Think Like a Hacker Episode 117

Podcast 117: Cyber Attack on Colonial Pipeline Affects Fuel Availability in 17 States

A ransomware attack on Colonial Pipeline affected fuel availability in 17 southeastern US states, and Bloomberg reported that Colonial Pipeline paid $5 million to DarkSide, a Russian ransomware service provider. The Biden Administration issued an executive order to increase US cybersecurity defenses. WordPress 5.7.2 was released to patch a critical object injection vulnerability in PHPMailer. A critical vulnerability was patched in the External Media plugin, used by over 8K sites. Vulnerabilities were discovered in all WiFi devices, and a patch is available for a zero-day RCE under active attack in Acrobat Reader.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:21 Cyber Attack on Colonial Pipeline leads to executive order on cybersecurity
9:55 WordPress 5.7.2 Security Release
12:36 Critical Vulnerability Patched in External Media Plugin
14:29 All Wi-Fi devices impacted by new FragAttacks vulnerabilities
17:11 Zero-day patched in Acrobat Reader
17:57 Defiant is hiring
18:39 Wordfence K-12 Site Security Audit and Site Cleaning Program

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 117 Transcript

Ram Gall:
Welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. It’s another busy week. Are we still screaming?

Kathy Zant:
I haven’t stopped screaming. I think I’ve been screaming for about three weeks. This has been a crazy year with cybersecurity events. What’s going on, Ram?

Ram Gall:
Well, we’ve all heard about the cyber attack on the Colonial Pipeline that delivers oil and gas to most of the East Coast.

Kathy Zant:
It’s crazy, yeah. There was a cyber attack. I heard about it over the weekend. 17 states have declared states of emergency because this pipeline delivers fuel.

Ram Gall:
Things that make your car go.

Kathy Zant:
Exactly. You want to go to the grocery-

Ram Gall:
Car go juice.

Kathy Zant:
Car-go juice, yes. You want to go to the grocery store? You need the Colonial Pipeline to be delivering gas to your region.

Ram Gall:
You want trucks to drive stuff to your region, they need the gas too.

Kathy Zant:
Yes, perishable …. Florida is in the region that’s affected here. Florida is a major place where strawberries, oranges, perishable goods are being grown that need to be put on trucks and shipped around the country in order to feed people. So this has wide ranging effects across the entire Southeast. Gas prices in my region of the country are going up, even though we’re not directly affected, so this is definitely taking a toll. It looks like a Russian cyber crime group called DarkSide were behind the attack. Ram, you did some research on them. What do you know?

Ram Gall:
I guess they’ve been a little bit more low profile until now, though since the Colonial Pipeline, they’ve already attacked four more organizations or at least claimed credit for four more attacks. They do say they’re going to be a little bit more careful in picking their targets going forward.

Kathy Zant:
Oh, how nice of them.

Ram Gall:
They say that their goal is … I know, right? Their goal is to make money and not to create problems for society. “From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Kathy Zant:
Oh, thanks DarkSide.

Ram Gall:
Thanks DarkSide. So it looks like Colonial Pipeline did actually pay them $5 million, and they provided Colonial with a decrypting tool to restore its computer system. But I guess it was so slow that the company continued using its own backups to help restore that system. This is why you should have a warm site instead of a cold site for your backups. I know it’s a little bit pricier, but if you’re doing something that’s critical to the entire Southeastern United States, then maybe you should have a warm site backup.

Kathy Zant:
Yeah. Explain the difference between a cold site backup and a warm site backup for the uninitiated.

Ram Gall:
Okay. So there’s basically three kinds of backups. There’s hot sites, which are very expensive, but generally let you more or less seamlessly switch over after an incident or disaster. There’s warm sites, which are usually more practical and most larger companies at least have a warm site backup, something where you can restore full or really close to full functionality within 24 hours or less. Then there’s cold site, which is where yeah, you have all the old stuff, but it might take a few days for the truck to come by and drop off your old hard drives.

Kathy Zant:
We were talking earlier about just basically this year, we’re already at middle of May, and it was around Christmas time when we heard about SolarWinds for the first time. It seems like this year is the year of cyber attacks and cyber incidents, supply chain attacks. Every week, we’re coming on this podcast and it’s like, oh my gosh, where do we start? It seems like we’re in this situation where it’s like that frog in the boiling pot. We’re in the state of all of these different cyber attacks happening, and it just keeps happening.

Kathy Zant:
It’s almost like we were talking earlier in a different podcast about breach fatigue. It’s not even affecting the stock prices of organizations anymore, and it just seems like this is just part of our life now. I feel like it shouldn’t be, and that there should be lessons like in this particular case with the Colonial Pipeline. We don’t know how the original intrusion happened, but we do know that DarkSide is a paid ransomware service. Can you explain a little bit how that works?

Ram Gall:
Well, basically what it means is that someone else would have gained access to Colonial’s network, and they wanted to monetize that access. So they hire DarkSide to basically ransom based on the access that they were able to gain.

Kathy Zant:
Okay, so somebody gained access. It could have been a very low privileged user that just escalated out of something. Could have been an unpatched Windows server that was attached to a network. It could have been bad passwords, shared passwords, no multi-factor authentication. It could have been anything that’s really like low key, right?

Ram Gall:
I do remember that someone who had performed an audit of their systems fairly recently, not even a security focused audit, disclosed that they’d seen some major security issues. I don’t want to say that you can stop all of these things just by doing the basics, but it looks like in this case, these guys may not have done all the basics. But I mean, it’s important to just do things like patch all systems, do strong authentication, especially multi-factor authentication, segment the network. You don’t always need to air gap. A lot of the time, just having, making sure that whatever sensitive systems are in a different VLAN, or even a physically separate network is useful, and conduct … do things like conduct tabletop exercises. Having a disaster recovery plan is really the most important thing. It’s just like, assume that something like this is going to happen and know what you’re going to do when it does.

Kathy Zant:
Right, and just have plans in place so that you have some business continuity. Just planning for an attack, expect that an attack is going to happen. It’s happening all over the place. We’ve got SolarWinds, we’ve got Codecov. We’ve got all kinds of situations happening that are trickling down into organizations. Maybe this is related to SolarWinds or Codecov. We don’t know that, but it’s just showing us … all of these incidents are showing us how important it is to have some kind of disaster recovery plans in place. It looks like our government is planning on pushing the envelope on that a little bit. What are they doing?

Ram Gall:
The White House has issued an executive order, more or less a plan for modernizing the government’s cyber security response. I actually checked the details and there is some decent stuff in there. It’s fairly detailed. A lot of it is already covered in existing NIST standards, but maybe isn’t implemented across the board, especially not by state and local governments. But what’s more interesting about this is the idea that they’re going to create a review board to conduct postmortems across agencies and also a rating system like ENERGY STAR or Underwriters Laboratories for judging software security and grading how secure software is.

Ram Gall:
I do think that that’s something that I don’t necessarily think has to be applied to all software, otherwise, no software would … Candy Crush probably doesn’t need to have a UL rating, but maybe it does, depending on how much data it collects. Anyways, but I do think that for mission critical stuff or things that impact infrastructure, yeah, it’s maybe not a bad thing that the software will take longer to write and be a little bit more expensive. If you can actually assure that it’s going to be done right is really the thing.

Kathy Zant:
Well, the thing that needs to get thrown in the balance is what’s the impact of the systems that are at play here? We’ve got this pipeline, dramatic impact throughout 17 States. The airline industry that you were talking about earlier, dramatic impacts if there’s a security issue there. So there’s definitely standards. I mean, I remember back in the 1970s, you remember the movie Airplane, a great comedy piece, one of my all-time favorites, but it was based on the fact that there was so much … so many scares that happened in the 1970s with plane crashes and things like that. These days, we don’t hear about that because there’s certain standards in place in order for safety and security in the airline industry. It almost seems that we’re in the … it’s like the 1970s of cyber attacks and cyber incidents now. We need that same standard to be applied across the board for software so that these kinds of impacts don’t happen.

Ram Gall:
From everything I understand, most agencies already follow these standards. I think it’s largely a case of how they’re implemented. I think that a lot of them are implemented in ways that maybe involved checking the box, but actually make it harder to actually get anything done. I think that some sort of review of these standards to figure out which things are actually super important and implement them, things like multi-factor authentication, isn’t a bad idea. So we’ll see where it goes with this. This could go horribly wrong as with anything involving implementing more standards. It could also really improve the security of a lot of systems. So I guess we’ll see.

