Another busy month!
A major vulnerability in a WordPress plugin opens the door to “drive-by” hacking, a(nother) big Windows 10 vulnerability (and fallout from the last Windows 10 update), plus a young child does something that Google and Apple have often failed to do!
While there hasn’t been a lot of WordPress security news this month, a big vulnerability in the File Manager plugin.
File Manager Vulnerability
File Manager is a WordPress plugin with about 700,000 active installations. It allows users to access the backend of their WordPress site without using FTP or CPanel.
The File Manager vulnerability allows an unauthenticated user to upload malicious files and execute commands on a site. Since the vulnerability is open to any unauthenticated user there have been reports of hackers probing sites by trying to inject a variety of file types. If the uploads are successful, it’s likely that the attackers will return to inject a functional malicious file later.
These “drive-by probing attacks” (ouch!) have been massive, with over 2.5 million sites probed by attackers. Since unauthenticated users can execute this attack, and the ramifications if your site is vulnerable are massive, it’s no surprise that attackers have seized on this vulnerability aggressively.
If you have the File Manager plugin installed and you haven’t updated to the latest version, do it now (but you’re likely already infected). Version 6.9 has the vulnerability removed.
(Weekly WordPress plugin updates are part of my WordPress Maintenance Plan)
What Do Hackers Want?
This is an interesting vidoe about why hackers break into to sites. While it doesn’t cover every reason, it does give a good overview of what most of them are trying to accomplish.
The “hacker motive” section begins at 19:16.
- Install backdoors to maintain access to compromised sites.
- Spam content injection: Adding visible (or hidden) links to other sites to boost the rank of those sites.
- Spam page creation: Similar to #3, except creating new pages to bump up the SEO results of another site.
- PHP mailer script creation to send spam email using a different mail (non-blacklisted) mail server.
- Phishing campaigns: For the same reason as #5 – using a different domain to make the phishing appear more legitimate.
- Malicious redirects: When a user tries to visit “yourpage.com/cool-thing” the hacker can make that link send the user to “badsite.evil/virus”.
- Set up a botnet: Usually used to execute a DDoS attack against another site.
- Cryptomining: By infecting a site with cryptomining malware, users to a site can have their computer’s resources co-opted to mine for bitcoin.
WordPress Update Breaks Things
One constant refrain on this site is how important it is to keep hardware and software up-to-date. While the new features are nice, the real reason is that the ever-growing complexity of technology today means an increase in the potential for exploits. Keeping your software (and hardware) at least somewhat current is the only defense against ever-sophisticated threats.
However, updates don’t always go as planned, and WordPress’s most recent update to version 5.5 broke a few things. However, it appears that a quick follow-up update (version 5.5.1) restored the broken functionality.
While updating is important, always make sure you have a good backup first!
(Monthly backups are part of my WordPress Maintenance Plan).
Adobe’s Magento is a popular e-commerce platform, and large automated attack has compromised almost 2,000 Magento stores since mid-September.
The attack mainly focused on stores running Magento 1. This version of Magento reached the end of its support life in June 2020, and will not be receiving any more updates.
Users are advised to update to Magento version 2 to mitigate these attacks.
Phishing Attack Disguised As Training
One of the realities of modern business is that the need to train employees to recognize phishing emails is more important now than ever. Many (if not the majority) of the data breaches of major businesses begin as phishing emails, and then escalate once an attacker has a small foothold inside a network.
As a result of this, many companies have started offering training phishing emails as a way to educate employees on how to spot fishing emails. (One of my many side jobs was working for one of those called Antespam).
In a weird example of the ever-escalating war between spam emailers and spam blockers, a new phishing campaign pretends to be a reminder from the phishing training company KnowBe4. The spam emails remind users to complete their “Security Awareness Training” within 24 hours. Clicking on the link in the email takes the user to a malicious domain, where they are asked to enter their Outlook email and password, along with other personal information (full name, birthday, address, etc.).
Remember – don’t click on links in emails! If you get an email with a link to click on, it’s much safer and more secure to type that domain into your browser!
Privacy-Focused Search Engine
DuckDuckGo – a privacy-focused search engine – had a record-breaking month, with over 2 billion total searches. Even with this massive number of searches, DuckDuckGo still accounts for less than 2% of the total US search volume.
I’ve been using DuckDuckGo instead of Google for the past few months, and while it’s not quite as good as Google for some search results, I much prefer to give DDG my “regular” search traffic and only switch to Google if necessary.
If you haven’t tried it yet, give it a shot.
Fake Apps Report…by a child
A young child did something that appears to be difficult for Google and Apple. They got fraudulent apps out of the app store.
According to this press release by Avast, the young girl saw the apps being promoted on a TikTok profile. She reported them to Avast’s “Be Safe Online” project, and eventually got the shill accounts (on TikTok and Instagram) shut down and the apps removed from their respective stores.
The apps weren’t expressly malicious, but they did cost users money (between $2-$10), displayed ads (even when the apps weren’t running), and were just generally disruptive. Many of them also provided little to no advertised functionality.
Maybe this kid will teach the app review teams a thing or two.
It wouldn’t be a month of Windows 10 updates without a short word about new security issues and what’s broken from last month’s “fixes”.
Windows 10 -New Vulnerabilities
While custom themes are a neat addition to Windows 10, it looks like not even those are safe from potential security issues.
A hacker that makes a specially-crafted custom theme (that uses a remote SMB share requiring authentication) can steal a Windows user’s login name and an NTLM hash of their password. If the user’s password is not strong, it can be easily cracked (taking ~4 seconds).
A potentially bigger threat is a recently-discovered vulnerability that allows an unprivileged user (or a connected device) to become an administrator. Potentially giving them unrestricted access to an entire network.
While this security flaw does require prior access to a network, it’s not hard to see how it can be used in conjunction with another vulnerability (like the custom theme vulnerability or a phishing email) to quickly compromise an entire Active Directory.
This vulnerability is so severe that the Department of Homeland Security issued an instruction to all federal agencies to patch all vulnerable systems before September 23. Although it seems easy, updating thousands of computers (many running custom software) can be time-consuming. It also introduces the chance for lots of things to break.
Hopefully all these updates were done on time!
Windows 10 – What Broke
This month, it looks like the security update (Windows 10 KB4571756 (what a catchy name)) broke the Windows Subsystem for Linux 2 compatibility layer.
As of the writing of this (September 22) it looks like the only fix is to uninstall this security update.
Improve Windows 10 Privacy
I’ve posted about some quick and easy ways to improve the privacy on Windows 10 here. Not surprisingly, many of these just involve turning “features” off.
If you want some more robust tools to control telemetry and data that is sent to Microsoft, this BleepingComputer postmentions two new (to me) tools: