XSS Flaw Impacting 100,000 Sites Patched in KingComposer

On June 15, 2020, our Threat Intelligence team was made aware of a number of access control vulnerabilities that had recently been disclosed in KingComposer, a WordPress plugin installed on over 100,000 sites. During our investigation of these vulnerabilities, we discovered an unpatched reflected Cross-Site Scripting(XSS) vulnerability.

Wordfence Premium customers received a new firewall rule the same day, protecting against the newly patched access control vulnerabilities as well as the unpatched Cross-Site Scripting vulnerability. Wordfence users still using the free version will receive this rule after 30 days, on July 15, 2020.

We attempted to contact the plugin’s developers the next day, on June 16, 2020. Since we did not receive a response after 9 days, we contacted the WordPress Plugins team on June 25, 2020. The WordPress Plugins team replied the next day and let us know that they were in touch with the developers of the KingComposer plugin, and a patch was released on June 29, 2020.

What is Reflected Cross-Site Scripting(XSS)?

We’ve written a number of articles about Stored Cross-Site Scripting(XSS) vulnerabilities in the past, and how they can be used to take over a website if an administrator accesses a page on their site containing a malicious JavaScript. We’ve also written about Cross-Site Request Forgery(CSRF) attacks, where an attacker can trick a victim into clicking a specially crafted link in order to make changes to a site.

Reflected XSS vulnerabilities have characteristics of both of these vulnerabilities. Much like a CSRF attack, exploiting a Reflected XSS vulnerability usually relies on an attacker tricking their victim into clicking a malicious link which sends the victim to the vulnerable site along with a malicious payload. This can be done in a number of ways, but it is common to first link to an intermediate site controlled by the attacker, which then sends a request containing a malicious payload to the vulnerable site on behalf of the victim.

A notable distinction between the stored XSS vulnerabilities more commonly found and reflected XSS vulnerabilities such as this, is that the malicious scripts that are used as part of the exploit are not actually stored anywhere in the database with reflected XSS vulnerabilities. Rather, the malicious scripts are reflected and executed once during the exploit.

As with Stored XSS attacks, the malicious payload will be executed in the victim’s browser. However, with reflected XSS, the vulnerable site would immediately output (reflect) the malicious JavaScript payload, which would be executed a single time in the victim’s browser instead of being stored in the database for later execution.

This could be used in a variety of attacks. For instance, if the victim was a logged-in administrator on the vulnerable site, the reflected JavaScript could be used to create a new, malicious administrator account controlled by the attacker.

In order for reflected XSS attacks to successfully exploit a user, an attacker needs to trick the user into performing an action. For that reason, we highly recommend remaining vigilant when clicking on links or attachments in comments, emails, and other communication sources unless you are sure of their integrity and legitimacy.

Description: Reflected Cross-Site Scripting(XSS)
Affected Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Plugin Slug: kingcomposer
Affected Versions: < 2.9.5
CVE ID: CVE-2020-15299
CVSS Score: 6.1(medium)
Fully Patched Version: 2.9.5

KingComposer is a WordPress plugin that allows Drag and Drop page building, and it registers a number of AJAX actions to accomplish this. One of these AJAX actions was no longer actively used by the plugin, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.

The vulnerable function:

	public function install_online_preset(){

		$data = isset($_POST['kc-online-preset-data']) ? esc_attr($_POST['kc-online-preset-data']) : '';
		$link = isset($_POST['kc-online-preset-link']) ? esc_url($_POST['kc-online-preset-link']) : '';
		$link = str_replace( 'http://features.kingcomposer.com/', 'https://kingcomposer.com/presets/', $link);
		$callback = '
		<script type="text/javascript">
			top.kc.cfg.preset_link = "'.$link.'";
			top.kc.backbone.push(''.str_replace( "n", ''+"n"+'', base64_decode($data)).'');

		echo $callback;



This function renders a JavaScript based on the contents of the kc-online-preset-link and kc-online-preset-data parameters. Since it uses the esc_attr and esc_url functions, it appears safe at first glance. Unfortunately, however, the contents of the kc-online-preset-data parameter are base64-decoded after this step.

As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser. The patched version of this plugin resolved the issue by removing the vulnerable function entirely.

