Multiple Vulnerabilities Patched in WordPress Download Manager

The Wordfence team found two separate vulnerabilities: a sensitive information disclosure and a file upload vulnerability that could have resulted in Remote Code Execution in some configurations.

A patched version of the WP Download Manager plugin was released within days of disclosure.

Original article: https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/

Estonian Citizen Pleads Guilty to Computer Fraud and Abuse

At least 60 devices and internet routers were compromised in Alaska

ANCHORAGE – An Estonian national pleaded guilty today in the District of Alaska to two counts of computer fraud and abuse.   

According to court documents, Pavel Tsurkan, 33, operated a criminal proxy botnet by remotely accessing and compromising more than 1,000 computer devices and internet routers worldwide, including at least 60 victims in Alaska. He used the victims’ devices to build and operate an Internet of Things (IoT)-based botnet dubbed the “Russian2015” using the domain Russian2015.ru. He modified the operation of each compromised internet router so it could be used as a proxy to transmit third-party internet traffic without the owners’ knowledge or consent. He then sold access to global cybercriminals who channeled their traffic through the victims’ home routers, using the victims’ devices to engage in spam campaigns and other criminal activity. The Alaska victims experienced significant data overages even when there were no home computers connected to the victims’ home networks. The data overages resulted in hundreds to thousands of dollars per victim.   

“Today’s cybercriminals rely on increasingly sophisticated techniques to hijack computers and personal electronic devices for their criminal activities. Botnets like the ‘Russian2015’ are a dangerous threat to all Americans and today’s guilty plea demonstrates we can and will hold accountable foreign cybercriminals and their enablers,” said Acting U.S. Attorney Bryan Wilson, District of Alaska. “Our success in disrupting this botnet was the result of a strong partnership between private industry experts and law enforcement.”

Tsurkan is scheduled to be sentenced on November 10, 2021 and faces a maximum penalty of 10 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The FBI’s Anchorage Field Office is investigating the case with support from GCI and Palo Alto Networks Unit 42. The FBI’s New Haven, Connecticut, Field Office provided assistance during the investigation.

Assistant U.S. Attorney Adam Alexander and Trial Attorney Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case.

Press release from: https://www.justice.gov/usao-ak/pr/estonian-citizen-pleads-guilty-computer-fraud-and-abuse

Don’t Wanna Pay Ransom Gangs? Test Your Backups.

Important article from the ever-insightful Brian Krebs. Though it is geared more toward organizations than individuals, the important point is that it’s critical to know how to restore a damaged system – and how long it will typically take!

FYI, we can usually restore a website to the most recent backup within 10 min (depending on the size of the site, of course). And yes, we have tested! Not everyone’s site, of course, but we’ve done enough site restorations that we’re pretty confident about yours too.

Read the full article here: https://krebsonsecurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-backups/

WordPress Update to 5.8

WordPress 5.8 was released on July 20, and nearly all our clients’ sites were updated the same day.

This release includes additional improvements to the Block editing system, drops support for Internet Explorer 11, and adds support for the reasonably new WebP image format. WebP images are around 30% smaller on average than their JPEG or PNG equivalents, resulting in sites that are faster and use less bandwidth.

Full details on the release: https://wordpress.org/news/2021/07/tatum/

Critical SQL Injection Vulnerability Patched in WooCommerce

If you run a WooCommerce store on your site, you may not see this update in this month’s report. That’s because this one was critical enough that WordPress made the rare decision to “push” the update as soon as it was available. Trust us, all our WooCommerce sites are safe and up to date!

WooCommerce is the leading e-Commerce platform for WordPress and is installed on over 5 million websites. Additionally, the WooCommerce Blocks feature plugin, installed on over 200,000 sites, was affected by the vulnerability and was patched at the same time.

Stories at https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/ and https://www.wordfence.com/blog/2021/07/critical-sql-injection-vulnerability-patched-in-woocommerce/

Security Vulnerability Discovered in FileBird Plugin; Update Available

On June 9, 2021, a 10up Engineer conducted a routine code review of the FileBird plugin on behalf of a client. The code review followed 10up’s Engineering Best Practices and focused on areas that did not pass our initial automated scans. It uncovered that the code was vulnerable to a Blind SQL Injection attack — a clever type of exploit that involves sending “yes or no” questions to MySQL to extract information from the database when it cannot be output directly to the browser.

That same day, our team responsibly disclosed the vulnerability. We reached out to the team at WPScan, who we’ve previously collaborated with on our WP-CLI Vulnerability Scanner and WordPress Composer Scanner, to report the vulnerability and collaborate on disclosure.

The FileBird plugin authors responded quickly and responsibly, and issued a patch within 36 hours.

This is a critical vulnerability that only impacts version 4.7.3 of the FileBird plugin. It does not impact any previous versions and has been patched in version 4.7.4. All users of FileBird version 4.7.3 are advised to upgrade immediately.

Source and more details: https://10up.com/blog/2021/security-vulnerability-filebird-wordpress-plugin/