Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE

WordPress 5.7 is due to be released on March 9, and it will allow administrators to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for command and control, while VMware fixes a critical remote code execution bug in all default vCenter installations. Android users now have an easy way to check password security. We talk about the ramifications of vulnerability disclosures and how last year’s File Manager vulnerability did not have long-lasting effects on plugin installation base or growth. We also discuss how investor data breach fatigue has reduced the stock price impact of cybersecurity failures.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:41 Wordfence/Defiant is hiring, and we’re offering a $500 gift card for anyone who refers a successful candidate
2:30 The Wordfence K-12 site cleaning and site audit program continues to help schools around the world
3:00 WordPress 5.7 will allow administrators to send password reset emails
6:20 This botnet is abusing the Bitcoin blockchain to stay in the shadows
9:52 VMware fixes critical RCE bug in all default vCenter installations
11:53 Android users now have an easy way to check password security
14:40 Investor data breach ‘fatigue’ reduces Wall Street punishment for cybersecurity failures

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 106 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is director of marketing, Kathy Zant. Kathy, how are things?

Kathy:
Things are very, very good compared to last week. It’s almost like Texas has somewhat recovered. At least the weather’s recovered. I think people here-

Ram:
Do have power and water now?

Kathy:
I have power. I have water. The skies were blue yesterday. We have ping pong ball sized hail coming, apparently. What is with Texas? I don’t know. It’s interesting, though. Got to keep-

Ram:
Everything is bigger in Texas, even the hail.

Kathy:
Even the hail. It’s a crazy place. Anyway, all is well. And we have some interesting things, some big things happening with Wordfence.

Ram:
I hear we are hiring.

Kathy:
We are hiring. We’re hiring for four specific roles. These are senior roles. So we wanted to sweeten the pot for all of our listeners who are out there listening who… Come on. You guys know someone who’s amazing. Someone who’s looking for-

Ram:
And you like free money, too, right?

Kathy:
And you like free money. So we thought we’d put all of those things together, and we want you to refer someone that you think would be exceptional in one of these roles and that would enjoy the fun, fast-paced environment we have here at Wordfence.

Kathy:
We have a security operations role. We want someone who’s up on the AWS scene. We’re looking for a couple of senior PHP developers and a senior researcher who is very interested in website performance. If you know someone and you refer someone, we will give you a $500 gift card if you refer a successful candidate. And if you think you might be a successful candidate, we would love to talk to you. There are links in the show notes for these job descriptions so you can get the full details about what these jobs entail and the benefits of working here at Defiant. Benefits that even include a week off between Christmas and New Year’s, which is always a nice time. Don’t you love that, Ram?

Ram:
Yeah. Yeah. Honestly, the last few years we’ve been doing it, but they finally made it official policy instead of just a cool thing we decided to do at the last minute.

Kathy:
Yeah, exactly. It’s a nice way to end the year. Just kind of think back over the previous year and plan for the future. Always a good time.

Kathy:
We also have our K-12 school initiative, site cleaning and site audits available for any government or state funded school in the United States, in Canada, in Mexico, anywhere in the world. If you know of a school that could use some security support, send them our way. We are cleaning and auditing those sites for free, and educating the educators. That program is continuing and continues to be a success, so we just wanted to mention it. We would love your referrals. Just send those schools our way.

Kathy:
Now, we saw some interesting stuff coming in WordPress 5.7. Ram, what do you know?

Ram:
WordPress 5.7 is actually fulfilling a sort of long-requested feature to let administrators send password reset links. And this is very cool. I mean, there is some potential for abuse via social engineering, but I mean, if you think about it, an attacker can already request a password reset for a user if they know or can guess the username or email address, so it’s not like attackers can’t send password resets to people anyways.

Kathy:
Sure, sure. Now this feature is rolling out in WordPress 5.7, which is coming up pretty soon. This has been a five-year-old ticket that has been in the Trac system, and it’s going to allow administrators to manually send a password reset link to users instead of having to instruct a user about what to do, how to go about doing it. The administrator can just say, “Okay, let me just send that to you,” rather than trying to explain something to maybe a user who’s just a subscriber or a user who is a student in a learning management system, to basically get that lost password link to them so that they can go ahead and reset that password.

Kathy:
But obviously that send password reset link is going to be in several places, and with anything that’s sending to a user, there’s a potential if that site ever is hacked that that could trigger something that an attacker could use to basically trigger a user to perform some actions.

Ram:
I mean, I’m not really worried about that. WordPress now has fairly strong cross-site request forgery protection. I think, realistically, the only potential problem we could see is that now there’s this expectation that you could get a legitimate password reset email sent by an administrator without asking for it. So, I mean, it’s conceivable that these could be spoofed and used in phishing attacks.

Ram:
You send someone something that looks like a password reset link and say, “Hey, I’m the administrator for your site. It looks like your password might’ve been compromised so I’m sending you this link,” and then get them to fill it in on a phishing site. There are still some caveats with that, where if they log in with their new password and find it doesn’t work, will they then reset it again to the same password? I mean, I could see this being abused. I could see it being fairly difficult to abuse, but there’s always the potential.

Kathy:
Sure. Mostly we just want people to know that this new feature exists, and with any new feature that shows up there’s the potential for it to be used in a unique and never-seen-before way, so just be aware that that feature exists. If a password link shows up in a user’s inbox, that user should definitely look at that if it’s unexpected and investigate further before they go haphazardly clicking links and traversing the internet, right?

Ram:
Yeah. I mean, it’s just like receiving a weird request, like something that could be a spear phishing request in your company email inbox. If you get a request for something that you weren’t expecting from someone, just verify with them via another channel. If you get a password reset link from an admin, maybe you get in touch with them and say, “Hey, did you send this on purpose?”

Kathy:
Exactly. All right, let’s move on. Let’s look at this botnet that we saw abusing Bitcoin blockchains to stay in the shadows. Now, Bitcoin is crazy in the news.

Ram:
Your favorite. That’s your favorite. I know it is.

Kathy:
It’s everywhere. Everybody’s talking about Bitcoin. I mean, when an asset performs in ways that people weren’t expecting or predictable ways, everybody starts talking about it. As soon as cryptocurrency starts increasing in value, we start seeing attackers trying to leverage any technology they can in order to either mine that cryptocurrency, to ransomware people out of cryptocurrency. It just becomes another way that we see attackers trying to monetize attacks, right?

Ram:
Yeah.

Kathy:
What are we seeing with this one?

Ram:
Okay, so one of the things about the blockchain is that effectively, it’s an immutable record of things that have happened. This is actually kind of interesting. The botnet that was using it was actually the Skidmap malware, which is actually used for mining other cryptocurrency. In this case, Monero, which is popular amongst threat actors, because it’s untraceable or at least it’s really hard to trace. And by the way, these guys aren’t actually doing a great job. Apparently, they’ve mined like $30,000 in Monero, which is not really a lot considering.

Kathy:
Yeah, come on.

Ram:
Anyways, it looks like what they were doing is the malware that was looking for C2 instructions … So here’s the thing about command and control systems, it’s that they’re really easy to disrupt. If your malware is asking for new instructions from so-and-so domain or so-and-so IP, then it’s fairly easy for the hosting provider or the domain registrar to take those down at the request of governments or security researchers once they figure out there’s something malicious happening there.

Ram:
So, a lot of malware that relies on this command and control infrastructure needs a way to figure out, okay, where should I ask for instructions next, because my current instruction feed has gone down?

Ram:
What they did was they basically added an algorithm that looks at a particular Bitcoin wallet and checks how much had been sent to it, and it used that number in satoshis, which are, I forget if it’s a hundred thousandth of a Bitcoin, but very small amounts of money. It uses that number and basically breaks it up and parses it into an IP address, and that IP address is the IP address of the next server they should check.

Kathy:
That’s crazy.

Ram:
Yeah. Since it’s pretty much immutable, you can’t really shut it down, but what you can do is you can send money to that and mess up the IP address.

Kathy:
Hack the hackers.

Ram:
Pretty much. And that’s cheaper than fixing the IP address back to where it was, but the attacker probably controls that wallet. Giving them money seems like a not great way to get them to stop, especially if they can just give themselves more money to undo what you just did.

Ram:
I think we’ll be seeing a lot more of this in the future, just because it’s a novel command and control method. We’ve seen this in Twitter feeds. We’ve seen this in Instagram feeds. We’ve seen all sorts of C2 methodology happen in the past few years that’s just kind of wild.

Kathy:
Yeah, interesting, because whatever is written into the blockchain, it’s there. It’s not something that can be erased or undone, it’s just there. This’ll be interesting to watch and see how other people are using blockchain technologies in novel ways to, I don’t know, be stinkers on the internet, I guess.

Ram:
Pretty much.

Kathy:
Yeah.

Ram:
Speaking of stinkers on the internet, it turns out there was a VMware bug, a critical remote code execution bug in all default vCenter installations. So, vCenter Server is basically a central management solution for virtual machine hosts.

Kathy:
Okay. So kind of like ManageWP would be for WordPress, this is for a centralized server for VM hosts, right?

Ram:
Kind of, yeah. Yeah. Basically, it manages all the virtual machines in an organization’s network that they’ve set it up to actually use virtual machines. Anyways, the vSphere client, basically it had a remote code execution vulnerability. It was in one of the vCenter Server plug-ins related to something called vRealize Operations, but the thing is it was vulnerable even if you weren’t using that particular plugin.

Ram:
An attacker with network access to port 443, which is just the standard SSL port or TLS port, could exploit the issue to execute commands with unrestricted privileges on the underlying operating system that hosted the server, which would probably give them control of all the VMs it was managing, too. Which, for some organizations, would be all of their servers. Apparently, they’ve already seen this being attacked in the wild in several thousand vulnerable servers exposed on the internet. So yeah, I feel bad for those organizations. If your organization is running this, then please update.

Kathy:
Yikes. That just sent chills down my spine. Very, very frightening. So definitely update if you have anything going on with VMware and vCenter Server. Scary.

Ram:
If you’re managing multiple VM hosts using vCenter server, then this is definitely something to be aware of. If you’re just on a desktop or running VMware to run a virtual machine, you’re probably okay. I mean, you’re definitely okay, but yeah.

Kathy:
Wow. Well, it looks like Android users now have an easy way to check password security. What’s going on with this?

Ram:
I don’t know if you’ve heard of Have I Been Pwned-

Kathy:
I have.

Ram:
Which is an online service that you can use to see if your password has been exposed in any data breaches. Which is a really good thing to do, because so many data breaches are the result of passwords exposed in other data breaches, that it’s just not even funny anymore. So yeah, use a password manager with unique passwords for each service you use, please.

Ram:
Anyways, this works really similar to Have I Been Pwned. It basically uses cryptography to ensure that the password checking service never gets your password that you’re checking. Not even just the hash of the password that you’re checking. Which, if you want to know more about password hashes you can listen to our previous podcast and our Wordfence Live show on encryption.

Ram:
Anyways, basically what it does is the phone or device sends the first part of the hash of a password to the service, and the service sends back an encrypted set of breached hashes and it compares them without either side ever knowing the full hash you’re checking or the full hash of the breached passwords. It’s pretty cool. If you can turn it on, please do, because that way it’ll let you know if you’re using a password that’s been breached in any of your Android apps. And most of them, if you’re not signing in directly with Google or Facebook OAuth, you probably have an account set up with a password that you’ve probably used somewhere else, too.

Ram:
I remember I got breached in the GrubHub breach a while back because I was reusing a password for that, so this is kind of important.

Kathy:
Very important. So this is resident within all Android phones.

Ram:
If you’re up-to-date, yeah.

Kathy:
It’s a project by Google. Let this be a reminder to you that you should be using a password manager. Most of the major password managers, they have both a desktop as well as a phone, iOS or Android version, and these tools always kind of have ways of letting you know that you are using passwords in multiple places, password checkup types of features. Always good to have this running in your apps, as well, just across the board. You can’t just have the one password anymore.

Kathy:
Hey, do you want to hear the worst story? One of the first companies I ever worked at in the networking department, and one of our server passwords was Flowbee.

Ram:
Oh gosh. It sucks, and it cuts.

Kathy:
It sucks and it cuts. That should have not been a password, but back in the day you could reuse passwords and do dumb, funny things like that. No longer.

Ram:
No longer.

Kathy:
Yeah. So, let’s talk a little bit about this article you found, Ram, about data breach fatigue. What does that mean, and what does it mean for … I mean, you and Chloe and our threat intel team are constantly finding vulnerabilities and working with plugin developers, theme developers, anybody in the WordPress space, helping them to patch their code and to write more secure code. But then, of course, there comes a point once that’s patched and once firewall rules and updating has occurred, you have to publish details about what you found for educational purposes, for keeping your certifications up. And a lot of, I think, plugin developers and whatnot, is it painful for them when you guys are publishing?

Ram:
We have heard some concerns expressed that publishing the vulnerability will reduce the plugin’s market share. And, you know what? We have seen that happen in the very short term, but they almost always recover. Even the File Manager vulnerability, the one last year-

Kathy:
Yeah, that was a bad one.

Ram:
That was really bad. That was hugely impactful. That was almost a worst case scenario in everything except how they handled it. They handled it pretty quickly, but it was already a zero-day. It was already being exploited by the time it got found out and it had a lot of installations and there were a lot of sites impacted by it. Our site cleaning team is still cleaning sites that were impacted by that and didn’t have Wordfence at the time.

Ram:
So, yeah, it was a huge thing. And you know what? Their install growth dropped. It went negative for about a month and a half, and then it came back. The growth is not back to where it was, but the install count is right where it was, and growth is still positive and growth went positive again about a month and a half after it got disclosed. So, yeah, if you’re worried about the impact of vulnerability in your plugin, don’t be. It’s much better to fix it than to have people impacted and to not fix it.

Kathy:
Right. Well, there’ve been some major … I mean, Target. When was that? 2013 when Target had all of their point-of-sale cash registers basically compromised and credit card data was compromised. I didn’t stop shopping at Target, and Target’s recovered quite well. It didn’t ruin them completely, right?

Ram:
Yeah. IBM’s done some research on the cost of a data breach report, and I mean, yeah. This is outside of the WordPress plugin ecosystem, mind you, so this is a completely different context. If you’re talking how much a database breach costs a large company, enterprise sector can expect an average bill of like $3.8 million, and some of them can rise up to like $392 million to actually remedy the breach.

Ram:
But they did a study on the stock prices of companies that disclosed breaches, and back in, say 2013, there was a massive impact, but even in 2019 stock prices would drop by like maybe 7% after a data breach was disclosed. Now, it only drops by like three and a half percent. So people are getting used to data breaches just kind of happening as a cost of doing business. That doesn’t mean they shouldn’t be addressed, because they absolutely should. If they’re not addressed, then that leads to much more severe long-term consequences.

Ram:
It only took like 100 days for prices to recover, apparently, according to this research, and general performance was only slightly poorer in the six months after a breach. So, breaches happen. Address them, fix them, take precautionary measures if you can, but the response is really one of the big things that matters.

Kathy:
Right. Well software, to me, and I think to all of us, is about trust, right? Your WordPress site, you are trusting that a plugin developer has done a good job creating not only the functionality, but the security of that code and you trust it so you install it on your site. Trust comes in a lot of different ways, right? So if you have a vulnerability and you patch it and you don’t disclose that you’re patching it, or you don’t disclose what’s happening in the next version of a site, or you don’t disclose that something might have gone wrong, that destroys trust. That secretism … That’s not the right-

Ram:
Secrecy.

Kathy:
Secrecy, that’s the word.

Ram:
Trying to hide stuff, being sneaky and shady, and “No one will ever know that I was breached.” Yeah, that’s also … In a lot of cases, the law requires you to disclose a breach. If you don’t actually take appropriate action, that’s when you run into trouble. I mean, it’s still expensive. Transparency is good.

Kathy:
Transparency is the best. So when you’re evaluating a plugin to put on your site, that’s a factor that goes into, “Am I going to install this on my site? Do I trust this developer?” You go look at their change log, and if they’ve had a celebrity bug known as a vulnerability … Mark likes to call them celebrity bugs. If they’ve had it, how did they handle it? Did they disclose that in their change log? How was it fixed? How did they work with security researchers that may have disclosed it with them? If there was a zero-day in the past, how did they handle it? You make your evaluations of whether or not you trust someone based on how their past performance has been when they’ve had to deal with anything. Celebrity bugs, functional problems? That transparency really says a lot about a plugin developer. So it’s, I think, a factor when you’re evaluating a plugin.

Ram:
It really does. If you see in someone’s change log, at least look for security issue fixed. If the change log has never fixed a security issue, then I don’t know if I would trust a plugin that’s been around for a while and never fixed a security issue.

Kathy:
Right. Everybody has celebrity bugs at one point or another, don’t they?

Ram:
Pretty much, yeah.

Kathy:
So it’s just how do you handle those issues and how do you communicate about them, which is critically important. To all of the security researchers out there, and to all of the plugin and theme developers who we work with, we’re just really excited when we see plugin developers who have a security policy on their site. Makes it very easy for us to contact you. That you work with us, share information freely so that we can help you get things fixed quickly. Proof of concepts, all of that fun stuff is incredibly important in this disclosure process.

Ram:
Yeah. If you have a security contact, that means that we can send you the full disclosure right away instead of having to go through your support department and having to wait 24 to 72 hours for them to get back to us and say, “Okay, yeah. This is totally the right place to send security issues,” or, “No, here’s who you should send it to.” So that could save you one to three days in fixing something.

Kathy:
Right. And the faster you get it fixed, the faster and better it is for your customers. That’s all I’ve got, Ram. How about you?

Ram:
That’s all I’ve got. It was great chatting with you again, Kathy, and I will see you next week.

Kathy:
See you next week. Thanks, Ram.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE appeared first on Wordfence.

SQL Triggers in Website Backdoors

Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin level user into the infected database whenever the trigger condition is met.

What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables — for example, wp_users, wp_options, and wp_posts.

Continue reading SQL Triggers in Website Backdoors at Sucuri Blog.
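An added check for the trigger-based backdoor described above, not taken from the Sucuri post: it lists every trigger in the WordPress database and shows the body of any whose action touches the user tables, which is where an injected admin-user insert would live. It assumes MySQL or MariaDB, that you have already selected the site's database, and the default wp_ table prefix.

```sql
-- Added example, not from the Sucuri post. Assumes MySQL/MariaDB, that
-- USE <site_db> has been run, and the default "wp_" table prefix; adjust
-- the prefix to match your wp-config.php if it differs.

-- 1. List every trigger in the current database. A stock WordPress install
--    defines no triggers at all, so any row here deserves a look.
SELECT TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_TIMING
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = DATABASE();

-- 2. Show the full body of triggers that reference the user tables or the
--    capabilities meta key, the pattern used to plant an admin-level user.
SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = DATABASE()
  AND (ACTION_STATEMENT LIKE '%wp_users%'
       OR ACTION_STATEMENT LIKE '%wp_usermeta%'
       OR ACTION_STATEMENT LIKE '%wp_capabilities%');

-- 3. After reviewing a flagged trigger, remove it by name (placeholder name
--    below), then look for administrator accounts you did not create, since
--    the trigger may already have fired.
-- DROP TRIGGER IF EXISTS `suspicious_trigger_name`;
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
```

Because cleanup guides rarely mention triggers, re-run step 1 after any file-level cleanup; a surviving trigger will recreate the rogue account the next time its event fires.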

Episode 105: The Hottest Trend in WordPress

An analysis of WordPress-related search trends found that interest in WooCommerce-related results dominated during 2020. We discuss recent vulnerabilities discovered by our threat intelligence team in Ninja Forms, affecting over 1 million sites. WordPress issues a statement that pirated themes and plugins are prohibited on the repository. And a supply chain attack affects users of the once-legitimate Barcode Scanner Android app. We also discuss some career opportunities on the Wordfence team.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:31 Wordfence is hiring for numerous roles, including PHP development, and Security/Operations
1:50 Our K-12 site audit and site cleaning program continues
2:30 Our threat intelligence team discovered numerous vulnerabilities in Ninja Forms
6:25 WordPress issues a statement about pirated themes and plugins on repositories
10:00 WordPress search terms for 2020
13:51 Supply chain attack on Android Barcode Scanner app, reminiscent of Mason Soiza supply chain attacks.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 105 Transcript

Ram Gall:
Hello, and welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I’m Ram Gall, Threat Analyst at Wordfence. And with me is Director of Marketing, Kathy Zant. Hey Kathy, how are things, other than very cold?

Kathy Zant:
It’s cold. I haven’t really talked a lot about my move to Texas, but I think I might need some therapy after moving to Texas and then having this historic storm basically cripple the entire state. It has been interesting times, but there’s some interesting times in WordPress security, so let’s just jump right into it. Hey, I hear we are hiring.

Ram:
That we are. We are hiring for a SecOps role. So if your OpSec is good and you’re good at Sec and Ops, please apply. Also, we’re hiring a senior PHP Dev.

Kathy:
All right. I was going to ask you to explain. Usually I’m asking you to explain things, but if you don’t know what SecOps is, it’s probably not the role for you. But if you do know what it is, we’d love to talk to you. This job comes with a number of challenges and interesting fun things to play with, as well as a great team, an amazing team, and you would be contributing to helping us to secure 4 million plus WordPress sites. So it’s a very rewarding position, as is the senior PHP role, we’ve got a lot of things going on, don’t we?

Ram:
We do. Securing our infrastructure and taking part in our operations is something that we are hoping to get some cool people for.

Kathy:
Yeah, definitely. And do you get a percussion instrument as part of your welcome package?

Ram:
You do. I got a gong, but I mean, if you want a bell or some chimes. We could maybe swing a xylophone, if depending on… I don’t know. You’d have to check with…

Kathy:
Check with HR. HR handles percussion around here.

Ram:
Yeah, it’s true.

Kathy:
We definitely have a lot of fun. We also have another initiative we want to just bring to your attention, and this is our K-12 site cleaning and site audit initiative. If you are, or you know of, a K through 12, meaning kids, school that is using WordPress, that it may need some security auditing, may have a security concern that needs a site cleaning, we will do it at no charge. Part of our initiative to educate the educators on security, and our way of giving back to schools that are using WordPress. So we will have a link to that in the show notes, but just wanted to mention that. That if you know of a school, please forward that on to them.

Kathy:
And it looks like Chloe found some severe vulnerabilities in Ninja Forms. Ram, what did she find?

Ram:
Okay. Well, first of all, Ninja Forms is installed on over 1 million WordPress sites.

Kathy:
1 million. Oh, that sounds…

Ram:
1 million. They’re actually pretty cool people, we love them. They have an actual security policy and an email address to email disclosures to, so they usually get on problems real quick. We found issues with their plugin in the past, and they’re just very helpful, they get stuff fixed quickly. They have a great response.

Ram:
Anyways, Chloe found four vulnerabilities. So two of them we kind of have to use together. One of them was basically a flaw that let attackers redirect site administrators to arbitrary locations. So you could send a link to an administrator that looks like it’s going to their own website, but it’ll really redirect them to like maliciousdomain.com. And I mean, that’s one of the reasons you don’t click on random links in email, but there are several others.

Ram:
So the second one, this was really interesting. It made it possible for anyone with an account on the site, like a subscriber or a shopper or a customer, to install a plugin, a specific plugin that could be used to intercept all mail traffic. But this is where the third flaw comes in is that, basically, if an attacker installed that plugin and actually set it up, which they could do, they could retrieve the OAuth connection key and basically establish a connection with the Ninja Forms central management dashboard for the attacker’s account.

Kathy:
Oh wow.

Ram:
And that’s where they could actually read mail traffic coming from the site, which if you reset the password for an admin user, then you can just intercept the email and go, “Oh hey, I can click this link and reset this admin’s password to whatever I want it to be. Muahahahaha.” So yeah. I never would have considered that particular attack vector, but Chloe found a way to make it work, so I’m super impressed.

Kathy:
Wow. That’s pretty amazing. So the attacker would have to have an account with Ninja Forms in order to exploit that, so probably not a lot of attackers would be doing that.

Ram:
I mean, even the trial costs like a dollar I think, so this is something that would be reserved for high-value targets. But at the same time, it’s the sort of thing that if there’s a site that you’re specifically targeting, an attacker that’s motivated enough might find that extremely attractive to be able to read all the mail sent from that site.

Kathy:
And honestly, my site is a high-value target — to me — if it’s being attacked.

Ram:
Yes, it is, Kathy.

Kathy:
I’m putting myself in the shoes of an average site owner who maybe is doing something with WooCommerce and has a number of orders coming in. And that is a very high-value target to them if their site is compromised with something like that. Value is obviously in the eye of the valuer. If that’s even a saying.

Ram:
Yeah, there’s definitely some sites that would be worth it to an attacker to target like this. So we’re very glad that they patched it. We also have firewall rules protecting our users, of course. And there was a final flaw, where attackers could trick an administrator into clicking a link and disconnecting their own connection to Ninja Forms if they had that set up. That’s typically not going to be quite as big of a deal, mostly just a nuisance, unless of course the attacker needed to set this up in the first place and couldn’t because it was already connected.

Kathy:
So this was fully patched in version 3.4.34.1. We have firewall rules and it looks like premium customers are protected. And by the time you hear this podcast, free customers of Wordfence will be protected as well, but you should still always update your plugins.

Ram:
Update. Always update your plugins, please.

Kathy:
Definitely. All right. Looks like Search Engine Journal had an interesting story about pirated themes and plugins on the official WordPress site. That looks pretty interesting. I wouldn’t imagine that there would be pirated themes and plugins on WordPress.org, but there’s a repo of many themes and over 50,000 plugins. And so, if you are an attacker or someone who is trying to get something out to many people, you might want to pirate a theme and put some malware in it or something.

Ram:
I mean, you might. And we did do some research earlier this year about how malware from nulled pirated themes and plugins was one of the biggest threats facing WordPress. In this case, it looks like the main issue is that people were basically taking premium plugins and themes and just reposting the code verbatim onto the free repository without any changes, according to what they’re claiming. Which is basically taking credit for someone else’s work. All WordPress plugins, at least all plugins on the repo, are licensed under the GPL because they’re derivative works. So WordPress is not opposed to people reusing each other’s code if they’re making something new out of it. But this was literally just basically plagiarism. And the fact that WordPress is very much big on free software, if they’re saying it’s a problem, then it’s actually a problem.

Kathy:
Gotcha. So somebody is buying something from CodeCanyon perhaps, and then repurposing that as their own and putting it on the repo?

Ram:
Yeah. Yeah. It sounds like that is what is happening. Wouldn’t be super surprised if they’re maybe not also adding a few little extra bits of code or if they might be planning on doing that at some point in the future. We do know that WordPress does examine plugins when they’re first added, but then updates might not be monitored as widely. It’s possible that this may have been a strategy to rack up a fairly high install count and then maybe insert some sort of supply chain malware.

Kathy:
Yeah. Otherwise, I don’t really understand what the motivation is of somebody spending money to buy somebody else’s plugin off of CodeCanyon and then putting it on the repo. There has to be some other kind of motive for them to do that beyond just putting it on the repo.

Ram:
One can assume that there’s likely some sort of monetary motive, but there’s so many paths that could take. Could be someone making a competing premium plugin, trying to devalue their competitor’s plugin, who knows.

Kathy:
Sure, sure. Well, WordPress is now powering over 40% of the web. It is a huge behemoth of a community, a behemoth of a content management system. It is a target for all sorts of things, including this very odd thing.

Ram:
I just like saying behemoth.

Kathy:
It is a fun word, that and plethora, right?

Ram:
Yes.

Kathy:
So I mean, we’re going to see things like this, and it’s really great to see that the .org team is issuing a statement that they are aware that this is happening and that they’re going to ensure that if it is someone else’s code with some kind of copyright, or even if it’s GPL and it’s someone else’s code, that they’re taking a stance that this is unacceptable.

Ram:
Even if your code is allowed to be copied for derivative works, that doesn’t necessarily mean that the pictures or advertising copy is something that isn’t copyrighted. The code might be duplicable, but the person who made the original plugin still owns the pictures and the other creative work.

Kathy:
Right. Okay. Well, this’ll be interesting to watch to see what happens there. And so, I found some interesting statistics. This came from the MasterWP weekly newsletter, which is a fascinating newsletter, we’ll have a link to it in our show notes. But they were not only talking about WordPress’ market share, but they started looking at search terms and search trends for WordPress over the last year. WordPress keywords increased by 14%, plugin keywords increased 17.8%, themes only 8.7%. But guess what was 44.3%, Ram?

Ram:
I don’t know.

Kathy:
You do too know, you’re looking at the same thing I’m looking at. I was going to give the big bang to you.

Ram:
Okay, okay, okay. It’s WooCommerce. Yes, I know.

Kathy:
It’s WooCommerce. Commerce on WordPress increased 44.3%. So this is WordPress, WooCommerce, and looking for specific things for WooCommerce, but it basically is showing us that there is… Well, obviously, WordPress is a content management system. It started as a blogging platform, but now there’s over 50,000 plugins that you can plug into it. You can create a membership site, you can create newsletters, you can create a learning management system. There are tons of things you can do with WordPress, but the thing people are doing, I think, the most with WordPress looks like WooCommerce. At least that’s what the search traffic is showing us. WooCommerce and WordPress seems to be a growing use case, which means, I would assume, that security and WooCommerce… If you’re taking credit card transactions, security in WooCommerce is a huge thing as well. So for those of us in the WordPress space, I find this to be interesting.

Ram:
It makes sense to me. I think a lot of people are starting to open up online stores for side gigs these days.

Kathy:
Yeah.

Ram:
And I mean, don’t get me wrong, WooCommerce isn’t easy to use, but if you’ve tried any of the other free open source e-commerce alternatives, it’s still significantly easier than, say, Magento or any of the Joomla or Drupal add-ons that you might be able to use. The only easier alternatives are pay to play.

Kathy:
Right, right. Like Shopify is so huge. I mean, obviously, they are the e-commerce hosted solution, but you can also publish blog posts. And there are people in the Shopify world who are like, “Oh, I’m going to use this as my content management system.” But as far as getting started, open source, getting your storefront up, WordPress and WooCommerce is the easiest way to go. So some more statistics: 6,500 searches per month looking for a membership solution, 4,300 a month want to use their store for drop shipping, 3,100 a month want a point of sale solution for using WooCommerce in a physical shop, which I thought was interesting as well.

Ram:
That’s a very peculiar and weird thing considering, I mean, a lot of people are just using Square, which incidentally is one of the default payment gateways for WooCommerce.

Kathy:
Sure. Sure. Well, I mean, if you’re really thinking forward as a shop owner and you’re using just your payment processor, trying to actually take those customers and then mail to them would be many steps that you would have to go through in order to do that. But if you’re using WooCommerce, all of your customers are right there. You can use another plugin and then access those customers for a mailing perhaps, those types of things. So either way, it’s interesting to see that so many people are using WordPress for WooCommerce.

Ram:
It is. I’m going to digress at this point and cover our next item. And it’s something that we’ve actually talked about before in the podcast and also in articles, but there’s a new supply chain attack. So the barcode scanner app for Android, which I think many of you may have downloaded. I know that at some point in the past I actually downloaded it and removed it because I don’t actually need a barcode scanner very often. But it’s the thing you use to scan the little QR codes with your phone. Anyways, it was a legitimate app, and then a company called Lavabird, basically, as I understand it they were acting as a middleman and they purchased the app and they were going to sell it to a new buyer. And apparently, this new buyer added some adware code to the app.

Ram:
So we’ve actually seen this dynamic happen before in WordPress. Where a man named Mason Soiza bought a number of plugins and added malicious spam, SEO spam, advertising code to those plugins. This is something that happens, attackers will actually spend money to buy a popular app or a popular plugin and inject malware into it, because that way you already have a user base. I think that that’s actually going to be a weird side effect of WordPress automatic updates becoming more of a thing, a sort of unanticipated knock-on effect. Is that with automatic updates being more likely to happen, I think that’s going to make WordPress plugins a more attractive target, because if you can buy a plugin that already has a lot of users, you’re more likely to get the malicious code distributed to more of them if they have automatic updates turned on.

Kathy:
Yeah. Interesting. So the software you trust today might not be the software that’s trustworthy in the future, huh?

Ram:
Exactly.

Kathy:
Yeah. Interesting. Okay. Well, we still have our recommendations. I don’t think they’re changing much about automatic updates and that…

Ram:
We do think you should still manually update your plugins all the time.

Kathy:
If you can. I mean, if you’re just sitting there and letting your site be and you’re only using trusted software from organizations that have a long history of maintaining their code, you’re good. Turn those automatic updates on. But if your plugin author is named Mason, Mason Soiza, maybe… No, I think Mason is banned, banned forever.

Ram:
From WordPress at least.

Kathy:
From WordPress, yes. Anyway, so definitely interesting story there about that Android app. Supply chain attacks seem to be the hot rage after SolarWinds these days, huh?

Ram:
I mean, they’ve been going on for a while now. It’s just that all of a sudden everyone is aware that there are a bunch of ways to do this, and that some of them can be very profitable for threat actors.

Kathy:
Yeah, definitely. Well, that’s why you have security teams like Wordfence behind your site. We keep an eye on all of these things and bring you the news wherever and whenever we can. And if you want to join that team, go to the show notes and click on that employment link. We’d love to hear from you. And until next week, if you want any more news, just follow us on our social media. Come join us on Wordfence Live, we had such a fun time the other day. We talked about Wordfence Central and teams and, what else?

Ram:
Chloe demoed a lot of Wordfence Central stuff. It was pretty cool.

Kathy:
Wasn’t it cool?

Ram:
Yeah, showed how to apply templates to stuff and set event notifications. I mean, if you’ve got a bunch of sites that you’re managing, it’s super useful to be aware and to be made aware when something weird happens. You can configure it to send you an alert when an administrator logs in to one of your sites. And that way if you get that alert and it’s not you, then you know something’s weird.

Kathy:
Definitely. So that link to that Wordfence Live episode will be in the show notes as well. Definitely worth watching, and there’s timestamps and chapter links in that YouTube video, so you can jump around and get the overviews that you need. Thanks for joining me again, Ram, and I will talk to you next week.

Ram:
Yep. I will see you all next week or talk to you next week at least. Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 105: The Hottest Trend in WordPress appeared first on Wordfence.

One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms

On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations. The second flaw made it possible for attackers with subscriber level access or above to install a plugin that could be used to intercept all mail traffic. The third flaw made it possible for attackers with subscriber level access to retrieve the Ninja Forms OAuth Connection Key that could be used to establish a connection with the Ninja Forms central management dashboard. The final flaw made it possible for attackers to disconnect a site’s OAuth Connection if they could trick a site’s administrator into performing an action. These flaws could be used to take over a WordPress site and redirect site owners to malicious sites.

We initially reached out to Saturday Drive, the plugin’s parent company, on January 20, 2021 through their responsible disclosure email contact and provided the full disclosure details at the time of reporting. Just a few days later, on January 25, 2021, Ninja Forms released a patch for 3 out of the 4 vulnerabilities. We followed up to let them know that one of the vulnerabilities was still present. They released a final patch on February 8, 2021.

We consider these to be severe vulnerabilities that could ultimately lead to complete site takeover. We therefore highly recommend updating to the fully patched version, 3.4.34.1, immediately.

Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on January 20, 2021. Sites still using the free version of Wordfence will receive the same protection on February 19, 2021.


Description: Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
Affected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Affected Versions: <= 3.4.33
CVE ID: Pending.
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 3.4.34

Ninja Forms is one of the most popular intuitive form creation plugins in the WordPress plugin repository. It provides users with the ability to create forms using drag and drop capabilities, making the design process much simpler for WordPress users.

As part of the plugin’s functionality, it offers the ability to install “Add-Ons,” some of which offer services. One of these services is SendWP, an email delivery and logging service intended to make mail handling with WordPress simpler. From the Ninja Forms plugin’s Add-On dashboard, the service can be set up with just a few clicks. In order to provide this functionality, the plugin registers the AJAX action wp_ajax_ninja_forms_sendwp_remote_install.

 add_action( 'wp_ajax_ninja_forms_sendwp_remote_install', 'wp_ajax_ninja_forms_sendwp_remote_install_handler' );

This AJAX action is tied to the function wp_ajax_ninja_forms_sendwp_remote_install_handler, that checks to see if the SendWP plugin is installed and activated. If the plugin is not currently installed, then it performs the installation and activation of the SendWP plugin.

 function wp_ajax_ninja_forms_sendwp_remote_install_handler () {

    $all_plugins = get_plugins();
    $is_sendwp_installed = false;
    foreach(get_plugins() as $path => $details ) {
        if(false === strpos($path, '/sendwp.php')) continue;
        $is_sendwp_installed = true;
        activate_plugin( $path );
        break;
    }

    if( ! $is_sendwp_installed ) {

        $plugin_slug = 'sendwp';

        include_once ABSPATH . 'wp-admin/includes/plugin-install.php';
        include_once ABSPATH . 'wp-admin/includes/file.php';
        include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
        
        /*
        * Use the WordPress Plugins API to get the plugin download link.
        */
        $api = plugins_api( 'plugin_information', array(
            'slug' => $plugin_slug,
        ) );
        if ( is_wp_error( $api ) ) {
            ob_end_clean();
            echo json_encode( array( 'error' => $api->get_error_message(), 'debug' => $api ) );
            exit;
        }
        
        /*
        * Use the AJAX Upgrader skin to quietly install the plugin.
        */
        $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
        $install = $upgrader->install( $api->download_link );
        if ( is_wp_error( $install ) ) {
            ob_end_clean();
            echo json_encode( array( 'error' => $install->get_error_message(), 'debug' => $api ) );
            exit;
        }
        
        /*
        * Activate the plugin based on the results of the upgrader.
        * @NOTE Assume this works, if the download works - otherwise there is a false positive if the plugin is already installed.
        */
        $activated = activate_plugin( $upgrader->plugin_info() );

Once the plugin has been installed successfully, the function will return the registration url, along with the client_name, client_secret, register_url, and client_url. This is used to show users the sign-up page and easily connect their WordPress instance with SendWP.

     echo json_encode( array(
         'partner_id' => 16,
         'register_url' => esc_url(sendwp_get_server_url() . '_/signup'),
         'client_name' => esc_attr( sendwp_get_client_name() ),
         'client_secret' => esc_attr( sendwp_get_client_secret() ),
         'client_redirect' => esc_url(sendwp_get_client_redirect()),
         'client_url' => esc_url( sendwp_get_client_url() ),
     ) );
     exit;

Unfortunately, this AJAX action did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the client_secret key needed to establish the SendWP connection.
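The two missing controls are a nonce check and a capability check. The following is an added example, not code from Ninja Forms or Wordfence, showing how the remote-install handler looks with both in place. The `example_` action, function and nonce names are assumptions; the `sendwp_*` helpers are the ones the original handler calls, and the WordPress APIs used (`check_ajax_referer`, `current_user_can`, `plugins_api`, `Plugin_Upgrader`, `wp_send_json_*`) exist as written.

```php
<?php
/*
 * Added example, not Ninja Forms or Wordfence code: a hardened version of the
 * SendWP remote-install handler. Names prefixed "example_" are assumptions.
 */

add_action( 'wp_ajax_example_sendwp_remote_install', 'example_sendwp_remote_install_handler' );

function example_sendwp_remote_install_handler() {
    // CSRF protection: the request must carry a nonce minted for this action
    // (for example via wp_create_nonce( 'example_sendwp_install' ) on the
    // add-on dashboard). check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_sendwp_install', 'nonce' );

    // Authorization: the vulnerable handler had no capability check, so any
    // logged-in user could install the plugin and read the client_secret.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    include_once ABSPATH . 'wp-admin/includes/plugin.php';
    include_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    include_once ABSPATH . 'wp-admin/includes/file.php';
    include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $installed = false;
    foreach ( get_plugins() as $path => $details ) {
        if ( false === strpos( $path, '/sendwp.php' ) ) {
            continue;
        }
        $installed = true;
        $result    = activate_plugin( $path );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( array( 'message' => $result->get_error_message() ) );
        }
        break;
    }

    if ( ! $installed ) {
        $api = plugins_api( 'plugin_information', array( 'slug' => 'sendwp' ) );
        if ( is_wp_error( $api ) ) {
            // Return only the message: the original echoed the whole API object as 'debug'.
            wp_send_json_error( array( 'message' => $api->get_error_message() ) );
        }

        $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
        $install  = $upgrader->install( $api->download_link );
        // install() returns true, false or a WP_Error; anything but true is a failure.
        if ( true !== $install ) {
            $message = is_wp_error( $install ) ? $install->get_error_message() : 'Installation failed.';
            wp_send_json_error( array( 'message' => $message ) );
        }

        $result = activate_plugin( $upgrader->plugin_info() );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( array( 'message' => $result->get_error_message() ) );
        }
    }

    // With the checks above, only a user allowed to install plugins, acting from
    // the dashboard, ever receives the connection details.
    wp_send_json_success( array(
        'partner_id'      => 16,
        'register_url'    => esc_url_raw( sendwp_get_server_url() . '_/signup' ),
        'client_name'     => sendwp_get_client_name(),
        'client_secret'   => sendwp_get_client_secret(),
        'client_redirect' => esc_url_raw( sendwp_get_client_redirect() ),
        'client_url'      => esc_url_raw( sendwp_get_client_url() ),
    ) );
}
```

The ordering matters: the nonce check runs first so that a forged cross-site request is rejected before any privileged code path, and the capability check uses `install_plugins` rather than a generic admin test because that is the precise privilege the handler exercises.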

How could this affect my WordPress site?
Due to the fact that the client_secret key is returned with the AJAX request, attackers with low-level access to a vulnerable WordPress site could establish a SendWP connection with their own SendWP account, thus making sites with open registration particularly vulnerable. Once that connection is established, all mail from the WordPress site would be routed through and logged in the attacker’s SendWP account. At that point they can monitor all data emailed, which could range from user Personally Identifiable Information (PII) from form submissions to reports generated on your site.

Further, an attacker could trigger a password reset for an administrative user account if they could discover the username for that account. The password reset email with the password reset link would get logged in the attacker’s SendWP account, which they could then use to reset an administrator’s password and gain administrative access to a site. This could ultimately lead to remote code execution and site takeover by modifying theme/plugin files or uploading a malicious theme/plugin.

The SendWP service does cost $9 a month per site, with a $1 14-day trial. As such, it is less likely to be widely exploited. However, it would be a very valuable entry point for attackers seeking to compromise high-value targets.


Description: Authenticated OAuth Connection Key Disclosure
Affected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Affected Versions: <= 3.4.34
CVE ID: Pending.
CVSS Score: 7.7 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Fully Patched Version: 3.4.34.1

Another feature of Ninja Forms is the ability to connect to the Ninja Forms “Add-on Manager” service, a centralized dashboard that allows you to manage all purchased Ninja Forms Add-Ons and provision them to a WordPress site remotely. Just like with the SendWP service, it can be set up with just a few clicks from the Ninja Forms plugin’s Add-On dashboard. In order to provide this functionality, the plugin registers the AJAX action wp_ajax_nf_oauth, which is used to retrieve the connection URL that contains the information necessary, like the client_secret, to establish an OAuth connection with the Ninja Forms Add-On Management portal.

 public function setup() {
   add_action( 'wp_ajax_nf_oauth', function(){
     wp_die( json_encode( [
       'data' => [
         'connected' => ( $this->client_id ),
         'connect_url' => self::connect_url(),
       ]
     ] ) );
   });
 }

Unfortunately, there was no capability check on this function. Low-level users, such as subscribers, were able to trigger the action and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection.

This meant that attackers could potentially establish an OAuth Connection for a vulnerable WordPress site with their own account. However, there would be some social engineering involved as the attacker would need to trick the site administrator into clicking a link to update the client_id in the database with the nf_oauth_connect AJAX action for the connection to be fully complete. From there, they could install any purchased Add-On plugins.


Description: Administrator Open Redirect
Affected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Affected Versions: <= 3.4.33
CVE ID: Pending.
CVSS Score: 4.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version: 3.4.34

As part of the OAuth connection process, the plugin registers an AJAX action, wp_ajax_nf_oauth_connect, tied to the function connect(), which is used to redirect a site owner back to the WordPress site’s Ninja Forms service page after the user has finished the OAuth connection process.

 public function connect() {
   // Does the current user have admin privileges
   if (!current_user_can('manage_options')) {
     return;
   }

   // wp_verify_nonce( $_REQUEST['nonce'], 'nf-oauth-connect' );

   if( ! isset( $_GET[ 'client_id' ] ) ) return;

   $client_id = sanitize_text_field( $_GET[ 'client_id' ] );
   update_option( 'ninja_forms_oauth_client_id', $client_id );

   if( isset( $_GET[ 'redirect' ] ) ){
     $redirect = sanitize_text_field( $_GET[ 'redirect' ] );
     $redirect = add_query_arg( 'client_id', $client_id, $redirect );
     wp_redirect( $redirect );
     exit;
   }

   wp_safe_redirect( admin_url( 'admin.php?page=ninja-forms#services' ) );
   exit;
 }

This function uses wp_safe_redirect to redirect site owners back to the admin.php?page=ninja-forms#services page by default. However, if the ‘redirect’ parameter is supplied, it redirects the site administrator to the arbitrary URL supplied in that parameter, using wp_redirect rather than wp_safe_redirect.

Fortunately, there was a capability check on this function so that only administrators could use it. However, there was no validation of the redirect URL, and nothing prevented an attacker from using the function to redirect a site administrator to a malicious location. There was a call to wp_verify_nonce(); however, it was commented out and so provided no protection. This made it possible for attackers to craft a URL with the redirect parameter set to an arbitrary site. If the attacker could trick an administrator into clicking the link, the administrator would be redirected to an external malicious site, which could infect the administrator’s computer amongst other malicious actions.

Open redirect vulnerabilities exploit the inherent trust of the vulnerable domain to assist in getting someone to click on the open redirect link. For example, an attacker could craft a link with the redirect parameter containing a shortened URL and then ask a site owner to check out the link saying that the page was responding weirdly on their site. This would likely cause the site owner to click on the link and check out what the “inquiry” is referring to, and ultimately result in them being redirected to an external and malicious site.
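Both defects in connect() have direct fixes in WordPress core: the nonce check that was commented out, and an allowlist for the redirect target via wp_validate_redirect() and the allowed_redirect_hosts filter. The following is an added example, not Ninja Forms or Wordfence code, showing the callback with both applied. The class name and the allowed host are assumptions; the ‘nf-oauth-connect’ nonce action, the option name and the default admin page follow the code above.

```php
<?php
/*
 * Added example, not Ninja Forms or Wordfence code: a hardened connect()
 * callback. The class name and ALLOWED_HOSTS value are assumptions.
 */

class Example_OAuth_Connect {

    // Hosts an administrator may be sent to after completing the OAuth flow.
    // Assumed placeholder; use the real management-portal host in practice.
    const ALLOWED_HOSTS = array( 'addons.example.test' );

    public function setup() {
        add_action( 'wp_ajax_nf_oauth_connect', array( $this, 'connect' ) );
        // Extend WordPress's own safe-redirect allowlist so that wp_safe_redirect()
        // and wp_validate_redirect() accept the portal host as well as this site.
        add_filter( 'allowed_redirect_hosts', array( $this, 'allowed_hosts' ) );
    }

    public function allowed_hosts( array $hosts ) {
        return array_merge( $hosts, self::ALLOWED_HOSTS );
    }

    public function connect() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.', 403 );
        }

        // The original left this commented out; without it any crafted link
        // carrying a client_id overwrote the stored id and chose the redirect.
        // Links to this action must be built with wp_nonce_url( $url, 'nf-oauth-connect', 'nonce' ).
        check_admin_referer( 'nf-oauth-connect', 'nonce' );

        if ( ! isset( $_GET['client_id'] ) ) {
            wp_die( 'Missing client_id.', 400 );
        }
        $client_id = sanitize_text_field( wp_unslash( $_GET['client_id'] ) );
        update_option( 'ninja_forms_oauth_client_id', $client_id );

        $fallback = admin_url( 'admin.php?page=ninja-forms#services' );
        $target   = $fallback;

        if ( isset( $_GET['redirect'] ) ) {
            // wp_validate_redirect() returns $fallback unless the URL's host is
            // this site or one of the allowed_redirect_hosts, so an attacker-
            // supplied external host silently degrades to the services page.
            $requested = esc_url_raw( wp_unslash( $_GET['redirect'] ) );
            $target    = wp_validate_redirect( $requested, $fallback );
            $target    = add_query_arg( 'client_id', rawurlencode( $client_id ), $target );
        }

        // wp_safe_redirect() applies the same allowlist a second time.
        wp_safe_redirect( $target );
        exit;
    }
}

( new Example_OAuth_Connect() )->setup();
```

The allowlist is the important part: sanitize_text_field() on the original redirect parameter only strips tags and control characters, it says nothing about where the URL points, which is why the page's code could still send an administrator off-site.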


Description: Cross-Site Request Forgery to OAuth Service Disconnection
Affected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Affected Versions: <= 3.4.33
CVE ID: Pending.
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Fully Patched Version: 3.4.34

An additional feature of the Ninja Forms Add-Ons Manager was the ability to easily disconnect an established OAuth connection with just a few clicks. In order to provide this functionality, the plugin registered an AJAX action wp_ajax_nf_oauth_disconnect tied to the function disconnect(). The disconnect() function would simply disconnect an established connection by deleting the options associated with the connection settings in the database.

add_action( 'wp_ajax_nf_oauth_disconnect', [ $this, 'disconnect' ] );

Unfortunately, this feature did not have nonce protection. This made it possible for attackers to craft a legitimate-looking request, host it externally, and, if they succeeded in tricking an administrator into clicking a link or attachment, send a request to disconnect the current OAuth connection. Though exploiting this vulnerability would cause no critical harm, it could be a puzzling experience for a site owner.

 public function disconnect() {

  // Does the current user have admin privileges
  if (!current_user_can('manage_options')) {
    return;
  }

  do_action( 'ninja_forms_oauth_disconnect' );

  $url = trailingslashit( $this->base_url ) . 'disconnect';
  $args = [
    'blocking' => false,
    'method' => 'DELETE',
    'body' => [
      'client_id' => get_option( 'ninja_forms_oauth_client_id' ),
      'client_secret' => get_option( 'ninja_forms_oauth_client_secret' )
    ]
  ];
  $response = wp_remote_request( $url, $args );

  delete_option( 'ninja_forms_oauth_client_id' );
  delete_option( 'ninja_forms_oauth_client_secret' );
  wp_die( 1 );
}
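A nonce only protects a handler if it is minted on the legitimate page, carried by the legitimate request, and verified before the side effect. The following is an added example, not Ninja Forms or Wordfence code, showing that full round-trip for disconnect(): the admin page receives a nonce through wp_add_inline_script(), the page’s JavaScript posts it to admin-ajax.php, and check_ajax_referer() rejects anything without it. The class name, script handle, button id, admin hook suffix and portal base URL are assumptions; the hook and option names follow the code above.

```php
<?php
/*
 * Added example, not Ninja Forms or Wordfence code: the nonce round-trip the
 * disconnect() handler was missing. Class name, script handle, button id,
 * hook suffix and base URL are assumed placeholders.
 */

class Example_OAuth_Disconnect {

    // Assumed placeholder for the Add-on Manager portal.
    private $base_url = 'https://addons.example.test/';

    public function setup() {
        add_action( 'admin_enqueue_scripts', array( $this, 'enqueue' ) );
        add_action( 'wp_ajax_nf_oauth_disconnect', array( $this, 'disconnect' ) );
    }

    // Mint a per-user, time-limited nonce and hand it to the page's JavaScript.
    public function enqueue( $hook_suffix ) {
        if ( 'toplevel_page_ninja-forms' !== $hook_suffix ) { // assumed hook suffix
            return;
        }
        // A src-less handle lets us attach inline JavaScript without a file.
        wp_register_script( 'example-nf-services', false, array(), '1.0', true );
        wp_enqueue_script( 'example-nf-services' );

        $config = wp_json_encode( array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'nf-oauth-disconnect' ),
        ) );
        $js = 'var exampleNfServices = ' . $config . ';'
            . 'document.getElementById("example-nf-disconnect").addEventListener("click", function () {'
            . '  var body = new URLSearchParams({ action: "nf_oauth_disconnect", nonce: exampleNfServices.nonce });'
            . '  fetch(exampleNfServices.ajaxUrl, { method: "POST", credentials: "same-origin", body: body });'
            . '});';
        wp_add_inline_script( 'example-nf-services', $js );
    }

    public function disconnect() {
        // A request forged from another origin cannot carry a valid nonce, so
        // this call stops the CSRF described above before any side effect.
        check_ajax_referer( 'nf-oauth-disconnect', 'nonce' );

        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
        }

        do_action( 'ninja_forms_oauth_disconnect' );

        // Notify the portal, as the original handler did.
        wp_remote_request( trailingslashit( $this->base_url ) . 'disconnect', array(
            'method'   => 'DELETE',
            'blocking' => false,
            'body'     => array(
                'client_id'     => get_option( 'ninja_forms_oauth_client_id' ),
                'client_secret' => get_option( 'ninja_forms_oauth_client_secret' ),
            ),
        ) );

        delete_option( 'ninja_forms_oauth_client_id' );
        delete_option( 'ninja_forms_oauth_client_secret' );
        wp_send_json_success();
    }
}

( new Example_OAuth_Disconnect() )->setup();
```

The capability check that the original disconnect() already had is kept, but on its own it is not enough: a logged-in administrator who visits an attacker's page satisfies current_user_can(), and only the nonce distinguishes a click on the dashboard from a request the browser was tricked into sending.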

Disclosure Timeline

January 20, 2021 – Conclusion of the plugin analysis that led to the discovery of the four vulnerabilities. We develop firewall rules to protect Wordfence customers and release them to Wordfence Premium users. We make our initial contact and send full disclosure via the Security Disclosure contact listed on the Ninja Forms website.
January 21, 2021 – We receive a response confirming that Saturday Drive received our information and will begin working on a fix.
January 25, 2021 – The first patched version of the plugin is released as version 3.4.34
January 26, 2021 – We check to see if the release addresses all reported issues. We discover one endpoint is still vulnerable and follow-up with our contact at Saturday Drive. We receive confirmation the same day that they will send the details to the developers to work on a fix.
February 4, 2021 – We follow up to check on the status of a fix, and we are informed that it should be released in the next couple of days.
February 8, 2021 – A final patched version of the plugin is released as version 3.4.34.1. We verify again that the vulnerabilities have been patched.
February 19, 2021 – Free Wordfence users receive firewall rules.

Conclusion

In today’s post, we detailed four flaws in the Ninja Forms plugin that granted attackers the ability to obtain sensitive information while also allowing them the ability to redirect administrative users. These flaws have been fully patched in version 3.4.34.1. We recommend that users immediately update to the latest version available, which is version 3.5.0 at the time of this publication.

Wordfence Premium users received firewall rules protecting against this vulnerability on January 20, 2021, while those still using the free version of Wordfence will receive the same protection on February 19, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are considered critical severity issues that can result in remote code execution.

Special thanks to the creators of Ninja Forms, Saturday Drive, for working quickly to get patches out and for providing a contact for responsible disclosure directly on their website.

The post One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms appeared first on Wordfence.

UCEPROTECT: When RBLs Go Bad

Realtime Blackhole Lists (RBLs) can be a great tool in your security arsenal. You may not know you’re using them, but all email providers and company email servers leverage these services to verify whether servers and IP addresses are sending spam or other abusive content against a known list of offenders.

These services use a number of methods to compile lists of IP addresses reputed to send spam, mostly populating them using honeypots drawing them in with “poison” email addresses to act as victims.

Continue reading UCEPROTECT: When RBLs Go Bad at Sucuri Blog.
