Zero-Day Vulnerability in WPGateway Actively Exploited in the Wild

On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin. They released a firewall rule to Wordfence Premium customers to block the exploit on the same day, September 8, 2022. (Consider upgrading to WordFence Premium: $81/year)

Sites still running the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022. The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.

The WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to setup and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.

The Wordfence team obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time they contacted the plugin vendor with their initial disclosure. Wordfence has reserved vulnerability identifier CVE-2022-3180 for this issue.

As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.

Source and more details:

Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin

Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations. This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information.

After reviewing historical data, we determined that attackers started targeting this vulnerability on August 26, 2022, and that we have blocked 4,948,926 attacks targeting this vulnerability since that time.

The vulnerability affects versions to, and has been fully patched as of September 2, 2022 in version 8.7.5. Due to the fact that this is an actively exploited vulnerability, we strongly encourage you to ensure your site has been updated to the latest patched version 8.7.5 (or later) which iThemes has made available to all site owners running a vulnerable version regardless of licensing status.

All customers have been and will continue to be protected against any attackers trying to exploit this vulnerability due to the Wordfence firewall’s built-in directory traversal and file inclusion firewall rules. Of course, we have also updated your plugin.

Source and more details:

Attackers scan 1.6 million WordPress sites for vulnerable plugin

Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication.

The attackers are targeting the Kaswara Modern WPBakery Page Builder, which has been abandoned by its author before receiving a patch for a critical severity flaw tracked as CVE-2021-24284.

The vulnerability would allow an unauthenticated attacker to inject malicious Javascript to sites using any version of the plugin and perform actions like uploading and deleting files, which could lead to complete takeover of the site.

While the size of the campaign is impressive, with 1,599,852 unique sites being targeted, only a small portion of them are running the vulnerable plugin.

Researchers at Defiant, the maker of the Wordfence security solution for WordPress, observed an average of almost half a million attack attempts per day against customer sites they protect.

Indistinct large-scale attacks

Based on Wordfence telemetry data, the attacks started on July 4 and continue to this day. and are still ongoing today at an average of 443,868 attempts every day.

Source and more details:

Large-Scale Phishing Campaign Bypasses MFA

Attackers used adversary-in-the-middle attacks to steal passwords, hijack sign-in sessions and skip authentication and then use victim mailboxes to launch BEC attacks against other targets.

Microsoft researchers have uncovered a massive phishing campaign that can steal credentials even if a user has multi-factor authentication (MFA) enabled and has so far attempted to compromise more than 10,000 organizations.

The campaign, which has been active since September 2021, depends upon the use of adversary-in-the-middle (AiTM) phishing sites in the initial attacks to hijack session cookies and steal credentials. From there, attackers can access victims’ user mailboxes to launch further attacks against other targets, the Microsoft 365 Defender Research Team from the Microsoft Threat Intelligence Center (MTIC) wrote in a blog post published Tuesday.

In AiTM attacks, a threat actor deploys a proxy server between a target user and the website the user wishes to visit–that is, the site the attacker wishes to impersonate, researchers explained.

“Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website,” they wrote.

It’s important to point out that this type of attack does not denote a vulnerability in the type of MFA employed by a corporate email system, they added. AiTM phishing steals the session cookie, so the attacker gets authenticated to a session on the user’s behalf regardless of the sign-in method the latter uses, researchers said.

Indeed, attackers are getting wise to organizations’ increasing use of MFA to better secure user accounts and creating more sophisticated phishing attacks like these that can bypass it, noted a security professional.

“While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie–and because the session cookie shows that MFA was already used to login–the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron, security awareness advocate at security awareness training firm KnowBe4, in an email to Threatpost.

AiTM Phishing, Unpacked

In their observation of the campaign, Microsoft researchers took a deeper dive into how these types of attacks work and how they can be used to mount secondary business email compromise (BEC) attacks once initial access to someone’s account is gained, they said.

AiTM phishing attacks depend upon the session that every modern web service implements with a user after successful authentication so that the user doesn’t have to be authenticated at every new page they visit, researchers explained.

“This session functionality is implemented through a session cookie provided by an authentication service after initial authentication,” they wrote. “The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website.”

In AiTM phishing, an attacker attempts to steal a target user’s session cookie so they can skip the whole authentication process and act as if they are the legitimate authenticated user, researchers said.

“To do this, the attacker deploys a webserver that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around,” they wrote. “This way, the phishing site is visually identical to the original website (as every HTTP is proxied to and from the original website).”

This attack is especially convenient for threat actors because it precludes the need for them to craft their own phishing sites such as the ones used in conventional phishing campaigns, researchers noted.

Specific Attack Vector

In the phishing campaign observed by Microsoft researchers, attackers initiate contact with potential victims by sending emails with an HTML file attachment to multiple recipients in different organizations. The messages claim that the recipients have a voicemail message and need to click on the attachment to access it or it will be deleted in 24 hours.

If a user clicks on the link, they are redirected to a site that tells them they will be redirected again to their mailbox with the audio in an hour. Meanwhile, they are asked to sign in with their credentials.

At this point, however, the attack does something unique using clever coding by automatically filling in the phishing landing page with the user’s email address, “thus enhancing its social engineering lure,” researchers noted.

If a target enters his or her credentials and gets authenticated, he or she is redirected to the legitimate Microsoft page. However, in the background, the attacker intercepts the credentials and gets authenticated on the user’s behalf, providing free reign to perform follow-on activities, researchers said.

In the phishing email chain that researchers observed, the threat actor used the authentication to commit payment fraud in secondary attacks from within the organization, researchers said.

Follow-Up BEC and Payment Fraud

Attackers took less than five minutes after hijacking sessions and stealing credentials to begin the process of conducting payment fraud by authenticating to Outlook to access finance-related emails and file attachments, researchers said. The following day, they accessed these emails and files every few hours to search for opportunities to commit fraud.

The threat actor also deleted from the compromised account’s Inbox folder the original phishing email they sent to hide traces of their initial access, researchers added.

“These activities suggest the attacker attempted to commit payment fraud manually,” they wrote.

Attackers also used Outlook Web Access (OWA) on a Chrome browser to commit payment fraud while using the compromised account’s stolen session cookie, researchers added.


Massive WordPress JavaScript Injection Campaign Redirects to Ads 

Sucuri’s remediation and research teams regularly find malicious redirects on client sites. These infections automatically redirect site visitors to third-party websites with malicious resources, scam pages, or commercial websites with the intention of generating illegitimate traffic.

As outlined in Sucuri’s latest hacked website report, they’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW (May 2022), the April wave for this campaign was responsible for over 9,300 infected websites alone.

Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

Investigating Obfuscated JavaScript in WordPress Sites

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads.

The websites all shared a common issue — malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files such as:

  • ./wp-includes/js/jquery/jquery.min.js
  • ./wp-includes/js/jquery/jquery-migrate.min.js

Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…”

Continue reading:

Cybercriminals are using SEO to improve the ranking of malicious PDFs on search results

In brief: Netskope’s new security report shows that there’s been a fivefold yearly increase in malicious PDF phishing downloads, with a lot of victims getting referred from search engines. Meanwhile, downloads of Microsoft Office files containing malware have returned to pre-Emotet levels.

Netskope, a security service edge provider, just published their new Cloud and Threat Report, which examines the past 12 months of malware downloads from the cloud and web.

Research shows that there’s been a 450 percent yearly increase in malicious PDF phishing downloads, with attackers using search engine optimization (SEO) techniques to improve the ranking of malicious PDF files on search engines such as Google and Bing.

These files often take the form of fake file sharing requests, fake invoices, or even fake Captchas that redirect users to phishing, spam, scam, and malware websites.

According to the report, most malware is being downloaded from within the same region as its victim in order to avoid geofencing filters. Over 80 percent of all malware downloads by victims in North America were downloaded from websites hosted there.

