Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites

None of the sites we currently manage use PageLayer, but I’m posting this in the event that someone out there needs to read it. From WordFence:

These are considered high-level security issues that could potentially lead to attackers wiping your site’s content or taking over your site. We highly recommend an immediate update to the latest version available at the time of this publication, which is version 1.1.4.

Full details at WordFence.

Breaches R Them

Tons of breaches recently. Apparently, some people on lockdown have been getting busy, as predicted:

A massive database of 8 billion Thai internet records leaks

25 million user records leak online from popular math app Mathway

Wishbone Breach: 40 Million Records Leaked

Home Chef announces data breach after hacker sells 8M user records

British airline easyJet breached, data of 9 million customers compromised

Information of Over 115 Million Pakistani Mobile Subscribers Exposed in a Massive Data Leak

Ransomware attack impacts Texas Department of Transportation

Texas Courts hit by ransomware, network disabled to limit spread

… just a few of the major data breaches and ransomware attacks which were reported in the last week!

And this shouldn’t really surprise you:  86% of data breaches are conducted for financial gain https://www.techrepublic.com/article/86-of-data-breaches-are-conducted-for-financial-gain/

 

One Attacker Outpaces All Others

Starting April 28th, the WordFence team saw a 30 times increase in cross site scripting attack volume, originating from a single attacker, and targeting over a million WordPress sites. WordFence published research detailing the threat actor and attack volume increase on May 5th. By the time they published, the attack volume had dropped back down to baseline levels.

As of May 11, 2020, attacks by this same threat actor have once again ramped up, and are ongoing. This attacker has now attacked over 1.3 million sites in the past month. As of May 12, 2020, attacks by this threat actor have outpaced all other attacks targeting vulnerabilities across the WordPress ecosystem.

What should I do?

As with the previous attacks, the majority of vulnerabilities being targeted are Cross-Site Scripting (XSS) flaws. The Wordfence Firewall’s built-in XSS protection provides protection from these attacks. But you should still insure that all plugins, themes, and WordPress core are up to date.

Full story at https://www.wordfence.com/blog/2020/05/one-attacker-rules-them-all

28,000 GoDaddy Hosting Accounts Compromised

Public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website hosting providers, disclosed that the SSH credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an unauthorized attacker.

SSH, while extremely secure if configured correctly, can allow logins with either a username/password combination, or a username and a public/private key pair. In the case of this breach, it appears likely that an attacker placed their public key on the affected accounts so that they could maintain access even if the account password was changed.

It is unclear which of GoDaddy’s hosting packages were affected by this breach. According to GoDaddy’s public statement:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

The breach itself appears to have occurred on October 19, 2019.

See https://www.wordfence.com/blog/2020/05/28000-godaddy-hosting-accounts-compromised/ for suggested actions

Note that breaches like this can create a prime target for attackers who use phishing campaigns as a means to infect users. If you are a GoDaddy user, be extra wary of any emails you may receive.

Nearly a Million WP Sites Targeted in Large-Scale Attacks

The WordFence Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting(XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data.

The majority of these attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject – a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header.

After further investigation, we found that this threat actor was also attacking other vulnerabilities, primarily older vulnerabilities allowing them to change a site’s home URL to the same domain used in the XSS payload in order to redirect visitors to malvertising sites.

Full details at https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/