Top 10 Sucuri Research Articles in 2019

Sucuri Research 2019 Roundup

As we settle into 2020, it’s a good time to look back at what was learned in the previous year. After all, the past provides valuable lessons for the future.

With that thought in mind, we asked our researchers to choose their favorite blog posts from 2019. If your New Year’s resolution for 2020 is to beef up your cybersecurity, these articles can get you up to speed.

1. How to Know If You Are Under a DDoS Attack

By 2019, it’s likely most internet users are familiar with Distributed Denial of Service (DDoS) attacks. These attacks involve sending fake traffic to overload a resource. Anything connected to the internet is a potential target. In fact, anything connected to the internet is also a potential weapon.

But DDoS traffic may be difficult to distinguish from legitimate traffic. Because bad actors keep finding new ways to generate fake traffic, knowing the signs and symptoms of a DDoS attack is becoming more important.

2. SQL Injection in Magento Core

In March 2019, Magento released a security update that fixed several vulnerabilities. A notable patch in the update prevented SQL injections. These attacks do not need any form of privilege or authentication.

We recommended users install the security update. For users who cannot apply the update, we recommend a web application firewall (WAF) for virtual patching.

Magento 1 will also reach end-of-life in June 2020. As a result, it is important for legacy Magento users to take action to protect their customers.

3. Fake Instagram Verification

A verified check is a coveted symbol on social media. Displaying a checkmark by your username gives a degree of credibility and clout. To get one, users must meet a list of requirements and verification from the platform.

But bad actors are also aware of the strong desire for that digital badge of honor, and phishing sites are masquerading as Instagram verification submission pages. As a result, it’s important for any social media manager to boost their security IQ and learn to identify these phishing campaigns.

4. Vulnerable Versions of Adminer as a Universal Infection Vector

In November, our team discovered a new wave of infections impacting WordPress and Magento websites. Hackers were injecting scripts into files and database tables. While this strategy was nothing new, specific patterns piqued our team’s interest.

In particular, these attacks injected code into every JavaScript file on an infected site. A typical WordPress site has hundreds of JavaScript files. This makes manual cleanup a daunting task. On one day, our team removed this malware from more than 50,000 infected JavaScript files.

5. Magento Killer

Usually, October is the time we start thinking of boogeymen. But Magento users had their Halloween scare back in July with a malicious PHP script called “Magento Killer.”

The script allowed an attacker to change data in the core_config_data table of a Magento database. It could then be used to redirect payments and confidential information. It’s just another reason that Magento security should be top of mind in 2020.
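A defender’s check for the behaviour described above, added here as an example and not code from the original post or from Sucuri: audit the `core_config_data` table for payment or design settings that point at hosts or payees you do not recognise. It uses an in-memory SQLite copy of the Magento 1 table layout with constructed rows; the hostnames, addresses and allowlists are placeholders.

```python
import re
import sqlite3

# Constructed rows in the Magento 1 core_config_data layout
# (config_id, scope, scope_id, path, value). Values are placeholders.
SAMPLE_ROWS = [
    ("default", 0, "web/unsecure/base_url", "https://shop.example/"),
    ("default", 0, "payment/checkmo/active", "1"),
    ("default", 0, "payment/paypal_express/business", "payments@shop.example"),
    ("default", 0, "payment/paypal_standard/business", "attacker@mail.invalid"),
    ("default", 0, "design/head/includes",
     '<script src="https://cdn.shop.example/ga.js"></script>'),
    ("default", 0, "design/footer/absolute_footer",
     '<script src="https://evil.invalid/x.js"></script>'),
]

# Assumed allowlists: the hosts and payee accounts the shop actually uses.
TRUSTED_HOSTS = {"shop.example", "cdn.shop.example"}
TRUSTED_PAYEES = {"payments@shop.example"}

URL_HOST_RE = re.compile(r"https?://([^\s/\"']+)")


def load_sample_db():
    """Build an in-memory core_config_data table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, "
        "scope TEXT, scope_id INTEGER, path TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO core_config_data (scope, scope_id, path, value) "
        "VALUES (?, ?, ?, ?)", SAMPLE_ROWS,
    )
    return conn


def audit_config(conn):
    """Return (path, value) rows that reference an untrusted host or payee."""
    findings = []
    cur = conn.execute(
        "SELECT path, value FROM core_config_data WHERE path LIKE 'payment/%' "
        "OR path LIKE 'design/%' OR path LIKE 'web/%'"
    )
    for path, value in cur:
        hosts = URL_HOST_RE.findall(value)
        if any(h not in TRUSTED_HOSTS for h in hosts):
            findings.append((path, value))      # script or URL from elsewhere
        elif path.startswith("payment/") and "@" in value and value not in TRUSTED_PAYEES:
            findings.append((path, value))      # payments redirected to a stranger
    return findings
```

Run the same query against a dump taken before the incident to see exactly which rows changed.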

6. PHP Backdoor Evaluates XOR Encrypted Requests

Attackers can hide malware behind PHP’s XOR bitwise operator: encoding the malicious source code with XOR makes it harder to detect.

XOR leaves open three common avenues for installing malware and backdoors. But XOR is symmetric, so anyone who knows the pre-shared secret key can both decrypt and encrypt with it.
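The symmetry works in the analyst’s favour too. The example below is added here and is not code from the original post: one function both encodes and decodes, so a request body captured from a backdoor can be read once the key is pulled from the backdoor’s source, and because ciphertext XOR plaintext gives the key, a known plaintext prefix such as `<?php` recovers the key even without the source. The key and captured request are constructed.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    call 'encrypts' and 'decrypts'; there is no separate decryption routine."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_request(captured: bytes, key: bytes) -> bytes:
    """Read a captured request body using the key found in the backdoor."""
    return xor_bytes(captured, key)


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating key of key_len bytes from a known plaintext prefix.
    ciphertext[i] = plaintext[i] ^ key[i % key_len], so XOR-ing the first
    key_len bytes of each gives the key."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))


# Constructed sample: a harmless PHP snippet encoded with a constructed key,
# standing in for a request body captured in web server or WAF logs.
SECRET_KEY = b"s3cr3t"
CAPTURED_PLAINTEXT = b"<?php echo 'ping'; ?>"
CAPTURED_REQUEST = xor_bytes(CAPTURED_PLAINTEXT, SECRET_KEY)

if __name__ == "__main__":
    print(decode_request(CAPTURED_REQUEST, SECRET_KEY))
    # With only the guess that the payload starts with "<?php echo":
    print(recover_key(CAPTURED_REQUEST, b"<?php echo", len(SECRET_KEY)))
```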

7. From .tk Redirects to PushKa Browser Notification Scam

We’ve been tracking a long-lasting campaign injecting malicious scripts into WordPress sites. This campaign leverages old vulnerabilities in a variety of outdated themes and plugins. But, it also adds new vulnerabilities, as well as some zero-days.

The attack often redirects visitors to various scam sites. In our findings, bad actors often used disposable .tk domains in their redirect chains. But in spring 2019, we noticed the addition of a new monetization channel, PushKa. It sometimes replaced the .tk redirects — and sometimes used a .tk redirect and push notifications at the same time.

8. An Indirect Way to Change cPanel Passwords

The “forgot your password?” feature has helped many users recover their accounts. But the trade-off is that it can also help bad actors gain access. Hackers can exploit bugs in the feature to get further access to a compromised website.

One of our analysts discovered malware that targeted a password-changing bug in cPanel. Once attackers had gained access to a compromised environment, they could create an SSH or FTP user. Even after the website was cleaned and the password reset, they could use that new SSH or FTP user to reinfect the website.

9. Korean Gambling and Call Girl Spam on Hacked and Non-hacked Sites

One attack in 2019 only targeted one country, but affected site owners around the world. It began with a pretty regular sample of an infected WordPress index.php file. The campaign redirected only visitors from Korean search engines with Korean as their default browser language.

As we dug deeper, we found nicely formatted code for a web spam doorway generator. It could fetch spammy content from a third-party server, cache it on the compromised server, and serve different versions of web pages to search engine bots and human visitors.

10. Magento Skimmers: From Atob to Alibaba

It may feel like we’re picking on Magento here, but 2019 saw the continuation of a massive Magento malware campaign. In 2018, we first detected a malware campaign that injected credit card stealing code.

What was new in 2019 was that the obfuscated code pretended to be Google Analytics code. It looked quite similar, except for some extra base64-encoded values along with short instructions to decode them (atob). Given the profit potential bad actors see in credit card skimmers, this attack will likely evolve again in 2020.
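A quick triage step for the pattern described above, added here as an example and not code from the original post: pull every base64 literal passed to `atob()` out of a JavaScript file, decode it, and flag decoded strings that name form fields or an outbound URL, since those are what a skimmer needs. The sample script is constructed to mimic the analytics-lookalike shape; the hostname is a placeholder.

```python
import base64
import re


def _b64(s: str) -> str:
    """Helper used only to build the constructed sample without hand-typed base64."""
    return base64.b64encode(s.encode()).decode()


# Constructed JavaScript: analytics-looking boilerplate with atob() literals.
SAMPLE_JS = (
    "var ga = ga || [];\n"
    f"var f = atob('{_b64('document.forms')}');\n"
    f"var u = atob(\"{_b64('https://collect.example.invalid/c')}\");\n"
    "ga.push(['_setAccount', 'UA-000000-0']);\n"
)

# atob( 'literal' ) or atob( "literal" ); the backreference matches the quote style.
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")


def extract_atob_literals(js: str):
    """Return (encoded, decoded) pairs for each base64 literal passed to atob()."""
    out = []
    for _, enc in ATOB_RE.findall(js):
        try:
            dec = base64.b64decode(enc, validate=True).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError
            dec = None
        out.append((enc, dec))
    return out


def suspicious_decoded(js: str):
    """Decoded strings that touch form data or point at a URL: the two
    ingredients of a client-side skimmer hidden behind atob()."""
    flags = []
    for _, dec in extract_atob_literals(js):
        if dec and (re.search(r"document\.forms|\binput\b", dec) or dec.startswith("http")):
            flags.append(dec)
    return flags
```

Run it over every script Magento serves on the checkout page, including ones stored in the database rather than on disk.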

Staying Informed in 2020

While these blog posts cover our research team’s top findings for 2019, new threats are always emerging. Keeping up to date with the latest cybersecurity news is the best way to protect yourself online. Our research team makes it easy to stay informed with new content on our blog every week. Sign up to receive our blog content in your email.