There are several other noteworthy findings in the report. Trojans continue to be effective, with 77 percent of malware downloads being Trojans. There is no single Trojan family that is globally dominant, with the top 10 families accounting for only 13 percent of all downloads.

Cybercriminals use a combination of web and cloud to target their victims, as 53 percent of malware downloads originate from traditional websites and the rest from cloud apps used for collaboration and webmail. Here, attackers can send messages to their victims through emails, direct messages, comments, and document shares.


Dangerous new one-click Gmail hack puts your private data at risk

If you need any more reasons to be particularly careful when opening an email attachment, here’s one for you. A new Gmail hack campaign is currently making the rounds, and a single click could be enough to infect your computer and put your data at risk.

Last week, Trustwave senior security researcher Diana Lopera published a blog post about a frightening new email hack campaign. According to Lopera, scammers are sneakily attaching malicious files to emails using file formats that would not normally raise suspicion. They are using this technique to spread the data-stealing Vidar malware.

The emails are short and direct the reader’s attention to the attachment. The attachment in question is often named “request.doc,” but it is really an ISO file. As Lopera explains, ISO is a disk image file format cybercriminals occasionally use to store malware. It might look like a text document, but the ISO actually contains two files. One is a Microsoft Compiled HTML Help (CHM) file named “pss10r.chm” and the other is an executable named “app.exe.”

As you hopefully know by now, never ever open an email attachment from a source you don’t recognize. In fact, even if you do recognize the sender, double-check everything first. There are plenty of scams that involve using similar addresses to convince victims of their legitimacy.

More details:

Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk

CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.

Thanks to a quirk of how WordPress processes the page parameter and the default PHP request order, it is possible to use this parameter to perform a reflected cross-site scripting attack, which is almost identical to a vulnerability recently covered by the folks at WordFence.

The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to the site at wp-admin/edit-comments.php?page=ct_check_spam, with the $_POST[‘page’] parameter set to malicious JavaScript.

As with any Cross-Site Scripting vulnerability, executing JavaScript in an administrator’s session can be used to take over a site by adding a new malicious administrator or injecting a backdoor, among other potential methods.

A patched version was released on March 25th and installed on all our clients’ websites the same day.

Increase In Malware Sightings on GoDaddy Managed Hosting

On March 15, 2022, The Wordfence Incident Response team alerted the WordFence Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. These affected sites have a nearly identical backdoor prepended to the wp-config.php file. Of the 298 sites that have been newly infected by this backdoor starting 5 days ago on March 11, at least 281 are hosted with GoDaddy.

The backdoor in question has been in use since at least 2015. It generates spammy Google search results and includes resources customized to the infected site. The main backdoor is added to the very beginning of wp-config.php and looks like this:

The encoded file that is downloaded contains a template based on the infected site source code, but with links to pharmaceutical spam added. This spam link template is set to display whenever the site is accessed.

If your site is hosted on GoDaddy’s Managed WordPress platform (which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites), we strongly recommend that you manually check your site’s wp-config.php file, or run a scan with a malware detection solution such as the free Wordfence scanner to ensure that your site is not infected.

If your site is infected you will need to have it cleaned and may also need to remove spam search engine results. 


Beware: new IRS rules will lead to a wave of phishing frauds

Thanks to new legislation that went into place at the beginning of this year, I predict that a lot of unsuspecting small business owners are about to fall victim to a fresh scam.

The scam will relate to legislation around new tax reporting rules that will affect millions of freelancers and small businesses. As explained in an earlier column, beginning for the 2022 tax year, if you receive more than $600 in total payments during the course of the year from a payment service like PayPal, Venmo (which is owned by PayPal), Square, Stripe or online sales of your products made through Amazon, Etsy and other marketplaces – regardless of how many customers are paying – that payment service is required to report that amount to the IRS and to you by sending a Form 1099-K – used for reporting payments via these third parties – in early 2023.

Full story: