More evidence that multi-factor authentication works. Police explain how they have seen ransomware gangs abandon attacks when they hit MFA security.
A ransomware attack was prevented just because the intended victim was using multi-factor authentication (MFA) and the attackers decided it wasn’t worth the effort to attempt to bypass it.
It’s often said that using MFA, also known as two-factor authentication (2FA), is one of the best things you can do to help protect your accounts and computer networks from cyberattacks because it creates an effective barrier – and now Europol has seen this in action while investigating ransomware gangs.
“We’ve done investigations where ransomware criminals were monitored. In certain investigations, we saw them trying to access companies – but as soon as they would hit two-factor authentication in this process, they would immediately drop this victim and go to the next,” said Marijn Schuurbiers, head of operations at Europol’s European Cybercrime Centre (EC3), speaking about an undisclosed incident the agency investigated.
It demonstrates how useful MFA can be in preventing ransomware and other cyberattacks. Even if the attacker has the legitimate password for the account – either because it’s been guessed or it’s been stolen – using MFA usually prevents them from being able to log in.
An unexpected alert from an MFA authenticator app can also notify the intended victim that something is wrong and should be investigated, which can also help to prevent further attacks and incidents.
Not only can cyber criminals exploit hacked accounts to gain initial access to the network and install ransomware, the access they gain can also be used as part of double-extortion attacks, where criminals steal information before encrypting it, with threats to publish the data if a ransom isn’t received.
However, if attackers can’t access that data due to the use of MFA, they can’t attempt to exploit it for extortion.
“This is really crucial information that companies can use for their counter strategies. Know that if you implement two-factor authentication for your systems in general – or maybe specifically, your crown jewels – you will significantly reduce your chances of falling victim to a ransomware group, which uses double extortion,” said Schuurbiers, who was speaking at the sixth anniversary of No More Ransom.
No More Ransom is an initiative by Europol, additional law enforcement agencies, cybersecurity companies, academia and others that provides victims of ransomware attacks with decryption keys for free. So far, the scheme has helped 1.5 million people get their files back without paying ransomware gangs.
On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin. They released a firewall rule to Wordfence Premium customers to block the exploit on the same day, September 8, 2022. (Consider upgrading to Wordfence Premium: $81/year)
Sites still running the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022. The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.
The WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to set up and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.
The Wordfence team obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time they contacted the plugin vendor with their initial disclosure. Wordfence has reserved vulnerability identifier CVE-2022-3180 for this issue.
As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.
Google has just released a new version of Chrome, and it’s crucial that you get your browser updated as soon as possible.
The patch was deployed to fix a major zero-day security flaw that could potentially pose a risk to your device. The latest update is now available for Windows, Mac, and Linux — here’s how to make sure your browser is safe.
The vulnerability, now referred to as CVE-2022-3075, was discovered by an anonymous security researcher and reported straight to Google. It was caused by sub-par data validation in Mojo, which is a collection of runtime libraries. Google doesn’t say much beyond that, and that makes sense — the vulnerability is still out in the wild, so it’s better to not make the exact details public just yet.
What we do know is that the vulnerability was assigned a high priority level, which means that it could potentially be dangerous if abused. Suffice it to say that it’s better if you update your browser right now.
Although Google is keeping the information close right now, this is an active vulnerability, and once spotted, it could be taken advantage of on devices that haven’t downloaded the latest patch. The patch, said to fix the problem, is included in version 105.0.5195.102 of Google Chrome. Google predicts that it might take a few days or even weeks until the entire user base receives automatic access to the new fix.
Your browser should download the update automatically the next time you open it. If you want to double-check and make sure you’re up to date, open up your Chrome Menu and then follow this path: Help -> About Google Chrome. Alternatively, you can simply type “Update Chrome” into the address bar and then click the result that pops up below your search, before you even confirm it.
You will be asked to re-launch the browser once the update has been downloaded. If it’s not available to you yet, make sure to check back shortly, as Google will be rolling it out to more and more users.
Google Chrome continues to be a popular target for various cyberattacks and exploits. It’s not even just the browser itself that is often targeted, but its extensions, too. To that end, make sure to only download and use extensions from reputable companies, and don’t be too quick to stack too many of them at once.
All ProtectYourWP.com customers have been protected from this attack campaign by the Wordfence Firewall since May 21, 2021, with Wordfence Premium, Care, and Response customers having received the firewall rule 30 days earlier on April 21, 2021. Even though Wordfence provides protection against this vulnerability, we strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and finding an alternative as it is unlikely the plugin will ever receive a patch for this critical vulnerability. We are currently protecting over 1,000 websites that still have the plugin installed, and we estimate that between 4,000 and 8,000 websites in total still have the plugin installed.
Wordfence has blocked an average of 443,868 attack attempts per day against the network of sites that we protect during the course of this campaign. Please be aware that while 1,599,852 unique sites were targeted, a majority of those sites were not running the vulnerable plugin.
Lapsus$ and the group behind the SolarWinds hack have utilized prompt bombing to defeat weaker MFA protections in recent months.
Multifactor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA is anything other than essential.
That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.
Enter MFA Prompt Bombing
The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and simplicity of use. It gives users the option of using fingerprint readers or cameras built into their devices or dedicated security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.
That’s where older, weaker forms of MFA come in. They include one-time passwords sent through SMS or generated by mobile apps like Google Authenticator or push prompts sent to a mobile device. When someone is logging in with a valid password, they also must either enter the one-time password into a field on the sign-in screen or push a button displayed on the screen of their phone.
It’s this last form of authentication that recent reports say is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a band of elite hackers working for Russia’s Foreign Intelligence Service. The group also goes under the names Nobelium, APT29, and the Dukes.
“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”
Lapsus$, a hacking gang that has breached Microsoft, Okta, and Nvidia in recent months, has also used the technique.
“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
The Lapsus$ member claimed that the MFA prompt-bombing technique was effective against Microsoft, which earlier this week said the hacking group was able to access the laptop of one of its employees.
“Even Microsoft!” the person wrote. “Able to login to an employee’s Microsoft VPN from Germany and USA at the same time and they didn’t even seem to notice. Also was able to re-enroll MFA twice.”
Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant who goes by the Twitter handle _MG_, told Ars the technique is “fundamentally a single method that takes many forms: tricking the user to acknowledge an MFA request. ‘MFA Bombing’ has quickly become a descriptor, but this misses the more stealthy methods.”
Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.
“Those are just a few examples,” Grover said, “but it’s important to know that mass bombing is NOT the only form this takes.”
In a Twitter thread, he wrote, “Red teams have been playing with variants on this for years. It’s helped companies fortunate enough to have a red team. But real world attackers are advancing on this faster than the collective posture of most companies has been improving.”
Good Boy, FIDO
As noted earlier, FIDO2 forms of MFA aren’t susceptible to the technique, as they’re tied to the physical machine someone is using when logging in to a site. In other words, the authentication must be performed on the device that is logging in. It can’t happen on one device to give access to a different device.
But that doesn’t mean organizations that use FIDO2-compliant MFA can’t be susceptible to prompt bombing. It’s inevitable that a certain percentage of people enrolled in these forms of MFA will lose their key, drop their iPhone in the toilet, or break the fingerprint reader on their laptop.
Organizations must have contingencies in place to deal with these unavoidable events. Many will fall back on more vulnerable forms of MFA in the event that an employee loses the key or device required to send the additional factor. In other cases, the hacker can trick an IT administrator into resetting the MFA and enrolling a new device. In still other cases, FIDO2-compliant MFA is merely one option, but less secure forms are still permitted.
“Reset/backup mechanisms are always very juicy for attackers,” Grover said.
In other cases, companies that use FIDO2-compliant MFA rely on third parties to manage their network or perform other essential functions. If the third-party employees can access the company’s network with weaker forms of MFA, that largely defeats the benefit of the stronger forms.
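The prompt-bombing variants described above (a burst of pushes, the slow one-or-two-a-day drip, and re-enrolling a device once a prompt is accepted) all leave a recognisable trail in an identity provider's push-authentication log. The following detector is an added example, not code from the article or from Mandiant or Grover; the log format, the user names, and all thresholds are constructed assumptions to be tuned against your own provider's baseline.

```python
"""Flag MFA prompt-bombing patterns in push-authentication logs.

Added example, not from the article. The log format is constructed:
ISO timestamp, user, event, outcome, source IP. Events are
push_sent (outcome '-'), push_result (approved/denied/timeout) and
enroll (a new MFA device was registered for the account).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them to your identity provider's baseline.
BURST_COUNT = 5                          # prompts within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)
REFUSALS_BEFORE_APPROVAL = 2             # refused prompts before an approval
REFUSAL_LOOKBACK = timedelta(hours=72)   # long enough to catch the slow drip
ENROLL_AFTER_APPROVAL = timedelta(hours=1)

# Constructed sample log: alice is bombed at 1 am and then a device is
# enrolled; bob gets one prompt a day and finally accepts; carol is normal.
SAMPLE_LOG = """\
2022-03-22T01:00:05Z alice push_sent - 198.51.100.9
2022-03-22T01:00:40Z alice push_result denied 198.51.100.9
2022-03-22T01:01:02Z alice push_sent - 198.51.100.9
2022-03-22T01:01:33Z alice push_result timeout 198.51.100.9
2022-03-22T01:02:10Z alice push_sent - 198.51.100.9
2022-03-22T01:02:44Z alice push_result denied 198.51.100.9
2022-03-22T01:03:15Z alice push_sent - 198.51.100.9
2022-03-22T01:03:50Z alice push_result timeout 198.51.100.9
2022-03-22T01:04:30Z alice push_sent - 198.51.100.9
2022-03-22T01:04:58Z alice push_result approved 198.51.100.9
2022-03-22T01:20:12Z alice enroll new_device 198.51.100.9
2022-03-20T09:15:00Z bob push_sent - 192.0.2.44
2022-03-20T09:15:30Z bob push_result denied 192.0.2.44
2022-03-21T09:10:00Z bob push_sent - 192.0.2.44
2022-03-21T09:11:00Z bob push_result timeout 192.0.2.44
2022-03-22T09:12:00Z bob push_sent - 192.0.2.44
2022-03-22T09:12:20Z bob push_result approved 192.0.2.44
2022-03-22T10:00:00Z carol push_sent - 10.0.0.5
2022-03-22T10:00:12Z carol push_result approved 10.0.0.5
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome, src = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "event": event,
                        "outcome": outcome, "src": src})
    records.sort(key=lambda r: r["ts"])
    return records


def detect_prompt_bombing(records):
    """Return (user, rule, timestamp) alerts, ordered by time."""
    alerts = []
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        sent = [r["ts"] for r in recs if r["event"] == "push_sent"]
        results = [r for r in recs if r["event"] == "push_result"]
        enrolls = [r for r in recs if r["event"] == "enroll"]
        # Rule 1: BURST_COUNT prompts inside BURST_WINDOW (classic bombing).
        for i in range(len(sent)):
            j = i + BURST_COUNT - 1
            if j < len(sent) and sent[j] - sent[i] <= BURST_WINDOW:
                alerts.append((user, "push_burst", sent[j]))
                break
        # Rule 2: an approval preceded by repeated refusals in the lookback
        # window. The long window also catches the one-prompt-a-day variant.
        suspicious = []
        for r in results:
            if r["outcome"] != "approved":
                continue
            refusals = sum(1 for x in results
                           if x["outcome"] in ("denied", "timeout")
                           and r["ts"] - REFUSAL_LOOKBACK <= x["ts"] < r["ts"])
            if refusals >= REFUSALS_BEFORE_APPROVAL:
                alerts.append((user, "approval_after_refusals", r["ts"]))
                suspicious.append(r["ts"])
        # Rule 3: a new device enrolled shortly after a suspicious approval,
        # the step that turns one accepted prompt into persistent access.
        for e in enrolls:
            if any(timedelta(0) <= e["ts"] - a <= ENROLL_AFTER_APPROVAL
                   for a in suspicious):
                alerts.append((user, "enroll_after_suspicious_approval", e["ts"]))
    return sorted(alerts, key=lambda a: (a[2], a[0]))


if __name__ == "__main__":
    for user, rule, ts in detect_prompt_bombing(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user:6} {rule}")
```

Rule 2 fires for bob even though no burst ever occurs, which is the point of the slow-drip variant Grover describes; a burst-only rule would miss it.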
Proof of Concept
Steps to reproduce:
1) As a Contributor, go to portfolio on the dashboard and add new item.
2) On the editing page that comes up, scroll down to the slider section.
3) Add the payload in the description area: "<img src=1 onerror=alert('xss')>"
4) Save and preview the item and watch the script trigger.
5) Log in as an administrator or editor and also preview the created portfolio item; the script gets triggered.
After reviewing historical data, we determined that attackers started targeting this vulnerability on August 26, 2022, and that we have blocked 4,948,926 attacks targeting this vulnerability since that time.
The vulnerability affects versions 126.96.36.199 to 188.8.131.52, and has been fully patched as of September 2, 2022 in version 8.7.5. Due to the fact that this is an actively exploited vulnerability, we strongly encourage you to ensure your site has been updated to the latest patched version 8.7.5 (or later) which iThemes has made available to all site owners running a vulnerable version regardless of licensing status.
All ProtectYourWP.com customers have been and will continue to be protected against any attackers trying to exploit this vulnerability due to the Wordfence firewall’s built-in directory traversal and file inclusion firewall rules. Of course, we have also updated your plugin.
On August 30, 2022, the WordPress core team released WordPress version 6.0.2, which contains patches for 3 vulnerabilities, including a High Severity SQLi vulnerability in the Links functionality as well as two Medium Severity Cross-Site Scripting vulnerabilities.
These patches have been backported to every version of WordPress since 3.7. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 3.7, so you can update without risking compatibility issues. If your site has not been updated automatically we recommend updating manually.
As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.
They have determined that these vulnerabilities are unlikely to be targeted for exploitation due to the special conditions needed to exploit them. In most circumstances these vulnerabilities require either elevated privileges, such as those of an administrator, or the presence of a separate vulnerable or malicious plugin. Nonetheless, the Wordfence firewall should protect against any exploits that do not require administrative privileges. In nearly all cases administrators already have the maximum level of access, and attackers with that level of access are unlikely to use convoluted and difficult exploits when simpler paths to making configuration changes or obtaining sensitive information are readily available.
QR codes have become embedded in daily life for many adults. Their spread was highlighted on Super Bowl Sunday, when a bouncing QR code on a brightly colored field occupied 30 seconds of very expensive air time. Capturing that particular QR code led viewers to information on cryptocurrency. Codes that have popped up on restaurant tables across the country lead to menus and apps for paying meal charges. Other codes could lead to much less benign destinations.
The same qualities that make QR codes so valuable make them a legitimate threat to enterprise (and personal) cybersecurity. A type of bar code introduced in 1994 by automotive supplier Denso Wave, QR codes were first used to track components and subassemblies through an automobile assembly process. There are now 40 versions of the QR code, each carrying a different amount of information. Depending on the error correction employed, QR code capacity can range from 72 to 16,568 bits — more than enough to carry significant information about a part, or a malicious instruction for your mobile device or enterprise network.
And the opportunities to deliver those malicious instructions exploded shortly after the beginning of the pandemic when countless restaurants, eager to avoid the appearance of delivering viruses along with menus, moved customers to a menu viewed on their mobile phones. How did those menus get to the customers’ mobile phones? Through a scanned QR code. Convenient, hygienic, and ubiquitous, QR codes have revolutionized menu delivery and customer feedback. They have also revolutionized delivery methods for malware and social engineering attacks.
Take a Closer Look
The problem isn’t really with the capability of QR codes — those capabilities make the codes very useful for any number of legitimate business and consumer purposes. The problem is that so many people have stopped thinking about the codes that they scan. How many times have you seen people walk into a restaurant and scan the QR code from a sticker attached to the table, often scanning the code before they’re fully settled in their seats? That kind of reflexive scanning is the human component of the vulnerability that the code introduces to the enterprise.
So, what is an enterprise security staff to do about it? Given the square code’s ubiquity, a blanket prohibition on scanning is unlikely to work. The best approach, as in so many things cyber, is solid education on the threat and best practices for minimizing its impact.
The first thing employees must learn is that scanning a QR code should never be automatic. Want to see a menu on your smartphone? Great — ask the server to bring you a sheet with the QR code printed on it. Want to leave a review? Great — scan the code on the bottom of your receipt. QR codes on random stickers stuck to tables and doors should be treated with suspicion since they’re in far too public a set of locations to trust.
Next up is learning to consider context when scanning a QR code. On an official sign with a logo in your bank’s lobby? Perhaps. On a crooked sticker at the front of a gas pump? Hard no. Treating QR codes as you would any other bit of electronic kit is important because that’s exactly what they are: mechanisms for carrying and delivering code to a device. Just because they’re made of ink and paper rather than silicon and gallium arsenide doesn’t mean they’re any less effective — or dangerous.
Consider Training
The potential danger of QR codes is actually a good excuse to introduce training about dangers beyond the obvious phishing email message and dodgy website. Criminals and threat actors are eager to take advantage of actions taken without thought — times when employees are on “auto pilot” regarding their actions. Train employees to stop and think about codes, images, and stickers before they launch the attached URL and you may well cut down on the number of malware packages that come attached to orders for gooey cookies.
The Russian invasion of Ukraine began on February 20, 2022. By mid-March it was clear the cyber-war had begun, and the attacks have been consistent ever since. Prior to this, on March 1, 2022, Wordfence reported on an attack campaign on Ukrainian university websites. In response, we deployed our real-time threat intelligence to all sites running Wordfence with a .ua top-level domain (TLD). In the following months, we have continued to monitor the situation, and to block attack attempts aimed at Ukrainian websites.
Based on the data we have tracked, it has become clear that most of the attacks being levied against Ukrainian entities since the initial campaign are fairly routine, though regularly increasing in quantity. While there are some more sophisticated attacks, the vast majority of what we are seeing is routine spam content and defacements. These types of attacks are often perpetrated by lesser-skilled actors probing for easily exploitable random web targets with simple scripts. What we are seeing does not indicate the highly skilled and coordinated attacks that would be seen from larger criminal organizations or nation-state attackers.
Today’s post will focus on the quantitative threat landscape targeting Ukrainian websites that we’ve monitored in 2022, while next week we will follow up with an article diving deeper into the attack data and exploits we are seeing targeting Ukrainian domains.
Broader Attacks Increasing in Volume
As we approach the six-month mark since the initial invasion, the cyber-front remains a volatile but constant battleground. Just after the invasion officially began, there was a spike in attacks against Ukrainian websites, then things were quiet for almost a week. At that point, on March 3, 2022, a barrage of attack attempts was brought against Ukrainian websites, with these attacks not only continuing, but generally increasing as the war continued. At first, the attack attempts were close to normal levels, but quickly increased to more than 50,000 attempts per day.
In the six months leading up to February 20, 2022 there was an average of just over 52,480 attack attempts against .ua websites blocked by the Wordfence firewall per day. The average during the conflict has increased almost 50% to nearly 75,000 attack attempts blocked per day, excluding any exploits coming from blocklisted IP addresses.
The largest spike we have seen at this point began on June 24th, and subsided on the 28th. During this spike, we blocked 1,875,045 total attack attempts. In this time, most of the attack attempts were coming from known malicious IP addresses, with a substantial number of the attempts being brute force attacks. Directory traversal, file uploads, and information disclosure rounded out the most common attack types. There are no indicators in our data that these attacks were connected, meaning it is likely that this was not a large attacking organization, but rather a concerted effort from many smaller groups and individuals.
Wordfence deployed its real-time threat intelligence, which includes an IP Blocklist, to all .ua domains on March 1, 2022. The IP blocklist is updated in real-time to block the latest active known threats and is very effective at doing so. It provides a drastic increase in protection on any sites running the Wordfence firewall due to the simple fact that an IP that targets several sites will end up on the blocklist before they can target many more. As such, we excluded this data from our attack data trends to demonstrate the general threat landscape, without the added benefit of Wordfence real-time Threat Intelligence, a feature of Wordfence Premium, Wordfence Care, and Wordfence Response, to be comparative with the attack data we saw before we made that deployment. Astonishingly, once we added the real-time IP blocklist attack data to our analysis, the percentage of attacks the Wordfence firewall blocked on all .ua domains jumped nearly 450% demonstrating the effectiveness of deploying our real-time Threat Intelligence to those domains.
The spike at the beginning of the invasion largely consisted of attacks against Ukrainian educational institutions as part of a defacement campaign. While these institutions have continued to experience attack attempts, they have not been as directly targeted since the initial attack on universities in February. At the same time, the rate of attacks brought against educational institutions has remained higher than pre-invasion levels, with (comparatively small) spikes primarily in March, April, and July. The trend continues upward, with the average number of attack attempts per day nearing the 100,000 mark. Since the invasion began, we have logged 46,698,709 attack attempts against .ua domains. Of those attempts, 2,903,923 were against .edu.ua domains, and 1,903,806 were against .gov.ua domains.
A Shift In The Threat Landscape
When we first wrote about the attack on Ukrainian universities, there was one IP address, 184.108.40.206, that stood out as the primary attacking IP. The IP address was registered through Njalla, a hosting company that is run by the co-founder of Pirate Bay. After the initial attack against the universities subsided, there is no indication that this IP address has been reused in further attacks against Ukraine.
The top attacking IP currently is 220.127.116.11, which is assigned to Chang Way Technologies. The company is based in Hong Kong, but the IP address is assigned to a server located in Russia and registered to the Russian organization Sierra LLC. The IP block this address is a part of was registered to Sierra LLC on October 13, 2021. In contrast to the 104,098 attack attempts in a single day by the Njalla IP address that attacked universities in February, the Sierra LLC IP address is only responsible for 205,223 attack attempts in 30 days, and those attempts were not targeted against a specific type of potential victim.
Despite the fact that this IP address does not appear to be targeting victims in any particular industry, the attacks coming from this address are relatively consistent. The majority of what we are seeing from this IP address is SQL injection attacks, sending a GET request to the site with the payload in a URL encoded string, as seen here.
With this string decoded, it begins to look more like a normal SQL query, though portions are using character encoding which we see here as CHR encoded strings.
When we convert these CHR values back to characters and concatenate the pieces, which is what the || operator does, we end up with this final payload string.
This is essentially using the SQL CASE statement to iterate through options to determine if specific content exists within the database, and uses the CAST statement to convert content to a specific data type. As with many attacks, this does not mean that a SQL injection vulnerability is present, or that the desired content is in the database. This is the malicious actor fishing for information, and hoping they get something in return.
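Turning a URL-encoded, CHR()-concatenated probe like the one described above back into readable SQL is the first step in writing a firewall signature or triaging whether it ever matched a real query. The decoder below is an added example, not Wordfence code; the sample query string is constructed to mimic the CASE/CAST-with-CHR style discussed, and the actual payload seen by Wordfence is not reproduced here.

```python
"""Normalise a URL-encoded SQL injection probe for analyst review.

Added example, not from the Wordfence post. The request fragment is
constructed in the CHR()||CHR() style the post describes; decoding it
makes the CASE/CAST structure visible so a detection rule can key on
the query shape rather than on one particular encoding of it.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample: one query-string parameter carrying a CASE/CAST probe
# in which every string literal has been hidden behind CHR() concatenation.
SAMPLE_QUERY = (
    "id=1%20AND%20(SELECT%20CASE%20WHEN%20(1%3D1)%20THEN%20"
    "CAST(CHR(119)%7C%7CCHR(112)%7C%7CCHR(95)%7C%7CCHR(117)%20AS%20TEXT)%20"
    "ELSE%20CHR(48)%20END)%3D(CHR(119)%7C%7CCHR(112)%7C%7CCHR(95)%7C%7CCHR(117))"
)

CHR_CALL = re.compile(r"CHR\((\d+)\)", re.IGNORECASE)
# A run of CHR(n) calls joined by ||, e.g. CHR(119)||CHR(112); a lone CHR(n)
# also matches because the repeated group may occur zero times.
CHR_CHAIN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.IGNORECASE)


def fold_chr_chains(sql):
    """Replace each CHR(n)||CHR(m)... run with a single quoted SQL literal."""
    def repl(match):
        chars = "".join(chr(int(n)) for n in CHR_CALL.findall(match.group(0)))
        return "'" + chars.replace("'", "''") + "'"   # keep the literal valid SQL
    return CHR_CHAIN.sub(repl, sql)


def decode_probe(raw):
    """URL-decode repeatedly (double encoding is common), then fold CHR runs."""
    decoded = raw
    for _ in range(3):                 # bounded: stop once decoding is stable
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return fold_chr_chains(decoded)


def probe_indicators(sql):
    """Features an analyst or WAF rule would key on in the decoded text."""
    upper = sql.upper()
    return {
        "case_when": "CASE WHEN" in upper,
        "cast": bool(re.search(r"\bCAST\s*\(", upper)),
        "literals": re.findall(r"'([^']*)'", sql),
    }


if __name__ == "__main__":
    decoded = decode_probe(SAMPLE_QUERY)
    print(decoded)
    print(probe_indicators(decoded))
```

The folded literals are what to log and hunt on: the encoding changes from probe to probe, but the recovered strings (table-name prefixes, boolean markers) and the CASE/CAST skeleton stay stable.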
Similar to the lack of focus we are seeing with the types of attacks, there does not appear to be any primary attacker in recent attempts. While the top nine attacking IP addresses are responsible for more than 50,000 attack attempts each, there is a long tail of IP addresses responsible for just under 50,000 attacks each and slowly working down to sub-100 volumes. This is a fairly typical pattern in attack data, rather than having one attacking organization stand out above the others.
In this post, we reviewed the data collected from attack attempts against Ukrainian domains with a .ua TLD since the beginning of the Russian invasion of Ukraine on February 20, 2022. The initial attacks we saw were tightly focused on educational institutions; however, the attacks we have been blocking since the initial campaign have been much more varied. Attack attempts are coming from a variety of malicious actors, in varying locations. The volume of attack attempts has remained high compared to pre-invasion levels, but with our continued protection these attempts are blocked, preventing damage to Ukrainian websites.
If you want to know more about the types of attacks we are blocking on Ukrainian websites, keep an eye on the Wordfence blog. A post next week will discuss these attacks, the vulnerabilities they are attempting to exploit, and how malicious actors can use them to damage an affected website.
Wordfence deployed Real-Time Threat Intelligence, an exclusive feature of Wordfence Premium, Wordfence Care, and Wordfence Response, to all .ua domain names regardless of their product tier. This means that all .ua domains, including those running Wordfence Free, have the latest protection against the newest threats, including vulnerabilities, IP addresses, and malware.