A Walk Through a Year of Website Security: Part II

Part I of our 2021 Security Walkthrough shows the initial 5 posts of our top 10.

6 – Vulnerable Plugin Exploited in Spam Redirect Campaign

Our malware research team learned of a vulnerability in old, unpatched versions of the wp-user-avatar plugin. The vulnerability is a privilege escalation, which allows a user to gain elevated access by exploiting a bug, and it can also allow files to be uploaded.

In the case of this plugin, the vulnerability allows an attacker to create an admin account without any authentication, which provides more access to the website. The attackers then used the upload functionality to upload multiple backdoors.

Furthermore, we found the file uploaded to sites was a fake plugin called “Zend Fonts,” which included a function for hiding it from view in wp-admin. The malware also creates a database table that dumps the user agent and IP address of admin users, which it then uses to prevent a malicious redirect from occurring for those same admin users. The redirect only sends visitors to spam sites, where they’re prompted to install trojans or are phished for sensitive information.

7 – Examining Unique Magento Backdoors

This post dives into a compromised Magento environment and discovers several backdoors. Often these backdoors can originate from file upload vulnerabilities that lead to remote code execution capabilities. Eventually, this can lead to an attacker obtaining database connection details, via the site’s configuration file. Once this information is obtained, the attacker can add further injections into the database, capturing credit card numbers and administrator credentials.

By implementing multiple backdoors, an attacker can also prevent attempts to search for an infection. The functions discussed vary, but they all share the same priority: avoiding detection for as long as possible.

8 – Stylish Magento Card Stealer loads Without Script Tags

When it comes to e-commerce websites, stealing credit card information can be a very common type of hack. Some may refer to this kind of malware as a “CC Skimmer.”

Usually, attackers will need to start and end an injection with script tags to load JavaScript in a visitor’s browser, but in this instance we found nothing malicious when sending a query to the database with the <script string. Once we loaded an item in the cart and went to the checkout page, we noticed what we (at first glance) believed to be JavaScript loading from a blocklisted domain, despite it not being in the source code. It turned out this was actually an obfuscated payload. In this article, we take apart this obfuscation to inspect it further.

Ultimately, this malware took the clever approach of using CSS styles and an event handler. This allowed the attacker to avoid the <script tags a JavaScript injection usually needs.
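Because a search for the <script string returns nothing in a case like this, stored content also has to be checked for inline event handlers. The following is an added example, not code from the original article: it parses stored HTML values and reports every on* attribute, whatever tag carries it. The row ids, the sample values and the handler name are constructed for illustration and are not the payload from the investigation.

```python
from html.parser import HTMLParser


class HandlerFinder(HTMLParser):
    """Collects (tag, attribute, value) for every inline on* event handler."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        for name, value in attrs:
            if name.startswith("on") and name[2:].isalpha():
                self.hits.append((tag, name, value or ""))


def find_inline_handlers(rows):
    """rows: iterable of (row_id, html_value) pulled from the database."""
    findings = []
    for row_id, value in rows:
        parser = HandlerFinder()
        parser.feed(value)
        parser.close()
        for tag, attr, code in parser.hits:
            findings.append({
                "row": row_id,
                "tag": tag,
                "attr": attr,
                "code": code,
                # True when a plain "<script" search would also have found the row.
                "has_script_tag": "<script" in value.lower(),
            })
    return findings


# Constructed sample rows: only the second one carries an event handler.
SAMPLE_ROWS = [
    ("config-row-1", "<p>&copy; Example Store</p>"),
    ("config-row-2", '<style onload="checkoutInit(this)">.x{color:#333}</style>'),
    ("config-row-3", '<img src="/media/banner.png" alt="Sale">'),
]

if __name__ == "__main__":
    for finding in find_inline_handlers(SAMPLE_ROWS):
        print(finding)
```

Legitimate themes also use inline handlers, so the output is a review list rather than a verdict.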

9 – WPScan Intro: How to Install the WordPress Vulnerability Scanner

This article follows up on our previous one, which goes over the capabilities and features of WPScan and why we recommend it as a useful addition to your security toolkit. Since it’s primarily free to use (depending on how many sites it’s needed for), we guide you through how to properly install and update it. We also provide instructions on how to use the API.

10 – Fake Ransomware Infection Spooks Website Owners

We’ve recently discovered defacements to a number of sites where the malware impersonates a ransomware attack. The files are reported to be “encrypted,” and the attacker demands a ransom payment of 0.1 bitcoin, which is currently around several thousand USD (considering volatility). Since ransomware has grown exponentially these past years, any business would naturally be in immediate panic mode here.

Upon further inspection, we found the files weren’t actually encrypted at all. By searching the file structure for the Bitcoin account number given, we were able to determine that this “ransomware” was actually generated by a phony plugin. What we found within the plugin file was just simple HTML to generate the ransomware message, and basic PHP to create a sense of urgency with a countdown clock.

Cleanup was as easy as removing the plugin from the wp-content/plugins directory, but all pages and posts then resulted in 404 Not Found responses. This was due to a general SQL command that finds all posts and pages with the “publish” status and changes them to “null” instead, which we were able to revert.

Eventually we were able to determine the source of this infection by checking access logs, and found a foreign IP interacting with the directorist plugin, using the plugin editor feature for wp-admin. This indicated a legitimate plugin was installed, but later tampered with by the attackers. We also found the initial request from the attacker’s IP was from the wp-admin panel, meaning the attacker had already gained administrator access either by brute force or by acquiring compromised login credentials off the black market.
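The access-log check described above can be scripted. The following is an added example, not code from the original article: it assumes logs in the common/combined format and that the plugin editor is served from /wp-admin/plugin-editor.php with the edited file in the file query parameter. The log lines, IP addresses (documentation ranges), timestamps and the example.php file name are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; not taken from the investigation.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2021:09:01:11 +0000] "GET /blog/ HTTP/1.1" 200 5120
203.0.113.45 - - [10/Nov/2021:09:14:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9021
203.0.113.45 - - [10/Nov/2021:09:14:40 +0000] "GET /wp-admin/plugin-editor.php?file=directorist%2Fexample.php HTTP/1.1" 200 30412
203.0.113.45 - - [10/Nov/2021:09:15:27 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 112
198.51.100.7 - - [10/Nov/2021:09:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2400
"""


def plugin_editor_activity(log_text):
    """Map each IP that used the plugin editor to its first request and edited files."""
    first_seen = {}  # ip -> path of that IP's first request in the log
    edits = {}       # ip -> plugin files opened in the editor
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, url = m["ip"], urlsplit(m["url"])
        first_seen.setdefault(ip, url.path)
        if url.path.endswith("/wp-admin/plugin-editor.php"):
            files = parse_qs(url.query).get("file", ["(no file parameter)"])
            edits.setdefault(ip, []).extend(files)
    return {
        ip: {"first_request": first_seen[ip], "files": files}
        for ip, files in edits.items()
    }


if __name__ == "__main__":
    for ip, info in plugin_editor_activity(SAMPLE_LOG).items():
        print(ip, info)
```

An IP whose first logged request is already inside /wp-admin/, with no preceding login attempts, matches the pattern described above of an attacker arriving with working administrator credentials.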

In Conclusion

Overall, this year has provided us with an array of clever infections, handy tools, and questionable security practices. We continue to remain adamant in finding and resolving new vulnerabilities and exploits so we can adapt our products as they arise. 

Most of these articles will list our recommendations on how to protect sites against attacks using standard security practices like updating outdated software, reviewing logs, updating passwords, and revising account privileges. 

In addition to these practices, we always recommend using a scanner (like our free Sucuri WordPress plugin), storing backups, and deploying a firewall. If you’re experiencing an infection, please don’t hesitate to reach out. Our remediation team is here to help.

Read our first 5 website security lessons for the year in Part 1 of this post.

 
