Think Like a Hacker Episode 85

Episode 85: 0Day in File Manager Plugin and WordPress 5.5.1 Fixes Broken Sites

Over 700,000 WordPress users were affected by a zero-day vulnerability in the File Manager plugin, and the WordPress 5.5.1 release fixed millions of sites affected by deprecation of jQuery Migrate. SendGrid is under siege from spammers using hacked accounts, and Apple approves a notorious malware variant to run on Macs.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:00 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin
1:36 WordPress 5.5.1 Fixes Millions of Broken Sites
3:06 SendGrid Under Siege from Hacked Accounts
4:28 Apple approves notorious malware to run on Macs

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 85 Transcript

Scott Miller:

Hello everyone. It’s Scott from Wordfence. This is Think like a Hacker, the weekly podcast about WordPress, security, and innovation. Let’s get caught up with this week’s stories.

First up, our Threat Intelligence team here at Wordfence was alerted of a vulnerability being actively exploited in FileManager, a WordPress plugin with over 700,000 active installations. Now, the vulnerability allowed unauthenticated users to execute commands and gave the ability to attackers to upload malicious files on a target site. Thankfully, Wordfence premium users, as well as those still using the free version, are protected against the attack campaign via the Wordfence firewall’s built-in file upload protection, though the Wordfence firewall will need to be optimized in order to protect your site from this vulnerability. So if you’re not currently using the extended protection for the firewall, go ahead and set that up in the Wordfence firewall section.

If you’re using a utility plugin like FileManager, Wordfence recommends installing the plugin when you need it, but then removing it when you’re done. This is due to the functionality that these kinds of plugins have within them, which can expose your site to more damage if a vulnerability is found within those plugins, as we saw here. So pretty much, if a plugin isn’t needed for the front end functionality of your site, install it when you need to use it, then uninstall it when you’re done.

Join us on Tuesday for Wordfence Live, where we’re going to have more advice on how to choose the right plugins for your site.

In our next story, a WordPress 5.5.1 maintenance release fixed problems introduced by deprecation of jQuery Migrate. In the new 5.5.1 release, there were 34 bug fixes as well as five enhancements. There were also five bug fixes for the block editor as well. Now, these bugs affect WordPress version 5.5, which came out on August 11th, so you’ll want to upgrade to 5.5.1 if you’ve already upgraded to 5.5.

Another thing to take note of is that there were no security fixes included in WordPress version 5.5.1. Some of the bugs that were fixed relate to the deprecation of jQuery Migrate, which we reported on recently. The jQuery Migrate plugin released by the WordPress team had 10,000 plus downloads when we last reported on it, and fixed various conflicts on sites that were using plugins or themes with older code. There initially was some speculation that the impact was limited to thousands of websites, which correlated with the download number we were seeing for that jQuery Migrate plugin. However, looking at the full review of data shows WordPress 5.5 negatively impacted millions of websites, and was a widespread issue.

make.wordpress.org published a spreadsheet, detailing the number of plugins and themes affected by the deprecation, showing millions of sites affected. And you can take a look at that by visiting make.wordpress.org.

In our next story this week, SendGrid is under siege from hacked accounts. The popular email service provider, SendGrid has seen a large number of their customer accounts have their passwords cracked. Those cracked passwords are then sold to spammers and used for sending phishing and malware attacks. So if you’re not familiar with SendGrid, it’s a transactional email service provider. You may be familiar with their parent company, Twilio, which has begun working on a plan to require multifactor authentication for all of their customers, as a response to these recent issues. The worry is that this proposed solution might not be implemented fast enough for businesses and customers having issues due to these problems in the meantime.

An anti-spam company, whose solutions are deployed by several Fortune 100 companies commented that no other email service provider has come close to generating the volume of spam that’s been generated from SendGrid’s accounts since this issue began. Due to the fact that SendGrid obfuscates links in emails, it’s a very attractive target to hackers looking to get users to click on malicious links. The takeaway here is to be very careful in general while clicking links in emails with SendGrid links. Also, be sure to use 2FA on all of your accounts, especially if you’re using SendGrid.

In our last story of the week, Apple approves notorious malware to run on Macs. So Apple has strict rules in place to prevent malware from being present in its app store. Last year, Apple began requiring developers to submit apps for security checks. Apple calls the process notarization, which consists of scanning applications for malware and other security issues. It is only after being approved through this process that the app can then be run. Of course, submitted applications that failed this notarization review are then denied and not able to be used and run.

Recently, security researchers have found that the first Mac malware that made its way through the notarization process from Apple. This came in the form of common malware disguised as an Adobe Flash installer and ended up leading to code used by the popular malware called Shlayer malware being approved by Apple. This Shlayer malware has mentioned to be the most common threat that Macs faced last year, and is a sort of adware that has the ability to intercept encrypted traffic, even if a site is sending the data through HTTPS. It then replaces the websites and search results with its own ads, making ad money along the way. Mac users have not seen anything similar to this since the notarization process was introduced, and it shows that a process like this can be exploited.

It’s recommended to be conscious as to what you’re downloading and installing, and just because it’s on a trusted service with a process like this, things can still slip by. Always research what you’re installing, when at all possible.

That covers it for this week on, Think like a Hacker. Remember if you’re not subscribed to our mailing list, you might be missing some important and breaking security news. Until next week, I hope the news found you well this time and from all of us here at Wordfence, have a great weekend, and we’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

Did you enjoy this post? Share it!

Comments

No Comments