Disclosure Timeline

June 15, 2020 – The Wordfence Threat Intelligence team discovers an unpatched vulnerability while investigating newly patched vulnerabilities in the KingComposer plugin. We release a firewall rule covering both the patched and unpatched vulnerabilities to our Premium users.
June 16, 2020 – We attempt to contact the developers of the KingComposer plugin.
June 25, 2020 – We contact the WordPress Plugins team about the vulnerability.
June 26, 2020 – The WordPress Plugins team responds and indicates that they are in touch with the developers of the KingComposer plugin.
June 29, 2020 – Patched version of KingComposer is released.
July 15, 2020 – Firewall rule becomes available to Wordfence Free users.


In today’s blog post, we discussed a Reflected Cross-Site Scripting(XSS) vulnerability in the KingComposer WordPress plugin, and provided some background information on how Reflected XSS attacks work. This vulnerability has been fully patched in version 2.9.5 and we strongly recommend updating to this version immediately. Sites running Wordfence Premium have been protected against this vulnerability, as well as older vulnerabilities in the KingComposer plugin, since June 15, 2020. Sites still using the free version of Wordfence will receive the firewall rule update on July 15, 2020.

The post XSS Flaw Impacting 100,000 Sites Patched in KingComposer appeared first on Wordfence.

Malware Detection: Measuring Recall to Catch Them All

At Wordfence, we take performance seriously on all levels. While speed is one way to measure performance, there are other metrics that are equally important. Over the past year, our Threat Intelligence team has improved our malware scan by leaps and bounds. We wanted to share some of the metrics we use and what they mean for our customers. We’ll also take a brief look at the new Jetpack Scan and see how it compares.

Measuring Recall to catch them all

Wordfence currently has more than 1.5 million malware samples on file, ranging from backdoors and shells to SEO spam. At any given time we use several thousand “signatures” to detect these malicious files. A signature is a pattern that is used to algorithmically match malware. Our signatures use regular expressions that are optimized to be highly performant and compatible with a range of platforms, from PHP regex to server-based pattern engines.

One of the most important metrics we use is Recall. Simply put, Recall is the percentage of known malicious files that are detected by our signatures.

Over the past year we have continuously improved this recall rate, and currently our signatures detect over 98% of known malicious content. Our Threat Intelligence team is constantly adding to and improving on these signatures, in order to detect emerging threats.

Keeping False Positives low

It’s just as important to make sure that our scanner doesn’t mistake legitimate software for malware. This is a situation known as a False Positive. We have a number of ways to prevent our customers from experiencing False Positives, and very few customers will ever see one.

Preventing False Positives starts with the malware detection signatures themselves, and we test them against millions of examples of legitimate web application code, ranging from popular plugins to home-brewed contact forms.

Over the past year we have improved the False Positive rate of our malware signatures from 1.1% to less than 0.03%. That is, our signatures mistakenly detect less than 3 in 10,000 known good files.

Speed is still critical

We measure each malware detection signature to ensure it doesn’t slow down the Wordfence scanner, replacing slow signatures with faster ones that detect even more malware. Over the past year, the combined speed of our malware detection signatures has increased by over 70%, which means Wordfence can scan your site faster than ever before.

How the competition measures up

We recently had an opportunity to test the performance of the new Jetpack Scan. Similar to the Vaultpress scan that was previously available as a Jetpack upgrade, Jetpack Scan uploads a helper file to your site and downloads any files it finds to their servers in order to scan them for malware.

For each of our malware detection signatures, we placed a malicious file that was detected by that particular signature on a test server in the wp-content/uploads folder. After running the Jetpack Scan, we found that it had a recall rate of 11.5%. We used a total of 2982 malware samples in the test from our collection of over 1.5 million samples. That means that for a total of 2982 malware samples, 342 were detected by Jetpack in our testing.

It’s worth noting that our scan had a 100% recall rate on these samples, but that is because these are samples that we know of. So there is a case of selection bias here in that we are choosing samples that we already detect. While our collection of 1.5 million malware samples is substantial, we do not know the size of Jetpack’s own malware collection, and how their recall rate compares against their own collection. It is possible their collection contains malware that we don’t know about, and that their scanner has an enormously high detection rate for malware that is simply not on our radar.

Much of our own malware database comes from our site cleaning business, where we analyze sites that have been hacked, and where we collect indicators of compromise, including malware samples, malicious IP addresses, and malicious domains. Having a constant flow of customers that have encountered a real-world intrusion provides us with a continuous portrait of emerging threats.

We were unable to test Jetpack Scan’s False Positive rate since this would have required a much larger number of files to be scanned.


In this article, we have covered some of the ways we measure malware scan performance, how our performance has changed over time, and how Jetpack Scan compares. Knowing how to measure performance is important, but it is only the first step. The large and rapid improvements we have made in malware detection have been the result of a concerted and ongoing effort by the Wordfence team. We improved because we made it a priority, and it is a priority because we have a team that is dedicated to making WordPress safer.

The post Malware Detection: Measuring Recall to Catch Them All appeared first on Wordfence.

Critical Vulnerabilities Patched in Adning Advertising Plugin

On June 24, 2020, our Threat Intelligence team was made aware of a possible vulnerability in the Adning Advertising plugin, a premium plugin with over 8,000 customers. We eventually discovered 2 vulnerabilities, one of which was a critical vulnerability that allowed an unauthenticated attacker to upload arbitrary files, leading to Remote Code Execution(RCE), which could allow complete site takeover.

The next day, on June 25, 2020, we privately disclosed these vulnerabilities to the plugin’s author, Tunafish. A patched version was made available in less than 24 hours, on June 26, 2020. We strongly recommend updating to the latest version of this plugin, 1.5.6, immediately.

Wordfence Premium users received a firewall rule protecting against these vulnerabilities on June 25, 2020. Users still running the free version of Wordfence will receive this rule on July 25, 2020.

After monitoring attacks against this firewall rule, we determined that, although these vulnerabilities were being attacked in the wild, the attacks were extremely limited in scope and scale. As such we withheld details from public disclosure for a short period of time to allow users time to update and prevent more widespread exploitation.

Description: Unauthenticated Arbitrary File Upload leading to Remote Code Execution
Affected Plugin: Adning Advertising
Plugin Slug: angwp
Affected Versions: < 1.5.6
CVSS score: 10.0(critical)
Patched Version: 1.5.6

One functionality of the Adning plugin is to allow users to upload banner images. In order to provide this functionality, it used an AJAX action, _ning_upload_image. Unfortunately this AJAX action was available with a nopriv_ hook, meaning that any visitor to the site could make use of it, even if they were not logged in. Additionally, the function called by this AJAX action also failed to make use of a capability check or a nonce check.

	public static function _ning_upload_image()
		$_action = isset($_POST['action']) ? $_POST['action'] : '';
		$user_id = isset($_POST['uid']) ? $_POST['uid'] : 0;
		$banner_id = isset($_POST['bid']) ? $_POST['bid'] : 0;
		$max_upload_size = isset($_POST['max_upload_size']) ? $_POST['max_upload_size'] : 100;
		$upload = isset($_POST['upload']) ?  json_decode(stripslashes($_POST['upload']), true) : array();
		$valid_formats = isset($_POST['allowed_file_types']) ? explode(',', $_POST['allowed_file_types']) : array('jpg');
		if( in_array('jpg', $valid_formats) )
			$valid_formats[] = 'jpeg';
		//$max_file_size = 1024*100; //100 kb
		//$max_file_size = 1024000*15; // 15 MB (1 mb = 1000 kb)
		$max_file_size = 1024000*$max_upload_size;
		//$upload_path = $upload_dir.'/'.$upload_folder;
		//$upload_path = $upload_path.$upload_folder;
		$upload_path = $upload['dir'].$upload['folder'];
		$count = 0;

		// Create upload folder if not exists
		if(!is_dir($upload_path)) {
		    mkdir($upload_path, 0777, true);

			$upload_success = false;
			$upload_error = '';
			$uploaded_files = array();
			$unzip_error = array();

			// Loop $_FILES to execute all files
			foreach ($_FILES['files']['name'] as $f => $name) 
			    if ($_FILES['files']['error'][$f] == 4) 
			        continue; // Skip file if any error found
			    if ($_FILES['files']['error'][$f] == 0) 
			        if ($_FILES['files']['size'][$f] > $max_file_size) 
			            $upload_error = $name. " is too large!";
			            continue; // Skip large files
					elseif( !in_array(pathinfo($name, PATHINFO_EXTENSION), $valid_formats) )
						$upload_error = $name." is not a valid format";
						continue; // Skip invalid file formats
			        	// No error found! Move uploaded files 
			            if(move_uploaded_file($_FILES["files"]["tmp_name"][$f], $upload_path.$name)){
			            	$count++; // Number of successfully uploaded file
							$src = $upload['src'].$upload['folder'].$name;

			            	// Copy image to banner folder
			        			if(!is_dir($upload_dir.'/'.$banner_folder)) {
								    mkdir($upload_dir.'/'.$banner_folder, 0777, true);
			        			copy($path.$name, $upload_dir.'/'.$banner_folder.$name);

			        		$uploaded_files[] = array(
			        			'name' => $name, 
								'size' => $_FILES['files']['size'][$f],
								'upload' => $upload,
								'path' => $upload_path.$name,
			        			'src' => $src,
			        			'grid_item' => '<div class="grid-item" data-src="'.$src.'" data-use="path"><img src="'.$src.'" /><div class="info_btn" data-info="'.basename($src).'"><svg viewBox="0 0 448 512" style="height:18px;border-radius:2px;"><path fill="currentColor" d="M400 32H48C21.49 32 0 53.49 0 80v352c0 26.51 21.49 48 48 48h352c26.51 0 48-21.49 48-48V80c0-26.51-21.49-48-48-48zm-176 86c23.196 0 42 18.804 42 42s-18.804 42-42 42-42-18.804-42-42 18.804-42 42-42zm56 254c0 6.627-5.373 12-12 12h-88c-6.627 0-12-5.373-12-12v-24c0-6.627 5.373-12 12-12h12v-64h-12c-6.627 0-12-5.373-12-12v-24c0-6.627 5.373-12 12-12h64c6.627 0 12 5.373 12 12v100h12c6.627 0 12 5.373 12 12v24z" class=""></path></svg></div></div>',
			        			'uid'  => $user_id,
			        			'action'  => $_action
							if( pathinfo($name, PATHINFO_EXTENSION) == 'zip')
								$zipfile = array(
									'name' => $_FILES['files']['name'][$f],
									'type' => $_FILES['files']['type'][$f],
									'tmp_name' => $_FILES['files']['tmp_name'][$f],
									'error' => $_FILES['files']['error'][$f],
									'size' => $_FILES['files']['size'][$f],
								$unzip_error = self::upload_and_unzip($zipfile, array('folder' => $upload['folder'], 'path' => $upload_path, 'src' => $upload['src']));
							$upload_error = is_writable($upload_path) ? 'Could not move files.' : 'Folder is not writable.';

			if(count($uploaded_files) > 0){
				$upload_success = true;

			echo json_encode(array("chk" => $_FILES['files'], "unzip" => $unzip_error, "upload" => $upload, "success" => $upload_success, "files" => json_encode($uploaded_files), "error" => $upload_error));
			echo 'no files found.';

This function also allowed the user to supply the “allowed” file types. As such it was possible for an unauthenticated attacker to upload malicious code by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_upload_image the allowed_file_types set to php, and a files parameter containing a malicious PHP file. Alternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload. It was also possible for an attacker to change the upload directory by manipulating the contents of the upload parameter – if the desired directory did not exist, the plugin would create it.

Description: Unauthenticated Arbitrary File Deletion via path traversal
Affected Plugin: Adning Advertising
Plugin Slug: angwp
Affected Versions: < 1.5.6
CVSS score: 8.7(high)
Patched Version: 1.5.6

In order to delete any uploaded images, the plugin also registered another ajax action, _ning_remove_image, which also used a nopriv_ hook. As with the upload vulnerability, this function did not perform a capability check or a nonce check. As such it was possible for an unauthenticated attacker to delete arbitrary files using path traversal.

If an attacker were able to delete wp-config.php, the site would be reset, and an attacker could then set it up again and point it to a remote database under their control, effectively replacing the site’s content with their own content.

	public static function _ning_remove_image()
		$upload = wp_upload_dir();
		$upload_dir = $upload['basedir'];
		$upload_url = $upload['baseurl'];
		$upload_folder = self::$upload_folder.$_POST['uid'].'/';	

		$path = $upload_dir.'/'.$upload_folder.basename($_POST['src']);
		$removed = 0;

			$remove = 1;
		echo $remove;


This attack might require an extra step of preparation, which is that the wp-content/uploads/path folder would need to exist. However, since the previously mentioned arbitrary file upload vulnerability allowed for directory creation, this was not a major obstacle. Once the directory was created, an attacker could send a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_remove_image, the uid parameter set to /../../.. and the src parameter set to wp-config.php.


