Not Just for the Government: Using the NIST Framework to Secure WordPress

When setting up a WordPress website, it is easy to focus on the look and feel of the website, while overlooking the important aspect of security. This makes sense, because the security of a website is largely invisible until something goes wrong. Installing a cybersecurity plugin like Wordfence significantly reduces the chances of a successful attack on a WordPress site. What no software can fully protect is the human element. This is where cybersecurity models and frameworks come in. We discussed one cybersecurity model, the CIA Triad, a few months ago. There are other models and frameworks that each have their own strengths and weaknesses, depending on how they are implemented.

Cybersecurity frameworks are a common tool used by organizations to protect their networks, systems, and digital assets. One well-known framework is the National Institute of Standards and Technology (NIST) Framework Core, which consists of Five Functions. While the NIST Framework Core is often associated with securing government networks, the same principles apply to WordPress websites as well.

The Five Functions in the NIST Cybersecurity Framework Core are identified as the Identify, Protect, Detect, Respond, and Recover phases. Each phase describes an important aspect of securing an organization’s physical and digital assets. Rather than a list of dos and don’ts, these were written to be guidelines that help in making decisions that affect an organization’s risk management. The best way to view this is as a cycle that is repeated whenever there is a cybersecurity incident or change to the protected assets.

Identify

The Identify function helps to identify any assets that need some form of cybersecurity protection. This includes physical assets like servers, digital assets like software, and even people. In this phase, it is important to make a list of all assets and the maintenance or security that they require. Any time there is a cybersecurity incident, or a change to the physical or digital systems in place, this phase should be revisited to ensure that changes are accounted for. New cybersecurity measures are considered in this phase, taking into account both individual systems, and how those systems interact with each other.

WordPress websites have many parts, both physical and digital. Even if a site is not hosted on a server that is physically controlled by the site owner, the server itself must still be a consideration of the site owner. Choosing a host that is trusted and has a record of using proven cybersecurity practices helps to ensure that the chances of a compromise of the server itself are minimized. If a malicious actor is able to access a compromised server, they may be able to make changes that can lead to modification of website files and databases, as well as locking the site owner or administrator out of their hosting environment control panel. One method of maliciously controlling accounts through a compromised host was discussed in our breakdown of the Anonymous Fox F-Automatical script, where part of the script could be used by threat actors to change passwords on compromised WHM or cPanel accounts, which can help a threat actor to maintain persistence.

In addition to physical assets, all software used needs to be accounted for as well. On a WordPress site, this means WordPress core, themes, and plugins. Any underlying technologies may also need to be cataloged. If not managed by the host, then the site owner will also need to ensure that appropriate update processes and cybersecurity considerations are taken into account for the web server software (Apache, Nginx, etc.), the PHP version, and any other software the site relies on for proper operation. Once all physical and digital assets have been cataloged, appropriate cybersecurity measures will need to be determined.

Protect

The Protect function guides the implementation of resources that will reduce the impact of a cybersecurity incident and prevent it from spreading. It is one thing to catalog your assets and determine appropriate cybersecurity measures, but those measures also must be implemented in order to be effective. Physical security is implemented in this phase where possible, and any site administrator will be implementing digital security solutions, such as Wordfence Premium, to protect against existing and new threats to the website. With these measures in place, threat actors can be stopped before their attacks have a chance at success, and malware can be quickly removed from an infected website.

Based on the most recent 12 months of data, the Wordfence firewall detects and blocks an average of 4,603,076,842 attack attempts across 4 million protected websites every month. In the year of data reported here, the Wordfence firewall blocked 30,488,640,718 attack attempts based on identified malicious activities, and 24,748,281,391 attempted password attacks. This means that on average more than 1,100 attack attempts are thwarted against each website every month, without any negative impact to the website. If websites with vulnerabilities or administrator accounts with weak or leaked passwords were left unprotected, they could be used in data theft schemes, as a platform to disseminate malware, or for a number of other malicious purposes.

Regular maintenance is a large part of the Protect phase as well. One of the best ways to keep WordPress websites secure is to keep WordPress, themes, and plugins updated with the latest security updates. Additionally, the software behind the website, like Apache and PHP, will need to be maintained as well. Whenever possible, best practice may be to enable automatic updates. If automatic updates are not possible, it is important to regularly check for available updates and manually update as soon as possible after a new version with security fixes is released.

Along with any physical and digital security measures, it is also important to keep in mind the people behind the website. Anyone who assists in managing the website will need to be considered an asset, and a potential cybersecurity risk. This means implementing access controls like user roles and two-factor authentication (2FA), utilizing the principle of least privilege by limiting access to roles, and training anyone who helps in the management of the website on cybersecurity best practices.

Detect

The Detect function outlines and implements methods, systems, and software that help to identify a cybersecurity incident rather than allowing it to continue unseen. Detection is one of the most important steps in keeping a website safe, as the unseen cannot be stopped. Regular scanning of files is critical, as is monitoring of website traffic. If malicious behaviors are detected prior to a malicious payload being delivered, then an attack can be rendered ineffective before it can truly begin.

It is important to run regular scans for malware on your website. Wordfence includes one of the industry’s largest WordPress-specific malware databases to scan websites and alert administrators of any malware found in their website files. The Wordfence Scanner detects malware from an average of 173,449,409 files each month. Armed with the scan results, administrators may be able to identify infected core, plugin, or theme files that need to be reinstalled.

Monitoring website traffic can also help to detect threats. Wordfence Live Traffic monitors and tracks all activity on the website, logging the IP address, location, time, browser, and page being visited by any human or bot accessing the website. After reviewing traffic, the administrator has the option to dive deeper into the details of a specific visitor or even block the IP to prevent its access in the future.

Respond

When a cybersecurity incident has been detected, the Respond function supports organizations in determining the appropriate actions needed to contain the incident. It is not enough to simply detect an incident; plans and measures need to be in place to contain an incident before it becomes an even bigger issue. If a threat actor can be stopped in the process of inserting a malicious admin user, then they won’t have the access to complete further attacks such as collecting website subscriber data or other sensitive information.

Responding to an incident may be something that can be handled by the website administrator, or they may need help from a team of cybersecurity experts. For more complex infections, or if the administrator is not familiar with how to respond to a malware threat, our team of analysts can use the scan data as a starting point to investigate and respond to malware that has been found on websites protected by Wordfence Care or Wordfence Response.

Recover

The final phase is the Recover function, which guides the recovery process after a cybersecurity incident, reducing the time required to return to normal operations. Cybersecurity incidents can modify the content or functionality of a website, requiring content to be restored from backup, themes or plugins to be reinstalled, or even running updates or installing new software to protect against the vulnerability that was exploited. Maintaining an awareness of available updates helps to ensure vulnerabilities are patched as quickly as possible, which is why Wordfence lists any available updates right on the Wordfence Scan Results page. Updating after an incident can prevent a recurring incident by applying any available security patches, but regularly updating software can prevent successful exploits of vulnerabilities before there can be a first incident.

NIST Cybersecurity Framework Core Implementation Tips

Implementing a cybersecurity framework might feel like a daunting task; however, it is often easier than it might initially seem. We have some suggestions that can help with implementing the NIST Cybersecurity Framework Core on WordPress websites.

Start with the highest priority

When cataloging systems and software, keep in mind that not all assets are of equal priority for a cybersecurity solution. If the website exists on a shared or managed server solution, the host will often have cybersecurity measures in place to protect the physical systems and even some of the base software. This allows site owners to focus on the software they are installing, which means that WordPress specific cybersecurity solutions will be the first priority for many WordPress website administrators.

Be flexible

When writing policies and procedures, it is not always possible to account for every scenario that may be encountered. When a situation arises that does not fit into existing policies and procedures, the situation needs to be reviewed and existing policies and procedures will be updated to account for the new situation.

Ensure policies and processes are clearly defined

Policies and processes are an important part of any holistic cybersecurity solution. It is important to make sure that these are clearly defined, with as much detail as possible to avoid confusion if an incident occurs. Clearly defined policies and processes can also help prevent human error that could lead to a cybersecurity incident.

Follow up on policies

Effective policies are not “set it and forget it” solutions. It is important to regularly review policies, as well as regularly discuss them with any individuals who have a hand in managing the website or other systems. This helps to keep policies fresh in people’s minds, which increases the chances of policies being followed and cyber incidents being avoided.

Communicate

This tip cannot be stressed enough. Communication is the backbone of any good cybersecurity plan. Employees or anyone else who has a hand in developing and managing the website needs regular and clear communication about cybersecurity expectations and procedures. When an incident occurs, communication must be accurate and concise, and should include any stakeholder including customers and website visitors. Clear and honest communication can help to work through an incident faster, as well as build trust in how the situation is being handled.

Review and learn

Any time there is a cybersecurity incident, all five phases of the NIST Cybersecurity Framework Core need to be revisited, with policies, procedures, and solutions being reviewed for possible improvements. Any identified improvements need to be implemented as quickly as is safely possible. This is not the time for snap decisions, but taking several months to discuss options is also not going to be effective. After every incident or change, review what happened and how it happened, and learn from what went well and what could have been improved.

Use tools

Installing a cybersecurity solution like Wordfence to protect WordPress websites helps to stop incidents before they start, and recover quickly from incidents that have already occurred. Wordfence, including Wordfence Free, provides a number of tools to help you implement the NIST Cybersecurity Framework Core, including two-factor authentication (2FA) to help secure user accounts and alerts for suspicious activity and outdated components. The Wordfence firewall detects and blocks malicious activities, while Wordfence Scan detects malware and other indicators that website data may have been compromised.

Wordfence Premium includes the most up-to-date firewall rules and malware signatures, as well as our Real-Time IP Blocklist to block malicious actors based on IP addresses known to be performing malicious activities. Wordfence Care and Wordfence Response include a security audit to help identify opportunities to improve website security, and suggest best practices alongside incident response in the event a site has a security incident.

Conclusion

In this post we discussed how to apply the NIST Cybersecurity Framework Core to the protection of WordPress websites. Implementing the use of the NIST Cybersecurity Framework Core will help any website administrator to ensure that their website is secure, and that policies and procedures are in place to keep the website secure as software changes or vulnerabilities are discovered. When a cybersecurity incident occurs, they will be able to use the framework to help recover from the incident as quickly as possible to minimize the impact of the incident.

The post Not Just for the Government: Using the NIST Framework to Secure WordPress appeared first on Wordfence.

Russian Hacktivist Group Targets Political Websites with DDOS Attacks

A Russian hacktivist group calling itself “The People’s Cyberarmy” called on its members to target the American Democratic party website at https://democrats.org with DDOS (Distributed Denial of Service) attacks this morning, November 8th, 2022, which is Election Day in the United States. A post in their Telegram channel, “CyberArmyofRussia_Reborn”, which has more than 7,000 subscribers contained targeting instructions, and the channel contains links and instructions to downloadable DDOS tools.

The group itself uses fairly unsophisticated attack methods and does not have a high likelihood of succeeding at taking down the democrats.org site, as the attack instructions include an IP address for the site that is one of four Fastly CDN IPs. This indicates not only that the site itself already has DDOS mitigation in place, but that the attackers are targeting it in a way that is unlikely to achieve their goals.

While this group does not appear to consist of particularly skilled attackers, and has until now primarily targeted Ukrainian websites, Google-owned cybersecurity firm Mandiant has noted that it has coordinated with the Russian state-sponsored threat group known as APT-28 in the past.

Skilled attackers frequently use the chaos caused by DDOS attacks as cover to gain or escalate access to a system, or to exfiltrate sensitive information. In this case it is likely that the purpose of the attacks is simply to make a statement. While the attacks on the Democratic party website have not been successful at the time of publication, they appear to have added the website of the Mississippi secretary of state, who is currently a Republican, to the list of targets.

The fact that the target URL is an easily cacheable PDF file would make it significantly more difficult to successfully take down the site, but the website at www.sos.ms.gov appears to be down at this time, indicating that the group is having considerably greater success. We expect ongoing attacks on local and regional government sites throughout election day, and may update this post as more information becomes available.

Note regarding research posts that include political references: In the past we have found that posts related to an election, or that mention a political party or figure, tend to produce fiery rhetoric in the comments. We’re leaving the comments open on this post, but please note that we won’t be approving comments that are inflammatory or designed to promote a political debate on this blog. Our focus is on reporting data that helps cybersecurity analysts identify indicators of compromise, attackers, and their tactics, techniques and procedures. If you have data to bring to the conversation, we welcome your input!

The post Russian Hacktivist Group Targets Political Websites with DDOS Attacks appeared first on Wordfence.

Missing Authorization Vulnerability in Blog2Social Plugin

On October 5, 2022, the Wordfence Threat Intelligence team responsibly disclosed a Missing Authorization vulnerability in Blog2Social, a WordPress plugin installed on over 70,000 sites that allows users to set up post sharing to various social networks. Vulnerable versions of the plugin make it possible for authenticated attackers with minimal permissions, such as subscribers, to change the plugin’s settings.

We initially reached out to the developer via email on October 1, 2022. After receiving a response from the developer shortly thereafter, we disclosed this vulnerability to their team on October 5, 2022. A partial fix was provided within a day (version 6.9.11) with a full fix following on October 10, 2022 (version 6.9.12).

At the time of discovery, we did not release a firewall rule as we determined that the vulnerability is unlikely to be targeted and has a relatively low impact. After further evaluation, we decided to release a firewall rule on October 27, 2022 as a precautionary measure. Premium, Care, and Response customers received that protection the same day, while sites still running the free version of Wordfence will receive the same protection 30 days later on November 26, 2022. As such, we strongly recommend updating to version 6.9.12 or higher of Blog2Social to ensure that your site is protected against any exploits targeting this vulnerability.

Description: Missing Authorization to Authenticated (Subscriber+) Settings Update
Affected Plugin: Blog2Social
Plugin Slug: blog2social
Affected Versions: <= 6.9.11
CVE ID: CVE-2022-3622
CVSS Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 6.9.12

Blog2Social: Social Media Auto Post & Scheduler is a plugin offered by Blog2Social/Adenion that provides content-creators with the ability to quickly share site content to their social media accounts. It offers automatic post sharing as well as optimized scheduling and also extends some of its features to subscribers, enabling them to share posts to their own social media accounts.

As part of the plugin’s functionality, there are some more advanced settings that can be managed. Unfortunately, this was implemented insecurely making it possible for authenticated attackers to update these settings even without the authorization to do so.

More specifically, the plugin provides administrators with the ability to enable legacy mode, which is intended to reduce server load. In legacy mode, the plugin will load content one item at a time instead of loading all content in bulk in an attempt to reduce the likelihood of dashboard freeze-ups. In order to reduce the number of concurrent outgoing connections, legacy mode will also load connections to social media accounts in sequential order as opposed to doing so simultaneously. While functionality should not be significantly affected by this for most use cases, this legacy option setting is reserved for administrators only. Unfortunately, due to a lack of capability checking on the function and in the user interface, site subscribers had access to this setting via the dashboard:

/wp-admin/admin.php?page=blog2social-settings

Furthermore, the same URL offers access to a Social Meta Data tab, which contains forms that are disabled for non-administrative users. However, browsers offer inspector tools, which can be used to modify HTML on the fly in order to change properties of such forms and their elements. For instance, a save button with the following properties can be modified to become functional by removing the disabled attribute from the button: <button class="btn btn-primary pull-right" disabled="disabled" type="submit">save</button> – as a result, such a form can be submitted by a subscriber. This indicates the developer relied on client-side validation, which can easily be bypassed by modifying the request sent to the server.

A request could be submitted using a third party tool similar to this one:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
Cookie:

b2s_og_default_title=SiteTitle&b2s_og_default_desc=Just%20another%20WordPress%20site&b2s_og_default_image=&b2s_og_imagedata_active=1&b2s_og_objecttype_active=1&b2s_og_locale_active=1&b2s_og_locale=en_US&b2s_card_default_type=Summary&b2s_card_default_title=SiteTitle&b2s_card_default_desc=Just%20another%20WordPress%20site&b2s_card_default_image=&is_admin=1&version=0&action=b2s_save_social_meta_tags&b2s_security_nonce=<nonce>

This had consequences such as allowing subscribers to change social meta tags which could potentially be used to impact brand reputation.

A third issue that we discovered surrounded the plugin’s general authorization mechanism as seen below:

public function lockAutoPostImport() {
    // Only the 'read' capability (held by every logged-in user) plus a nonce check guard
    // this action; nothing restricts it to administrators, and userId comes from the client.
    if (current_user_can('read') && isset($_POST['b2s_security_nonce']) && (int) wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['b2s_security_nonce'])), 'b2s_security_nonce') > 0) {
        if (isset($_POST['userId']) && (int) $_POST['userId'] > 0) {
            // Locks auto post import for whichever user ID the caller supplies
            update_option('B2S_LOCK_AUTO_POST_IMPORT_' . (int) $_POST['userId'], 1, false);
        }
        echo json_encode(array('result' => true));
        wp_die();
    } else {
        echo json_encode(array('result' => false, 'error' => 'nonce'));
        wp_die();
    }
}

The first if-statement is intended to prevent unauthorized use of this function and of similar functions that use the same protection. All of the following conditions need to evaluate to true for the if-statement to pass:

  • current_user_can('read') – This gives access to the administration screens and user profiles. This permission is generally available to all authenticated users such as subscribers.
  • isset($_POST['b2s_security_nonce']) – This nonce is set by the plugin and can be obtained by searching the code of /wp-admin/profile.php for the string ‘b2s_security_nonce’. This nonce is generated for subscribers and higher.
  • (int) wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['b2s_security_nonce'])), 'b2s_security_nonce') > 0 – this verifies the nonce after some sanitization.

As long as a userId is provided, we are able to lock B2S_LOCK_AUTO_POST_IMPORT_ for any user, resulting in that user being unable to automatically import posts. We found that many other functions lacked proper capability checks as well.

The Importance of Capability Checks

Capability checks are an important part of securing AJAX actions since those are available to any logged in users, including subscribers. The following is an example of an AJAX action from the Blog2Social plugin.

add_action('wp_ajax_b2s_lock_auto_post_import', array($this, 'lockAutoPostImport'));

While nonce checks ensure that the user initiating the request intended to do so, they don’t provide authorization. As mentioned above, the check current_user_can('read') does ensure that the user initiating the request has that specific capability, but it does not suffice to protect actions intended for administrators only. A proper way to secure such actions would be to utilize a check such as current_user_can('manage_options').

The plugin does make use of B2S_PLUGIN_BLOG_USER_ID, which holds the current user’s ID in order to ensure that saved options are personalized, thus preventing one user from overwriting other users’ preferences:

define('B2S_PLUGIN_BLOG_USER_ID', get_current_user_id());
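As an added example that is not part of the original post or of the Blog2Social plugin’s code, here is how the same AJAX handler looks with authorization enforced: the nonce is verified with check_ajax_referer(), the action is restricted to users holding manage_options, and the client-supplied userId is validated before it reaches update_option(). The action name, function name and option prefix (example_…) are assumptions chosen for illustration; the nonce action name is the one shown in the post.

```php
<?php
// Added example, not Blog2Social's code: a hardened version of the
// lockAutoPostImport AJAX handler discussed above. Names prefixed with
// "example_" are assumptions made for this illustration.

add_action('wp_ajax_example_lock_auto_post_import', 'example_lock_auto_post_import');

function example_lock_auto_post_import() {
    // 1. Intent: the nonce proves the request came from a page the plugin rendered
    //    for this user. check_ajax_referer() terminates the request with "-1" when
    //    the nonce is missing or invalid, so nothing below runs without it.
    check_ajax_referer('b2s_security_nonce', 'b2s_security_nonce');

    // 2. Authorization: a valid nonce says nothing about WHO may perform the action.
    //    Locking imports for arbitrary users is an administrative operation, so
    //    require manage_options rather than the 'read' capability every subscriber has.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('error' => 'forbidden'), 403);
    }

    // 3. Input validation: userId must be a positive integer naming an existing user.
    //    absint() rejects negatives and non-numeric values; get_userdata() rejects
    //    IDs that do not exist, so the option key can never be built from junk.
    $user_id = isset($_POST['userId']) ? absint(wp_unslash($_POST['userId'])) : 0;
    if ($user_id === 0 || !get_userdata($user_id)) {
        wp_send_json_error(array('error' => 'invalid user'), 400);
    }

    // Same effect as the original handler, now reachable only by an administrator
    // who supplied a valid nonce and a real user ID.
    update_option('EXAMPLE_LOCK_AUTO_POST_IMPORT_' . $user_id, 1, false);
    wp_send_json_success(array('result' => true));
}
```

If the option is meant to be per-user rather than administrator-only, the safer pattern is to drop the userId parameter entirely and derive the option key from get_current_user_id(), as the plugin’s B2S_PLUGIN_BLOG_USER_ID constant does, so that one subscriber can never alter another user’s settings regardless of what the request contains.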

Timeline

October 1, 2022 – Initial outreach to the plugin developer.
October 5, 2022 – We disclosed details of the vulnerabilities to the developer.
October 6, 2022 – Version 6.9.11 is released which provides a patch for the legacy mode update vulnerability.
October 10, 2022 – The remaining authorization vulnerabilities are patched in version 6.9.12.
October 27, 2022 – Wordfence Premium, Care, and Response customers receive a firewall rule to provide additional protection.
November 26, 2022 – Wordfence Free users receive a firewall rule.

Conclusion

In today’s post, we covered several vulnerabilities in the Blog2Social: Social Media Auto Post & Scheduler plugin that could be used by subscribers to update plugin settings due to improper authorization checks. The vulnerabilities were patched by ensuring that capabilities were checked.

Wordfence Premium, Care, and Response users received a firewall rule on October 27th, 2022 for enhanced protection. Wordfence free users will receive this rule after 30 days on November 26th, 2022. We strongly recommend updating to version 6.9.12 or higher of Blog2Social: Social Media Auto Post & Scheduler to ensure that your site is protected against any exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Blog2Social as soon as possible.

The post Missing Authorization Vulnerability in Blog2Social Plugin appeared first on Wordfence.

Wordfence Premium Price Increase Coming in December – The First Since 2016

It has been over 6 years since we last raised our prices. Since then our team has more than doubled in size and we have introduced significant improvements to the core Wordfence product, launched a range of free and paid products, and introduced new services that include 24 hour incident response.

Starting December 5th, 2022, the base price of Wordfence Premium will increase from $99 to $119 per year. This does not affect Wordfence Care or Wordfence Response prices.

As before, you’ll continue to receive discounted pricing for multiple licenses and discounted pricing for multiple year subscriptions.

Customers with legacy pricing below the $99 base price will see their renewal prices increase by 20.2 percent.

If you need more Premium licenses now, you can still purchase licenses at the lower $99 base price before December 5th, 2022 and they will renew at the increased base price when the subscription ends. We continue to offer discounted multiple year pricing which means you can lock in the $99 base price on new key purchases for two or three years for any new Premium keys purchased until December 5th, 2022.

Wordfence wouldn’t be able to make the web a safer place without your continued support. We look forward to securing your WordPress websites and are committed to keeping you and your customers secure through innovation and excellence in customer service.

Regards,

Mark Maunder & Kerry Boyte – The Wordfence Founders

The post Wordfence Premium Price Increase Coming in December – The First Since 2016 appeared first on Wordfence.

What Does The Fox Hack? Breaking Down the Anonymous Fox F-Automatical Script

While performing routine security research, one of our threat analysts discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This is the seventh version of this automatic C2 script that is developed and distributed by a threat group called Anonymous Fox. This script is exactly as advertised: a script that automates tasks performed by a threat actor on a compromised web server. While this script is not used to exploit a vulnerability, it is a post-exploitation script that is run from a location under the threat actor’s control and can be used to maintain persistence or upload additional malware on a website that the threat actor has already accessed through an exploited vulnerability.

Some of the malicious functions are built-in, while others are performed by downloading and running additional scripts from a hardcoded location. Threat actors often try to automate anything they can, and this script is one of the more versatile malicious scripts out there. This script allows for anything from simple information stealing attacks, up to full site takeover, and more.

Anonymous Fox is a threat group that was inspired by the works of Anonymous, but is not affiliated with the better-known hacktivists. Publicly, they are mainly focused on NFTs, and have even hired an artist to create images for their NFTs. However, the group also has indicated a strong opposition to governments and large corporations. Anonymous Fox has called for action to be taken to break down public-private partnerships, and has published a list of corporations they would like to hack, including Google and Amazon. In an interesting twist, their tools tend to be used against small businesses and individuals far more often than against corporations and governments.

The Fox Doesn’t Want You to Know What It Says

The initial script itself is only 6 lines of code, with a number of empty lines thrown in. The most important line in the script is line 17. This is where the entire malicious script actually resides, but encoded and compressed.

Once this line has been decompressed and decoded, we find a much larger script, consisting of more than 2,500 lines of code. While there is still a layer of obfuscation in place, a significant portion of the script is now readable by anyone who knows Python. The remaining obfuscation seems to be using an obscure method of encoding the text, based on a method developed by a Reddit user as a response to a challenge in the r/dailyprogrammer subreddit.

While this obfuscation method is well documented, which makes reversing the obfuscation possible, some well-placed print statements can make fast work of decoding important pieces of the script. This obfuscation could be considered overkill, considering the fact that a capital ‘F’ is encoded as str("".join(chr(__RSV) for __RSV in [(___neoostdfluai+____hyrblqdmgtxk+(((((__ehykazitkvvj<<____hyrblqdmgtxk))<<(_vjqdsnodtvja**_vjqdsnodtvja)))<<(_vjqdsnodtvja**_vjqdsnodtvja)))])). The use of multiple layers of different types of obfuscation is also a common tactic of threat actors, in an attempt to make their code harder to analyze.

What the Fox Does

Without even fully decoding the script, we can see what this script does, thanks to a code block near the end. This block is the list that is printed to the screen, allowing the would-be attacker to choose which functions they will use during their attack attempt. The way this was coded indicates that the script author intended to distribute this malicious script to other threat actors.

A quick review of this block of code shows that this script performs many functions, including password resets, uploading and injecting backdoors and mailers, information stealing, attempting to gain access to the server itself, and many other functions. This is also a versatile script because it accounts for different types of servers, as well as common content management systems, including WordPress, Joomla!, OpenCart, and Drupal.

The Fox Hides

Many of the functions are not built into this script. Common scripts and applications may be downloaded and installed from servers under the control of Anonymous Fox. Some of these uploads could be plugins (also known as extensions or modules in non-WordPress websites), or scripts like LeafMailer for sending emails, backdoors and shell scripts, configuration files, and even additional malware or other tools that may be of use to the threat actor. Rather than including these scripts within the F-Automatical script, they are pulled from locations under the control of Anonymous Fox, but these locations are not readily visible within the script. This is another spot where we have to use the functionality in the script to deobfuscate the code and see where these scripts are being pulled from.

Once this has been decoded, what we are left with is simply ______________________oldobherivaw=[ufox.co,youfox.co], an array of two malicious domain names. These are then plugged into the next block of code, which reaches out to the domains to grab the needed payload. At the time of writing, both of these domains appear to be down; this could be temporary, or an update to the script may substitute new domains or IP addresses for these two. In this sample, 'script': '(.*)' has already been deobfuscated from the original code. While it is possible to complete the deobfuscation here, at this point enough is readable to see what the code is accomplishing.

One way in which Anonymous Fox doesn’t hide very well is in their consistent use of a single user-agent string. The previous version of this script used a common misspelling of Mozilla that is often seen in user-agents from malicious actors, Mozlila. This latest version of the F-Automatical script is using a different user-agent string that is identical to the Chrome 90 browser on Windows 10 user-agent. While not an effective indicator on its own, tracking this user-agent, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36, along with other characteristics like IP addresses and observed behaviors can help to identify attacks using Anonymous Fox tools. Keep in mind that this may not be a single threat actor, but many threat actors who are using the Anonymous Fox F-Automatical script.

The Fox Tracks

One of the pieces of information that led us to reversing the obfuscation in this script was the use of the Gyazo API, which was also used in previous versions of the script. The use of this API itself has nothing to do with the obfuscation, but it was a familiar starting point that helped us to better understand what was in the code. The actual purpose of the API being used in this script is to take screenshots of successfully uploaded webshells and mailer scripts, typically used as proof when reselling access to a hacked site, and to save them in a searchable and web-accessible location. For obvious reasons, specific details are omitted here.

This may look indecipherable, but combined with the block of code immediately preceding this block, and using the Gyazo Python library, we can see a little more of what is happening here. With these details, we can use a print() function to see that str("".join(chr(__RSV) for __RSV in [((_azckljdzdnaw**_azckljdzdnaw)+____rxfmwahulsfe+______uncyxrbonqkk+_______wbrgpyimzghk+(((((_____iqotaksjjbuy<<(_azckljdzdnaw**_azckljdzdnaw)))<<(_azckljdzdnaw**_azckljdzdnaw)))<<(_azckljdzdnaw**_azckljdzdnaw))),(___rhhamzxovwmt+______uncyxrbonqkk+_______wbrgpyimzghk+(((((_____iqotaksjjbuy<<(_azckljdzdnaw**_azckljdzdnaw)))<<(_azckljdzdnaw**_azckljdzdnaw)))<<(_azckljdzdnaw**_azckljdzdnaw))),(____rxfmwahulsfe+_____iqotaksjjbuy+_______wbrgpyimzghk+(((((_____iqotaksjjbuy<<(_azckljdzdnaw**_azckljdzdnaw)))<<(_azckljdzdnaw**_azckljdzdnaw)))<<(_azckljdzdnaw**_azckljdzdnaw)))])) simply becomes url.

This function uploads a screenshot of a successfully compromised system, opening the Gyazo URL using the Gyazo API key, and uploading the image to the specified location. Once uploaded, it provides the exact URL where the image was uploaded using the API.

The Fox Replaces Your Locks

One thing that F-Automatical does differently from other scripts is resetting cPanel passwords instead of simply inserting new admin users. Many website administrators don’t access their cPanel dashboard frequently, which can help this password update to go unnoticed for an extended period of time. This functionality is split into two parts within the script. First, the password must be generated. This is defined early in the script, so that it can be reused as needed in different functions.

The next part of this depends on what password is being reset. Here we see the script using data it has already collected from WHM to reset cPanel passwords. If successful, this could lead to multiple websites being compromised, possibly affecting multiple website owners in some environments.

One way to keep threat actors using Anonymous Fox scripts out of a website is to enable two-factor authentication (2FA). This will require a second form of authentication in addition to the password, so even if the threat actor is able to change a password, it won’t be enough to access the account. cPanel now supports 2FA as well, though you may need to contact your host to see if their configuration supports it.

The Fox Shows No Mercy

Remember that list of functions this script can perform? Let’s look at option 29. This portion of the script finds the website control panel and accesses a shell to give the threat actor the ability to run the commands of their choosing on an infected system.

Note that in this sample, domain.com is not the domain registrar, but rather a formatting example to be used if the URL format passed doesn’t match the expected input. If that check passes, the script attempts to find the administrator panel in WordPress, followed by Joomla!, OpenCart, and finally Drupal. Once it has found the administrator panel, it configures a new shell connection through which the threat actor can send malicious commands to the server.

Cyber Observables

There are a number of observables that can be obtained from the Anonymous Fox script and its associated data. The observables in the script can be expanded into the following cyber observables, which can be used to identify and block attack attempts from malicious actors using the F-Automatical or other Anonymous Fox scripts. In addition to F-Automatical, there are seven additional files we have observed in conjunction with this script, and still more scripts that the group has developed and distributed. Many of the additional files are named with a random 8-character filename and a PHP extension.

Keep in mind that the IP addresses could be shared servers, so they are only one piece of the puzzle, but they can help to identify malicious activity. The user-agent mentioned above is a legitimate user-agent for Chrome 90, but the old versions of this script used a known malicious user-agent, which is included below.



Domain Names

fcs.is
ufox.co
youfox.co
anonymousfox.co.uk
anonymousfox.is

User-Agent

Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
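As an added example of the tracking the post recommends (not Wordfence code), this scanner reads combined-format access log lines, treats the misspelled user-agent as a high-confidence hit on its own, and flags the legitimate Chrome 90 user-agent only when the source IP is also on a watchlist the operator supplies, since that UA alone is not an indicator. The log lines, the documentation-range IPs and the watchlist entry are constructed.

```python
import re

# The two user-agent strings the post describes: the misspelled UA from the old
# F-Automatical, and the Chrome 90 UA the current version shares with real browsers.
UA_MISSPELLED = ("Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36")
UA_CHROME90 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36")
# Misspellings that never occur in a genuine UA string; any one of them is a strong signal.
UA_TYPOS = ("Mozlila", "Bulid", "Moblie")
RANK = {"none": 0, "medium": 1, "high": 2}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def classify(line, watchlist=frozenset()):
    """Return (source_ip, verdict) for one log line.

    high   - the UA carries one of the known misspellings
    medium - legitimate-looking Chrome 90 UA, but the source IP is on the operator's watchlist
    none   - nothing to flag from this line alone
    """
    m = LOG_RE.match(line)
    if not m:
        return None, "unparsed"
    ip, ua = m["ip"], m["ua"]
    if any(t in ua for t in UA_TYPOS):
        return ip, "high"
    if ua == UA_CHROME90 and ip in watchlist:
        return ip, "medium"
    return ip, "none"

def triage(lines, watchlist=frozenset()):
    """Map each source IP to the strongest verdict seen across all of its lines."""
    worst = {}
    for line in lines:
        ip, verdict = classify(line, watchlist)
        if ip is not None:
            worst[ip] = max(worst.get(ip, "none"), verdict, key=RANK.get)
    return worst

# Constructed log lines (documentation-range IPs); the watchlist entry is hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2022:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 1234 "-" "%s"' % UA_MISSPELLED,
    '203.0.113.9 - - [10/May/2022:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "%s"' % UA_CHROME90,
    '198.51.100.7 - - [10/May/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "%s"' % UA_CHROME90,
]
SAMPLE_WATCHLIST = frozenset({"198.51.100.7"})
```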

Conclusion

In this post, we broke down the F-Automatical script from Anonymous Fox, and showed several examples of what it can accomplish. This is the latest version of the script, which appears to be in active development, and has a much higher level of obfuscation than seen in previous versions. F-Automatical can be utilized to install additional malware, use the infected server to send malicious emails, or perform a complete takeover of a website, virtual server, or even a physical server in some cases.

The Wordfence plugin comes with 2-Factor authentication, which prevents scripts like F-Automatical from being used to upload additional malware to your site even in cases where your credentials have been compromised. 2-Factor authentication is available to protect all Wordfence users, including Free, Premium, Care, and Response, against exploits targeting WordPress authentication. If you believe your site has been exploited by F-Automatical or any other malware, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

The post What Does The Fox Hack? Breaking Down the Anonymous Fox F-Automatical Script appeared first on Wordfence.

Wordfence Intelligence Launches New Malware Hash Feed!

Today, the Wordfence team is launching a Malware Hash Feed as part of our Wordfence Intelligence API. This gives our Enterprise users another way to rapidly and definitively identify malware targeting web applications.

As the world’s foremost WordPress security provider, Wordfence has an expertly curated database of nearly three and a half million unique malicious files. Most of the malware in our database is PHP, but we also have a selection of malicious JavaScript, ASP.NET, Python, and other languages used for web applications.

About the Malware Hash Feed

The Malware Hash feed contains the following information for each malicious file in our data set:

  • SHA-256 hash – For applications and appliances where SHA-256 hashes are the default method of ingestion, or where hash collisions are a concern, we offer SHA-256 hashes. We recommend using this hash by default if possible.
  • Normalized SHA-256 hash – For files containing variable amounts of whitespace, we offer a SHA-256 hash of each file after whitespace normalization (with spaces, tabs, carriage returns, and newline characters removed).
  • SHA-1 hash – The SHA-1 algorithm remains popular with many platforms. While it is now trivial to generate both MD5 and SHA-1 collisions, these techniques are not commonly used with malware targeting web applications.
  • MD5 hash – MD5 hashing is extremely performant and some platforms still make use of it.
  • Number of sightings – The number of times the malicious file has been seen by our intelligence platform.
  • First seen – The date we first encountered the malicious file.
  • Last seen – The most recent date we encountered the malicious file.
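As an added example (not the Wordfence Intelligence client or its API), here is how a consumer of the feed would compute the four digests for a file at rest, including the whitespace-normalized SHA-256 the feed defines, and match them against feed records. The PHP content and the feed record are constructed stand-ins.

```python
import hashlib

# Whitespace the feed's normalized SHA-256 strips: spaces, tabs, carriage returns, newlines.
_WS = b" \t\r\n"

def file_hashes(data):
    """All four digests the feed carries, computed from one file's raw bytes."""
    normalized = data.translate(None, _WS)  # delete every byte listed in _WS
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "sha256_normalized": hashlib.sha256(normalized).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}

def match_feed(data, feed):
    """Return feed records hit by this file: an exact SHA-256 match, or a match on the
    normalized SHA-256, which also catches copies that differ only in whitespace."""
    h = file_hashes(data)
    return [rec for rec in feed
            if rec["sha256"] == h["sha256"] or rec["sha256_normalized"] == h["sha256_normalized"]]

# Constructed stand-ins: a harmless PHP file, a re-indented copy of it, and a feed record
# built from the first (a real record would come from the Wordfence Intelligence API).
ORIGINAL = b"<?php\necho 'hello';\n"
REINDENTED = b"<?php\r\n\t  echo 'hello' ;\r\n"
FEED = [dict(file_hashes(ORIGINAL), sightings=1, first_seen="2022-05-10", last_seen="2022-05-10")]
```

The re-indented copy misses on the plain SHA-256 but still matches on the normalized hash, which is the case the normalized field exists for.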

Wordfence Intelligence subscribers can download the entire feed or use its built-in sorting and filtering functionality to grab the most relevant data, making ingestion easy.

A Complement to the Malware Signature Feed

While the YARA rules that comprise our Malware Signatures feed detect 99.99% of the malicious files in our collection and are flexible enough to detect currently uncatalogued variants, hash-based detection is more practical, compatible, or performant for some applications. Additionally, access to our malware hashes can allow for detection of novel malware as soon as we identify and classify it, even before a production-ready signature can be released. The Malware Hash feed is updated every 15 minutes.

Potential Use Cases for Enterprise and Hosting Providers

Threat Intelligence data feeds serve an important role in any organization with a Security Operations Center, Threat Intelligence team, or security-conscious IT department with a mandate to make their network more secure. Adding more data and context to the network traffic being analyzed is crucial to attaining and maintaining readiness.

Malware hashes can be ingested into a number of platforms, including Security Information and Event Management (SIEM) systems, Security Orchestration, Automation, and Response (SOAR) platforms, and Extended Detection and Response (XDR) platforms. This data can be used to determine if a host on a network has been compromised or if any traffic into or out of a network contains malicious files.

In addition, malware hashes can be fed into threat intelligence platforms to add context around specific threats, so your organization can better understand and attribute the techniques being deployed against it.

Wordfence Threat Intelligence feeds can also be integrated into custom solutions to effectively detect, block, and remediate malicious files at rest, or even on their way into the network. Web hosting providers can work with us to integrate a “powered by Wordfence Intelligence” product into their offerings, with the efficiency of running across the whole server platform.

As a reminder, Wordfence tracks malware and blocks exploits targeting multiple web services, including non-WordPress services, across our network of four million protected WordPress sites. This gives us a unique level of visibility compared to other Threat Intelligence feeds on the market. All Wordfence Intelligence customers receive access to our IP Threat data feed, our Malware Signatures feed, our Malware Hash feed, and our WordPress Vulnerability Data feed.

What does this mean for Wordfence users?

If you are a Wordfence Free, Premium, Care, or Response customer and your host subscribes to Wordfence Intelligence, they can use it to protect not only your website but the websites of any other sites on the same server, which greatly improves the security of your own website. They can also use it to detect and shut down abuse originating from within their own network, making the entire internet safer.

Get in touch with us today for more information or to try out the feeds!


The post Wordfence Intelligence Launches New Malware Hash Feed! appeared first on Wordfence.