Kathy Zant:
Yeah, it is the year of the cybersecurity wake up call, if you haven’t gotten it yet.

Ram Gall:
Speaking of such things and supply chain … potential supply chain issues, WordPress 5.7.2 just came out. It’s an emergency security release for all WordPress versions between 3.7 and 5.7.

Kathy Zant:
Right, and this was for a very specific vulnerability in PHPMailer. You took a deeper look at this. What do you know?

Ram Gall:
PHPMailer is what WordPress uses by default to send email. On its own, the vulnerability in the actual PHPMailer library itself is considered critical because you can use it for object injection, which is, as we’ve maybe discussed in previous episodes and certainly had some posts about, can be super dangerous and super critical. Basically it was via the way that it processed UNC path names, the paths that Windows networks use to refer to network resources. So it’s the kind of thing that the way that WordPress actually uses PHPMailer and the way that most plugins use PHPMailer, this isn’t really going to be exploitable unless the stars align just right, because WordPress doesn’t really allow unrestricted access to the mailing system. Anything that does grant that would be considered a separate vulnerability on its own. So it looks like this would be fairly difficult to exploit for most attackers, unless they were already in your network and using your WordPress site that has been hardened, but that they somehow gained admin access to as a pivot point. Something like that, but still I understand why they released it.

Kathy Zant:
Yeah.

Ram Gall:
It could be super bad.

Kathy Zant:
Okay, could be super bad, but has a lot of different stars aligning that need to happen in order for it to be super bad. But this really does underscore the fact that the WordPress core team is taking security incredibly seriously. If any libraries do have critical vulnerabilities, even in a WordPress situation would not necessarily be, oh my gosh, all the sites are hacked, this is still something that they’re taking seriously and ensuring that all of the sites that are using WordPress are receiving an update to patch this.

Ram Gall:
Exactly. I don’t honestly expect any of our users are going to be impacted by this. I don’t expect to see this as an intrusion vector. I don’t know if it’s ever going to be exploited in the wild, but still good that they patch it just because there’s so many WordPress installations that someone’s maybe using WordPress for their intranet site, and they’ve got just the setup that an attacker could exploit to pivot or escalate their privileges or something like that, so

Kathy Zant:
Someone somewhere is vulnerable. Now we have a plugin that Chloe examined called External Media, and it looks like this is installed on about 8,000 sites. It had a critical vulnerability that was recently patched that could have been used by subscribers, even a site that had subscriber … anybody can subscribe, anyone can register for the site if that was open. This could be used to fully take over a site.

Ram Gall:
Yeah. I mean, the plugin is basically just designed to allow authors or anyone who’s writing posts on the site to add external media, external images, stuff like that. But didn’t really do any access controls to make sure that the people who are adding stuff were actually allowed to add stuff. That’s not necessarily the worst part of it. It also didn’t run checks on what files were being added. So you could add executable PHP files, which means you have to mix-

Kathy Zant:
With back doors?

Ram Gall:
Yes, with back doors, which means you get remote code execution, which means that your subscriber now owns your site.

Kathy Zant:
Got you, okay. Chloe, one of our threat analysts here at Wordfence, she’s taking a look at plugins, themes, all sorts of things out in the WordPress space and thanks to our premium subscribers who make that research possible so that we can find these types of vulnerabilities, make sure that firewall rules are written. Both premium and free subscribers to Wordfence are protected at the current moment of recording this podcast. I just want to say thank you to premium users for that research that you guys make possible to keep all of WordPress safer.

Ram Gall:
Definitely. I would not be able to find stuff or be on this podcast without you.

Kathy Zant:
Me neither. So it’s always good to thank them. Thank you guys for listening as well. So wifi devices, I love wifi. Wifi makes my phone work everywhere in my house, right?

Ram Gall:
Yeah.

Kathy Zant:
But what’s going on? This was a scary story. It looks like all wifi devices have some vulnerabilities.

Ram Gall:
Yeah, this is called the FragAttacks. It’s by the guy who discovered the KRACK attacks a few years back, but this is basically a bunch of issues with how wifi devices reassemble fragmented data. The wifi signal might bounce around a little bit or lose a little bit of information, so they have to reassemble data from the pieces. It turns out that you can use that capability to … Even if you’re not on an encrypted network, you can still inject packets from pieces into an encrypted connection. It looks like the main way this would be weaponized would be to get a victim to use a malicious DNS server, so that you type in your bank’s domain and the malicious DNS server tells your computer, “Hey, here’s where your bank’s domain points to,” but it’s actually an evil site.

Kathy Zant:
Got you. Okay, is this something I need to worry about on my home network, or is this something I just need to worry about like at Starbucks?

Ram Gall:
Realistically, this … I mean, yes, an attacker could potentially drive by your house and tell your smart fridge to turn on. That’s another one of the things, by the way, is you can send commands to IoT devices, which is also scary depending on what they do and how hackable they are. So I could see that being a problem, but I think that this is more likely to impact enterprises. I think that this is more likely to impact being out and about. The same advice applies. If you’re just a normal user, it applies as if you’re using open networks. Only now, it also applies to secured networks, which is use a VPN, make sure that there’s a TLS certificate matching the site you’re visiting, that kind of thing.

Kathy Zant:
Okay, awesome. This is something that is going to keep people busy writing papers for DEF CON?

Ram Gall:
I think this is going to be yet another reason to not bring or to keep your phone turned off at DEF CON, or at least to not allow wifi to stay on. Which, I mean, you probably shouldn’t have your wifi or your Bluetooth on at DEF CON anyways, so. You should probably be running a VPN for your mobile data connection at DEF CON anyways, because people have spoofed towers in the past and yeah.

Kathy Zant:
Boy, DEF CON is just a whole other level of protecting you-

Ram Gall:
This is terrifying.

Kathy Zant:
Yeah, definitely.

Ram Gall:
Speaking of our final, this is terrifying, this week, it wouldn’t be a Think Like a Hacker podcast without a zero day, but hey, this time it’s not on Chrome, it’s on Acrobat Reader, which I’m pretty sure I have it installed on every computer I have. I’m pretty sure you do too.

Kathy Zant:
Yeah.

Ram Gall:
Update it because it’s a zero day that’s under active attack, at least limited amounts of active attacks in the wild. It’s a remote code execution, which means that they could possibly own your computer.

Kathy Zant:
Yikes.

Ram Gall:
Yeah, update Acrobat Reader. I’m not going to talk to you much more about it because there’s rarely any details about zero days other than that they’re happening, so.

Kathy Zant:
Yeah, but good for us to let everybody know. I will be updating my Acrobat immediately after recording this podcast. Thanks for joining me again, Ram.

Kathy Zant:
Hey, we’ve got some jobs that we’re hiring for. Still looking for someone to do security operations, the perfect person. We have very high standards there. Some PHP developers, QA role, helping us to ensure that all of the software that we write is meeting those very high standards. We’re still looking for someone to do some website performance research, and we still have our instructional designer role open. So if you like to develop courses, and you’re really into security, and you like managing that entire process, we’d love to talk to you. We’ll have links to those in our show notes, as well as links to all of our immense benefits here at Defiant.

Kathy Zant:
We’d also like to mention that we are still offering K through 12 site cleaning and site auditing for schools that are using WordPress. If you know of a school that’s using WordPress, they are government funded anywhere in the world, we would love to provide security services for them, make sure that they are secure as they are educating the next generation of WordPress users out there. So we’ll have links to that in our show notes as well. Anything else I’m missing?

Ram Gall:
I just want to say that when we say we have high standards, we really mean that we want people who have high standards for themselves. We’re not like certain FAANG companies where you must have graduated from Harvard. No, it’s more we want people who really want … expect the best of themselves.

Kathy Zant:
Yes, like us.

Ram Gall:
Like us.

Kathy Zant:
Very high standards. I have high standards for lots of things like comedy, and having a good time, and also be passionate about what we’re doing. I’m very passionate about WordPress and security and helping WordPress users get the most out of WordPress. That’s my standard, for myself.

Ram Gall:
Exactly.

Kathy Zant:
Thanks for joining us.

Ram Gall:
Talk to you next week.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.


Comments

1 Comment
  • What needs to happen is that management always need to put IT security at the top of the budget. Most of the time IT budget is last on the list for budget.