Think Like a Hacker Episode 118

Episode 118: Four Android Vulnerabilities Under Active Attack

Four memory corruption vulnerabilities are being actively exploited on Android devices, and nearly two dozen popular Android apps exposed over 100 million users’ sensitive information in cloud databases. Over 600,000 sites using WP Statistics required a patch to fix a blind SQL injection vulnerability. WP User Avatar undergoes a dramatic rebranding to ProfilePress, adding completely divergent functionality and causing a user revolt in reviews. More details emerge about the ransomware attack on Colonial Pipeline, as DarkSide shuts down after losing access to its infrastructure. A popular Russian-language hacking forum bans ransomware discussions, and an Apple executive claims there are unacceptable levels of Mac malware during the Epic Games lawsuit.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:14 Four vulnerabilities under attack give hackers full control of Android devices
2:57 Nearly 2 dozen popular Android apps exposed sensitive user info in their cloud databases
5:24 Over 600,000 Sites Impacted by WP Statistics Patch
8:00 ProfilePress Rebrands and Repurposes WP User Avatar
11:02 Colonial Pipeline did pay ransom to hackers, sources now say
13:14 DarkSide shuts down operations
15:18 XSS Hacker Forum bans Ransomware discussions
17:35 Apple Exec Calls Level of Mac Malware ‘Unacceptable’
22:16 Wordfence site cleaning service

And Defiant is hiring for a number of positions. We offer exceptional benefits, and we’ll always be remote.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 118 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. So it kind of looks like it’s a bad week for Android, doesn’t it, Kathy?

Kathy:
Well, it’s got to be a bad week for someone. It’s one of those years, but yes, it definitely looks like it’s a bad week for Android. Looks like there are four vulnerabilities under attack that will give hackers full control of Android devices. What do we know about this one, Ram?

Ram:
They’re all memory corruption vulnerabilities that can apparently be chained together, at least in pairs of two. Two are in the Qualcomm devices, and two are in the Mali GPUs that usually come with Android handsets. So these are being actively exploited. They are memory corruption vulnerabilities that can give attackers root access to the device. The good news is that when I looked at the CVSS vectors of these, they all appear to require local access. Now, usually that means you’d have to download an untrustworthy app. You’d probably require a separate vulnerability to exploit those from a browser or something. Good thing there’s not a whole bunch of Chrome zero days, am I right? But anyways, unfortunately a lot of people do install untrusted apps on Android devices all the time.

Ram:
Android does have some protections that usually limit the damage that untrusted apps can do without user interaction or social engineering. So if an app asks you if it can make calls or send text messages on your behalf and it’s a calculator, it does not need to do those things. But what’s worrying is that an app that’s able to use this to obtain root access could do anything without asking you and hide its tracks. There’s still not a lot of details on who’s exploiting these or the exact details of how they work, but it does seem it’s likely to be nation state actors just because they’re not easy vulnerabilities. Nation state actors are the primary buyers for mobile vulnerabilities anyways.

Kathy:
Yeah, interesting. So really the average Android user is probably not at super high risk, but just general security hygiene of not downloading untrustworthy apps, any app that… There’s a lot of game apps and things like that, that you really don’t need. Just be really careful, especially right now, downloading those apps, and just some good general security hygiene. When there is an update available for your Android device, make sure that it is applied. It looks like the Google Pixel devices have received patches for this, but some other implementations of Android have not yet received that.

Ram:
Generally there is a bit of a delay anywhere from one to three months or three months to forever, depending on your device manufacturer.

Kathy:
Forever seems like a very bad thing.

Ram:
Long time, yes. That’s a long time to go unpatched.

Kathy:
Yes, it is. And it looks like there’s a couple dozen, about 24, popular Android apps that were exposing sensitive user information in cloud databases. What do we know about this?

Ram:
Researchers at Check Point found that cloud databases storing user information for, I think it was 23 popular Android apps, were left unprotected. Sure sounds like a case of the old unsecured S3 buckets, which was a big source of data breaches a few years ago. Anyways, anyone could access personal information, some of it sensitive, belonging to over a hundred million users. And this is stuff like names, email addresses, birth dates, chat messages, location, gender, passwords, photos, payment details, phone numbers, and push notifications. And they also found developer keys and secrets embedded in some of the tested apps. They found the credentials for the push notification services, so someone with access to that could send messages through the app on the app’s behalf to anyone with the app installed. That could be potentially bad or used for social engineering. So yeah. This is one of those cases where even if you trust the actual app to not be purposefully doing anything malicious, it can still act in an insecure manner and expose your data.

Kathy:
Yeah, definitely. So again, we’ve talked about some of these data breaches in the past and this change in mindset of what you should do if you have your data breached, if you have an intrusion on your business network, to have continuity of business plans in place. It applies to you personally as well, to assume that there’s going to be a breach of your data, assume that a password for some random app might end up exposed because a developer isn’t performing basic security hygiene with their app. You cannot reuse passwords. Use a password manager and be very, very judicious in terms of what data you provide to apps and what apps that you are actually using.

Ram:
And what permissions you allow those apps, too. Even if they are legit, they still might not necessarily need that ability to send text messages, or push notification access.

Kathy:
Yeah. If only everybody had extreme QA support, like we have here at Wordfence.

Ram:
Extreme QA.

Kathy:
That’s what you guys… You guys are amazing. The amount of rigor you put our software through and that you put other software through in the WordPress space, like WP Statistics, looks like you found a vulnerability there.

Ram:
Oh yeah. Well this was from March, it’s in the WP Statistics plugin, which basically lets you see how many people are accessing your site, where they land. It’s all site based, so you don’t have to call out to any external services like Google. It’s fairly popular. It’s got 600,000 installations. But this was a blind SQL injection. It ran a query on this page that you were supposed to have to have administrative access to, and you couldn’t actually see what was on the page unless you’re an administrator, but it started running the query if you just asked nicely. And it turns out that you could add some parameters and inject some… basically get the database to tell you information depending on how long it delayed in its response. It’d be a slow way to extract information, but it’s surprisingly reliable and you can still use it to grab things like keys and salts, user password hashes, all that kind of stuff.

Kathy:
And this is affecting over half a million sites that are using this particular plugin and you highlighted how important it is to prepare your SQL statements. Talk a little bit about that.

Ram:
This is the second instance we’ve seen recently where a SQL query was vulnerable, even though it attempted to sanitize or escape the input. And the thing is, sanitizing or escaping input to your SQL query can make it secure, but it’s not a reliable method of doing so. It’s really important to use prepared statements, which basically slot each parameter into its specific place and don’t let that parameter escape that area. I can understand why, if you’re just using raw PDO, preparing your statements can be a little bit of a pain, but WordPress has wpdb::prepare, which is a function that makes it super easy to prepare your statements. Just use it if you’re writing a plugin. I’m not going to say that it’s 100% hack proof. I’m sure you could intentionally make a vulnerable query if you really tried. It’s a lot safer. It’s a lot more likely to be secure.

Kathy:
Sure, okay, great. Yeah, so we’ll have a link to Ram’s research on our show notes, if you want to take a look.

Ram:
And speaking of best practices that some people aren’t following.

Kathy:
Yeah, not everybody can have best practices out there and we’re all in some state of learning and trying to improve the way we do things, but it looks like there was a plugin called WP User Avatar, which was installed on over 400,000 WordPress sites. It was a simple, single purpose, custom avatar solution. The plugin changed hands at some point in 2020, and recently it was relaunched with a new name called ProfilePress and tons of new user functionality. It is now a full-fledged user registration, profile, login, and member management plugin. And it has a commercial component, so you can upgrade to the ProfilePress Premium plugin. The backlash from the WordPress community has been rather epic, many one-star reviews in the repository, because people who were using WP User Avatar and had that installed on their site, nearly half a million people who had that installed on their site, all of a sudden upgraded, and it was a completely different plugin. It wasn’t what they originally signed up for.

Ram:
It’s a bait and switch right there.

Kathy:
It is kind of a bait and switch. Yeah, you think you have one thing on your site and then all of a sudden you update, which is a good practice, more best practices for WordPress, and all of a sudden you have something completely different. This is obviously an attempt to gain market share by getting those 400,000 users and to create a paid plugin with an upgrade path from freemium. But these people are not your market for this. They installed the plugin for one reason, they trusted the plugin and its developer for one reason, because it did something very specific and now it is something completely different. It’s like walking into your garage and all of a sudden you have a bicycle instead of a car. It’s just something-

Ram:
It’s more eco-friendly. Actually, it’s more walking into your garage and finding a bus instead of a car. Well sure, this is bigger and it can do more, but it doesn’t fit and I don’t know how to drive a bus and I don’t have my commercial driving license.

Kathy:
Exactly. Adding features can be a bug. It can be a significant bug to your market, to your users. Software is about trust. Software is… Especially in the open source WordPress world, you have your website, it’s your website because it’s all licensed under open source GPL and you install plugins and you trust the makers of those plugins to do a specific thing. So obviously this is not because of all of the functionality that was added that users are backlashing against ProfilePress. It is because their trust in what that plugin was supposed to do was violated. I find it an interesting cautionary tale.

Ram:
Yeah, definitely. And speaking of cautionary tales,

Kathy:
You’re so good with these segues.

Ram:
You hear about the Colonial Pipeline hackers? So there’s actually two-

Kathy:
Just a little bit!

Ram:
There’s actually two and the that… Apart from everyone pouring gasoline into trash bags, which I guess the point is that if something is scarce, you should try and make it more scarce for whatever reason. I don’t know.

Kathy:
Many cautionary tales from this.

Ram:
And there was that person whose car blew up because they had their gasoline in trash bags, too. Did you hear about that? Anyways.

Kathy:
I didn’t hear about that. I’m glad I didn’t hear about that. That would just make me sad for humanity.

Ram:
Anyways, this had a lot of knock on effects, but there’s a couple really interesting things going on here. One of them is that the ransomware didn’t actually hit the main system. Colonial did not have to shut down that pipeline. What happened is that the ransomware hit their billing systems. So either they couldn’t figure out how much to charge their customers or they couldn’t trust the data they were getting on how much to charge the customer, so they just shut the whole thing down. So Colonial Pipeline took the pipeline down themselves.

Kathy:
So the hackers didn’t take down the… They didn’t ransomware the pipeline. They ransomwared the billing system, but because the billing system has to be tied to quantity of goods served, I guess, or pipeline oil that’s flowing…

Ram:
I can to some extent see the whole like, “I do not want to give away free gasoline,” aspect, but at the same time, if something is basically a national security issue, one would think that there would be provisions in the plan for that kind of thing happening.

Kathy:
Yeah, definitely. A lot of very bad things could have been prevented had someone had an actual incident response plan, tabletop exercises done, and actually planned out what could have possibly happened. And they could have possibly foreseen the dramatic impacts of shutting down the entire system and how that would have affected all 17 of these states. But it looks like the ransomware actors DarkSide, they had some ramifications to this as well too. What do we know about this?

Ram:
Well they received $5 million in Bitcoin, but then all of their infrastructure got shut down. Looks like their servers and their Bitcoin were seized, which is kind of weird because in order to actually seize someone’s Bitcoin, you actually have to seize their physical hardware wallet and also grab their encryption keys. So it does sound like state actors might have been involved with that.

Kathy:
Yeah, it’s really interesting because DarkSide said when they decided to shut down that they didn’t want to have societal impacts to whatever that they were doing and that they were completely and totally apolitical, but they also had this list of do-not-install localities, including Russia, Ukraine, Belarus, Tajikistan, and Armenian-language servers. So they would detect what language was being… What was being used on that server. And if it was any of those particular languages or locales, they would just, “Okay, that’s off limits. We’re not going to install there.” So just by doing that, they’re already making some geopolitical decisions. So I find this incredibly interesting. And I also find it very interesting that these guys would know how to store crypto assets. I would assume, I mean that’s what their deal is.

Ram:
Never assume that hackers aren’t sloppy.

Kathy:
Sure, sure.

Ram:
And I mean this both in the pejorative sense of the word hacker and in the interesting sense of the word hacker, because either way there’s so much going on and so many plates spinning that you might lose track of some important things like your $5 million in Bitcoin.

Kathy:
Yeah. That’s just mind boggling to me. Although crypto crashed earlier this week and it’s not worth five million anymore. Or maybe it will be again soon. I don’t know. It’s so volatile. So volatile. It’s crazy. I don’t even look anymore.

Ram:
I’m so glad I divested all my crypto right before that. Right before that got really bad.

Kathy:
Oh, smart man, smart man. Did you also see that this famous Russian-language hacker forum called XSS banned the… Right after all of this Colonial Pipeline stuff happened, they banned the mention of ransomware in the forums. They said that they were seeing all of these newbies coming in wanting to learn how to make crazy virtual millions from ransomware, and they decided that they wanted to be super altruistic and only talk about hacking in very educational terms and not terms that would make tons of money.

Ram:
Those script kiddies always ruining our reputation.

Kathy:
Yeah. It always comes down to…

Ram:
It really does.

Kathy:
The script kiddies.

Ram:
It really does.

Kathy:
Too funny, but I kind of find this interesting as well, because this was a Russian language hacker forum, and we’re seeing just another geopolitical situation happening here with cybersecurity.

Ram:
I have a conjecture, and this is very much a conjecture, so take it with an entire shaker of salt. But I suspect that these things are not necessarily unrelated, all of these factors. I suspect that possibly a lot of these ransomware gangs have been operating at the sufferance of Russian state security services and that the Colonial Pipeline is now getting into amateurs treading on their toes, so to speak, to the sort of things that could have geopolitical repercussions that if anyone’s going to do this kind of thing, it needs to be this state security apparatus and not some group of randos trying to make a buck.

Kathy:
Yeah, that makes a lot of sense. I’m going to guess that there’s going to be… Obviously with any kind of hacking event, the news that the hack happened comes out and then over the course of months, and sometimes years, we find out more and more about what actually happened, what was actually involved, and that’s happening here right now with this story. And I suspect that will continue to happen. We’ll find out more about what took place with the Colonial Pipeline incident, and it will be… This episode should be titled “cautionary tales.”

Ram:
This is going to be fascinating going forwards. I don’t know if my conjecture is correct, but I guarantee you whatever it turns out to be, it’s going to be fascinating.

Kathy:
Yes, definitely, definitely. So it looks like Apple is involved with a lawsuit with Epic, the makers of Fortnite, who are trying to get on iOS devices and there’s a lawsuit taking place. And one of the interesting things that came out of this lawsuit is that an executive stated that the level of Mac malware is “unacceptable.” There’s just so much malware out there. We must have this closed system in order to protect all of our users from malware just at the walls of our garden, trying to get in. What do you think about this, Ram?

Ram:
Ooh boy. Background on the story is that Fortnite brings in billions of dollars a year. Apple wants a 30% cut of literally any transaction that happens on any iOS device, which seems excessive, and their defense of that is that they deserve to have that cut because they keep iOS devices secure by vetting every single app that gets installed on an iOS device through the app store. So here’s the thing. It seems like a bad faith argument that a lot of that seems to be a case… I mean, yes, we have seen sort of the opposite problem with Android devices where it’s a lot easier to get malicious apps into the app store. But the thing is a lot of this seems to be a case of an argument for security through obscurity, the sort of, “Trust us, we’ll handle all the security and also take a cut of everything, but we’ll handle all the security. Don’t worry about it.” Which maybe isn’t necessarily trustworthy considering the number of iOS patches that have happened in the last year.

Ram:
As for the Macs having malware, macOS does have some pretty excellent security protections, but Apple malware is fairly fast growing and a big part of that is just the belief that Macs don’t get viruses that leads a lot of people to be maybe a little less cautious on their Macs than they might need to be, to override or be socially engineered into overriding some of the protections on Macs. And Apple has been going in the direction of making it harder to override those things, but that also takes away a lot of agency from the users. I work on a Mac. I find it harder and harder to use the Mac for my job with every new update because I am having that agency slowly eroded by bits and pieces.

Ram:
But that’s sort of the opposite philosophy from how WordPress and its plugin ecosystem works, where everything is open and anyone can contribute, and I really like the WordPress ecosystem because even though, yes, it does have vulnerabilities and yes, that… I mean, yes, I earn a living partially due to that, but it also means that stuff gets found and fixed. It means that there’s an app for everything, that it gives users a lot more control just by learning how to work with the ecosystem.

Kathy:
Right, right. That walled garden analogy is interesting because it gives people that false sense of security, of nothing bad can ever happen to my Mac. Well, I’m going to bet that if you’re using a Mac, you probably have Google Chrome installed on your Mac. And there’s been some vulnerabilities over the past weeks with Google Chrome that have been under active attack. You had vulnerabilities if you’re using Google Chrome on your Macintosh, but you have this mental state. And so much of security is about the psychology of the user thinking that their apparatus, their device, their computer is completely safe. So if you tell somebody that your computer is safe, it’s behind this Mac walled garden and it doesn’t get any malware, it doesn’t have any vulnerabilities, that’s completely and totally false. And to use that as an argument in this lawsuit is just kind of…

Ram:
Yeah, it’s unacceptable that it has malware. All systems are going to have malware. It’s impossible for that to not happen. User education is really the way to deal with that. Best practices.

Kathy:
Exactly. So this is obviously an interesting development. There’s a lot of moving pieces going on with this lawsuit. I just wanted to call attention to the fact that the level of Mac malware is unacceptable. The level of malware anywhere is unacceptable for anybody to have malware on their devices, on their computers.

Ram:
It’s not an excuse to take away user agency. It’s one of those trading freedom for security things, only you don’t actually get as much security as you think you do.

Kathy:
Right. Exactly. Interesting. I like where you’re going there. And I love the way you talked about the WordPress ecosystem because that open source nature of things opens up the code to security researchers like Ram and Chloe and our threat intelligence team who are constantly looking at possible threats to the WordPress users that we protect. And sometimes malware happens, and there are vulnerabilities out there.

Ram:
And we have people that are really good at cleaning that up. You used to do that, right? You used to be really good at cleaning it up, didn’t you?

Kathy:
I did. I’m not just the crazy marketing lady here at Wordfence. I started out actually as the crazy site cleaning lady. I was just kind of doing it part-time because I found it incredibly fascinating. And our site cleaning team is still… even though I’m not looking at malware as much anymore, I still kind of peek every once in a while. Our site cleaning team is incredibly efficient and very dedicated at what they do. And I wanted to talk a little bit about what that team does. So if we have someone who comes to us and they have malware detected on their site, they’re probably installing Wordfence for the first time, they’re running a scan, they see files, they’re not quite sure what’s going on, but there’s a lot of red in those scan results, and it looks like they’re probably hacked. So they’ll initiate a site cleaning with us.

Kathy:
And I wanted to talk a little bit about what happens there. So our site cleaning team will make a backup of everything that’s there, just preserve what they’re finding at the start of the investigation. It’s kind of almost a forensic investigation. So they make a backup, they preserve everything. And then they take all of the code from your server, the database from your server, and pull it over to our servers to do a deep analysis and look at what’s going on there. So they are actually manually looking at every single file. Now they have some proprietary tools that look at malware in a much deeper way than we could ever offer in the Wordfence scanner, because they have the knowledge and the experience to look at what those tools are saying and make a judgment call on whether or not something is malware or legitimate code.

Kathy:
So they clean all of that up. Then they swap that out on your live server, put the live clean server, or the clean site live and test everything, make sure Wordfence is installed, configured. Any kind of malware in the database, they’re looking at that as well, any kind of administrative users that shouldn’t be there. They’re looking at everything. And this is a trained security analyst who’s looking at everything.

Ram:
And it’s hard to clean malware from the database, just because it takes a lot of judgment and it takes human expertise to do that. It’s already hard enough cleaning up malware files, but database malware is one of those things where it’s really easy to just completely break a site if you don’t do it right.

Kathy:
Right, right. There’s a lot of serialized data that’s stored in a WordPress database and you really have to know what you are doing, and that’s why we have such seasoned analysts who work on that team in order to look at everything. So they’ll also create a report. They’ll not only tell you… They’ll look at your log files and tell you how that intrusion happened, as long as there are log files. A lot of times there are hacked sites and the log files do not go back far enough. We’ll have a site come in that has been hacked for three months, and we only have 30 days of log files, so there’s really no determination of what exactly happened three months ago. But we can tell you this is what we think happened based on the evidence that we have. They will go over every blacklist.

Kathy:
So if there’s the red screen of death where Google Chrome is saying, “This is a dangerous site,” we’ll help you get that cleared. We’ll clear all the blacklisting done by places like Norton, McAfee, all of the other blacklisting services. We will clear those. We’ll look at your search console, if your search results, on Google search engine result pages, if that is showing any kind of spam pages that might not even actually be on your site, but it’s cached within Google search results. We’ll help clear that as well. And all of this comes with Wordfence Premium, to protect your site going forward. Wordfence Premium Support in case you have any questions about what might have happened, and a one-year guarantee.

Kathy:
So as long as you follow all of our recommendations that are going to be in that report, if anything happens to your site over the course of the year, we will clean your site for free. So Wordfence site cleaning is a wonderful service. It gives you that peace of mind that if anything did happen to your site, we are there to help you get back up on your feet and make sure that your site is fully functional again. So we will have a link to that in our show notes as well. And we’re also hiring, aren’t we, Ram?

Ram:
Yes, it’s your weekly reminder that we are hiring for a security operations role, PHP developer roles. We’ve got a new QA role coming up. So especially if you’ve done web application QA, then that would be awesome. If you like breaking stuff and figuring out why it’s broken, come apply here. And we’re also looking for a senior researcher for website performance. So if you know what cumulative layout shift actually means, then we might want to talk to you. The position is fully remote and will always be fully remote because that’s just how we roll.

Kathy:
That’s how we roll.

Ram:
Yeah. Our benefits are pretty awesome. We keep on talking about the coffee machine, but health, vision, all that stuff is generally quite good as well.

Kathy:
Definitely, definitely. So we’ll have a link to all of that in the show notes, if you want to take a look. If you are interested in working at Defiant and helping to secure WordPress, we are here, and we would love to talk to you. That’s all I got for this week. How about you, Ram?

Ram:
It’s always fun.

Kathy:
It is.

Ram:
I will talk to you next week.

Kathy:
Yeah. Talk to you later. Bye-bye.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
