Think Like a Hacker Ep 114

Episode 114: Trifecta of Compromises Affect Enterprise Systems

Attacks on unpatched SolarWinds systems continue. We’re now learning of a supply chain attack that started in late January 2021 affecting 29,000 customers of Codecov, as well as a zero-day under active attack affecting customers of PulseSecure VPN. Customers of these three services are well known enterprise and government organizations. In the WordPress space, there are two add-on plugins experiencing active attacks: Kaswara Modern WPBakery Page Builder Addons and The Plus Addons for Elementor. Vulnerabilities discovered by our threat intel team in Redirection for Contact Form 7 were patched. We also take a look at updates coming in WordPress 5.8 to prepare the way for WordPress full-site editing.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 WordPress 5.8 to include more tools preparing for full-site editing
3:18 Federal investigators looking into breach at software code testing company Codecov
7:33 Pulse Secure Critical Zero-Day Security Bug Under Active Exploit
10:13 Ransomware gang tries to extort Apple hours ahead of Spring Loaded event
12:08 Kaswara Modern WPBakery Page Builder Addons: 0Day Vulnerability under active attack
14:39 Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin
18:10 Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for Elementor Pro
21:25 Defiant is hiring

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 114 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. What’s our first story, Kathy?

Kathy:
Our first story is looking forward to WordPress 5.8. It looks like we have some interesting things coming that are going to set the stage for full-site editing, which I’m excited about. How about you?

Ram:
I am extremely excited about full site editing, not least because WordPress’s built-in editor seems to be significantly faster than a lot of alternatives.

Kathy:
It sure is. And you can test all of those using Fast or Slow, but we’ve seen definite improvements with the new WordPress editor compared to, say, page builders, which we’ll talk about a little later.

Ram:
We should not mention any by name.

Kathy:
No, of course not. But obviously, if you have a system and you build something into the functionality of that system, rather than layering it on top, it’s definitely going to operate much more efficiently, much faster. So very excited to see full-site editing coming for WordPress. Josepha Haden announced on April 14th that WordPress 5.8 would start setting the stage for full site editing. Now we’re not going to see site editing and global styles landing in this next release, but we’re starting to see that some new things, basically some stepping stones on the path to full site editing are coming.

Kathy:
The biggest things that we’re going to see are improvements in Gutenberg. We’re going to see a new theme-related blocks like query, site logo, navigation, and it looks like template editing is going to probably start showing up. Obviously, this is still in development, but these are things that we are watching for editing to start showing up in WordPress. This will allow page editing that will allow users to switch out of content editing mode and into more structural editing. From there, they’ll be able to work on overall templates and we’ll start to see themes developing more block-based functionality. And I think this is going to make WordPress an easier system to use for things.

Kathy:
Obviously, WordPress started out as a blogging platform, so you’d set up the framework of your entire site, and then you’d just focus on content. But people are using WordPress for so many different things now, for commerce sites, for learning management sites, membership sites, sales pages, landing pages, all sorts of things that WordPress can do. And it looks like the editor is going to make that much easier in upcoming versions. What do you think, Ram?

Ram:
I am honestly looking forward to it. I know that Gutenberg has been in an awkward state, like when you first start to grow your hair out, like many of us have been during the pandemic and it’s not yet long, luxurious locks, and it just looks like a weird half mullet. But I fully look forward to the luxuriant full-site editing.

Kathy:
Exactly, yeah. It’s pretty exciting. We saw some definite steps in direction with 5.7 with some of the new functionality in the block editor. So I’m looking forward to seeing even more of that coming, and 5.8 looks like just another step towards full-site editing. And they did say that 2021 was going to be the year of full-site editing, at least preparing for that. So we will keep an eye on that. Now the other day we did a Wordfence live, and we talked about a particular breach with Codecov. What do we know about this, Ram?

