WordPress Attack

Hackers are attempting to take over tens of thousands of WordPress sites by exploiting critical vulnerabilities in multiple plugins, including a zero-day, that let them create rogue administrator accounts and plant backdoors.

The attacks began yesterday by targeting a zero-day unauthenticated stored XSS bug in the Flexible Checkout Fields for WooCommerce plugin (20,000 active installations), found by researchers at NinTechNet.

Although the plugin's developer, WP Desk, released version 2.3.2 to fix the actively exploited flaw within an hour of receiving NinTechNet's disclosure report, some sites were compromised before the update was available and installed.

Three further critical bugs have been found in other plugins:

  • a subscriber+ stored XSS in Async JavaScript (100,000+ installs)
  • an unauthenticated stored XSS in 10Web Map Builder for Google Maps (20,000+ installs)
  • multiple subscriber+ stored XSS in Modern Events Calendar Lite (40,000+ installs)

Indicators of compromise

  • new administrator accounts that you did not create
  • new entries on the plugins list that you did not install
  • suspicious files in the /wp-content/uploads/ directory, especially ones with .php or .zip extensions (e.g. Woo-Add-To-Carts.zip)
  • checkout fields that are rearranged, that malfunction, or that appear without ever having been added
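The indicators above can be checked mechanically. The following script is an added example, not code from the article or from NinTechNet: it scans an uploads tree for executable or archive files and diffs the current administrator and plugin inventories against a known-good baseline. The uploads tree, the file names (apart from Woo-Add-To-Carts.zip, which the article names), the account login "wp_support" and the plugin slugs are all constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# File types that should never appear under wp-content/uploads: PHP sources
# (executable by the web server) and archives used to stage rogue plugins.
SUSPECT_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".zip"}


def scan_uploads(uploads_dir):
    """Return relative paths under uploads_dir whose extension is suspect."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if Path(name).suffix.lower() in SUSPECT_SUFFIXES:
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)


def new_entries(current, baseline):
    """Items present now that were absent from a known-good baseline
    (used for both administrator logins and installed plugin slugs)."""
    return sorted(set(current) - set(baseline))


def demo():
    """Run the checks against a constructed uploads tree and inventory lists."""
    uploads = tempfile.mkdtemp(prefix="wp-uploads-")
    month = Path(uploads, "2020", "02")
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")          # benign upload
    (month / "Woo-Add-To-Carts.zip").write_bytes(b"PK\x03\x04")     # planted (name from the article)
    (month / "wp-cache.php").write_text("<?php /* planted */ ?>")  # planted (constructed name)

    # On a real site these lists come from WP-CLI
    # (`wp user list --role=administrator --field=user_login`, `wp plugin list --field=name`)
    # or from wp_users/wp_usermeta and the active_plugins option. Values here are constructed.
    baseline_admins = ["owner"]
    current_admins = ["owner", "wp_support"]
    baseline_plugins = ["woocommerce", "flexible-checkout-fields"]
    current_plugins = ["woocommerce", "flexible-checkout-fields", "wp-cache-helper"]

    return {
        "files": [os.path.basename(p) for p in scan_uploads(uploads)],
        "admins": new_entries(current_admins, baseline_admins),
        "plugins": new_entries(current_plugins, baseline_plugins),
    }


if __name__ == "__main__":
    for kind, hits in demo().items():
        print(f"{kind}: {hits or 'clean'}")
```

The baseline has to be captured from a known-clean state (for example right after a fresh install or a verified backup); a baseline taken after the compromise simply whitelists the attacker's account and plugin.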

Wi-Fi vulnerability affects WPA2

Wi-Fi cracks

A vulnerability in Wi-Fi chips used in a huge number of devices that speak the widely used Wi-Fi Protected Access 2 (WPA2) protocol lets attackers decrypt some traffic on these networks, even if they do not know the password. Patches are already rolling out for current routers and client devices, leaving only older, unsupported hardware affected indefinitely.

The vulnerability was discovered by the security research firm ESET, which also collaborates with Google to protect the Play Store. ESET named the flaw Kr00k and describes it as a weakness “that allows unauthorized decryption of some WPA2-encrypted traffic.” The root cause lies in Broadcom and Cypress Wi-Fi chips: when a client is disassociated from the network, the chip clears its session key to all zeros but still transmits whatever frames remain in its buffer, now encrypted with that all-zero key, so anyone in radio range can decrypt them. An attacker can trigger disassociations repeatedly, but each one only exposes the few frames buffered at that moment. Luckily, only the Wi-Fi layer is affected, so transmissions that are additionally encrypted with TLS cannot be read. That means your online banking credentials and passwords on websites that connect via HTTPS should remain protected.

Client devices that ESET confirmed as vulnerable include:

Amazon Echo 2nd gen
Amazon Kindle 8th gen
Apple iPad mini 2
Apple iPhone 6, 6S, 8, XR
Apple MacBook Air Retina 13-inch 2018
Google Nexus 5
Google Nexus 6
Google Nexus 6P
Raspberry Pi 3
Samsung Galaxy S4 GT-I9505
Samsung Galaxy S8
Xiaomi Redmi 3S

Many routers are also affected, including the Asus RT-N12, the Huawei B612S-25d, the Huawei EchoLife HG8245H and the Huawei E5577Cs-321. If your access point is vulnerable, the traffic it transmits can be decrypted regardless of the fixes applied on the client devices, because the flaw is triggered on the access point's own chip.

Apple has already rolled out patches to its devices, and most current Android phones and routers should also be protected, as the chip manufacturers have been providing updates since Q4 2019. Older hardware could be left out in the cold, though, especially Android handsets such as the Nexus series, which no longer receive updates. Even custom ROM developers probably cannot patch the vulnerability themselves, as they rely on firmware binaries from the original manufacturers, and those binaries would need to contain the fix. Nexus handsets still in use will therefore probably have to live with Kr00k indefinitely.


Rootkit found on AWS cloud servers

Researchers at Sophos discovered the attack while inspecting infected Linux and Windows EC2 servers running in Amazon Web Services (AWS). The attack, which Sophos says is likely the work of a nation-state, used a rootkit that not only gave the attackers remote control of the servers but also served as a conduit for the malware to communicate with its command-and-control (C2) servers. According to Sophos, the rootkit could also let the C2 servers remotely control servers located physically on the organization's own premises.

“The firewall policy was not negligent, but it could have been better,” said Chet Wisniewski, principal research scientist at Sophos. The attackers masked their activity by hiding it in HTTP and HTTPS traffic. “The malware was sophisticated enough that it would be hard to detect even with a tight security policy” in the AWS firewall, he said. “It was a wolf in sheep’s clothing … blending in with existing traffic.”

Sophos declined to name the victim organization, but said the attack appears to be a campaign to reach its ultimate targets via the supply chain, with this organization as just one of the victims. Who is behind the attack is unclear, but the RAT is based on the source code of Gh0st RAT, a tool associated with Chinese nation-state attackers, and Sophos also found debug messages written in Chinese.

The attackers appear to have reused the same RAT on both the Linux and the Windows servers. “We only observed the Linux RAT talking to one server and the Windows talking to a different control server, so we’re not sure if it’s even the same infrastructure,” Wisniewski said. The C2 has since been taken down, he noted.

Exactly how the attackers first broke into the victim's network is unclear, but Sophos suggests one possibility is that they compromised a server via SSH. The researchers also have little intelligence on the rootkit, such as which port it abused, and do not know for certain what the attackers were after. “It’s likely a supply chain attack, targeting this organization to get all of their downstream” clients or customers.

One of the rarer aspects of the attack is that it targeted Linux with a rootkit, which the attackers called Snoopy. “They dropped the driver part of the rootkit, and called it Snoopy. Had it been called a legitimate file name on the Linux box, we probably wouldn’t have noticed it,”
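A driver dropped under an odd name was what gave this rootkit away, which suggests a cheap host-side check: list the kernel modules the running kernel reports as loaded and compare them with the modules the kernel package actually shipped. The script below is an added example, not Sophos's tooling or code from the article. Its two inputs are constructed sample text in the formats of /proc/modules and /lib/modules/<release>/modules.dep; only the module name "snoopy" is taken from the article, and the other module names and addresses are illustrative.

```python
# Constructed sample in /proc/modules format:
#   name size refcount users state address [(taint flags)]
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a5e000
nf_conntrack 172032 1 xt_conntrack, Live 0xffffffffc0a2f000
ena 118784 0 - Live 0xffffffffc09d0000
snoopy 20480 0 - Live 0xffffffffc0b10000 (OE)
"""

# Constructed sample in modules.dep format: "path/to/mod.ko: dependency paths"
SAMPLE_MODULES_DEP = """\
kernel/net/netfilter/xt_conntrack.ko: kernel/net/netfilter/nf_conntrack.ko
kernel/net/netfilter/nf_conntrack.ko:
kernel/drivers/net/ethernet/amazon/ena/ena.ko:
"""


def _canon(name):
    """The kernel reports module names with '_' even when the file name uses '-'."""
    return name.replace("-", "_")


def parse_proc_modules(text):
    """Return [(name, taint_flags)] for each line of /proc/modules text."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        # Taint flags, when present, are the last field in parentheses, e.g. "(OE)".
        taint = parts[-1].strip("()") if parts[-1].startswith("(") else ""
        mods.append((parts[0], taint))
    return mods


def parse_modules_dep(text):
    """Return the set of module names listed in a modules.dep file."""
    shipped = set()
    for line in text.splitlines():
        path = line.split(":", 1)[0].strip()
        if not path:
            continue
        filename = path.rsplit("/", 1)[-1]
        # Drop ".ko" and any compression suffix (.ko.xz, .ko.gz, .ko.zst).
        shipped.add(_canon(filename.split(".ko", 1)[0]))
    return shipped


def unknown_modules(proc_text, dep_text):
    """Loaded modules with no matching file in the kernel's own modules.dep."""
    shipped = parse_modules_dep(dep_text)
    return [name for name, _ in parse_proc_modules(proc_text) if _canon(name) not in shipped]


def tainted_modules(proc_text):
    """Loaded modules the kernel marked out-of-tree (O) or unsigned (E)."""
    return [(name, taint) for name, taint in parse_proc_modules(proc_text)
            if "O" in taint or "E" in taint]


if __name__ == "__main__":
    # On a live host read the real files instead of the samples, e.g.
    #   proc_text = open("/proc/modules").read()
    #   dep_text = open(f"/lib/modules/{os.uname().release}/modules.dep").read()
    print("not shipped with this kernel:", unknown_modules(SAMPLE_PROC_MODULES, SAMPLE_MODULES_DEP))
    print("out-of-tree or unsigned:", tainted_modules(SAMPLE_PROC_MODULES))
```

This catches the sloppy deployment the article describes, not a careful one: a kernel rootkit can unlink itself from the kernel's module list, in which case it never appears in /proc/modules. For stronger assurance, run the comparison from a trusted environment (a rescue boot or a memory image) rather than from the suspect kernel, and treat any module the kernel flags as out-of-tree or unsigned as worth explaining.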

It is only a matter of time before cloud servers become active prey.

McAfee UCE for SASE adoption

McAfee yesterday announced new additions to its cloud-native MVISION platform with the availability of Unified Cloud Edge (UCE), which provides unified data and threat protection from the device to the cloud.

McAfee says the platform provides a converged security solution to simplify the adoption of a Secure Access Service Edge (SASE) architecture, with the ultimate aim of reducing the cost and complexity of modern cybersecurity.

The platform is meant to enable secure access to the cloud from any device across the workforce.

By enforcing consistent policies across device, web and cloud, UCE protects data as it leaves the device, as it travels to and from the cloud, and within cloud services, creating what McAfee calls a secure cloud edge for the enterprise.

“The dispersion of data to the cloud, coupled with the myriad of devices available today has changed how we protect critical assets,” says McAfee executive vice president and chief product officer Ash Kulkarni. 

“To recognise the full potential of the cloud, IT needs to secure data in cloud services they do not own and on networks they do not operate. 

UCE enables organisations to mount a powerful data-centric defence where modern work is done – from any device to any cloud service,” says Kulkarni. 

Key features:

Comprehensive visibility and consistent control over data from device to cloud
Consistent threat protection with unified management and investigation
Cloud SLA powered by a cloud native, direct-to-cloud architecture with enterprise scale and resilience 

McAfee UCE will be available from March 2020.