Spam attempts increase 4x

Here at ProtectYourWP.com we’ve noticed a substantial increase in incoming spam on our clients’ sites – on average there have been four times as many spam comments over the past few weeks as usual.

It appears that either someone has figured out how to get around the comment filtering mechanisms built in to WordPress, or else the spammers are just sending many more than before.

The good news is that the vast majority of them are caught before they get to you, our clients. (Did you know that we delete most of the obviously spammy comments on a daily basis, so that you never have to deal with them?)

If you’d like even better protection, we’ve had excellent results using Anti-Spam by CleanTalk. It’s a service that costs just $6.00/year and is well worth it! We have no relation to CleanTalk other than being a satisfied customer!

Let us or your site developer know if you’d like us to install it on your site.

Local File Inclusion Vulnerability Patched in Shield Security WordPress Plugin

Wordfence received a submission for a Local File Inclusion vulnerability in Shield Security, a WordPress plugin with more than 50,000 active installations, as part of their bug bounty program. It’s important to note that this vulnerability is limited to the inclusion of PHP files; however, it could be leveraged by an attacker who has the ability to upload PHP files but cannot directly access those files to execute them.

Props to hir0ot who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $938.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Directory Traversal and Local File Inclusion protection.

Wordfence contacted the Shield Security Team on December 21, 2023, and received a response on December 23, 2023. After providing full disclosure details, the developer released a patch on December 23, 2023. We would like to commend the Shield Security Team for their prompt response and timely patch, which was released on the same day.

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
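The following is an added illustration of the Local File Inclusion class described above, showing the unchecked include pattern beside a hardened version; it is not Shield Security's code, and the template directory, allowlist entries and function names are hypothetical (assumes PHP 8).

```php
<?php
// Added illustration of the Local File Inclusion class, NOT Shield Security's
// code. $baseDir, the template names and the function names are hypothetical.
declare(strict_types=1);

$baseDir = __DIR__ . '/templates'; // hypothetical template directory

// Vulnerable pattern: a request parameter is concatenated into an include path.
// Because ".php" is appended, only PHP files can be included, but a traversal
// value still reaches any PHP file on disk, including one an attacker could
// upload yet not request directly, which is the scenario the advisory describes.
function render_template_unsafe(string $baseDir, string $name): void
{
    include $baseDir . '/' . $name . '.php';
}

// Hardened pattern: accept only known template names, then confirm that the
// resolved path stays inside the template directory as defense in depth
// (covers symlinks and any future slip in the allowlist).
function render_template_safe(string $baseDir, string $name): void
{
    static $allowed = ['summary', 'details', 'settings']; // constructed allowlist

    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('unknown template name');
    }

    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('template not found or outside the template directory');
    }

    include $path;
}

// Demonstration on the advisory's parameter name with a constructed default.
// No templates exist next to this script, so the safe version refuses at the
// path check instead of including anything.
$requested = $_GET['render_action_template'] ?? 'summary';
try {
    render_template_safe($baseDir, $requested);
} catch (InvalidArgumentException | RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```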

We urge users to update their sites with the latest patched version of Shield Security, which is version 18.5.10, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/02/local-file-inclusion-vulnerability-patched-in-shield-security-wordpress-plugin

Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs

Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.

The intrusion, which took place between November 14 and 24, 2023, and was detected on November 23, was carried out “with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as “sophisticated” and one who “operated in a thoughtful and methodical manner.”

As a precautionary measure, the company further said it rotated more than 5,000 production credentials, physically segmented test and staging systems, carried out forensic triages on 4,893 systems, and reimaged and rebooted every machine across its global network.

The incident involved a four-day reconnaissance period to access Atlassian Confluence and Jira portals, following which the adversary created a rogue Atlassian user account and established persistent access to its Atlassian server to ultimately obtain access to the Bitbucket source code management system by means of the Sliver adversary simulation framework.

As many as 120 code repositories were viewed, out of which 76 are estimated to have been exfiltrated by the attacker.

“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes,” Cloudflare said.

“A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves.”

The threat actor is then said to have unsuccessfully attempted to “access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”

The attack was made possible by using one access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were stolen following the October 2023 hack of Okta’s support case management system.

Cloudflare acknowledged that it had failed to rotate these credentials, mistakenly assuming they were unused.

The company also said it took steps to terminate all malicious connections originating from the threat actor on November 24, 2023. It also engaged cybersecurity firm CrowdStrike to perform an independent assessment of the incident.

“The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network,” Cloudflare said.

Source: https://thehackernews.com/2024/02/cloudflare-breach-nation-state-hackers.html

The WordPress 6.4.3 Security Update – What You Need to Know

Today, January 30, 2024, WordPress released version 6.4.3, which contains two security patches for longstanding, albeit minor, security concerns in WordPress Core.

The first patch addresses an issue that allows users with Administrator (or Super Administrator on Multisite) privileges to upload PHP files directly to a site via the Plugin and Theme file upload mechanism. This is only a concern in heavily locked-down configurations that disallow Administrators and Super Administrators from installing plugins and themes via a separate mechanism. Wordfence has tracked this as a low-priority informational security alert since August 2023, though it has been public since August 2018.

The second patch addresses the way that options are stored: options are now sanitized before their data type is checked, so arrays and objects are serialized, and data that is already serialized is serialized again. While this already happens when options are updated, it was not performed during site installation, initialization, or upgrade. According to the 6.4.3 release post, this is intended to address a potential PHP Object Injection issue.
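As an added illustration (not WordPress core code), the block below shows why serializing an already-serialized string matters: store_option() and load_option() are simplified stand-ins for WordPress's maybe_serialize()/maybe_unserialize(), the serialized-data detector is deliberately simpler than WordPress's is_serialized(), and the input string is constructed (assumes PHP 8).

```php
<?php
// Added illustration, NOT WordPress core code. store_option()/load_option()
// are simplified stand-ins for maybe_serialize()/maybe_unserialize().
declare(strict_types=1);

// Simplified detector for a string that is already PHP-serialized data
// (WordPress's is_serialized() is more thorough).
function looks_serialized(string $s): bool
{
    return (bool) preg_match('/^(?:[aOs]:\d+:|[bid]:|N;)/', $s);
}

function store_option(mixed $value): string
{
    // Arrays and objects are serialized so they fit in a string column.
    if (is_array($value) || is_object($value)) {
        return serialize($value);
    }
    // A string that already looks serialized is serialized again, so that on
    // read it comes back as that same string instead of being unserialized.
    if (is_string($value) && looks_serialized($value)) {
        return serialize($value);
    }
    return (string) $value;
}

function load_option(string $stored): mixed
{
    // Production code should additionally pass ['allowed_classes' => false]
    // (or an explicit list) to unserialize(); omitted here to show the risk.
    return looks_serialized($stored) ? unserialize($stored) : $stored;
}

// Constructed input: a string value that happens to look like a serialized object.
$userSupplied = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

// Sanitized path (what the patch now guarantees during install, init and upgrade):
$stored = store_option($userSupplied);            // s:39:"O:8:"stdClass":1:{...}";
var_dump(load_option($stored) === $userSupplied); // bool(true): still a plain string

// Unsanitized path (value written verbatim): reading it back instantiates an
// object from stored data, which is the PHP Object Injection concern.
var_dump(is_object(load_option($userSupplied))); // bool(true)
```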

Both issues appear to require a highly privileged user or an attacker stumbling upon a site with an incomplete installation to exploit, and are likely to impact few WordPress sites in the real world.

Both patches have been backported to version 4.1 and later of WordPress.

Conclusion

The WordPress 6.4.3 security patches addressed two minor issues in WordPress core and can primarily be considered increased hardening, as the circumstances in which they are likely to have a security impact are incredibly rare. Nonetheless, we recommend updating in a reasonable time frame, especially if your site relies on a hardened configuration due to regulatory requirements.

Source and more details: https://www.wordfence.com/blog/2024/01/the-wordpress-6-4-3-security-update-what-you-need-to-know