Ram:
So Codecov is a company that helps develop or figure out how much of their code has tests written for it and how much of it needs to be tested. The problem is that some attackers figured out how to get into one of their tools and basically steal secret credentials from everyone who was using it, and since people were using it to deploy stuff to their websites and their databases, we’re not talking about WordPress sites, we’re talking about large-scale enterprise websites. There’s a lot of damages attackers can do, especially since they used that credential to perform the hack in the first place. Basically, they stole some secret credentials from Codecov’s build process and then used that to make some tweaks to one of their tools. And then that tweak to the tools is now stealing other people’s secret credentials.

Kathy:
Wow. Yeah, so this is what we call a supply chain attack and it affected … Well, it’s going to affect Codecov’s customers. There are 29,000 customers, and their customer list includes such notable luminaries such as GoDaddy, Atlassian, Procter & Gamble, The Washington Post. What other ones? All names that-

Ram:
Dollar Shave Club.

Kathy:
Dollar Shave Club.

Ram:
Which I think, at least, probably exonerates Proctor & Gamble because they make Gillette, at first, you know?

Kathy:
Yeah. But I think an attack like this, a supply chain attack like this is going to have a trickle-down effect, obviously, because we learned that the breach happened in January, but it wasn’t figured out. It looked like one of their customers had figured out that something didn’t look right and reported it to them, and we only learned about this last week. So the door has been opened, the animals have been in the field, so to speak, for the past couple of months. So I think there’s going to be trickle-down effects to this. We talked about it a little bit on Wordfence Live, you and Mark and Scott did. So what can anybody do about this, though?

Ram:
You can’t really do anything other than what you’ve already hopefully been doing, but if you haven’t already been doing those things, then you should start, especially if you’re an enterprise or a software developer. Conduct risk assessments, be paranoid, figure out your attack surface. You mentioned an assumption of a breach mentality. Just assume that you are or are going to be breached and figure out what you would do in that case. And a lot of the time that’s change credentials, a lot of the time that’s review who has access to what, review what software is vulnerable and could be used to pivot because here’s the thing, attackers, it’s not like a one-and-done deal. The attackers, once they get a way in, they do still need to perform other stuff, maybe if you’re an enterprise, set up some sort of software to monitor for data exfiltration.

Kathy:
Very good ideas. Yeah. No. So you mentioned something, assumption of breach. I read about this recently and it’s an interesting mindset change. So a lot of times we talk about what you need to do in case you’re breached, in case there’s an intrusion, in case your WordPress site is hacked. But this whole assumption of breached mentality changes the mindset. It’s basically saying, “You should assume that you’re going to be breached. Assume that it’s going to happen,” and just changing that mindset makes you look at security differently.

Kathy:
It means that you have to have an incident response plan because you’re assuming it’s going to happen. You’re planning for that to happen. So therefore, you’re going to practice your incident response. You’re going to go over every possible way that you can monitor that intrusion because you’re assuming it’s going to happen. So it’s just pivoting a little bit with that mindset, changes the way you look at your digital life, whether it’s your WordPress site, whether it’s your enterprise installations, whether it’s your bank account. Just assume you’re going to be breached. What are you going to do when that happens, not if?

Ram:
What are you going to do?

Kathy:
Yeah. I’ve got to think about that.

Ram:
Yeah, and speaking of assuming breach, did you hear about PulseSecure VPN?

Kathy:
I did. This is scary. Tell the story. I’ll start the campfire.

Ram:
Okay. So how secure is a VPN appliance company that’s used by government agencies, financial services company, defense contractors, and apparently there is a new remote code execution vulnerability in these appliances that’s being used in the wild by nation-state actors to gain administrator-level access to the appliance and possibly do other stuff on their networks. So there’s two really bad pieces of news, and one of them is that according to PulseSecure, the zero-day is not going to be patched until early May.

Kathy:
I thought SolarWinds was bad. This is just as bad.

Ram:
I don’t know. I think Codecov is just as bad. I feel like this is a trio of just as bad. So-

Kathy:
It does seem that way. It sounds like security podcasts are really becoming the scary campfire stories of all the terrible things that could possibly happen in your digital life coming true.

Ram:
They’re cautionary tales.

Kathy:
Really. Definitely. So it looks like they’re assuming that this activity or suspecting, alleging that this activity could be state sponsored and possibly backed by China?

Ram:
Yeah. There’s two APTs that they’re identifying, which have the identifiers of UNC 2630 and UNC 2717. And the 2631, I guess, according to Mandiant, has been targeting defense sector companies in the US as early as last August. So here’s another problem. Most of the attacks aren’t actually using the shiny new zero day. Most of these attacks were actually involving three vulnerabilities that were patched in 2019 and 2020. So a lot of these could have been addressed just by people updating their … patching their VPN appliances and updating the firmware and stuff. Most of the attacks aren’t actually using the zero-day.

Kathy:
Wow. So they’re using old stuff because people aren’t patching.

Ram:
Yeah. In a bizarre twist of fate, the new president and CEO of SolarWinds is the ex-president and CEO of PulseSecure.

Kathy:
Why does this not surprise me?

Ram:
You know what? Nothing surprises me anymore.

Kathy:
Nothing surprises me either. Although, this next story-

Ram:
We can always figure out where the next breach is going to happen by figuring out where he gets hired to.

Kathy:
Yeah, exactly. We’ll just follow him around. This next story I did not expect to see. It looks like a ransomware attack is affecting an Apple subcontractor, and they are now being targeted with a 50 million dollar ransomware attack. What’s happening here?

Ram:
Okay, so the attack was against Quanta, which is a Taiwanese subcontractor who makes MacBooks for Apple. Anyways, so here’s the thing. Up until now, I think 30 million dollars has been the largest ransomware ask. So I’m pretty sure this is the largest ransomware ask in history.

Kathy:
Wow, that’s news. What are they doing with … So it looks like they got in and they stole a trove of engineering and manufacturing schematics, and I know Apple really likes to keep that private. Yes, it’s their intellectual property, so to speak.

Ram:
Yeah. This is actually part of an ongoing trend where a lot of bigger companies are using best practices now. They’re actually doing regular backups. So attackers threatening to delete stuff isn’t having as much of an impact because you can just restore from a clean backup. So nowadays a lot of ransomware attackers are leaking or at least threatening to leak stolen information rather than threatening to delete it. And it looks like this was done by REvil, which is a Russian hacking group.

Kathy:
Okay. Interesting. And it looks like they started posting these stolen images publicly on April 20th, timed specifically to coincide with Apple’s spring event. What timing.

Ram:
Yeah. The one when the released all the shiny new iMacs.

Kathy:
Lovely. I’m sure they enjoyed seeing their schematics posted publicly and seeing this lovely ransomware request. And it says that they are continuing to post these up until May 1st, promising that they’ll just keep doing it until they get paid. Kind of crazy.

Ram:
Wow. Yeah, it is. Let’s get back to WordPress, though.

Kathy:
Let’s get back to WordPress. We were going to talk about page builders.

Ram:
We were.

Kathy:
Now this is just an add-on plugin for the WPBakery Page Builder, but it looks like it has a zero-day vulnerability that’s under active attack, and it looks like the developer isn’t responsive. So it’s just going to stay vulnerable. What did we see here?

Ram:
So we found out about this fairly early in the morning yesterday from when we’re recording Wednesday, and a security researcher who goes by Robin Goodfellow, which is definitely their real name, recorded this to-

Kathy:
WPScan, right?

Ram:
Yeah. They reported it to WPScan. So it turns out that there’s multiple versions of this because Kaswara add-on, and since it had already been taken down by CodeCanyon, Chloe had to track down multiple versions of the plugins, figure out what was vulnerable, and write firewall rules for it. And she did this all in an hour and a half, okay? And we just figured out that literally every endpoint in both versions of this plugin were vulnerable, and no fix was forthcoming and could be used to do stuff like upload files, delete files, add malicious JavaScript, all by someone who wasn’t logged in.

Kathy:
Wow. That’s scary. So you guys got busy analyzing these vulnerabilities, taking a look at what we knew about it, and then started writing firewall rules in order to protect Wordfence Premium customers. But you also felt like it was important to get the word out to the community that if the 10,000 people who are using this particular plugin, that there’s really no recourse, there’s no fix for this. You need to, what, delete the plugin, stop using it?

