Zero-Day Vulnerability in WPGateway Actively Exploited in the Wild

On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin. They released a firewall rule to Wordfence Premium customers to block the exploit on the same day, September 8, 2022. (Consider upgrading to WordFence Premium: $81/year)

Sites still running the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022. The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.

The WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to set up and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.

The Wordfence team obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time they contacted the plugin vendor with their initial disclosure. Wordfence has reserved vulnerability identifier CVE-2022-3180 for this issue.

As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.

Source and more details: https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild

Here’s why you need to update your Google Chrome right now

Google has just released a new version of Chrome, and it’s crucial that you get your browser updated as soon as possible.

The patch was deployed to fix a major zero-day security flaw that could potentially pose a risk to your device. The latest update is now available for Windows, Mac, and Linux — here’s how to make sure your browser is safe.

The vulnerability, now referred to as CVE-2022-3075, was discovered by an anonymous security researcher and reported straight to Google. It was caused by sub-par data validation in Mojo, which is a collection of runtime libraries. Google doesn’t say much beyond that, and that makes sense — the vulnerability is still out in the wild, so it’s better to not make the exact details public just yet.

What we do know is that the vulnerability was assigned a high priority level, which means that it could potentially be dangerous if abused. Suffice it to say that it’s better if you update your browser right now.

Although Google is keeping the information close right now, this is an active vulnerability, and once spotted, it could be taken advantage of on devices that haven’t downloaded the latest patch. The patch, said to fix the problem, is included in version 105.0.5195.102 of Google Chrome. Google predicts that it might take a few days or even weeks until the entire user base receives automatic access to the new fix.

Your browser should download the update automatically the next time you open it. If you want to double-check and make sure you’re up to date, open up your Chrome Menu and then follow this path: Help -> About Google Chrome. Alternatively, you can simply type “Update Chrome” into the address bar and then click the result that pops up below your search, before you even confirm it.

You will be asked to re-launch the browser once the update has been downloaded. If it’s not available to you yet, make sure to check back shortly, as Google will be rolling it out to more and more users.

Google Chrome continues to be a popular target for various cyberattacks and exploits. It’s not even just the browser itself that is often targeted, but its extensions, too. To that end, make sure to only download and use extensions from reputable companies, and don’t be too quick to stack too many of them at once.

Source: https://www.digitaltrends.com/computing/google-chrome-new-update-fixes-zero-day-vulnerability/

Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability

The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin. As the plugin was closed without a patch, all versions of the plugin are impacted by this vulnerability. The vulnerability can be used to upload malicious PHP files to an affected website, leading to code execution and complete site takeover. Once they’ve established a foothold, attackers can also inject malicious JavaScript into files on the site, among other malicious actions.

All ProtectYourWP.com customers have been protected from this attack campaign by the Wordfence Firewall since May 21, 2021, with Wordfence Premium, Care, and Response customers having received the firewall rule 30 days earlier on April 21, 2021. Even though Wordfence provides protection against this vulnerability, we strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and finding an alternative as it is unlikely the plugin will ever receive a patch for this critical vulnerability. We are currently protecting over 1,000 websites that still have the plugin installed, and we estimate that between 4,000 and 8,000 websites in total still have the plugin installed.

Wordfence has blocked an average of 443,868 attack attempts per day against the network of sites that we protect during the course of this campaign. Please be aware that while 1,599,852 unique sites were targeted, a majority of those sites were not running the vulnerable plugin.

Source: https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability

A Sinister Way to Beat Multifactor Authentication Is on the Rise

Lapsus$ and the group behind the SolarWinds hack have utilized prompt bombing to defeat weaker MFA protections in recent months.

MULTIFACTOR AUTHENTICATION (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be taken to suggest that MFA is anything other than essential.

That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

Enter MFA Prompt Bombing

The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and simplicity of use. It gives users the option of using fingerprint readers or cameras built into their devices or dedicated security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.

That’s where older, weaker forms of MFA come in. They include one-time passwords sent through SMS or generated by mobile apps like Google Authenticator, and push prompts sent to a mobile device. When someone is logging in with a valid password, they also must either enter the one-time password into a field on the sign-in screen or push a button displayed on the screen of their phone.

It’s this last form of authentication that recent reports say is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a band of elite hackers working for Russia’s Foreign Intelligence Service. The group also goes under the names Nobelium, APT29, and the Dukes.

“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”

Lapsus$, a hacking gang that has breached Microsoft, Okta, and Nvidia in recent months, has also used the technique.

“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The Lapsus$ member claimed that the MFA prompt-bombing technique was effective against Microsoft, which earlier this week said the hacking group was able to access the laptop of one of its employees.

“Even Microsoft!” the person wrote. “Able to login to an employee’s Microsoft VPN from Germany and USA at the same time and they didn’t even seem to notice. Also was able to re-enroll MFA twice.”

Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant who goes by the Twitter handle _MG_, told Ars the technique is “fundamentally a single method that takes many forms: tricking the user to acknowledge an MFA request. ‘MFA Bombing’ has quickly become a descriptor, but this misses the more stealthy methods.”

Methods include:

  • Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
  • Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
  • Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

“Those are just a few examples,” Grover said, “but it’s important to know that mass bombing is NOT the only form this takes.”

In a Twitter thread, he wrote, “Red teams have been playing with variants on this for years. It’s helped companies fortunate enough to have a red team. But real world attackers are advancing on this faster than the collective posture of most companies has been improving.”

Good Boy, FIDO

As noted earlier, FIDO2 forms of MFA aren’t susceptible to the technique, as they’re tied to the physical machine someone is using when logging in to a site. In other words, the authentication must be performed on the device that is logging in. It can’t happen on one device to give access to a different device.

But that doesn’t mean organizations that use FIDO2-compliant MFA can’t be susceptible to prompt bombing. It’s inevitable that a certain percentage of people enrolled in these forms of MFA will lose their key, drop their iPhone in the toilet, or break the fingerprint reader on their laptop.

Organizations must have contingencies in place to deal with these unavoidable events. Many will fall back on more vulnerable forms of MFA in the event that an employee loses the key or device required to send the additional factor. In other cases, the hacker can trick an IT administrator into resetting the MFA and enrolling a new device. In still other cases, FIDO2-compliant MFA is merely one option, but less secure forms are still permitted.

“Reset/backup mechanisms are always very juicy for attackers,” Grover said.

In other cases, companies that use FIDO2-compliant MFA rely on third parties to manage their network or perform other essential functions. If the third-party employees can access the company’s network with weaker forms of MFA, that largely defeats the benefit of the stronger forms.
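The two defender-side responses this section implies, a per-user cap on outstanding push prompts (the "no limit is placed on the amount of calls" gap Lapsus$ describes) and detection of the fatigue pattern in authentication logs, as an added example that is not code from the Wired article, Mandiant, or any MFA vendor. The log format, the 10-minute window, the 3-push limit and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample events (not real logs): ISO timestamp, user, event.
SAMPLE_LOG = """\
2022-03-22T01:00:05Z alice push_sent
2022-03-22T01:00:30Z alice push_denied
2022-03-22T01:01:10Z alice push_sent
2022-03-22T01:02:15Z alice push_sent
2022-03-22T01:03:05Z alice push_sent
2022-03-22T01:03:20Z alice push_approved
2022-03-22T09:15:00Z bob push_sent
2022-03-22T09:15:12Z bob push_approved
"""

WINDOW = timedelta(minutes=10)  # hypothetical policy values, not from the article
MAX_PUSHES = 3                  # pushes per user per window before we flag / refuse

def detect_prompt_bombing(log_text, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return {user: reasons}. 'burst': more than max_pushes pushes in one window.
    'approve_after_deny': an approval preceded by a denial in the window, the fatigue
    signal that even a low-and-slow campaign (a prompt or two a day) can still show."""
    pushes, denials, findings = defaultdict(deque), defaultdict(deque), defaultdict(set)
    for line in log_text.splitlines():
        ts, user, event = line.split()
        ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        for q in (pushes[user], denials[user]):  # slide both windows forward
            while q and ts - q[0] > window:
                q.popleft()
        if event == "push_sent":
            pushes[user].append(ts)
            if len(pushes[user]) > max_pushes:
                findings[user].add("burst")
        elif event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved" and denials[user]:
            findings[user].add("approve_after_deny")
    return {u: sorted(r) for u, r in findings.items()}

class PushThrottle:
    """Mitigation side: refuse to send more than max_pushes pushes per user per window."""
    def __init__(self, window=WINDOW, max_pushes=MAX_PUSHES):
        self.window, self.max_pushes, self.sent = window, max_pushes, defaultdict(deque)
    def allow(self, user, now):
        q = self.sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_pushes:
            return False  # fail closed: the fourth prompt in the window is never sent
        q.append(now)
        return True
```

The count-based `burst` signal misses the one-or-two-prompts-a-day variant Grover describes; `approve_after_deny` is the signal that still fires there, and the throttle is what removes the "100 calls at 1 am" option entirely.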

Source & more details: https://www.wired.com/story/multifactor-authentication-prompt-bombing-on-the-rise

Inspiro Pro < 7.2.3 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description.

Proof of Concept

Steps to reproduce:
1) As a Contributor, go to Portfolio on the dashboard and add a new item.
2) On the editing page that comes up, scroll down to the slider section.
3) Add the payload in the description area: "<img src=1 onerror=alert('xss')>"
4) Save and preview the item and watch the script trigger.
5) Log in as an administrator or editor, preview the created portfolio item, and the script is triggered again.

Source: https://wpscan.com/vulnerability/dd6ebf6b-209b-437c-9fe4-527ab9e3b9e3

Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin

Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations. This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information.

After reviewing historical data, we determined that attackers started targeting this vulnerability on August 26, 2022, and that we have blocked 4,948,926 attacks targeting this vulnerability since that time.

The vulnerability affects versions 8.5.8.0 to 8.7.4.1, and has been fully patched as of September 2, 2022 in version 8.7.5. Due to the fact that this is an actively exploited vulnerability, we strongly encourage you to ensure your site has been updated to the latest patched version 8.7.5 (or later) which iThemes has made available to all site owners running a vulnerable version regardless of licensing status.

All ProtectYourWP.com customers have been and will continue to be protected against any attackers trying to exploit this vulnerability due to the Wordfence firewall’s built-in directory traversal and file inclusion firewall rules. Of course, we have also updated your plugin.

Source and more details: https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin