Episode 109: This Attack Will Make You Want to Stop Using SMS 2FA
An attack shows how an SMS enablement service was used to bypass SMS 2FA for $16. We discuss the recently patched vulnerabilities in Elementor affecting over 7 million WordPress sites and how easily these cross-site scripting vulnerabilities can be exploited. We also talk about the SQL injection vulnerabilities in Tutor LMS. The data center fire at OVH in France that took 3.5 million sites offline also took down some advanced persistent threat (APT) actors. And there's yet another Chrome use-after-free zero-day vulnerability being actively exploited.
Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:16 A hacker got my texts for $16
3:07 Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites
6:31 Several Vulnerabilities Patched in Tutor LMS Plugin
10:19 OVH Data Center Fire Takes Down Government Hacking Infrastructure; Why disaster recovery plans are vital
13:43 Google Warns Mac, Windows Users of Chrome Zero-Day Flaw
15:31 Defiant is hiring
Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.
Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.
Episode 109 Transcript
Ram:
Hi, and welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. So I guess we’re jumping into our first story right away. Right, Kathy?
Kathy:
Let’s jump into it. Let’s get busy. There’s lots going on. Did you hear that a hacker got somebody’s SMS texts for $16? What’s going on with this story, Ram?
Ram:
Okay. So it’s been kind of known for a while that using SMS or text messages as a second factor for authentication is not super safe.
Kathy:
No.
Ram:
I mean, we've heard about SIM swap attacks where someone would call up your phone provider and social engineer them to get them to change your phone number over to them. This is different. This is actually significantly scarier. It looks like there's a growing number of SMS enablement providers, which are basically providers that hook into the telecom system and help you get mass marketing texts or group texts out. And it turns out they have, to some extent, some unregulated access. So they can basically redirect text messages from one phone number to another phone number. So this is actually from a VICE article, but the author paid a hacker to redirect his text messages, including multi-factor authentication texts, to their own text number, and it only cost $16.
Ram:
This was by a provider called Sakari, but Sakari has taken steps to prevent this from going on going forward, but there's any number of SMS enablement providers. And the sneaky thing is that, if someone actually redirects your SMS messages to their number, you'll still get calls. It's not the sudden, "Oh, no. I don't have service anymore," of what happens when you are victimized by a SIM swap attack. It's just, "Hey, I haven't gotten a text in a while." And I think that's significantly trickier.
Kathy:
Yeah, because it's not like you're getting texts all the time. So this is just another story in a series of stories of how SMS-based second factor authentication is just not the way to go. And we should be using authenticator apps like Authy, Google Authenticator, even LastPass.
Ram:
Or hardware keys. Yeah. Something other than SMS. Up until now, I would have said that SMS is still better than no second factor, but this is kind of making me doubt that. I guess the providers basically make you sign a letter of authorization saying that you have the authority to switch the telephone numbers, but it's kind of like, "Oh yeah, I pinky swear that I'm allowed to do this." They just kind of take you at your word, apparently.
Kathy:
Interesting. Okay. So we’ll have a link to this in the show notes, but the takeaway is, if you are using SMS for a second factor of authentication on anything-
Ram:
And you have any other option for it, please switch to that other option. Like don’t turn it off, just switch to something else, if you can.
Kathy:
It’s time. The time has come. If you are really concerned about security of your accounts, it is time to move to TOTP authentication or something other than SMS.
But let's talk about this Elementor series of vulnerabilities that you found in the Elementor plugin. Elementor is, I think, the most popular page builder plugin for WordPress that exists right now. It's installed on what, seven million sites?
Ram:
That's what they say on their blog. And I guess they also have figures saying that they account for seven percent of all WordPress installations. They're big. So this was a contributor-level vulnerability. So in order to exploit it, you had to be able to log in as someone who could access the Elementor editor. That's the good news. The bad news is that with seven million sites out there, there's bound to be quite a lot of them that have contributors that are either untrusted or that have accounts that have been compromised, just because having a larger attack surface makes it a lot easier to do something like this.
Ram:
Anyway, it was kind of cool because Elementor has a bunch of different elements, where you can even insert a heading or insert a column or insert a divider or an image box. Anyway, for a lot of these, they have this little drop-down that lets you choose what size heading you wanted or if you wanted to use a span or a div tag, but it turns out that you could manipulate the request. And instead of sending an H1 tag or a div tag, you could change that into a script tag and get some executable JavaScript. And once you have executable JavaScript … Here's the thing about contributor posts: contributors can't publish their own posts. So they write up a post, they'll save it. And then an admin or an editor is going to have to go in and look over the post and actually publish it.
Ram:
So at some point, someone with higher privileges is guaranteed to be exposed to this malicious JavaScript. And you can use that malicious JavaScript in an administrator session to do stuff like add another administrator or add a backdoor to a theme file, any number of things like that.
Kathy:
So worst case scenario, you could have somebody who has a contributor account, they haven’t contributed in a while. They are reusing their passwords, for some reason. And that ends up in someone’s hands who’s malicious. They log in, they add a post. They might not even contact you as the administrator to let you know the post is there. You log in, you look around, you see that they’ve added a post and you go to look at it and boom, you’re infected?
Ram:
Exactly. Cross-site scripting, I feel like people don’t take it seriously enough, but it is incredibly easy to abuse.
Kathy:
Yeah. This was a great post. You really wrote it up in a way that made it very apparent as a WordPress user, for me to understand exactly how this could be compromised. But this is patched now, in the latest version?
Ram:
It is. It has been patched in 3.1.2, but then it looks like they made some additional changes just in case in 3.1.4.
Kathy:
Nice. So good to know that Elementor is on this and that they are making sure that their users, all seven million of them are safe. That’s great.
Ram:
Exactly. And I also want to say that they have a security contact, which is a thing that I really wish every plugin developer had, because it means I can just send the full disclosure to them directly instead of having to find out, if I’m talking to the right person.
Kathy:
Yes, we love our plugin friends who have security contacts easily findable on their website. So even if it's just a security@ email address on your domain name, it's always good to make that easy for security researchers to find, so that they can notify you if there is a concern.
Now, it looks like we found another vulnerability or several vulnerabilities in the Tutor LMS plugin, what do you know about this one?
Ram:
So this was one of Chloe’s finds, and I think is really cool. So Tutor LMS is basically a plugin that lets you create like online courses on your website, in case you want to like teach people how to do stuff using your website and maybe charge for it, if you need to. It looks like there were a number of SQL injection vulnerabilities. SQL injection vulnerabilities are tricky because you can use them to extract sensitive info from the database, like hashed passwords and user email addresses and street addresses, if you’re storing that kind of thing.
Ram:
There was a union-based SQL injection attack, which is basically where you kind of get yourself into the middle of an existing database question and say, “Hey, while you’re looking this up, can you look some other stuff up for me too, while you’re at it?” Then there was a blind SQL injection, actually … Yeah, there was a blind SQL injection vulnerability where … So blind SQL injections are basically where you sort of ask the database a question and most of the time it will return an error. But if you guess right, it’ll give you like an okay or vice versa. So it’d be like, “Hey, does this username start with the letter A, give me an error if it doesn’t.” And that’s basically how blind SQL injection works.
Ram:
And there was also a time-based SQL injection vulnerability, which is kind of like blind SQL injection. But it's like, "Okay, if the username starts with the letter A, wait for 10 seconds before telling me; if it doesn't, then just tell me right away."
Kathy:
And it looks like Chloe worked with the team over at Tutor LMS for a couple of months to really go over all of these vulnerabilities and ensure that this plugin secured all of their SQL statements.
Ram:
Endpoints too. Yeah, it looks like they had a bunch of vulnerable AJAX endpoints too. A lot of them, you couldn't necessarily do anything super critical on the site, but still little things like changing course content or cheating on tests, that kind of stuff.
Kathy:
So this would be like a dream come true for like a high school student to be able to go in and maybe change all their grades.
Ram:
If their school was using the plugin then yeah, definitely.
Kathy:
Yeah. Wow. So it looks like Wordfence users, premium users, received firewall rules as these vulnerabilities were found, and all vulnerabilities … Free users get all of the vulnerabilities firewalled…
Ram:
Thirty days after we released the rules to premium users and-
Kathy:
Thirty days after.
Ram:
Yeah. Realistically, the vast majority of exploits were protected already by our built-in rules, but we did find a weird workaround at some point, a bypass, on February 25th. So we put out an extra rule just in case, and that becomes available to free users on March 27th.
Kathy:
Wow. So the big takeaway from this post that I got. First of all, you learn more about SQL injection vulnerabilities than you will anywhere else. And actual practical application of like how these vulnerabilities work, but also the disclosure timeline, just reading over how much work went into working with this plugin developer, too. It’s just amazing. Our team really does not only find these vulnerabilities, but tests them when they’re patched and ensures that everything is working as it should. And really ensures that the end users of these types of plugins are as safe as possible. And so those were my takeaways.
Ram:
We don’t even always write an article about every vulnerability we find and disclose. We’ll still let people know if we find a vulnerability, but it’s not like breaking news. It’s just like, “Hey, we found a little thing. You might want to fix this.” We are working to improve the security of WordPress, one plugin at a time, sometimes a bunch of plugins at a time.
Kathy:
And thank you to our Premium customers who make all of that work possible because you’re making WordPress safer by supporting our threat intel team.
We talked last week about this OVH data center fire. And then after, we were kind of talking as it was like just coming out what had happened. And it looks like it took down 3.5 million sites and some C2s in the process. What do we know about that?
Ram:
So C2s are command and control servers used by advanced persistent threats, organized crime syndicates, basically malicious actors. They use them to maintain control of websites or computers that they've hacked in the past and tell them to do whatever it is they want them to do, which in a lot of cases is hacking other sites or DDoSing targets or grabbing information from places that they've hacked into. It's a place they use to exfiltrate data to. SolarWinds had C2 infrastructure, and that's where they put all the information they stole.
Ram:
In this case, it looks like 140 of those servers were used by government hackers and sophisticated criminal groups, and 36% of them are still down, including APTs such as Charming Kitten and APT39, which are from Iran, Bahamut, which is hack-for-hire out of India, and OceanLotus, which is a group of Vietnamese hackers. So yeah, not everyone has all of their C2s in the same place, but I'm not super surprised by this. I mean, OVH is the third largest host in the world. You would expect there to be some malicious actors using their hosting. But we see a lot of OVH IPs attacking sites that we're protecting as well. So I'm not super surprised to find out that they're the third largest hosting company in the world. Not like anyone is perfect.
Kathy:
Right. Now, some of this research comes from Kaspersky Lab, and they noted that a lot of these C2 servers are starting to act up again elsewhere, which I thought was kind of funny. I mean, obviously if you're an APT and you're running a command and control server, the probability of being shut down versus Sally's cat blog being shut down is much higher.
Ram:
They have really good business continuity plans. Their disaster recovery plans are probably great.
Kathy:
Yes. It looks like they are. And it also looks like … I mean, there were some people who were using OVH that lost everything because they didn’t have offsite backups.
Ram:
You mean like Rust?
Kathy:
Like Rust. Yes.
Ram:
Facepunch is the developer that makes Rust.
Kathy:
Right and-
Ram:
And I think they lost all their data.
Kathy:
Yes. That was a worst case scenario. And these APTs apparently have better disaster plans than Rust. Sorry, Rust.
Ram:
And a lot of them are government sponsored. So that’s-
Kathy:
Sure. Yep.
Ram:
Say what you will, but disaster recovery is one of those things that they drill into you in all the training materials.
Kathy:
Right. And I found this VentureBeat article that was pretty interesting about how this OVH data center fire really is showing why recovery plans and backups, offsite, off-server, off-system backups, and the other…
Ram:
Out of country, possibly on the moon. I don’t know.
Kathy:
On the moon. Backups on the moon, backups Mars, who knows? Just get your backups off of the server on which your site is running, so that you can have business continuity, if you would like to continue to be in business. Very important. So there’s lots of lessons there.
