New WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued

Attackers pounce before site owners can activate the installation wizard.

Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites in the typically brief window of time before the content management system (CMS) has been configured and therefore secured.

CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate websites’ identity.

First implemented by the DigiCert CA in 2013, the standard mandates that CAs immediately record all newly issued certificates on public logs in the interests of transparency and the prompt discovery of rogue or misused certificates.

However, evidence is growing that malicious hackers are monitoring these logs in order to detect new WordPress domains and configure the CMS themselves after web admins upload the WordPress files, but before they manage to secure the website with a password.

Multiple testimonies have emerged detailing sites being hacked within minutes – within seconds, even – of TLS certificates being requested.

Domain owners report the appearance of a malicious file (/wp-includes/.query.php) and sites being press-ganged into joining DDoS attacks.

More details at: https://portswigger.net/daily-swig/wordpress-sites-getting-hacked-within-seconds-of-tls-certificates-being-issued

You Need to Update iOS, Android, and Chrome Right Now

April has been a big month for security updates, including emergency patches for Apple’s iOS and Google Chrome to fix vulnerabilities already being used by attackers.

Microsoft has released important fixes as part of its mid-April Patch Tuesday, while Android users across multiple devices need to make sure they are applying the latest update when it becomes available.

Apple iOS and iPadOS 15.4.1, macOS 12.3.1

Just two weeks after the launch of iOS 15.4, Apple issued iOS and iPadOS 15.4.1 to fix a vulnerability in AppleAVD that’s already being used to attack iPhones. By exploiting the vulnerability, labeled CVE-2022-22675, adversaries could execute arbitrary code with kernel privileges via an app, according to Apple’s support page. This could give an attacker full control over your device, so it’s important to apply the fix.

As an added bonus, iOS and iPadOS 15.4.1 fixes a battery drain issue affecting some iPhones on iOS 15.4. The updates are available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation.

Meanwhile, macOS Monterey 12.3.1 fixes the same issue in macOS, as well as another vulnerability in the Intel graphics driver, CVE-2022-22674, which could allow an app to read kernel memory. It’s another important fix—Apple says the issue may have been exploited by attackers.

Apple also released tvOS 15.4.1 and watchOS 8.5.1 including bug fixes.

Apple updates have been coming thick and fast over the past year, with the iPhone maker fixing a number of significant vulnerabilities, including the zero-click issue exploited by the Pegasus spyware, the highly targeted malware developed by Israeli firm NSO Group. This was the subject of a recent report by security researchers at Citizen Lab, who have detailed how Pegasus and other similar zero-click attacks targeted members of the European Parliament, legislators, political activists, and civil society organizations.

A zero-click attack is particularly scary because, as the name implies, it requires no interaction to work. That means an image sent via iMessage could infect your iPhone with spyware.

Citizen Lab detailed a previously undisclosed iOS zero-click vulnerability called HOMAGE used by NSO Group. Some iOS versions prior to iOS 13.2 could be at risk, making it all the more important your iPhone is up to date.

Android’s April 2022 Patches

Android users also need to be on alert, as Google has patched 44 flaws in its mobile operating system this month. According to Google’s Android Security Bulletin, the most severe issue in the framework component could allow local privilege escalation without any interaction from the user.

The update is split into two parts: the 2022-04-01 security patch level for most Android devices, and the 2022-04-05 security patch level applying to specific phones and tablets. The later of the two fixes 30 issues in system and kernel components, among other areas. There are also patches for five security issues specific to Google’s Pixel smartphones, one of which could allow an app to escalate privileges and execute code on certain versions of Linux.

To find the update, you’ll need to check your device settings. Devices that have received the Android April update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and the Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.

Google Chrome Emergency Updates

As the world’s biggest browser with over 3 billion users, it’s no surprise attackers are targeting Google Chrome. Browser-based attacks are particularly worrying because they can potentially be chained together with other vulnerabilities and used to take over your device.

It has been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, pushed out in mid-April, fixes two issues including a high-severity zero-day vulnerability, CVE-2022-1364, which is already being used by attackers.

The technical details aren’t currently available, but the timing of the fix—just a day after it was reported—indicates it’s pretty serious. If you use Chrome, your browser should now be on version 100.0.4896.127 to include the fix. You’ll need to restart Chrome after the update has installed to ensure it activates.

The Chrome issue also impacts other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you use one of those, make sure you apply the patch.

But that’s not all. On April 27, Google announced another Chrome update, fixing 30 security vulnerabilities. None of these have been exploited yet, the company says, but seven are rated as being a high risk. The update takes the browser to version 101.0.4951.41.

Microsoft’s Busy April Patch Tuesday

Microsoft had a major Patch Tuesday in April, issuing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.

Reported by the NSA and researchers at CrowdStrike, the issue in the Windows Common Log File system driver doesn’t require human interaction to be exploited and can be used to obtain administrative privileges on a logged-in system. Other notable fixes include CVE-2022-26904—a publicly known issue—and CVE-2022-26815, a severe DNS Server flaw.

Mozilla Thunderbird 91.8.0 Fix

On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. The details are scant, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be exploited to run arbitrary code.

Firefox ESR 91.8 and Firefox 99 also fix multiple security issues.

Source: https://www.wired.com/story/ios-android-chrome-updates-april-2022/

PHP Object Injection Vulnerability in Booking Calendar Plugin

On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.

They received a response the same day and sent over their full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.

As usual, all our ProtectYourWP clients who use this plugin were updated to the patched version within 24 hours of its release.

Source: https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin

Critical Remote Code Execution Vulnerability in Elementor

Wordfence discovered a critical vulnerability in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code. Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.

A patched version of the plugin, 3.6.3, was released on April 12, 2022.

This is a critical vulnerability that allows any authenticated user to upload and execute malicious code on a site running a vulnerable version of the Elementor plugin. The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.

Source: https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability

WordPress Plugin ‘Social Warfare’ < 3.5.3 XSS

Malicious eval() code is being inserted into the wp_options table, in the option with option_name social_warfare_settings, in the Twitter field.

When the plugin is active, it causes the site to issue a JavaScript redirect to porn sites.

Deactivating the plugin disables the redirect, but the malicious eval() is still in the database.

The plugin has been pulled from the WordPress repository.

https://wordpress.org/support/topic/malware-into-new-update/

So far we have seen this exploited on live sites running 3.5.1 and 3.5.2.

Source: https://www.tenable.com/plugins/nessus/159570

See also: https://wpscan.com/vulnerability/9238

Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin

On March 10, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability they discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.

A patch was released the next day on March 11, 2022. While the plugin was partially patched immediately, it wasn’t optimally patched until April 7, 2022.

SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented making it possible for unauthenticated attackers to gain access to privileged accounts.

Source & more details: https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulnerability-patched-in-siteground-security-plugin

Questionable URL? Here’s a tool to help.

We recently heard of VirusTotal.com’s free web-based URL checker.

Have you received email which looks suspicious or has a link which you’re uncertain about? (This is how phishing often takes advantage of you!)

Right click on the link and copy the link address, then go to https://www.virustotal.com/gui/home/url and paste it in. It’ll return a rating as to whether it’s likely to be malicious or not.

It’s not perfect – I entered a link to an exploit reporting website and six out of 93 reports said it was malicious (it isn’t). But it will definitely give you a better idea as to the trustworthiness of any random URL you receive.

By the way, it works on most shortened URLs too: bit.ly, goo.gl, etc.

Dangerous new one-click Gmail hack puts your private data at risk

If you need any more reasons to be particularly careful when opening an email attachment, here’s one for you. A new Gmail hack campaign is currently making the rounds, and a single click could be enough to infect your computer and put your data at risk.

Last week, Trustwave senior security researcher Diana Lopera published a blog post about a frightening new email hack campaign. According to Lopera, scammers are sneakily attaching malicious files to emails using file formats that would not normally raise suspicion. They are using this technique to spread the data-stealing Vidar malware.

The emails are short and direct the reader’s attention to the attachment. The attachment in question is often named “request.doc,” but it is really an ISO file. As Lopera explains, ISO is a disk image file format cybercriminals occasionally use to store malware. It might look like a text document, but the ISO actually contains two files. One is a Microsoft Compiled HTML Help (CHM) file named “pss10r.chm” and the other is an executable named “app.exe.”

As you hopefully know by now, never ever open an email attachment from a source you don’t recognize. In fact, even if you do recognize the sender, double-check everything first. There are plenty of scams that involve using similar addresses to convince victims of their legitimacy.

More details: https://bgr.com/tech/dangerous-new-one-click-gmail-hack-puts-your-private-data-at-risk

Compromised WordPress sites launch DDoS on Ukrainian websites

Threat actors compromised WordPress sites to deploy a script that launches DDoS attacks on Ukrainian websites whenever the compromised sites are visited.

MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site; while users were visiting that website, the script launched a DDoS attack against ten Ukrainian sites.

The JavaScript was designed to perform thousands of HTTP GET requests to the targeted sites.

The only visible sign of the ongoing attack is a slowdown in browser performance.

According to BleepingComputer, which first reported the discovery, DDoS attacks targeted pro-Ukrainian sites and Ukrainian government agencies, including think tanks, recruitment sites for the International Legion of Defense of Ukraine, and financial sites.

The script randomizes each request so that the responses cannot be served from a caching service and every request reaches the origin server.

In an interesting twist, BleepingComputer discovered that the same script is being used by a pro-Ukrainian site to launch attacks against Russian websites.

“When visiting the site, users’ browsers are used to conduct DDoS attacks on 67 Russian websites.” states BleepingComputer.

Source: https://securityaffairs.co/wordpress/129597/hacking/wordpress-compromsied-sites-ddos-ukraine.html
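From the targeted site's side, the cache-busting described above has a recognisable shape in the access log: a browser that requests the same page many times with a fresh query string on almost every hit. The Python below is an added illustration of that detection (not code from BleepingComputer, MalwareHunterTeam or the newsletter) over Apache/nginx combined-format log lines; the log lines, IP addresses, referer URLs and the `_=` parameter name are all constructed, and a real script would use random values where the sample uses a counter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache/nginx "combined" log format (assumption about how the targeted site logs requests).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_line(line):
    """Return the fields the detector needs, or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["query"] = urlsplit(rec["target"]).query      # the cache-busting randomness lives here
    return rec

def flag_cache_busting_clients(lines, window=timedelta(seconds=60), min_requests=20, min_unique_ratio=0.9):
    """Map each client IP whose GETs inside some window are numerous and almost all carry a distinct
    query string to (request count, distinct query count, referers seen)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["time"] - recs[start]["time"] > window:   # slide the window forward
                start += 1
            chunk = recs[start:end + 1]
            uniq = len({r["query"] for r in chunk})             # ordinary visitors repeat a few paths
            if len(chunk) >= min_requests and uniq >= min_unique_ratio * len(chunk):
                flagged[ip] = (len(chunk), uniq, sorted({r["referer"] for r in chunk}))
                break
    return flagged

def sample_log():
    """Constructed log: a script-driven browser (distinct query per hit) interleaved with an ordinary visitor; all values made up."""
    fmt = '{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
    lines = []
    for i in range(25):
        ts = (datetime(2022, 4, 1, 12, 0) + timedelta(seconds=i // 3)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, target=f"/?_={100000 + i}", ref="https://compromised.example/"))
        lines.append(fmt.format(ip="198.51.100.9", ts=ts, target=("/", "/about", "/css/site.css")[i % 3], ref="https://victim.example/"))
    return lines
```

The referers collected for a flagged client point back at the compromised sites hosting the script, which is the lead a site owner needs to report them.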