Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites

None of the sites we currently manage use PageLayer, but I’m posting this in the event that someone out there needs to read it. From WordFence:

These are considered high-level security issues that could potentially lead to attackers wiping your site’s content or taking over your site. We highly recommend an immediate update to the latest version available at the time of this publication, which is version 1.1.4.

Full details at WordFence.

Breaches R Them

Tons of breaches recently. Apparently, some people on lockdown have been getting busy, as predicted:

A massive database of 8 billion Thai internet records leaks

25 million user records leak online from popular math app Mathway

Wishbone Breach: 40 Million Records Leaked

Home Chef announces data breach after hacker sells 8M user records

British airline easyJet breached, data of 9 million customers compromised

Information of Over 115 Million Pakistani Mobile Subscribers Exposed in a Massive Data Leak

Ransomware attack impacts Texas Department of Transportation

Texas Courts hit by ransomware, network disabled to limit spread

… just a few of the major data breaches and ransomware attacks which were reported in the last week!

And this shouldn’t really surprise you:  86% of data breaches are conducted for financial gain


One Attacker Outpaces All Others

Starting April 28th, the WordFence team saw a 30 times increase in cross site scripting attack volume, originating from a single attacker, and targeting over a million WordPress sites. WordFence published research detailing the threat actor and attack volume increase on May 5th. By the time they published, the attack volume had dropped back down to baseline levels.

As of May 11, 2020, attacks by this same threat actor have once again ramped up, and are ongoing. This attacker has now attacked over 1.3 million sites in the past month. As of May 12, 2020, attacks by this threat actor have outpaced all other attacks targeting vulnerabilities across the WordPress ecosystem.

What should I do?

As with the previous attacks, the majority of vulnerabilities being targeted are Cross-Site Scripting (XSS) flaws. The Wordfence Firewall’s built-in XSS protection provides protection from these attacks. But you should still insure that all plugins, themes, and WordPress core are up to date.

Full story at

28,000 GoDaddy Hosting Accounts Compromised

Public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website hosting providers, disclosed that the SSH credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an unauthorized attacker.

SSH, while extremely secure if configured correctly, can allow logins with either a username/password combination, or a username and a public/private key pair. In the case of this breach, it appears likely that an attacker placed their public key on the affected accounts so that they could maintain access even if the account password was changed.

It is unclear which of GoDaddy’s hosting packages were affected by this breach. According to GoDaddy’s public statement:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

The breach itself appears to have occurred on October 19, 2019.

See for suggested actions

Note that breaches like this can create a prime target for attackers who use phishing campaigns as a means to infect users. If you are a GoDaddy user, be extra wary of any emails you may receive.

Nearly a Million WP Sites Targeted in Large-Scale Attacks

The WordFence Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting(XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data.

The majority of these attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject – a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header.

After further investigation, we found that this threat actor was also attacking other vulnerabilities, primarily older vulnerabilities allowing them to change a site’s home URL to the same domain used in the XSS payload in order to redirect visitors to malvertising sites.

Full details at

How to send sensitive data

How should you send sensitive data like passwords?

  • Putting them in an email and praying that nobody finds it is very much not the best way to do it.
  • Encrypting your email with PGP is secure (and recommended), but most people don’t have the technical knowhow to set that up and use it properly.
  • Texting is a little better than email, but still could be hacked.
  • Encrypted texting with an app like Signal is better, IF both you and the recipient use Signal.
  • Sharing them through your password manager (LastPass, KeePass, etc) is good, IF both you and the recipient use the same password manager.
  • A phone call can be inconvenient.

We’ve recently started using one of several services (that we are currently aware of) which generate a random web address which you send to the recipient. The notes are encrypted using a key that is never stored on the server. Only the valid URL can display the notes – it is the key.  The resulting web page can only be opened and viewed a specific number of times or for a specific duration, then the data is wiped forever from the server.  (Or at least that’s what the operators of the services tell us. We have no way of verifying that they actually do …or don’t.) – one time read; you can set it to notify you by email when it has been read. – can notify you when opened, allows you to set a password for reading the page, allows either automatic expiration (1 hr to 30 days) OR deletion on first reading. – allows you to set a password for reading the page, allows you to set an automatic expiration (5 min to 7 days), and allows you to delete the data before it has been read.– allows you to set a password for reading the page, allows you to set an automatic expiration (1 hr to 14 days) OR deletion after it has been read a specific number of times (not both, but if you set 3 times and it’s only read twice it will still be auto-destroyed after 14 days), and allows you to delete the data before it has been read.

Disclaimer: has no connection to any of the above, and takes no responsibility should your data be lost or leaked.

iOS Mail Zero-day

UPDATE: A patch has been issued in iOS 13.4.5 beta, with an expected final release soon.  No word on patches for earlier iOS versions.


A zero-day exploit has been discovered in the iOS Mail app.  The security hole has existed as far back as iOS 6 (September 2012), and extends to the current iOS (13.x).

As of today (4/22/2020) this has NOT been patched.  It is recommended that you DISABLE iOS mail at this time.

We advise that you update as soon as an iOS patch is available.

Full details at


Definition: Fleeceware

Fleeceware:  Apps which are marketed as “free”, but which then trick the user into subscribing for paid services (which are available free elsewhere), often for excessive fees.

Common examples are horoscope apps, QR code or barcode scanners, and face filter apps targeted at younger users. Publishers of fleeceware target users who may be less cognizant or sensitive to initial fees and reoccurring charges.

Often users are hooked in by free trials, which turn out to be difficult to extricate yourself from after the “free” period has lapsed.

These are currently most common on phone apps (both iPhone and Android), but the same techniques can be found with some desktop applications as well.

Emerging Threat Mounts Mass iPhone Surveillance Campaign

From Threatpost

A recently discovered, mass-targeted watering hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware.

The malware specifically targets vulnerabilities in versions 12.1 and 12.2 of Apple’s iOS.

The campaign uses links posted on multiple forums that purport to lead to various news stories that would be of interest to Hong Kong residents, according to a pair of research notes from Kaspersky and Trend Micro. The links lead to both newly created websites set up specifically for this campaign by the operators, as well as legitimate sites that have been compromised. In both cases, a hidden iframe is used to load and execute malicious code.

Continue reading…

Definition: Watering-hole campaigns

Watering-hole campaigns make use of malicious websites that lure visitors in with targeted content – cyberattackers often post links to that content on discussion boards and on social media to cast a wide net. When visitors click through to a malicious website, background code will then infect them with malware.