Episode 125 Think Like a Hacker

Episode 125: Critical SQL Injection Vulnerability Patched in WooCommerce

A critical SQL injection vulnerability was discovered in WooCommerce, the most popular e-Commerce plugin used by over 5 million WordPress sites. The WordPress.org team pushed a forced security update ensuring that over 90 versions of WooCommerce were patched. The REvil ransomware gang targeted a zero-day vulnerability in Kaseya, used by many in the banking industry, before going dark. A new SolarWinds zero-day was found in their Serv-U FTP platform. WordPress 5.8 will be released next week with many new features, as well as removing support for Internet Explorer 11. Microsoft released a number of patches, including those patching 3 zero-day vulnerabilities.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:14 Critical SQL Injection Vulnerability Patched in WooCommerce, WooCommerce announcement
5:50 Kaseya Patches Zero-Days Used in REvil Attacks
9:14 SolarWinds patches critical Serv-U vulnerability exploited in the wild
10:33 WordPress 5.8 release next week
12:22 Microsoft Crushed 116 Bugs
15:00 Defiant is hiring


Episode 125 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I’m Ram Gall, Threat Analyst at Wordfence. And with me is Director of Marketing, Kathy Zant. How are you, Kathy?

Kathy:
I am doing very well, Ram. We’ve had a busy couple of days, hey?

Ram:
Why, yes we have. So the first thing on our list is a critical unauthenticated SQL injection vulnerability in WooCommerce, which you actually tipped me off to, because you apparently monitor the secret, dark hacking web of scum and villainy known as Twitter.

Kathy:
That’s it. Exactly. Hey hackers, black-hat hackers, any hackers, I’m watching you. If you have the intel on all of the vulnerabilities in WordPress, and you’re talking about it, I’m on it. And I’m alerting Ram and Chloe, and we are right behind you.

Ram:
The guy who actually found it was not a black-hat hacker in this case. He responsibly disclosed it to Automattic, but Kathy caught wind of it a few hours ahead of time. So I started looking through our logs and through the WooCommerce code base. WooCommerce is kind of enormous, but-

Kathy:
It is enormous. Well, it’s doing a lot, right?

Ram:
Yeah. Well, I didn’t find it until the patch dropped, but hey, all that time poring over WooCommerce made it a lot faster for me to actually figure out a proof of concept once the patch dropped. So…

Kathy:
Excellent. Great. So tell me about what vulnerability was actually found. This was an unauthenticated SQL injection vulnerability, which means unauthenticated means anyone could exploit this on a vulnerable site and SQL injection has to do with the database. So what exactly did you find once we identified this vulnerability?

Ram:
Well, I found a time-based blind and a Boolean-based blind SQL injection. At least that’s what I was able to make proofs of concept for. The bad news is that you can use this to extract anything you want from a site’s database, even if you’re not logged in, even if you’re just a visitor.

Kathy:
Okay. Okay. Okay. So the database includes any user password, correct? So it’s obviously salted, but you can get usernames, you could get personally identifiable information about the customers that are buying things off of that WooCommerce storefront. You could get user passwords, all sorts of fun things, couldn’t you?

Ram:
Oh yes. Yes. There’s a lot of sensitive information and personally identifiable information in a website database, especially if it’s an e-commerce storefront. So yeah, this could have been really bad, but we did manage to get a firewall rule deployed to our customers within a few hours. We also figured out that there is more than one way to do this. So we actually had to make a new firewall rule the next day, which is today, the day we’re recording. Push that out as well.

Ram:
And it looks like WooCommerce also took some drastic action. We’ve discussed how, in the past, WordPress can force auto-updates. In this case, I think it was completely warranted. I think it was the right decision. WooCommerce is installed on more than 5 million sites, and they basically backported this one patch that wouldn’t really break anything to all the minor versions so that you auto-update just to the next minor version up. So if you were on 5.3, you’d get updated to 5.3.1. If you were on like 4.3, you get updated to 4.3.1. The reason for that is that way you could get patched without breaking compatibility, which is really cool.

Kathy:
Right. That was great that they did that. It looked like from their announcement that there were 90 vulnerable versions of WooCommerce that they patched. And it was great to see. I’m always a little concerned with auto updating and pushing out auto updates, but with a vulnerability of this level, and given the types of transactions that are taking place on WooCommerce sites, completely and totally warranted to push out a fix in order to ensure everybody is protected as soon as possible. But of course, our Wordfence Premium customers get some additional protection with the firewall rules that we put together. You said that we’re already starting to see some malicious actors poking around, looking for vulnerable sites?

Ram:
Yes. It’s not a lot of actors yet. Just a few IPs so far, but we are actually seeing functional attacks, attacks that would, at the very least, count as a valid proof of concept from these attackers. So someone’s at least figured out the basics of how to do this.

Kathy:
Okay. Okay. And we’ll probably start seeing a lot of copycat attacks in the days to come?

Ram:
Yes. Yes. I would expect that. I don’t expect it to be exploited on a large scale for a while just because it’s not a super complicated vulnerability, but it’s a little bit tricky to take it from patch to proof of concept. And again, it’s also a little tricky to take it from proof of concept to automated attack.

Kathy:
Okay. Understood. All right. So no matter when you’re listening, you might be listening to this and it’s a couple of days after we’ve recorded. This means you have some time to make sure that your site is updated. We’ll have a link to WooCommerce’s security advisory that they put out. And on that list, they actually detail out every single version of WooCommerce that was updated. It would make sense, if you haven’t logged into your WooCommerce site recently, it’s time to log in and make sure that you’re updated. It’s just something to double check. If you do think that your site has been compromised, say you’re listening to this a few months in the future, we do have some indications of compromise on that blog post that we pulled together that might be helpful for you to look for in your log files. So definitely take a look at both WooCommerce’s security advisory, as well as the post our threat intel team led by Ram on this particular case, that they put together in order to basically get the word out about what could possibly happen going forward. What do we have up next?

Ram:
We actually missed this last week because we didn’t run a podcast for the holiday, so we didn’t end up covering the massive REvil attack on Kaseya.

Kathy:
Right. That was crazy. It hit right before the 4th of July holiday weekend. REvil, who we’ve talked about a number of times on this podcast, a Russian-based ransomware gang… Should we call them a gang?

Ram:
They are a gang. This is not the first time they’ve pulled off something like this, hitting a big target right before a holiday. Yeah.

Kathy:
One of their favorite timeframes, I guess. And so now what exactly is Kaseya and how prevalent is it used by enterprises?

Ram:
So Kaseya is a managed service provider and they offer a virtual system or a virtual server administrator platform, actually a lot like SolarWinds. They use it to monitor network traffic, configure and lock down systems. So there’s a little bit more emphasis on the configuration and locking down, though it does also do network monitoring, and it’s used by a lot of banks and credit unions. So this has a lot of supply chain attack potential. There’s a lot of potential downstream consequences for this.

Kathy:
I see. Interesting. Now, since this attack started, some odd things have happened with REvil?

Ram:
Their site went down. Not only their public website, but their onion site on the dark web also went down, where they actually collect ransoms and do business with other malicious operators. This might or might not be related to the Biden administration’s rewards of up to $10 million for information leading to the identification of malicious cyber activity. So they might’ve just done a rebrand or they might’ve been hacked back. Either is basically a speculation at this point.

Kathy:
Sure, sure. That’s understood. But yeah, it looks like the Biden administration is getting serious about ransomware and some of these large scale attacks, I think just because of the dollar values that are being bandied about. Millions and millions of dollars are being requested by these ransomware gangs. And it’s having definite effects on life as we know it in the United States, gas stations being closed because there’s no gasoline to put into the pumps, tons of effects here. So it should be interesting. Obviously, we’re in a state where we have malicious actors who are making money at ransomware. And so law enforcement and government officials are stepping up their defenses. So this will definitely be interesting to continue watching. Do you have any bets on what REvil might rebrand to?

Ram:
Not really, but I really hope that it’s less confusing to pronounce. I’m still not sure if it’s REvil or R-evil, but if two months down the line some new ransomware gang called Weevil comes out, I’ll be like, “I know who you are.”

Kathy:
Exactly. Exactly. Okay. Well, we’ll keep you posted if we figure out what the rebrand is. Maybe we’ll do like a brand evaluation, see how well they’re doing at staying on brand.

Ram:
Yeah. Exactly. We don’t want brand dilution. There’ll be like a bunch of REvil knockoffs. There’ll be Weevil and BEvil and…

Kathy:
Exactly. Well, hackers are definitely creative, even if they are on the malicious side of things. So it looks like SolarWinds has a zero-day that has just been patched, right?

Ram:
A new zero-day in a SolarWinds product. This time, the Serv-U FTP, which is basically just an FTP server that’s specialized for securely transferring larger files, since FTP can totally do that. But it’s not necessarily set up for that. It looks like a single threat actor was exploiting this. And according to Microsoft, who’s been researching this, it was a Chinese APT or advanced persistent threat.

Kathy:
Oh, interesting.

Ram:
I don’t have that much more info about it, but it looks like this was only vulnerable if the SSH service was enabled on the Serv-U FTP server. So…

Kathy:
Got you. Okay.

Ram:
Yeah.

Kathy:
Well still, I mean, these are kind of scary vulnerabilities to have an FTP service that is vulnerable because once somebody has access to FTP, you can put any file on a server. You can put malware, you can put backdoors, all sorts of things. You basically get control of that server, at least for that particular user on that server, correct?

Ram:
Yeah. And it looks like they were able to actually execute code on the server so that would have likely allowed them to completely take it over. Actually it does look like that was the case. So, yeah.

Kathy:
Interesting. Okay, cool. Well, in better news, it looks like next week, we’re going to get a new version of WordPress. What’s happening?

Ram:
Well, I’m actually kind of excited about this. For one thing, there are media library changes, template editor changes. Gutenberg is continuing to get better, or less bad. Actually. I think at this point it actually counts as getting better. I think we reached the less bad point a little while back and now it’s actually pretty cool. I like it. But there’s something that I’m actually pretty excited about and that’s no more support for Internet Explorer 11.

Kathy:
Oh my gosh. The angels sing.

Ram:
And there’s going to be a bunch of quality of life tweaks. Oh, there’s also going to be some things that will improve core web vitals.

Kathy:
Oh, excellent.

Ram:
It looks like it’s automatically doing source set for images, so that should improve your cumulative layout shifts.

Kathy:
Nice.

Ram:
And you can also sepia tone or do some other kind of duotone for your cat photos, which I will potentially be demonstrating in a future Wordfence Live episode.

Kathy:
Exciting. Does it only work for cat photos or could I do it for my dog?

Ram:
You could do it for your dog. You’re not allowed to use sepia tone though.

Kathy:
Oh. Oh, well sad. Well, he’s a golden retriever. He’s already kind of in that realm anyway.

Ram:
Exactly. If you use sepia tone on him, he’d basically just disappear into the background.

Kathy:
Yes, exactly. Awesome. Well, it looks like this is going to be a great update for WordPress 5.8. It’s definitely leading us further along that path of full-site editing, which core team has dedicated this year to making happen. And I’m very excited about that. I think this is going to really solidify WordPress as the platform of choice for websites, and that’s a good thing. I’m excited about it. It looks like Microsoft is crushing bugs left and right. What do we see with this?

