process. – Wikipedia

It appears that a user by the name of kisscsaby first disclosed the issue a month ago via the WordPress forums. As of 5 days ago, both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern, however, is the seriousness of the vulnerability and the sheer volume of users between both plugins.

There are a few posts, released within the past few hours, that do a great job of explaining what the issue was and what was being exploited. You can find some good after-action thoughts on Frank Goosens’ blog and on Acunetix’s blog as well.

Why Such a Big Deal?


Cyber Criminals Take Advantage of Recent Boston Attack with SPAM

It pains me to write about this at all, but as despicable as this might appear, cyber criminals have started to take advantage of those that have been affected by the recent tragedy in Boston – which pretty much means everyone with a pulse.

Trend Micro is reporting -

Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013″ to name a few.

Sophos NakedSecurity is also reporting similar upticks –

Messages spammed out by attackers claim to contain a link to video footage of Monday’s terrorist activity in Boston, with subject lines such as “2 Explosions at Boston Marathon”… If you make the mistake of clicking on the link, however, you are taken to a website which – while showing you genuine YouTube videos of the horrific incident – attempts to infect your computer with a Windows Trojan horse that Sophos products detect as Troj/Tepfer-Q.

Unfortunately this is not specific to email; it appears to be bleeding into all mediums, including Facebook and Twitter. Aside from it being highly disturbing, all we can do is spread the word so that friends and families are not affected while emotionally distraught.

I plead with you: if you want to contribute and/or are interested in what is going on, avoid clicking on social media and email links and go directly to known media outlets. Also, please don’t donate to random organizations; stick with known, reputable organizations that you can verify.

The WordPress Brute Force Attack Timeline

Authored by Daniel Cid, Tony Perez.

We have been blogging about the massive brute force attacks against WordPress websites over the past few days. Today we want to provide better context on the scale by sharing some more data on what we saw and continue to see.

In our previous report, we said that the number of scans detected almost tripled from the old averages, increasing from around 30,000 scans per day to around 100,000 per day in April.

However, the numbers are a lot larger than that. We compiled the averages per day again and on Thursday (April 11) the number of scans increased to more than 1,000,000, which is more than 30x the averages. This is the compilation per day:


WordPress Malicious Plugin – WPPPM – Abusing 404 Redirects with SEO Poisoning

Bruno Borges, of our security team, came across an interesting case this week, in which a WordPress plugin was abusing the 404 rewrite rules and redirecting all traffic to SPAM pages advertising a variety of things, the most common being:

FACTUAL STUDY: HYDROXYCITRIC ACID IN GARCINIA CAMBOGIA BURNS FAT.

The way it works is interesting: by default most would never realize they are even infected. The plugin is designed only to redirect incoming traffic that accidentally goes to a page that doesn’t exist. In most cases that would generate what we know as a 404 page, or state something like “Sorry, this page doesn’t exist”, etc. Well, in this case you’d be greeted with something like the following:


Brute Force Attacks and Their Consequences

There is a lot of interesting discussion going on at the moment across the interwebs on the intention of the latest string of brute force attacks, much of which I find very interesting. While I can’t refute what is being said, I can add my own insight into the anatomy of what happens after an attack succeeds.

How Are These Attacks Happening

First, let’s address the most important piece of information: the how. What we know, based on the data we reported earlier, is that a very large majority of the attacks are coming from local PC boxes. How do we know? We’re seeing the IPs and their incoming signatures.

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia

What is the end-game?


WordPress Security Presentation by Tony Perez

Tomorrow I will be flying to my hometown (Miami) to give a website security presentation to a bunch of enthusiastic online professionals at an event called WordCamp. If you’re not familiar with these events, they are global events put together by the local community to focus on a specific platform – WordPress. The event is called WordCamp Miami 2013; if you plan to be there, definitely look me up.

I will be presenting at 1400 (EST), also known as 2:00 pm to most.

I will be volunteering at the Happiness Bar right after my talk at 1445 (EST), 2:45 pm.

If you’re interested, they are going to be live-streaming the event and you’re more than welcome to watch.

Virtual Hardening with Sucuri CloudProxy

If you read our blog, you know that we are really open to providing insight into malware infections, remediation and hardening tips. The goal is to help educate website owners where and when we can. Unfortunately, that education only goes so far. We have learned that when it comes to hardening, no single environment is the same, and what you tell one person doesn’t necessarily apply to another.

Take into consideration three of the simple things we tell website owners that use the WordPress platform:

  • Restrict wp-admin access to only certain whitelisted IP addresses
  • Disable PHP execution inside the uploads directory
  • Disable direct PHP execution inside the whole wp-content directory whenever possible

Although effective for many of them, most are unable to apply these. Reasons include things like static versus dynamic IPs and a lack of understanding of secure tunnels and static IP proxies. Then you have the challenges of web servers: is it a Windows IIS web server, or an Apache web server? Is it something else? And what if the environment is a hybrid with varying elements, each with specific considerations?
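The three tips above, written out as Apache 2.4 .htaccess rules for a self-hosted WordPress install (an added example, not Sucuri’s code or CloudProxy’s rules). The IP addresses are constructed placeholders, the file paths are assumed, and the rules assume AllowOverride permits these directives; the wp-admin whitelist is exactly the part that a dynamic home IP breaks.

```apache
# --- wp-admin/.htaccess (assumed path): restrict the admin panel to whitelisted IPs ---
# 203.0.113.10 and 198.51.100.0/24 are constructed placeholders; use your own addresses.
# With RequireAny, a client matching none of the Require lines is denied.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>
# Themes and plugins call admin-ajax.php on behalf of anonymous visitors, so keep it
# reachable; without this exception the whitelist breaks front-end features for everyone.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- wp-content/uploads/.htaccess (assumed path): no PHP execution in the uploads directory ---
# Uploads should only ever be static files. Denying any PHP-like filename means a script
# dropped there through a vulnerable uploader is refused by Apache before PHP ever runs it.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>

# --- wp-content/.htaccess (assumed path): no direct PHP execution anywhere in wp-content ---
# This is the "whenever possible" tip: apply it only after testing, because some plugins
# and themes serve their own PHP files directly and stop working under this rule.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
```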

The same applies to the guidance we provide for other content management system (CMS) applications like Joomla, Magento, vBulletin, osCommerce and many others. The fact of the matter is that it’s hard to provide one solid solution that all website owners, regardless of platform, can use to harden their websites.

Hardening is HARD

The main issue with hardening is that not everyone is technical enough to follow or understand the guidance, especially when they see long posts like these: WordPress Security – Cutting Through The BS or WordPress and Server Hardening – Taking Security to Another Level. The reality is that every one of the configuration changes is one potential new headache for the website owner. What works for one doesn’t work for the other. Perhaps a host doesn’t allow a specific directive or disables specific functions. How do you account for that when talking to the masses?

Then you have to keep up with the growing threats. Is there a new attack vector? Is there a new hardening tip to address that vector? How do you know? How do you apply the hardening in time to avoid becoming vulnerable and exploited?

Enter Virtual Hardening

In our previous post, Virtual Patching for Websites with Sucuri CloudProxy, we talked about the concept of virtual patching: the idea that an unpatched website can still be protected (patched) by a web application firewall (our CloudProxy).

Fortunately, the benefits of our CloudProxy do not stop there. By default, every site under our CloudProxy is already hardened without any work. In our WordPress plugin we offer 1-click hardening; this is no-click hardening. You no longer need to run any security plugin or modify your configuration, since all the hardening is done “virtually” by our WAF.

You can automatically restrict access to your administration panel per IP address. All direct access to non-allowed directories is blocked. And all the steps we provide in our blogs are implemented there for all our users.

Go back a few months and look at the TimThumb mass compromise, where thousands of sites were hacked. Any site hardened the way we recommend would not have been hacked through it, even with the insecure TimThumb installed, and even without any type of virtual patching or custom WAF rule. Just the hardening alone.

That’s what virtual hardening offers, without any work for website owners.


If you have questions about virtual hardening, or the Sucuri CloudProxy service, email us at info@sucuri.net and we can get you setup.

Virtual Patching for Websites with Sucuri CloudProxy

All software has bugs, and some bugs can lead to security vulnerabilities. Vulnerabilities can be extremely dangerous when your software is running over the web, allowing anyone to reach and try to attack it. That’s why patching and keeping web applications updated is so important.

The reality is that there is no shortage of websites running outdated Joomla installs, or outdated WordPress, or name your favorite CMS. There are also plenty of websites running themes/templates with known vulnerabilities, or forgotten plugins that are being exploited in the wild. The #1 excuse for keeping these web applications outdated is that the website will break.

We often hear things like “My theme was heavily modified, so I can’t update it”, or “I am afraid it will break some functionality if I update this plugin”, or “I modified core files so now I am stuck”, or even “My web developer left us and nobody knows how this piece of code works”.