Ram:
Yeah. That’s honestly what we would recommend doing. Again, Wordfence premium users are protected by firewall rules already, but even if you are a Wordfence Premium user, we do recommend getting rid of this plugin. But we definitely wanted to send out a PSA just because 10,000 installations is not a huge installation base, but every single one was vulnerable.

Kathy:
Yeah.

Ram:
So-

Kathy:
And it was under-

Ram:
And that’s why we decided to-

Kathy:
… under active attack. We were actually seeing that people were targeting this, and go over to the Wordfence blog, take a look at that post. As you are listening to this, there may be further information that we haven’t figured out yet that these attackers are doing. We are watching this situation very carefully because it is an active attack. So keep informed over there. What’s up next?

Ram:
Well, another one of Chloe’s finds.

Kathy:
Oh, really? She is so busy.

Ram:
She is. This was in the Redirection for Contact Form 7 plugin. Just to be clear, this is not Contact Form 7 the plugin, this is for yet another add-on for our popular plugin. That seems to be a theme lately, is add-ons for popular plugins maybe don’t have the same code review standards as the popular plugins themselves do.

Kathy:
Sure. Well, you have WordPress, which can’t do everything, but you can plug anything into it. And then you have plugins that you can expand upon by plugging more into WordPress. So this actually has a pretty high install base with 200,000 installations, which-

Ram:
I heard you like plugins, so I made some plugins for your plugins so you could plug in while you plug in.

Kathy:
Okay, so Chloe found this and there were actually several vulnerabilities in this particular plugin. Each of them were, what, not individually dangerous, but you could chain them together to basically take over a site?

Ram:
Yeah, yeah. That was the really interesting thing. One was it could generate any nonce, which in itself doesn’t seem all that bad until you realize that there’s a lot of plugins out there that only use nonces for access control, which in a normal situation might be fine if the nonce only appears on a page that can be accessed by administrators, but this is basically a way to say, “You know what? Actually, I don’t need to be an administrator to get that page. I can just ask for the nonce from this plugin.” Then the pivotal one was that an authenticated attacker could install any plugin from the WordPress repo.

Kathy:
But it would be the current version of a plugin. They couldn’t go back and say, “Install this old version of a plugin that was vulnerable three or four years ago.”

Ram:
Correct, but there’s still a lot of plugins in the repo where they’re not really considered vulnerable. They’re just not using best practices. Like I said, if they’re only using a nonce for access control, that’s not a best practice, but it’s not vulnerable on its own if the nonce only shows up on an admin option page. So it’s not necessarily something that developers will fix. And that’s the thing, the other thing she found was an object injection vulnerability, which can be used to execute code on a site, but it needs a specific type of vulnerable code to actually be exploited.

Kathy:
A magic method?

Ram:
Yes, a magic method. So you could install a plugin with one of these magic methods. And again, having these magic methods that can do these things, that’s not considered a vulnerability on its own because you need an object injection to actually exploit it. But it’s maybe not a best practice.

Kathy:
Got you. Okay. See, this is why security is so interesting to me because the vulnerabilities here on their own seem a little bit “meh,” but the creative way that Chloe can envision how these can all work together, she actually can think like a hacker because we’ve seen hackers do creative things like this, where they might not have a specific vulnerability to take over an entire site, but they’ll do something really creative that you would have not ever foreseen in order to take over a lot of sites.

Ram:
Yeah. I can think of two plugins off the top of my head that I could install to take over a site using these.

Kathy:
Interesting. Okay. And you’re not going to say what those are.

Ram:
I’m not going to mention which ones, but yeah.

Kathy:
Yeah. Interesting. Okay. Well, hackers are definitely busy creatures on the web these days. What did you see earlier this week with these widespread attacks that are targeting vulnerabilities in The Plus Add-ons for Elementor?

