Missing Authorization Vulnerability in Blog2Social Plugin

The Wordfence Threat Intelligence team responsibly disclosed a Missing Authorization vulnerability in Blog2Social, a WordPress plugin installed on over 70,000 sites that allows users to set up post sharing to various social networks. Vulnerable versions of the plugin make it possible for authenticated attackers with minimal permissions, such as subscribers, to change the plugin’s settings.

Blog2Social: Social Media Auto Post & Scheduler is a plugin offered by Blog2Social/Adenion that provides content creators with the ability to quickly share site content to their social media accounts. It offers automatic post sharing as well as optimized scheduling and also extends some of its features to subscribers, enabling them to share posts to their own social media accounts.

As part of the plugin’s functionality, there are some more advanced settings that can be managed. Unfortunately, this was implemented insecurely, making it possible for authenticated attackers to update these settings even without the authorization to do so.

Source & more details: https://www.wordfence.com/blog/2022/11/missing-authorization-vulnerability-in-blog2social-plugin

SURVEILLANCE SELF-DEFENSE

TIPS, TOOLS AND HOW-TOS FOR SAFER ONLINE COMMUNICATIONS

A PROJECT OF THE ELECTRONIC FRONTIER FOUNDATION

We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for nearly thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying.

Read the BASICS to find out how online surveillance works. Dive into our TOOL GUIDES for instructions for installing our pick of the best, most secure applications. We have more detailed information in our FURTHER LEARNING sections. If you’d like a guided tour, look for our list of common SECURITY SCENARIOS.

Source: https://ssd.eff.org/en

Google, like Amazon, may let police see your video without a warrant

Arlo, Apple, Wyze, and Anker, owner of Eufy, all confirmed to CNET that they won’t give authorities access to your smart home camera’s footage unless they’re shown a warrant or court order. If you’re wondering why they’re specifying that, it’s because we’ve now learned Google and Amazon can do just the opposite: they’ll allow police to get this data without a warrant if police claim there’s been an emergency. And while Google says that it hasn’t used this power, Amazon’s admitted to doing it almost a dozen times this year.

Earlier this month my colleague Sean Hollister wrote about how Amazon, the company behind the smart doorbells and security systems, will indeed give police that warrantless access to customers’ footage in those “emergency” situations. And as CNET now points out, Google’s privacy policy has a similar carveout as Amazon’s, meaning law enforcement can access data from its Nest products — or theoretically any other data you store with Google — without a warrant.

Google and Amazon’s information request policies for the US say that in most cases, authorities will have to present a warrant, subpoena, or similar court order before they’ll hand over data. This much is true for Apple, Arlo, Anker, and Wyze too — they’d be breaking the law if they didn’t. Unlike those companies, though, Google and Amazon will make exceptions if a law enforcement agency submits an emergency request for data.

While their policies may be similar, it appears that the two companies comply with these kinds of requests at drastically different rates. Earlier this month, Amazon disclosed that it had already fulfilled 11 such requests this year. In an email, Google spokesperson Kimberly Taylor told The Verge that the company has never turned over Nest data during an ongoing emergency. Taylor says:

If there is an ongoing emergency where getting Nest data would be critical to addressing the problem, we are, per the TOS, allowed to send that data to authorities. To date, we have never done this, [emphasis theirs] but it’s important that we reserve the right to do so.

Here’s what Google’s information request policy has to say about “requests for information in emergencies:”

If we reasonably believe that we can prevent someone from dying or from suffering serious physical harm, we may provide information to a government agency — for example, in the case of bomb threats, school shootings, kidnappings, suicide prevention, and missing persons cases. We still consider these requests in light of applicable laws and our policies.

Taylor also says that Google takes emergency disclosure requests “very seriously, and have dedicated teams and strict policies in place that are designed to ensure that we provide information that can assist first responders in the event of an emergency while ensuring that we only disclose data that is reasonably necessary to avert an ongoing threat.”

Fulfilling emergency requests is legally allowed, but not mandated

An unnamed Nest spokesperson did tell CNET that the company tries to give its users notice when it provides their data under these circumstances (though it does say that in emergency cases that notice may not come unless Google hears that “the emergency has passed”). Amazon, on the other hand, declined to tell either The Verge or CNET whether it would even let its users know that it let police access their videos.

Legally speaking, a company is allowed to share this kind of data with police if it believes there’s an emergency, but the laws we’ve seen don’t force companies to share. Perhaps that’s why Arlo is pushing back against Amazon and Google’s practices and suggesting that police should get a warrant if the situation really is an emergency.

“If a situation is urgent enough for law enforcement to request a warrantless search of Arlo’s property then this situation also should be urgent enough for law enforcement or a prosecuting attorney to instead request an immediate hearing from a judge for issuance of a warrant to promptly serve on Arlo,” the company told CNET. Amazon told CNET that it does deny some emergency requests “when we believe that law enforcement can swiftly obtain and serve us with such a demand.”

Apple and Anker’s Eufy, meanwhile, claim that even they don’t have access to users’ video, thanks to the fact that their systems use end-to-end encryption by default. Despite all the partnerships Ring has with police, you can turn on end-to-end encryption for some of its products, though there are a lot of caveats. For one, the feature doesn’t work with its battery-operated cameras, which are, you know, pretty much the thing everybody thinks of when they think of Ring. It’s also not on by default, and you have to give up a few features to use it, like using Alexa greetings, or viewing Ring videos on your computer. Google, meanwhile, doesn’t offer end-to-end encryption on its Nest Cams last we checked.

It’s worth stating the obvious: Arlo, Apple, Wyze, and Eufy’s policies around emergency requests from law enforcement don’t necessarily mean these companies are keeping your data safe in other ways. Last year, Anker apologized after hundreds of Eufy customers had their cameras’ feeds exposed to strangers, and it recently came to light that Wyze failed to alert its customers to gaping security flaws in some of its cameras that it had known about for years. And while Apple may not have a way to share your HomeKit Secure Video footage, it does comply with other emergency data requests from law enforcement — as evidenced by reports that it, and other companies like Meta, shared customer information with hackers sending in phony emergency requests.

Source: https://www.theverge.com/2022/7/26/23279562/arlo-apple-wyze-eufy-google-ring-security-camera-foortage-warrant

Patch Now: The WordPress 6.0.3 Security Update Contains Important Fixes

The WordPress 6.0.3 Security Update contains patches for a large number of vulnerabilities, most of which are low in severity or require a highly privileged user account or additional vulnerable code in order to exploit.

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

The Wordfence Firewall, which ProtectYourWP installs on all our clients’ sites, provides protection from the majority of these vulnerabilities, and most sites should have been updated to the patched version automatically. Nonetheless, we strongly recommend updating your site as soon as possible if it has not automatically been updated.

Source and more details: https://www.wordfence.com/blog/2022/10/patch-now-the-wordpress-6-0-3-security-update-contains-important-fixes

See also: https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release

Devious phishing method bypasses MFA using remote access software

A devious, new phishing technique allows adversaries to bypass multi-factor authentication (MFA) by secretly having victims log into their accounts directly on attacker-controlled servers using the VNC screen sharing system.

One of the biggest obstacles to successful phishing attacks is the difficulty the attacker has in bypassing multi-factor authentication (MFA) configured on the targeted victim’s email accounts.

Even if threat actors can convince users to enter their credentials on a phishing site, if MFA protects the account, fully compromising the account still requires the one-time passcode sent to the victim.

To gain access to a target’s MFA-protected accounts, phishing kits have been updated to use reverse proxies or other methods to collect MFA codes from unwitting victims.

However, companies are catching on to this method and have begun introducing security measures that block logins or deactivate accounts when reverse proxies are detected.

VNC to the rescue

While conducting a penetration test for a customer, security researcher mr.d0x attempted to create a phishing attack on the client’s employees to gain corporate account credentials.

As the accounts were all configured with MFA, mr.d0x set up a phishing attack using the Evilginx2 attack framework that acts as a reverse proxy to steal credentials and MFA codes.

When conducting the test, the researcher found that Google prevented logins when detecting reverse proxies or man-in-the-middle (MiTM) attacks.

mr.d0x told BleepingComputer that this was a new security feature added by Google in 2019, specifically to prevent these types of attacks.

The researcher also told BleepingComputer that websites, such as LinkedIn, detect man-in-the-middle (MiTM) attacks and deactivate accounts after successful logins.

To overcome this obstacle, mr.d0x came up with a devious new phishing technique that uses the noVNC remote access software and browsers running in kiosk mode to display email login prompts running on the attacker’s server but shown in the victim’s browser.

VNC is remote access software that allows remote users to connect to and control a logged-in user’s desktop. Most people connect to a VNC server through dedicated VNC clients that open the remote desktop in a similar manner to Windows Remote Desktop.

However, a program called noVNC allows users to connect to a VNC server directly from within a browser by simply clicking a link, which is when the researcher’s new phishing technique comes into play.

“So how do we use noVNC to steal credentials & bypass 2FA? Set up a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com),” explains a new report by mr.d0x on his new phishing technique.

“Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already set up Firefox in kiosk mode all the user will see is a web page, as expected.”

Using this configuration, a threat actor can send out targeted spear-phishing emails that contain links that automatically launch the target’s browser and log into the attacker’s remote VNC server.

These links are highly customizable and allow the attacker to create links that don’t look like suspicious VNC login URLs, such as the ones below:

Example[.]com/index.html?id=VNCPASSWORD
Example[.]com/auth/login?name=password

As the attacker’s VNC server is configured to run a browser in kiosk mode, which runs the browser in full-screen, when the victim clicks on a link they will simply see a login screen for the targeted email service and log in as normal.

However, as the login prompt is actually being displayed by the attacker’s VNC server, all login attempts will happen directly on the remote server. mr.d0x told BleepingComputer that once a user logs into the account, an attacker can use various tools to steal credentials and security tokens. 

Even more dangerous, this technique will bypass MFA as the user will enter the one-time passcode directly on the attacker’s server, authorizing the device for future login attempts.

Source and more details: https://www.bleepingcomputer.com/news/security/devious-phishing-method-bypasses-mfa-using-remote-access-software/

PayPal Phishing Scam Uses Invoices Sent Via PayPal

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.

PayPal said in a written statement that phishing attempts are common and can take many forms.

Source and more details: https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent-via-paypal/

These ransomware hackers gave up when they hit multi-factor authentication

More evidence that multi-factor authentication works. Police explain how they have seen ransomware gangs abandon attacks when they hit MFA security.

A ransomware attack was prevented just because the intended victim was using multi-factor authentication (MFA) and the attackers decided it wasn’t worth the effort to attempt to bypass it.

It’s often said that using MFA, also known as two-factor authentication (2FA), is one of the best things you can do to help protect your accounts and computer networks from cyberattacks because it creates an effective barrier – and now Europol has seen this in action while investigating ransomware gangs.  

“We’ve done investigations where ransomware criminals were monitored. In certain investigations, we saw them trying to access companies – but as soon as they would hit two-factor authentication in this process, they would immediately drop this victim and go to the next,” said Marijn Schuurbiers, head of operations at Europol’s European Cybercrime Centre (EC3), speaking about an undisclosed incident the agency investigated.  

It demonstrates how useful MFA can be in preventing ransomware and other cyberattacks. Even if the attacker has the legitimate password for the account – either because it’s been guessed or it’s been stolen – using MFA usually prevents them from being able to log in.  

An unexpected alert from an MFA authenticator app can also notify the intended victim that something is wrong and should be investigated, which can also help to prevent further attacks and incidents. 

Not only can cyber criminals exploit hacked accounts to gain initial access to the network and install ransomware, the access they gain can also be used as part of double-extortion attacks, where criminals steal information before encrypting it, with threats to publish the data if a ransom isn’t received. 

However, if attackers can’t access that data due to the use of MFA, they can’t attempt to exploit it for extortion. 

“This is really crucial information that companies can use for their counter strategies. Know that if you implement two-factor authentication for your systems in general – or maybe specifically, your crown jewels – you will significantly reduce your chances of falling victim to a ransomware group, which uses double extortion,” said Schuurbiers, who was speaking at the sixth anniversary of No More Ransom.

No More Ransom is an initiative by Europol, additional law enforcement agencies, cybersecurity companies, academia and others that provides victims of ransomware attacks with decryption keys for free. So far, the scheme has helped 1.5 million people get their files back without paying ransomware gangs.

Implementing 2FA is one of several measures Europol recommends to help prevent ransomware attacks. Others include regularly backing up data on devices, so it can be recovered without paying a ransom in the event of an attack encrypting files, as well as ensuring that security software and operating systems are up to date with the latest security patches.

Source: https://www.zdnet.com/article/why-you-really-need-multi-factor-authentication-these-ransomware-hackers-gave-up-when-they-saw-it/

Here’s why you need to update your Google Chrome right now

Google has just released a new version of Chrome, and it’s crucial that you get your browser updated as soon as possible.

The patch was deployed to fix a major zero-day security flaw that could potentially pose a risk to your device. The latest update is now available for Windows, Mac, and Linux — here’s how to make sure your browser is safe.

The vulnerability, now referred to as CVE-2022-3075, was discovered by an anonymous security researcher and reported straight to Google. It was caused by sub-par data validation in Mojo, which is a collection of runtime libraries. Google doesn’t say much beyond that, and that makes sense — the vulnerability is still out in the wild, so it’s better to not make the exact details public just yet.

What we do know is that the vulnerability was assigned a high priority level, which means that it could potentially be dangerous if abused. Suffice it to say that it’s better if you update your browser right now.

Although Google is keeping the information close right now, this is an active vulnerability, and once spotted, it could be taken advantage of on devices that haven’t downloaded the latest patch. The patch, said to fix the problem, is included in version 105.0.5195.102 of Google Chrome. Google predicts that it might take a few days or even weeks until the entire user base receives automatic access to the new fix.

Your browser should download the update automatically the next time you open it. If you want to double-check and make sure you’re up to date, open up your Chrome Menu and then follow this path: Help -> About Google Chrome. Alternatively, you can simply type “Update Chrome” into the address bar and then click the result that pops up below your search, before you even confirm it.

You will be asked to re-launch the browser once the update has been downloaded. If it’s not available to you yet, make sure to check back shortly, as Google will be rolling it out to more and more users.

Google Chrome continues to be a popular target for various cyberattacks and exploits. It’s not even just the browser itself that is often targeted, but its extensions, too. To that end, make sure to only download and use extensions from reputable companies, and don’t be too quick to stack too many of them at once.

Source: https://www.digitaltrends.com/computing/google-chrome-new-update-fixes-zero-day-vulnerability/

Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability

The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin. As the plugin was closed without a patch, all versions of the plugin are impacted by this vulnerability. The vulnerability can be used to upload malicious PHP files to an affected website, leading to code execution and complete site takeover. Once they’ve established a foothold, attackers can also inject malicious JavaScript into files on the site, among other malicious actions.

All ProtectYourWP.com customers have been protected from this attack campaign by the Wordfence Firewall since May 21, 2021, with Wordfence Premium, Care, and Response customers having received the firewall rule 30 days earlier on April 21, 2021. Even though Wordfence provides protection against this vulnerability, we strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and finding an alternative as it is unlikely the plugin will ever receive a patch for this critical vulnerability. We are currently protecting over 1,000 websites that still have the plugin installed, and we estimate that between 4,000 and 8,000 websites in total still have the plugin installed.

Wordfence has blocked an average of 443,868 attack attempts per day against the network of sites that we protect during the course of this campaign. Please be aware that while 1,599,852 unique sites were targeted, a majority of those sites were not running the vulnerable plugin.

Source: https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability

A Sinister Way to Beat Multifactor Authentication Is on the Rise

Lapsus$ and the group behind the SolarWinds hack have utilized prompt bombing to defeat weaker MFA protections in recent months.

MULTIFACTOR AUTHENTICATION (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA is anything other than essential.

That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

Enter MFA Prompt Bombing

The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and simplicity of use. It gives users the option of using fingerprint readers or cameras built into their devices or dedicated security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.

That’s where older, weaker forms of MFA come in. They include one-time passwords sent through SMS or generated by mobile apps like Google Authenticator or push prompts sent to a mobile device. When someone is logging in with a valid password, they also must either enter the one-time password into a field on the sign-in screen or push a button displayed on the screen of their phone.

It’s this last form of authentication that recent reports say is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a band of elite hackers working for Russia’s Foreign Intelligence Service. The group also goes under the names Nobelium, APT29, and the Dukes.

“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”

Lapsus$, a hacking gang that has breached Microsoft, Okta, and Nvidia in recent months, has also used the technique.

“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The Lapsus$ member claimed that the MFA prompt-bombing technique was effective against Microsoft, which earlier this week said the hacking group was able to access the laptop of one of its employees.

“Even Microsoft!” the person wrote. “Able to login to an employee’s Microsoft VPN from Germany and USA at the same time and they didn’t even seem to notice. Also was able to re-enroll MFA twice.”

Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant who goes by the Twitter handle _MG_, told Ars the technique is “fundamentally a single method that takes many forms: tricking the user to acknowledge an MFA request. ‘MFA Bombing’ has quickly become a descriptor, but this misses the more stealthy methods.”

Methods include:

  • Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
  • Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
  • Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

“Those are just a few examples,” Grover said, “but it’s important to know that mass bombing is NOT the only form this takes.”

In a Twitter thread, he wrote, “Red teams have been playing with variants on this for years. It’s helped companies fortunate enough to have a red team. But real world attackers are advancing on this faster than the collective posture of most companies has been improving.”
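A defender-side check for the two prompt-bombing variants described above (the burst, and the one-or-two-prompts-a-day version), plus the approve-then-enroll-a-new-device follow-on the Lapsus$ member described. This is an added example, not code from the article, Mandiant or any MFA vendor; the log format, the thresholds and the sample events are all constructed for illustration.

```python
"""Detect MFA push "prompt bombing" patterns in authentication logs.

Added example (not from the article or any MFA product). The log format,
thresholds and SAMPLE_LOG are constructed. Two tells are used: a burst of
prompts inside a short window, and prompts the user did not initiate
(denied or left to expire) accumulating across several days.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Illustrative thresholds; tune to the real prompt volume of the tenant.
BURST_COUNT = 5                       # prompts per user ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window = burst
SLOW_DAYS = 3                         # distinct days with unapproved prompts ...
SLOW_WINDOW = timedelta(days=14)      # ... inside this window = low-and-slow

# Constructed log: "<ISO-8601 UTC> <user> <event>"; events are push_sent,
# push_approved, push_denied, push_expired and mfa_enrolled.
SAMPLE_LOG = """
2022-03-10T09:14:02Z bob push_sent
2022-03-10T09:16:02Z bob push_expired
2022-03-12T22:40:11Z bob push_sent
2022-03-12T22:40:30Z bob push_denied
2022-03-15T07:05:44Z bob push_sent
2022-03-15T07:07:44Z bob push_expired
2022-03-18T14:00:00Z carol push_sent
2022-03-18T14:00:20Z carol push_approved
2022-03-21T01:00:05Z alice push_sent
2022-03-21T01:00:40Z alice push_denied
2022-03-21T01:01:10Z alice push_sent
2022-03-21T01:01:30Z alice push_denied
2022-03-21T01:02:15Z alice push_sent
2022-03-21T01:04:15Z alice push_expired
2022-03-21T01:03:20Z alice push_sent
2022-03-21T01:03:50Z alice push_denied
2022-03-21T01:04:25Z alice push_sent
2022-03-21T01:05:00Z alice push_denied
2022-03-21T01:05:30Z alice push_sent
2022-03-21T01:06:00Z alice push_approved
2022-03-21T01:11:00Z alice mfa_enrolled
"""


class Event(NamedTuple):
    ts: datetime
    user: str
    kind: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, kind))
    return sorted(events)


def _burst_span(sent: list[datetime]):
    """Return (first, last) prompt times at which a sliding BURST_WINDOW
    held at least BURST_COUNT prompts, or None if no burst occurred."""
    first = last = None
    i = 0
    for j, ts in enumerate(sent):
        while ts - sent[i] > BURST_WINDOW:
            i += 1
        if j - i + 1 >= BURST_COUNT:
            first = ts if first is None else first
            last = ts
    return None if first is None else (first, last)


def detect(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (user, alert, detail) triples for prompt-bombing patterns."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        span = _burst_span([e.ts for e in evs if e.kind == "push_sent"])
        if span:
            first, last = span
            alerts.append((user, "burst", f"{BURST_COUNT}+ prompts in {BURST_WINDOW} from {first:%H:%M}"))
            # The dangerous outcome: the worn-down user finally accepts ...
            ok = [e.ts for e in evs if e.kind == "push_approved" and first <= e.ts <= last + BURST_WINDOW]
            if ok:
                alerts.append((user, "approved_after_burst", f"prompt accepted at {ok[0]:%H:%M}"))
                # ... and the attacker registers their own device.
                if any(e.kind == "mfa_enrolled" and e.ts >= ok[0] for e in evs):
                    alerts.append((user, "enrollment_after_burst", "new MFA device after accepted prompt"))
        # Low-and-slow: unapproved prompts on SLOW_DAYS distinct days inside SLOW_WINDOW.
        rejects = [e.ts for e in evs if e.kind in ("push_denied", "push_expired")]
        for k, ts in enumerate(rejects):
            days = {r.date() for r in rejects[: k + 1] if ts - r <= SLOW_WINDOW}
            if len(days) >= SLOW_DAYS:
                alerts.append((user, "low_and_slow", f"unapproved prompts on {len(days)} days ending {ts:%Y-%m-%d}"))
                break
    return alerts


if __name__ == "__main__":
    for user, alert, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {alert:24} {detail}")
```

Run against the sample, alice trips the burst, approval and enrollment alerts, bob trips only the low-and-slow alert, and carol (one prompt, approved at once) produces nothing.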

Good Boy, FIDO

As noted earlier, FIDO2 forms of MFA aren’t susceptible to the technique, as they’re tied to the physical machine someone is using when logging in to a site. In other words, the authentication must be performed on the device that is logging in. It can’t happen on one device to give access to a different device.

But that doesn’t mean organizations that use FIDO2-compliant MFA can’t be susceptible to prompt bombing. It’s inevitable that a certain percentage of people enrolled in these forms of MFA will lose their key, drop their iPhone in the toilet, or break the fingerprint reader on their laptop.

Organizations must have contingencies in place to deal with these unavoidable events. Many will fall back on more vulnerable forms of MFA in the event that an employee loses the key or device required to send the additional factor. In other cases, the hacker can trick an IT administrator into resetting the MFA and enrolling a new device. In still other cases, FIDO2-compliant MFA is merely one option, but less secure forms are still permitted.

“Reset/backup mechanisms are always very juicy for attackers,” Grover said.

In other cases, companies that use FIDO2-compliant MFA rely on third parties to manage their network or perform other essential functions. If the third-party employees can access the company’s network with weaker forms of MFA, that largely defeats the benefit of the stronger forms.

Source & more details: https://www.wired.com/story/multifactor-authentication-prompt-bombing-on-the-rise