Date: 07.27.2022
# Exploit Author: SecuriTrust
# Vendor Homepage: https://snapcreek.com/
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: < 1.4.7
# Tested on: Linux, Windows
# CVE : CVE-2022-2551
# Reference: https://securitrust.fr
# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551
#Product:
WordPress Plugin Duplicator < 1.4.7
#Vulnerability:
1-It allows an attacker to download the backup file.
#Proof-Of-Concept:
1-Backup download.
The backup file can be downloaded using the "is_daws" parameter.
http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
Monthly Archives: July 2022
Smart homes are hackable homes if not equipped with updated, supported tech
Smart homes are increasingly becoming hackable homes, according to consumer research.
The report by consumer rights organization Which? paints a grim picture for people who have equipped their residences with gadgets, many from trusted tech names.
As with pretty much everything in IT, if you connect a device to the internet, ensuring it’s patched and has a decent password is the very least owners can do. Even then, there are no guarantees that this is secure.
Unsurprisingly, the Which? team found that out-of-support devices were relatively straightforward for hackers to compromise. The example of an early Amazon Echo smart speaker was given where researchers were able to take control without the user being aware.
Other devices, such as smartphones and routers, were also exploited. The Which? team were able to infect a Samsung Galaxy S8 smartphone with malware disguised as a delivery text. Siphoning of user data was then possible.
However, in these cases the devices were out of support and “the attack would have been better blocked or detected by a device that was still receiving security updates,” Which? noted.
Continue Reading: https://www.theregister.com/2022/06/01/which_smart_tech_advice/
Attackers scan 1.6 million WordPress sites for vulnerable plugin
Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication.
The attackers are targeting the Kaswara Modern WPBakery Page Builder, which has been abandoned by its author before receiving a patch for a critical severity flaw tracked as CVE-2021-24284.
The vulnerability would allow an unauthenticated attacker to inject malicious Javascript to sites using any version of the plugin and perform actions like uploading and deleting files, which could lead to complete takeover of the site.
While the size of the campaign is impressive, with 1,599,852 unique sites being targeted, only a small portion of them are running the vulnerable plugin.
Researchers at Defiant, the maker of the Wordfence security solution for WordPress, observed an average of almost half a million attack attempts per day against customer sites they protect.
Indistinct large-scale attacks
Based on Wordfence telemetry data, the attacks started on July 4 and continue to this day. and are still ongoing today at an average of 443,868 attempts every day.
Source and more details: https://www.bleepingcomputer.com/news/security/attackers-scan-16-million-wordpress-sites-for-vulnerable-plugin/
Large-Scale Phishing Campaign Bypasses MFA
Attackers used adversary-in-the-middle attacks to steal passwords, hijack sign-in sessions and skip authentication and then use victim mailboxes to launch BEC attacks against other targets.
Microsoft researchers have uncovered a massive phishing campaign that can steal credentials even if a user has multi-factor authentication (MFA) enabled and has so far attempted to compromise more than 10,000 organizations.
The campaign, which has been active since September 2021, depends upon the use of adversary-in-the-middle (AiTM) phishing sites in the initial attacks to hijack session cookies and steal credentials. From there, attackers can access victims’ user mailboxes to launch further attacks against other targets, the Microsoft 365 Defender Research Team from the Microsoft Threat Intelligence Center (MTIC) wrote in a blog post published Tuesday.
In AiTM attacks, a threat actor deploys a proxy server between a target user and the website the user wishes to visit–that is, the site the attacker wishes to impersonate, researchers explained.
“Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website,” they wrote.
It’s important to point out that this type of attack does not denote a vulnerability in the type of MFA employed by a corporate email system, they added. AiTM phishing steals the session cookie, so the attacker gets authenticated to a session on the user’s behalf regardless of the sign-in method the latter uses, researchers said.
Indeed, attackers are getting wise to organizations’ increasing use of MFA to better secure user accounts and creating more sophisticated phishing attacks like these that can bypass it, noted a security professional.
“While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie–and because the session cookie shows that MFA was already used to login–the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron, security awareness advocate at security awareness training firm KnowBe4, in an email to Threatpost.
AiTM Phishing, Unpacked
In their observation of the campaign, Microsoft researchers took a deeper dive into how these types of attacks work and how they can be used to mount secondary business email compromise (BEC) attacks once initial access to someone’s account is gained, they said.
AiTM phishing attacks depend upon the session that every modern web service implements with a user after successful authentication so that the user doesn’t have to be authenticated at every new page they visit, researchers explained.
“This session functionality is implemented through a session cookie provided by an authentication service after initial authentication,” they wrote. “The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website.”
In AiTM phishing, an attacker attempts to steal a target user’s session cookie so they can skip the whole authentication process and act as if they are the legitimate authenticated user, researchers said.
“To do this, the attacker deploys a webserver that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around,” they wrote. “This way, the phishing site is visually identical to the original website (as every HTTP is proxied to and from the original website).”
This attack is especially convenient for threat actors because it precludes the need for them to craft their own phishing sites such as the ones used in conventional phishing campaigns, researchers noted.
Specific Attack Vector
In the phishing campaign observed by Microsoft researchers, attackers initiate contact with potential victims by sending emails with an HTML file attachment to multiple recipients in different organizations. The messages claim that the recipients have a voicemail message and need to click on the attachment to access it or it will be deleted in 24 hours.
If a user clicks on the link, they are redirected to a site that tells them they will be redirected again to their mailbox with the audio in an hour. Meanwhile, they are asked to sign in with their credentials.
At this point, however, the attack does something unique using clever coding by automatically filling in the phishing landing page with the user’s email address, “thus enhancing its social engineering lure,” researchers noted.
If a target enters his or her credentials and gets authenticated, he or she is redirected to the legitimate Microsoft office.com page. However, in the background, the attacker intercepts the credentials and gets authenticated on the user’s behalf, providing free reign to perform follow-on activities, researchers said.
In the phishing email chain that researchers observed, the threat actor used the authentication to commit payment fraud in secondary attacks from within the organization, researchers said.
Follow-Up BEC and Payment Fraud
Attackers took less than five minutes after hijacking sessions and stealing credentials to begin the process of conducting payment fraud by authenticating to Outlook to access finance-related emails and file attachments, researchers said. The following day, they accessed these emails and files every few hours to search for opportunities to commit fraud.
The threat actor also deleted from the compromised account’s Inbox folder the original phishing email they sent to hide traces of their initial access, researchers added.
“These activities suggest the attacker attempted to commit payment fraud manually,” they wrote.
Attackers also used Outlook Web Access (OWA) on a Chrome browser to commit payment fraud while using the compromised account’s stolen session cookie, researchers added.
Source: https://threatpost.com/large-scale-hishing-bypasses-mfa/180212/
WordPress 6.0.1 released
WordPress 6.0.1 was released on July 12, 2022.
This maintenance release features 12 bug fixes in Core and 18 bug fixes for the block editor.
Details on the 6.0.1 release: https://wordpress.org/support/wordpress-version/version-6-0-1/
Details on the upcoming 6.1 release: https://wptavern.com/wordpress-6-1-to-focus-on-refining-full-site-editing-next-phase-collaboration-and-multilingual-features-anticipated-in-2023-2025#:~:text=WordPress%206.1%20will%20bring%20better,patterns%20and%20managing%20saved%20patterns.