June 24, 2020 – Wordfence Threat Intelligence receives a report of a compromised website running the Adning plugin. During our investigation, we discovered two vulnerabilities.
June 25, 2020 – Firewall rule released for Premium Wordfence users. We make initial contact with plugin’s author and send full disclosure after receiving a response.
June 26, 2020 – Plugin’s author releases a patch.
July 25, 2020 – Firewall rule becomes available to Wordfence free users.


In today’s post, we discussed two vulnerabilities in the Adning Advertising plugin which could allow an attacker to completely take over a website. These flaws have been fully patched in version 1.5.6. If you are running this plugin, it is critical that you updated to this version as soon as possible. Sites running Wordfence Premium have been protected against these vulnerabilities since June 25, 2020, while sites still using the free version of Wordfence will receive the firewall rule on July 25, 2020.

Special Thanks to Tunafish, the author of the Adning Advertising plugin, for their excellent and timely response in releasing a patch.

The post Critical Vulnerabilities Patched in Adning Advertising Plugin appeared first on Wordfence.

Defiant Participating in Privacy Shield Framework

Defiant, dba Wordfence, is now listed on the Privacy Shield certification list participating in both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. The purpose of these frameworks is to allow for the lawful transfer of personal data from the European Union and Switzerland to the United States.

Two years ago when the General Data Protection Regulation (GDPR) was enacted in Europe, we painstakingly worked to ensure that Wordfence was in full compliance with these new regulations governing data protection and privacy for those located in the European Economic Area (EEA).

Defiant’s inclusion in the Privacy Shield Framework underscores our commitment to data protection standards aligned with those that meet EU legal standards for data acquisition and processing.

Our legal, operations, and compliance teams worked diligently over the last few years not only to ensure we are in compliance with GDPR, but also certified with Privacy Shield. This is no small task. Our team spent countless hours invested in the process to ensure full compliance. Meeting the requirements for any organization requires an analysis of all business processes as well as the establishment of new ones.

If you have questions about Privacy Shield and Defiant Inc, you can review our Privacy Shield Policy, and you are welcome to ask questions in the comments.

The post Defiant Participating in Privacy Shield Framework appeared first on Wordfence.

Episode 78: Targeted Phishing Bypassing Security Checks and a new DDoS Record

This week, we look at some targeted phishing attacks that are bypassing Microsoft Outlook’s protective filters, and phishing campaigns using calendar invitations to target unsuspecting recipients. We also look at some successful bitcoin scams and a new record for a massive DDoS attack that targeted an AWS customer.

Drupal pushes out some security fixes, and zero-day vulnerabilities found in numerous Netgear routers.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
2:35 Targeted phishing campaigns are bypassing Microsoft Outlook spam filters, and Wells Fargo customers targeted by calendar invites
4:48 Bitcoin scam using vanity addresses nets $2 million
5:55 AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever
7:37 Drupal patches critical security flaws
9:07 Netgear zero-day vulnerability allows full takeover of dozens of router models

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 78 Transcript

Welcome to another episode of Think Like a Hacker, the podcast about WordPress, security, and innovation. I’m your host Kathy Zant from Wordfence and today we’re going to dive into some security news.

There’s not much happening in the world of WordPress security. Even the attackers that we’ve seen ramping up some significant attacks in the recent months have been pretty quiet. Maybe it’s the doldrums of summer, or maybe the craziness in the world is hitting the hacking world. Either way, we’ll take a little bit of quietude after the frenzy of activity we had in May 2020. We hope you’re well. Let’s get into some news.

First a note about Office Hours. A couple of months ago, Tim Cantrell and Scott Miller, a couple of the Customer Service Engineers here at Wordfence, came up with an idea of doing Wordfence Office Hours to bring you a way to learn how to use Wordfence. Usually we do these types of things at WordCamps, but since we’re all quietly waiting for life to get back to normal, we figured we’d provide that value in other ways. Since our quiet start, we’ve moved to live streaming on YouTube, and it’s been pretty active. If you haven’t joined us for our Wordfence Office Hours, we invite you to come join us every Tuesday at noon Eastern, 9:00 AM Pacific. Past episodes are archived up on YouTube where you can watch us walk through some of the features of Wordfence to get the most out of the plugin. You can also look at some of our walkthroughs of Wordfence central and Wordfence login security [on our YouTube channel].

