The majority of our client sites have already been upgraded to WP 6.0. We’ll be upgrading the rest in the near future – once we have taken recent backups of the site at the current 5.9.3 version. To our knowledge only one site has had any problems, but do let us know if the upgrade has broken anything on your site!
The Wordfence Threat Intelligence team discovered a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator.
Fully patched versions of all vulnerable components were made available on May 10, 2022.
Researchers found a way to exploit the tech that enables Apple’s Find My feature, which could allow attackers to track location when a device is powered down.
When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.
It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.
The research is the first—or at least among the first—to study the risk posed by chips running in low-power mode. Not to be confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) in this research allows chips responsible for near-field communication, ultra wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off.
“The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”
The Wordfence Threat Intelligence team has been tracking a large-scale attack against a Remote Code Execution vulnerability in Tatsu Builder, which is tracked by CVE-2021-25094 and was publicly disclosed on March 24, 2022 by an independent security researcher. The issue is present in vulnerable versions of both the free and premium Tatsu Builder plugin. Tatsu Builder is a proprietary plugin that is not listed on the WordPress.org repository, so reliable installation counts are not available, but we estimate that the plugin has between 20,000 and 50,000 installations. Tatsu sent an urgent email notification to all of their customers on April 7th advising them to update, but we estimate that at least a quarter of remaining installations are still vulnerable.
All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against attackers trying to exploit this vulnerability.
We began seeing attacks on May 10, 2022. The attacks are ongoing with the volume ramping up to a peak of 5.9 million attacks against 1.4 million sites on May 14, 2022. The attack volume has declined but the attacks are still ongoing at the time of publication.
Sucuri’s remediation and research teams regularly find malicious redirects on client sites. These infections automatically redirect site visitors to third-party websites with malicious resources, scam pages, or commercial websites with the intention of generating illegitimate traffic.
As outlined in Sucuri’s latest hacked website report, they’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW (May 2022), the April wave for this campaign was responsible for over 9,300 infected websites alone.
Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.
We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads.
Once the website had been compromised, attackers attempted to automatically infect any .js files with jQuery in their names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…”
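The injection described above can be found and read without running it: the marker string is a fixed prefix, and the `String.fromCharCode(...)` that follows is just a list of character codes. The scanner below is an added example, not Sucuri's or the campaign's code; the sample site it builds and the payload it hides are constructed, and the `trackmyposs` marker is the only value taken from the page.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Marker the campaign prepends to infected jQuery files (quoted from the page).
# The eval(String.fromCharCode(...)) after it hides the real script as numbers;
# decoding it lets an analyst read what the injection does without executing it.
MARKER = "/* trackmyposs*/eval(String.fromCharCode"
CHARCODE_RE = re.compile(r"eval\(String\.fromCharCode\(([\d\s,]+)\)\)")


def decode_fromcharcode(js_source: str) -> List[str]:
    """Decode every eval(String.fromCharCode(...)) call found in the source."""
    decoded = []
    for match in CHARCODE_RE.finditer(js_source):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def scan_js_file(path: Path) -> Optional[dict]:
    """Return a finding if the file carries the trackmyposs marker, else None."""
    source = path.read_text(encoding="utf-8", errors="replace")
    if MARKER not in source:
        return None
    return {
        "file": str(path),
        "jquery_named": "jquery" in path.name.lower(),  # the campaign's target files
        "marker_offset": source.index(MARKER),          # 0 when prepended, as described
        "decoded_payloads": decode_fromcharcode(source),
    }


def scan_wordpress_js(docroot: Path) -> List[dict]:
    """Walk a document root and collect every .js file carrying the injection."""
    return [f for f in (scan_js_file(p) for p in docroot.rglob("*.js")) if f]


def to_fromcharcode(text: str) -> str:
    """Encode text the way the injection does (used only to build the sample)."""
    return ",".join(str(ord(ch)) for ch in text)


def build_sample_docroot() -> Path:
    """Constructed sample site: one clean file and one infected jQuery copy."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-includes" / "js").mkdir(parents=True)
    (root / "wp-includes" / "js" / "clean.js").write_text("var x = 1;\n")
    hidden = "console.log('constructed sample payload');"  # harmless stand-in
    infected = f"/* trackmyposs*/eval(String.fromCharCode({to_fromcharcode(hidden)}));\n"
    infected += "/* jQuery v3 (placeholder body) */\n"
    (root / "wp-includes" / "js" / "jquery.min.js").write_text(infected)
    return root


if __name__ == "__main__":
    for finding in scan_wordpress_js(build_sample_docroot()):
        print(finding)
```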
In brief: Netskope’s new security report shows that there’s been a fivefold yearly increase in malicious PDF phishing downloads, with a lot of victims getting referred from search engines. Meanwhile, downloads of Microsoft Office files containing malware have returned to pre-Emotet levels.
Netskope, a security service edge provider, just published their new Cloud and Threat Report, which examines the past 12 months of malware downloads from the cloud and web.
Research shows that there’s been a 450 percent yearly increase in malicious PDF phishing downloads, with attackers using search engine optimization (SEO) techniques to improve the ranking of malicious PDF files on search engines such as Google and Bing.
These files often take the form of fake file sharing requests, fake invoices, or even fake Captchas that redirect users to phishing, spam, scam, and malware websites.
According to the report, most malware is being downloaded from within the same region as its victim in order to avoid geofencing filters. Over 80 percent of all malware downloads by victims in North America were downloaded from websites hosted there.
There are several other noteworthy findings in the report. Trojans continue to be effective, with 77 percent of malware downloads being Trojans. There is no single Trojan family that is globally dominant, with the top 10 families accounting for only 13 percent of all downloads.
Cybercriminals use a combination of web and cloud to target their victims, as 53 percent of malware downloads originate from traditional websites and the rest from cloud apps used for collaboration and webmail. Here, attackers can send messages to their victims through emails, direct messages, comments, and document shares.
Zero-click attacks, especially when combined with zero-day vulnerabilities, are difficult to detect and becoming more common.
Zero-click attack definition
Zero-click attacks, unlike most cyberattacks, don’t require any interaction from the users they target, such as clicking on a link, enabling macros, or launching an executable. They are sophisticated, often used in cyberespionage campaigns, and tend to leave very few traces behind—which makes them dangerous.
Once a device is compromised, an attacker can choose to install surveillance software, or they can choose to enact a much more destructive strategy by encrypting the files and holding them for ransom. Generally, a victim can’t tell when and how they’ve been infected through a zero-click attack, which means users can do little to protect themselves.
How zero-click attacks work
Zero-click attacks have become increasingly popular in recent years, fueled by the rapidly growing surveillance industry. One of the most popular spyware tools is NSO Group’s Pegasus, which has been used to monitor journalists, activists, world leaders, and company executives. While it’s not clear how each victim was targeted, it is believed that at least a few of them received a WhatsApp call they didn’t even have to answer.
Messaging apps are often targeted in zero-click attacks because they receive large amounts of data from unknown sources without requiring any action from the device owner. Most often, the attackers exploit a flaw in how data is validated or processed.
Other less-known zero-click attack types have stayed under the radar, says Aamir Lakhani, cybersecurity researcher at Fortinet’s FortiGuard Labs. He gives two examples: parser application exploits (“while a user views a picture in a PDF or a mail application, the attacker is silently exploiting a system without user clicks or interaction needed”) and “WiFi proximity attacks that seek to find exploits on a WiFi stack and upload exploit code into [the] user’s space [in the] kernel to remotely take over systems.”
Zero-click attacks often rely on zero-days, vulnerabilities that are unknown to the software maker. Not knowing they exist, the maker can’t issue patches to fix them, which can put users at risk. “Even very alert and aware users cannot avoid those double-whammy zero-day and zero-click attacks,” Lakhani says.
These attacks are often used against high-value targets because they are expensive. “Zerodium, which purchases vulnerabilities on the open market, pays up to $2.5M for zero-click vulnerabilities against Android,” says Ryan Olson, vice president of threat intelligence, Unit 42 at Palo Alto Networks.
Examples of zero-click attacks
The target of a zero-click attack can be anything from a smartphone to a desktop computer and even an IoT device. One of the first defining moments in their history happened in 2010 when security researcher Chris Paget demonstrated at DEF CON 18 how to intercept phone calls and text messages using a Global System for Mobile Communications (GSM) vulnerability, explaining that the GSM protocol is broken by design. During his demo, he showed how easy it was for his international mobile subscriber identity (IMSI) catcher to intercept the mobile phone traffic of the audience.
Another early zero-click threat was discovered in 2015 when the Android malware family Shedun took advantage of the Android Accessibility Service’s legitimate functions to install adware without the user doing anything. “By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user,” according to Lookout.
A year later, in 2016, things got even more complicated. A zero-click attack was implemented into the United Arab Emirates surveillance tool Karma, which took advantage of a zero-day found in iMessage. Karma only needed a user’s phone number or email address. Then, a text message was sent to the victim, who didn’t even have to click on a link to be infected.
Once that text arrived on an iPhone, the attackers were able to see photos, emails, and location data, among other items. The hacking unit that used this tool, dubbed Project Raven, included U.S. intelligence hackers who helped the United Arab Emirates monitor governments and human rights activists.
By the end of that decade, zero-click attacks were being noticed more often, as surveillance companies and nation-state actors started to develop tools that didn’t require any action from the user. “Attacks that we were previously seeing through links in SMS, moved to zero-click attacks by network injections,” says Etienne Maynier, technologist at Amnesty International.
Amnesty and the Citizen Lab worked on several cases involving NSO Group’s Pegasus spyware, which was linked to several murders, including that of the Washington Post journalist Jamal Khashoggi. Once installed on a phone, Pegasus can read text messages, track calls, monitor a victim’s location, access the device’s mic and camera, collect passwords, and gather information from apps.
Khashoggi and those close to him were not the only victims. In 2019, a flaw in WhatsApp was exploited to target civil society and political figures in Catalonia. The attack started with a video call made on WhatsApp to the victim. Answering the call wasn’t necessary, as the data sent to the chat app wasn’t sanitized properly. This allowed the Pegasus code to be executed on the target device, effectively installing the spyware. WhatsApp has since patched this vulnerability and has notified 1,400 users who had been targeted.
Another sophisticated zero-click attack associated with NSO Group’s Pegasus was based on a vulnerability in Apple’s iMessage. In 2021, Citizen Lab found traces of this exploit being used to target a Saudi activist. This attack relies on an error in the way GIFs are parsed in iMessage and disguises a PDF document containing malicious code as a GIF. In its analysis of the exploit, Google Project Zero stated, “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.” The iMessage vulnerability was fixed on September 13, 2021, in iOS 14.8.
Zero-click attacks don’t only target phones. In 2021, a zero-click vulnerability gave unauthenticated attackers full control over Hikvision security cameras. Later the same year, a flaw in Microsoft Teams was shown to be exploitable through a zero-click attack that gave hackers access to the target device across major operating systems (Windows, macOS, Linux).
How to detect and mitigate zero-click attacks
Realistically, knowing if a victim is infected is quite tricky, and protecting against a zero-click attack is almost impossible. “Zero-click attacks are way more common than we thought,” says Maynier. He recommends potential targets encrypt all their data, update their devices, have strong passwords, and do everything in their power to protect their digital lives. There’s also something else he tells them: “Consider that they may be compromised and adapt to that.”
Still, users can do a few things to minimize the risk of being spied on. The simplest one is to restart the phone periodically if they own an iPhone. Experts at Amnesty have shown that this could potentially stop Pegasus from working on iOS—at least temporarily. This has the advantage of disabling any code running that has not achieved persistence. However, the disadvantage is that rebooting the device may erase the signs that an infection has occurred, making it much harder for security researchers to determine whether a device has been targeted with Pegasus.
Users should also avoid jailbreaking their devices, because it removes some of the security controls that are built into the firmware. In addition to that, since they can install unverified software on a jailbroken device, this opens them up to installing vulnerable code that might be a prime target for a zero-click attack.
As always, maintaining good security hygiene can help. “Segmentation of networks, applications, and users, use of multifactor authentication, use of strong traffic monitoring, good cybersecurity hygiene, and advanced security analytics may prove to slow down or mitigate risks in specific situations,” says Lakhani. “[These] will also make post-exploitation activities difficult for attackers, even if they do compromise [the] systems.”
Maynier adds that high-profile targets should segregate data and have a device only for sensitive communications. He recommends users keep “the smallest amount of information possible on their phone (disappearing messages are a very good tool for that)” and leave it out of the room when they have important face-to-face conversations.
Organizations such as Amnesty and Citizen Lab have published guides instructing users to connect their smartphone to a PC and check to see whether they have been infected with Pegasus. The software used for this, Mobile Verification Toolkit, relies on known Indicators of Compromise such as cached favicons and URLs present in SMS messages. A user does not have to jailbreak their device to run this tool.
Also, Apple and WhatsApp have both sent messages to people who might have been targeted by zero-click attacks that aimed to install Pegasus. After that, some of them reached out to organizations such as Citizen Lab to further analyze their devices.
Yet technology alone won’t solve the problem, says Amnesty’s Maynier. “This is ultimately a question of policy and regulation,” he adds. “Amnesty, EDRi and many other organizations are calling for a global moratorium on the use, sale, and transfer of surveillance technology until there is a proper human rights regulatory framework in place that protects human rights defenders and civil society from the misuse of these tools.”
The policy answers will have to cover different aspects of this problem, he says, from export control to mandatory human rights due diligence for companies. “We need to put a stop on these widespread abuses first,” Maynier adds.
Attackers pounce before site owners can activate the installation wizard.
Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites in the typically brief window of time before the content management system (CMS) has been configured and therefore secured.
CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate websites’ identity.
First implemented by the DigiCert CA in 2013, the standard mandates that CAs immediately record all newly issued certificates on public logs in the interests of transparency and the prompt discovery of rogue or misused certificates.
However, evidence is growing that malicious hackers are monitoring these logs in order to detect new WordPress domains and configure the CMS themselves after web admins upload the WordPress files, but before they manage to secure the website with a password.
Multiple testimonies have emerged detailing sites being hacked within minutes – within seconds, even – of TLS certificates being requested.
Domain owners report the appearance of a malicious file (/wp-includes/.query.php) and sites being press-ganged into joining DDoS attacks.
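The report above describes two things a defender can check for directly: whether a freshly uploaded site still has no wp-config.php (so the setup wizard is reachable by anyone who saw the certificate in the CT logs), and whether the rogue /wp-includes/.query.php is present. The script below is an added example, not from the report or from WordPress; the sample document root is constructed, the admin address is a placeholder, and the Apache 2.4 `Require ip` rule it writes is a standard way to limit install.php to one address until the wizard has been completed.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example. Two checks taken from the report: an unfinished install
# (no wp-config.php) leaves the wizard exposed, and compromised sites carry a
# hidden /wp-includes/.query.php. No dot-prefixed PHP file belongs in core,
# so every such file is listed, not only the one named in the report.
ROGUE_FILE = Path("wp-includes") / ".query.php"


def audit_docroot(docroot: Path) -> Dict[str, object]:
    """Report installer exposure and any dot-prefixed PHP files under the docroot."""
    hidden_php: List[str] = sorted(
        str(p.relative_to(docroot)) for p in docroot.rglob(".*.php") if p.is_file()
    )
    return {
        "installer_exposed": not (docroot / "wp-config.php").is_file(),
        "rogue_query_php": (docroot / ROGUE_FILE).is_file(),
        "hidden_php_files": hidden_php,
    }


def lock_installer(docroot: Path, admin_ip: str) -> Path:
    """Write wp-admin/.htaccess so only admin_ip can reach install.php (Apache 2.4)."""
    htaccess = docroot / "wp-admin" / ".htaccess"
    htaccess.parent.mkdir(parents=True, exist_ok=True)
    htaccess.write_text(
        '<Files "install.php">\n'
        f"    Require ip {admin_ip}\n"
        "</Files>\n"
    )
    return htaccess


def build_sample_docroot() -> Path:
    """Constructed sample: files uploaded, wizard not yet run, rogue file dropped."""
    root = Path(tempfile.mkdtemp(prefix="wp-fresh-"))
    (root / "wp-admin").mkdir()
    (root / "wp-admin" / "install.php").write_text("<?php // placeholder\n")
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "functions.php").write_text("<?php // placeholder\n")
    (root / ROGUE_FILE).write_text("<?php // placeholder standing in for the rogue file\n")
    return root


if __name__ == "__main__":
    site = build_sample_docroot()
    print(audit_docroot(site))
    # 203.0.113.10 is a documentation address used as the admin placeholder
    print(lock_installer(site, "203.0.113.10").read_text())
```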
Helping to prevent doxxing
What just happened? You can find out a lot about a person just by Googling their name, but Google is now letting people remove more of their personal information from these results that could pose a danger, including physical addresses, phone numbers, and passwords.
Google has long allowed people to request certain sensitive, personally identifiable content be removed from its search results, such as confidential government identification, images of handwritten signatures, and bank account/credit card details.
Now, Google has expanded its list to include images of ID docs, confidential login credentials, and personal contact info (physical addresses, phone numbers, and email addresses). Additionally, Google will remove non-consensual explicit or intimate personal images, deepfakes, images of minors, and doxxing content, which requires explicit or implicit threats or explicit or implicit calls to action for others to harm or harass.
“Research has told us there’s a larger amount of personally identifiable information that users consider as sensitive,” Michelle Chang, global policy lead for Google search, told Reuters. “They are increasingly unwilling to tolerate this content online.”
Asking Google to remove something from its search results involves sending in the URLs that include your personal information and the search pages that surface those links. The company will then decide whether the content warrants removal from the search results, but warns that it will try to preserve anything that is newsworthy, professionally relevant, part of the public record (such as government documents), or otherwise determined to be in the public interest.
Google does remind people that the information is only being removed from its search results, not from the sites hosting it, and can be surfaced through other search engines.
Google approves only about 13% of the tens of thousands of removal requests it receives each year, though it expects the removal rate to increase in light of the expanded options.