Ram:
Microsoft smash! So I guess there were three zero-days in Windows that they just patched on Patch Tuesday, including, it looks like, an extra patch for that PrintNightmare vulnerability, which I guess took a few patches to really completely tank. So yeah, it’s not your imagination. There have been a lot of zero-days this year, or a lot of impactful zero-days this year. Google’s Project Zero, which tracks… Well, they’re not really tracking WordPress zero-days, but they’re tracking impactful zero-days in browsers and Android and Windows and OS X. They found that there’s been 33 zero-days exploited in the wild just so far this year. And there were only 22 exploited in the wild for all of 2020. So yeah. It’s not your imagination, that whole thing we were joking about how there’s a Chrome zero-day every other week, yeah, it’s kind of-

Kathy:
There really is. Yeah. Yeah. So I think there’s a lot of security research that’s happening. There’s a lot of, obviously, malicious attacks that are happening. But I think the great thing is that more and more people, not just in the WordPress community, but the world as a whole, is becoming much more aware of what is happening with security online. And people are taking it to heart. I’m having more and more people ask me the question. Obviously this is very anecdotal and I didn’t really research this, but more and more people are asking me questions about what do I need to do about my own personal security? Because they’re seeing the ransomware, they’re seeing all of these attacks that are happening. They’re hearing about Chrome zero-days. So security education is becoming forefront for a lot of people. And I’m actually excited about what’s happening in the security landscape. What about you?

Ram:
I mean, I definitely am. I feel like awareness is definitely at an all-time high. My mom texts me security articles now, and I don’t think she quite gets what’s going on for a lot of them, but yeah, it’s pretty cool. There’s more people interested and more people aware than there ever have been.

Kathy:
You’re actually becoming a hero instead of the security nerd, right? But we’re still security nerds.

Ram:
We are always going to be security nerds.

Kathy:
Always, always, always going to have a little bit of tinfoil hat going on, especially after some of the things we’ve seen. But we’re heartened to have more and more people who are elevating their security knowledge. It’s really great to see.

Kathy:
I’d like to talk a little bit about some of the open positions that we have here at Defiant. We’re hiring for a number of positions, including Senior Researcher for Website Performance related to our FastOrSlow website performance profiler, and QA Engineer. We have a Senior Operations and Security Engineer position open, and we’re looking for a number of Senior PHP developers. And that particular role has some additional benefits to it in terms of a signing bonus. We’ll have a link to our employment page in our show notes. On that employment page, our CEO, Mark Maunder, actually wrote up a little piece that I’d recommend that you read as well. He kind of wrote up a document that basically talks about what makes Defiant different. What makes Defiant work, what makes Defiant a great place to work. And he goes over all of the things that make this remote-first organization really do what we do and do what we do best.

Kathy:
And I really recommend reading it because it’s not just about “you get to work from home.” It’s about sort of this corporate culture that we have, where everyone in this organization is working together, actualizing their own potential towards a greater good and towards a greater mission of helping secure WordPress and serving our customers. So, anyway, I’m not going to put words into Mark’s mouth. He’s got enough words on that page that you can read, and it’s really a good read. So definitely take a look at that. And if any of these positions look interesting to you, we would love to talk to you. And send us your resume.

Ram:
Yeah. I will say that you get to work with some really amazing people here. So that’s one of the things that is best about working here is the people I get to work with every day.

Kathy:
Yeah. The people here are one of a kind and it is a great place to work. So definitely take a look at that. We’d love to invite you into the fold, into the team. Anyway, that’s all I’ve got this week. Ram?

Ram:
That’s all I’ve got. Thanks for listening.

Kathy:
Thanks for listening. And we’d love to hear from you. Hey, go follow Ram on Twitter and say thanks to him for his hard work on this WooCommerce post because-

Ram:
And send me cat pictures.

Kathy:
Cat pictures.

Ram:
And then I will sepia tone them on WordPress.

Kathy:
Excellent. Perfect. We’ll leave it there. Thanks for listening.

Ram:
Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