We’ve also been joined in the past few weeks by Chloe Chamberland, who’s one of our threat analysts here at Wordfence, who has discovered a number of plugin vulnerabilities over the recent months. And she showed us how hackers compromised vulnerabilities in WordPress plugins. And last week we took a look at how to clean a hacked site using Wordfence. We have some additional episodes coming up that I think you’ll find interesting. Ram Gall is going to join us to show us how hackers can compromise vulnerable plugins without capabilities checks and what plugin coders can do in order protect against these types of exploits. And we’ve also got some interactivity, so you can come play with us. We have a lot planned with Wordfence Office Hours in the coming weeks. So please come join us.

Let’s dive into some news.

Our first story is about a phishing campaign that is bypassing some spam filters in Outlook, Microsoft’s email platform. These are targeting Bank of America customers, and it’s a phishing campaign that is targeting only a few people in an organization. And because it’s only targeting a few people, this low volume is enabling these to slip past Microsoft’s email security. Also, because this phishing campaign is passing all of these security checks because it’s using a Yahoo email address rather than a Bank of America email address, it’s authenticating to the types of checks that they do on domain authentication. So technologies like SPF, DKIM, and DMARC are helping to verify if an email has been sent from the domain it claims to be originating from, and because this is coming from Yahoo, it looks okay with those checks. But in this case, the email’s originating from Yahoo.

So the email body doesn’t have any domains that can be recognized as malicious. So the phishing domain that they’re using nulledco[.]store was registered on June 1st, has a valid SSL certificate and is not in any security databases. So it is not being flagged as malicious.

What does this tell us? Well, it’s telling us that spammers and phishers can bypass some of these security tools that we have in place to identify malicious emails coming in. So the responsibility still lies with us. Any email that comes in, whether it’s from a bank or our friends, any email that ends up in your inbox still should be looked at with some scrutiny to determine whether or not that is a valid email. And when you’re going to your bank just type in the domain name yourself, don’t click links in emails, [that] would be my advice.

And in a related story, Bleeping Computer also is reporting that there is a phishing campaign targeting Wells Fargo customers that is baiting customers with calendar invites. So you’ll want to watch out for those as well.

Our next story is about Bitcoin giveaway scams. I see these on Twitter all the time, and I always wonder who falls for these. And apparently some people have. ZDNet is reporting that Elon Musk’s name is being used in vanity Bitcoin addresses, and they have been successful in scamming users out of about $2 million. Not even quite sure why Elon Musk’s name tricks people into falling for these scams, but basically these vanity addresses have Elon Musk’s name in them and they have noticed that about $2 million has been harvested by these attackers. So just to educate our friends, that Bitcoin scams exist and to not fall for them, if there is a Bitcoin giveaway, make sure that you walk the other way. Bitcoin’s like $9,000 at the moment, I’m sure that will change, it’s so volatile, but interesting to see that these vanity addresses are all it takes for people to fall for these scams.

Our next story also from ZDNet, AWS said it mitigated at 2.3 terabyte per second (Tbps) DDOS attack. And this is the largest DDOS attack ever recorded. The previous record for the largest DDOS attack was 1.7 terabytes per second, recorded in March of 2018. So this report doesn’t identify the targeted AWS customer, but it says the attack was carried out using hijacked CLDAP web servers, and caused three days of elevated threat for AWS Shield staff. So connectionless lightweight directory access protocol, it’s an alternative to the older LDAP protocol. It’s used to connect search and modify internet shared directories.

This protocol has been abused for DDOS attack for about four years and CLDAP servers are known to amplify DDOS traffic by 56 to 70 times initial size, so highly sought after protocol for attackers. And this is a common option that is being used by DDOS for hire services. And CloudFlare has reported that 92% of the DDOS attacks that it mitigated in the first quarter of 2020 were under 10 gigabytes per second (gbps). And about half of those were even smaller, under 500 megabytes per second (mbps). So a 2.3 terabytes per second DDOS attack is pretty significant. And it sounds like someone was targeted in this attack. It’ll be interesting to see if we see more of this.

