BIND9 – Denial of Service Exploit in the Wild

Bind9 DNS Vulnerability

BIND is one of the most popular DNS servers in the world. It comes bundled with almost every cPanel, VPS and dedicated server installation and is used by most DNS providers.

A week ago, the Internet Systems Consortium (ISC) team released a patch for a serious denial of service vulnerability (CVE-2015-5477) that allows a remote and unauthenticated attacker to crash the BIND (named) daemon, taking down a DNS server.

This happens because of an error in the way BIND handles TKEY queries: a single UDP packet can trigger a REQUIRE assertion failure, causing the DNS daemon (named) to exit.

Exploits in the Wild

Because of its severity, we’ve been actively monitoring to see when the exploit would go live. We can confirm that the attacks have begun. DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go down also means your email, HTTP and all other services will be unavailable.

Read More

Introducing Free Global Website Performance Tool

We are happy to launch a new free tool (aka Global Website Performance Tester) that allows anyone to quickly check how fast a website is loading from across the globe.

We extract three key metrics that are critical to the performance of any website: connection time, time to first byte (TTFB) and total load time:

  • Connection time: It measures how long it takes for the TCP session to be established to your website. If you are a networking geek, it measures how long it takes for the 3-way handshake to be completed.
  • Time To First Byte (TTFB): This is one of the most important numbers to pay attention to, as it tells you how long it takes for the first byte to be received by the browser. This metric is important because as soon as the browser receives the first few bytes, it can start to load the page and display content to the end user.
  • Total Load Time: This shows how long it takes for the full page to be loaded.

To give us the visibility we need for these tests, we set up 13 globally distributed testing stations:

  • 4 in USA (New York, Atlanta, Dallas and Los Angeles)
  • 1 in Canada (Montreal)
  • 4 in Europe (Germany, UK, France and Netherlands)
  • 2 in Asia (Japan and Singapore)
  • 1 in South America (Brazil)
  • 1 in Australia

And we run all our tests from all of them. To get started, you can test your website’s performance here:
Read More

Magento Shoplift (SUPEE-5344) Exploits in the Wild

As warned a few days ago, the Magento Shoplift (SUPEE-5344) vulnerability details have been disclosed by the CheckPoint team. They show step by step how it can be exploited to take over a vulnerable Magento site.

They have prepared the following video showing a Proof of Concept (PoC) in which they create a fake coupon:

That’s a simple example. This vulnerability can be exploited in much more devastating ways.

Magento ShopLift in the Wild

As expected, it is now actively being exploited.

In less than 24 hours since the disclosure, we have started to see attacks via our WAF logs trying to exploit this vulnerability. It seems to be coming from a specific crime group, since they all look the same:

Read More

Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

Multiple WordPress plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.

The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.

To date, this is the list of affected plugins:

There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out-of-date plugins now.

Read More

Critical Magento Shoplift Vulnerability (SUPEE-5344) – Patch Immediately!


The Magento team released a critical security patch (SUPEE-5344) to address a remote command execution (RCE) vulnerability back in February. It’s been more than two months since the release and still more than 50% of all the Magento installations have not been patched, leaving them open to attacks.

This means hundreds of thousands of websites are vulnerable right now, and worse yet, they are ecommerce websites. These websites are used to sell goods online, and in the process they capture personally identifiable information (PII) including credit card details. The impact of Magento websites getting compromised can be devastating for every online buyer that uses, or has used, a website built on the platform.

Read More

FBI Public Service Announcement: Defacements Exploiting WordPress Vulnerabilities


The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities:

Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.

Read More

Intro to E-Commerce and PCI Compliance – Part I


Have you ever heard of the term PCI? Specifically, PCI compliance? If you have an ecommerce website you probably have already heard about it, but do you really understand what it means for you and your online business? In this series we will try to explain the PCI standard and how it affects you and your website.

We will focus mostly on small and medium sized ecommerce businesses, which is the category that most of our clients fall into.

  • Part I – Introduction to E-Commerce and PCI Compliance
  • Part II – PCI and E-Commerce cloud-based SMBs (coming soon)
  • Part III – PCI and your WordPress-based ecommerce (coming soon)
  • Part IV – PCI requirements in detail for cloud-based servers – Open source can help

Read More

Understanding WordPress Plugin Vulnerabilities

The last 7 days have been very busy, with a number of vulnerabilities disclosed in multiple WordPress plugins. Some of them are minor issues, some are more relevant, while others are what we’d categorize as noise. How are you supposed to make sense of all this?

To help provide some clarity on the influx of data, we want to provide some insights to help you, the website owner, navigate and understand these vulnerabilities. We will provide a summary and an explanation of the ones that matter and the ones that do not.

Read More

Vulnerability Disclosures – A Note To Developers

This post is entirely for developers. Feel free to read, but approach it with that in mind.

There is no such thing as bug-free code. We all make mistakes and every piece of software will have issues that we did not anticipate. We ourselves find weaknesses in our code and have to work extra hard to stay ahead of the issues. The same applies to every other company out there.

However, some of these bugs may have security implications that can affect the integrity, availability or confidentiality of the users deploying it. They are called software vulnerabilities.

I think it’s fair to assume that we can all relate to this to some level. What seems to be a problem, however, is how we, using the collective we, handle the disclosure of these vulnerabilities when they are brought to our attention.

  • What happens when someone identifies a vulnerability in the code we write?
  • What if it can be, or is being, misused to hack websites that employ that same code?
  • How should we as developers respond and handle these situations?

I want to share some thoughts that I hope will provide some insights on a good disclosure and engagement strategy.

Read More

Zero-day in the Fancybox-for-WordPress Plugin

Update: We posted an analysis of the vulnerability following this post.

Our research team was alerted to a possible malware outbreak affecting many WordPress websites. All the infections had a similar malicious iframe from “203koko” injected into the website. We were also directed to a forum thread where users were sharing their concerns and describing similar issues they were experiencing.

In analyzing the infected websites, we found that all the websites were using the fancybox-for-wordpress plugin.

Read More