As with most years, there’s been a wide array of critical vulnerabilities found within content management systems, plugins, API keys, etc. We’ll be recapping our discoveries and how these vulnerabilities were exploited, or potentially could have been.
This past year, Adobe released several critical security patches for both their commercial and open source ecommerce platform. 16 issues were listed in the patch notes, but only ten vulnerabilities didn’t require any authentication to be exploited. These were classified as critical. In this article, we share the list of patches provided and provide details on each vulnerability.
An unpatched version of a plugin known as wp-user-avatar was found to have a vulnerability, known as a privilege escalation. This allows users to gain elevated access by exploiting a bug, and allows files to be uploaded. Specifically, this plugin allows users to create an admin account without any authentication, providing more site access. After the upload functionality was used, attackers proceeded to upload several backdoors.
Once our malware research team found the file uploaded to the site there was a fake plugin known as “Zend Fonts.” The malware created a database table that dumped the user agent and IP address of admin users. This is used to specifically prevent a malicious redirect from occurring for those same admin users. Only visitors are redirected to spam sites where they’re then prompted to install trojans or phished for sensitive information.
In recent months our team has come across a hacking technique that leverages the Telegram API to exfiltrate stolen data, and send it in a private message to a bot, under the attacker’s control. On a compromised WordPress site, malicious code was injected into wp-login.php and the attacker was able to capture login credentials each time a login action occurred. The attacker was able to avoid leaving really any evidence of exfiltration on the server, by using file_get_contents, allowing them to transmit stolen data virtually unnoticed.
In July, Woocommerce released a critical patch for an SQL Injection vulnerability that allowed attackers to access arbitrary data from an online store’s database. The team was able to provide proofs for time-based and boolean-based blind injections. A UNION attack may have also been possible with this critical vulnerability, which could’ve allowed an attacker to retrieve information a lot quicker than with a blind injection.
This affected versions 3.3 to 5.5 for the WooCommerce plugin, and WooCommerce Blocks 2.5 to 5.5 plugin. Luckily, this hack was avoided as Woocommerce found it before attackers did.
During the holidays a critical server security vulnerability was found within the Java logging library, Log4j. This was first discovered through the popular video game Minecraft, and is being found to affect most web servers running Apache along with the logging library Log4j. This critical vulnerability allows for arbitrary remote code execution (RCE) and full takeover of servers and endpoint computers.
This vulnerability affects versions 2.14.1 and lower, but the amount of applications that use Log4j extends way beyond an average website. To put this in perspective, even routers and other hardware devices may be affected by it. In this article we rewind back to the times of the ShellShock vulnerability back in 2014, and provide examples of how this current vulnerability is being exploited. Many new variants are still evolving as we speak, but the best measure people can take is updating any software using log4j to the most recent patched version. Also querying file systems for any modifications recently made, and rolling back servers to a safe snapshot before the compromise will be helpful.
The first step to take when encountering these kinds of critical vulnerabilities is to update all out-of-date software as soon as possible. In addition to making these updates, adding firewall protection provides virtual patching and hardening for sites. If you think you’ve been a victim of one of these vulnerabilities, please don’t hesitate to reach out and have our remediation team take a look and clean things up for you.
If there are any critical vulnerabilities we didn’t mention that you found interesting, feel free to let us know on social media, we’d love to take a look.