And it looks like Google is warning of another Chrome… It’s like 2021 is the year of Chrome zero-day flaws.
Ram:
The year of "use-after-free Chrome zero-day flaws!" This is the third in three months.
Kathy:
That’s kind of crazy. It’s like every time I open up the Security News, I am seeing that there’s another Google Chrome flaw that needs to be patched. What do we know about this one?
Ram:
It's a use-after-free vulnerability, which we've covered in the past. It's under active attack, which is basically what's implied by zero-day, and it could allow remote code execution and denial of service attacks on affected systems.
Kathy:
Another bad one.
Ram:
This is not to say that Chrome is inherently insecure compared to other browsers. It just has an enormous market share. Just like everyone is always attacking WordPress because everyone uses WordPress. Everyone uses Chrome, so that’s where people are looking and they’re finding …
Kathy:
Yeah. The bigger you are, the more of a target you are. So the more secure you have to be. I mean, obviously there are benefits of using … There are reasons that Chrome is the number one browser and why WordPress is the number one content management system, because they work in certain ways that are beneficial to the users who use them. But with that-
Ram:
And people fix stuff fast.
Kathy:
And people fix stuff fast. That’s why we’re here, is to fix stuff fast in the WordPress world. Right?
Ram:
Exactly.
Kathy:
Same thing with Google fixing Chrome. Just another reminder that if you see the little update in the upper right hand corner on Google Chrome, do the update. If you don’t see the update, go look in your settings and there-
Ram:
Check for the update, anyways. Just in case.
Kathy:
I did it today. When I read this, I’m like, “Huh, I wonder if that-
Ram:
Yeah, me too. I’m like, “Did I actually check for today’s or was that a few days ago? I don’t know.”
Kathy:
Yeah. Yeah. So I’m patched. I’m good.
So let’s talk a little bit about what’s going on here at Wordfence. We are hiring, we’ve been hiring, we’ve got a number of roles open. We still have the similar roles that we’ve had open in the past. Security operations, PHP developers, a performance researcher, somebody who is really into website performance. And we have a new one. Ram, you want to talk about that? A little?
Ram:
Yes. We are hiring a producer role for someone who likes to produce cool media content for our various media outlet channels, of which we have so many.
Kathy:
We have so many, and more in the works.
Ram:
We do actually, if we count the podcast channels.
Kathy:
We do. We have numerous places and we would love some help. So if you like security, if you like WordPress, if you like media and you like publishing things and you want to work with a fast paced fun team, basically, if you want to work with Ram and me, because we’re-
Ram:
We are fast paced and fun. I actually do think we’re fun.
Kathy:
We are fun. I always say, “I’m here for the lulz.”
Ram:
We’re fast paced, but not frenetic.
Kathy:
Not frenetic.
Ram:
How’s that?
Kathy:
No, no. We all work from home. We have a good time. Our benefits are exceptional. We just got a new benefit that was added, beverage.
Ram:
Are you talking about the coffee benefit because I am totally getting a Moccamaster, as soon as they have like the one in copper.
Kathy:
Nice. Yeah. We'll have to share some notes on … Because I'm going to have to get a new coffee machine too, because it helps create good content. So anyway, if you're interested in any of those roles, we'll have links in the show notes. Go take a look, send us your resume. We'd love to talk to you. We also want to mention, too, that we still have this ongoing program for kindergarten through 12th grade kids, whatever you want to call it in your country, public schools funded by the government, schools who have been under duress over the past year with lockdowns and remote learning and all of that. If they need any support, whether it's an audit to ensure that their sites are secure, or if, God forbid, their sites were hacked, we are offering free cleanings and free security audits to help these schools get back in business. So we will have links to that in our show notes, too. If you know of a school that could use our help, we're counting on you to get this to them. And with that, I think we're done.
Ram:
I think we are. And thank you so much, Kathy. It’s always fun.
Kathy:
It’s always fun. Thanks, Ram. And I will talk to you soon.
Ram:
Bye.
Kathy:
Bye.
You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.