Ram:
Again, an add-on plugin for a popular plugin, not Elementor itself, but the Plus Add-ons for Elementor, which has had a bad few months. They’ve worked with us very well. They’re taking security seriously. It’s just security is hard and you have to keep pushing at it. Anyways, this was a set of zero-day vulnerabilities that were already being actively attacked once we found out about them. And we estimate that the plugin has about 30,000 installations. It’s a premium plugin, so we don’t have as much visibility into it. At this point we suspect only maybe 10,000 are vulnerable. Anyways, this is one of the largest sustained attacks we’ve ever seen. Literally, more than a week of a million and a half sites being attacked or 1.2 million sites being attacked per day.

Kathy:
Interesting. So these attackers are basically just spraying the entire WordPress ecosphere out there, looking for these 10,000 possible vulnerable sites. So they’re attacking sites that don’t even have … They might not even be using Elementor. They might not be using this particular plugin at all, but your site is still feeling the weight of these attacks because they are just spraying out attacks by using bots, trying to find the needle in a haystack of vulnerable sites out there.

Ram:
Yeah, They’re not going to check to see if you have the vulnerable plugin installed. They’re just going to find a giant list of sites and try a couple variations of each attack on every single site that they can find out about. Sometimes they’re not even checking if it’s a WordPress site or the kind of CMS that they’re actually targeting. We see attacks against Joomla vulnerabilities all the time, not at the same kind of scale because someone on the attacker side at least does have, sometimes, some degree of, “Let’s not waste resources,” but botnets are really cheap these days.

Kathy:
They are. Interesting. Are we seeing just one threat actor doing this, or do we see numerous ones?

Ram:
I suspect it’s the single threat actor just because the kind of payloads we’re seeing installed on infected sites are really similar to the large-scale attacker we saw attacking a bunch of sites last year with similar spray-and-pray methods.

Kathy:
Spray and pray? Nice. Interesting. Okay. Cool. Are these still happening or are we seeing them die down?

Ram:
They’re finally starting to die down. I want to say it took more than a week for them to start to die down. There are still some. They’re just not at the same scale that they were even yesterday.

Kathy:
Okay. That’s good news. Okay.

Ram:
It is.

Kathy:
But I’m sure they’re probably moving on to something else. It’s just what they do.

Ram:
The next time a zero-day or the next time you get a critical vulnerability that doesn’t require authentication pop-up, I would probably see something like this again.

Kathy:
Sounds fun. Well, it’ll keep you busy and keep you on your toes. I think we should hire some more people to help us out. Don’t you think?

Ram:
I really think we’d should. We are hiring for a SecOps role. If you like AWS and you like security, you should come work for us. And if you are a really cool PHP developer and you don’t absolutely hate WordPress, even though you will probably not be developing for WordPress at this point, though I can’t really say that or not. Or if you like doing QA and don’t hate PHP mostly, or if you really like researching website performance, or if you have designed instructional content for technical materials in the past, any of those things, if you’re good at those, you should come work for us.

Kathy:
Yeah. We have a number of roles open. You can find more at defiant.com/employment. All of those are listed along with our awesome benefits. We would love to talk to you. If you have any questions about those roles, you can obviously write to us. We would love to hear from you, feedback@wordfence.com. If you have any feedback about the podcast, about Wordfence Live, about anything that we’re doing, if you have a question about WordPress security, we would just love to hear from you. We hope you’re using Wordfence.

Kathy:
We love you if you’re using Wordfence Premium because Wordfence Premium customers are the ones that make this podcast, Wordfence live, all of the threat research that Ram and Chloe are doing, all of the educational materials that we’re putting out there in order to help WordPress community stay safer, Wordfence premium customers make that possible. So we just wanted to say thank you for making all of that possible so that we can stay, well, one, two, three, four steps ahead of the hackers. But it is an endless job, is it not?

Ram:
It is an endless job, and I’m fine with just staying at the same pace of.

Kathy:
Yeah.

Ram:
I think we’re pretty good at that, honestly.

Kathy:
I think we’re doing a darn good job. We definitely try, and we’re doing it for you in the WordPress community. So thank you. Thank you for listening, and we will talk to you again next week.

Ram:
Goodbye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

Did you enjoy this post? Share it!

Comments

No Comments