Our next story comes from portswigger.net. They’re reporting that Drupal has patched a couple of critical security flaws. Drupal is a content management system, similar to WordPress. The flaws that were patched first up was a cross site request forgery or a CSRF that was in the form API. It was failing to properly handle certain form input from cross-site requests. The second critical vulnerability was an arbitrary code execution risk. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. And with that directory in place, an attacker could attempt to brute force a remote code execution vulnerability. And Windows servers were most likely to be affected by that. These critical vulnerabilities were resolved in Drupal versions 7.7.2, Drupal 8.8.8, Drupal 8.9.1, and Drupal 9.0.1. There were a few other vulnerabilities patched in these updates, but they were less critical. There are full details on the Drupal site and we’ll have a link for you in the show notes to check that out if you are managing Drupal sites along with your WordPress sites. Definitely important to keep all of your open source software patched and to keep everything safe.

Our final story is about a zero-day flaw in NETGEAR routers that allows for full takeover of dozens of router models. This is coming from ThreatPost and it was published on June 19, 2020. This unpatched vulnerability in this web server of the device firmware gives attackers root privileges, according to researchers. They discovered the zero-day vulnerability that puts 79 device models at risk for a full takeover. So the flaw stems from a memory safety issue that’s present in the firmware’s HTTPD web server. Basically, there’s a web server on your router that allows you to basically browse to that router and configure the settings that you want on a router.

Now, unfortunately, with this flaw, authentication isn’t required to exploit the vulnerability, which means that anyone can exploit it. Authenticated vulnerabilities means that you have to be an authenticated user, you have to be logged in with username, password, or some kind of credentials that logs you into the device. But with this one, you don’t need to be authenticated. Anyone can exploit it.

Now what’s kind of frightening about this is that this security researcher states that they informed NETGEAR of the vulnerability in January, but they’ve still not delivered a patch for affected devices. So this is what typically happens in the security world. Security researchers find a vulnerability, you go to the manufacturer of the device or to the plugin author in many of our cases and you disclose the vulnerability. You provide a proof of concept, show how it works, and then you work with that vendor to ensure that the vulnerability is patched.

So in this case, the researcher was asked by NETGEAR to extend their deadline for public disclosure until the end of June. And the researcher decided not to extend that deadline, it’s been six months, of course. And they discovered the flaw initially in the NETGEAR R7000 routers series, but then they eventually identified 79 different NETGEAR devices and 758 firmware images that include a vulnerable copy of this web server. So what does this mean for you? If you are using one of the affected devices and you should go check out this ThreatPost article to determine whether or not you are using a NETGEAR router with this vulnerability, you’re going to need to watch for a patch. And when that patch is released, you need to make sure your router is patched so that you have all of those security fixes in place.

This is not the first problem with security for NETGEAR. In March, NETGEAR patched a critical remote code execution bug that could allow unauthenticated attackers to take control of wireless AC router Nighthawk, the R7800. So NETGEAR is no stranger to some security issues. It’s really important. You think about patching your computer and making sure that that’s all updated. Obviously you think about your WordPress website and want to ensure that that is updated. But you have to consider every device that’s on your network, including the router that allows you to access the internet, that needs to be patched as well.

So, yeah, not much going on in WordPress security, which is nice, but there’s a lot going on in the security world as a whole. Obviously staying on top of all of these security stories is our beat. And if we think it’s relevant to you, we will cover it. If there’s a story you would like us to cover, we will take that little tip, send it to us at press@wordfence.com and our researchers will get on it. If there’s a story you’d like us to cover in WordPress that is beyond security, we’d love to take a look at that as well.

And join us on the office hours, every Tuesday at noon on the East coast of the United States, 9:00 AM on the West coast. We have a few of us coming from the East coast and a few of us here in Arizona, and we look forward to showing you some secure coding practices coming up next.

We will talk to you soon again on the podcast. Hope if it is after the 4th of July, that you have a safe holiday, if you are here in the United States. And if you are elsewhere, we hope that your summer is peaceful and that things are well for you. Stay safe and we’ll talk to you again on Think Like a Hacker.

Please give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.

The post Episode 78: Targeted Phishing Bypassing Security Checks and a new DDoS Record appeared first on Wordfence.

Pin It on Pinterest