A Walk Through a Year of Website Safety: Part II

Part I of our 2021 Security Walkthrough shows the first 5 posts of our top 10.

6 – Vulnerable plugin exploited in spam redirection campaign

FinConDX 2021

It has come to the attention of our malware research team that a vulnerability has been discovered in older, unpatched versions of the wp-user-avatar connect. The type of vulnerability found is known as escalation of privileges, which essentially allows a user to gain high access by exploiting a bug, and may allow file downloads.

In the case of this plugin, the vulnerability allows an attacker to create an administrator account without any authentication, which gives more access to the website. The download feature was used and they proceeded to download several backdoors.

Additionally, we discovered that the file uploaded to the sites was a bogus plugin called “Zend Fonts”, which included a function to hide it in wp-admin. The malware also creates a database table that dumps the user agent and the IP address of administrator users, which it then uses to prevent malicious redirects from occurring for those same administrator users. The redirect only sends visitors to spam sites where they are asked to install Trojans or get phished for sensitive information.

seven – Review of Magento’s Unique Backdoors

This post dives into a compromised Magento environment and uncovers several backdoors. Often times, these backdoors can originate from file download vulnerabilities that lead to remote code execution capabilities. Ultimately, this can lead an attacker to obtain connection details to the database, via the site configuration file. Once this information is obtained, the attacker can add further injections to the database, capturing credit card numbers and administrator credentials.

By implementing many backdoors, an attacker can also prevent attempts to scan for an infection. The variety of functions evoked ultimately all have the same priority in mind, avoiding detection for as long as possible.

8 – Stylish Magento Card Stealer loads without script tags

When it comes to e-commerce websites, theft of credit card information can be a very common type of hack. Some may refer to this type of malware as “CC Skimmer”.

Usually, attackers will need to start and end an injection with script tags to load JavaScript into a visitor’s browser, but in this case, we didn’t find anything malicious when sending a request to the database with string

Ultimately, this malware had a smart approach to using CSS styles and an event handler. This allowed the attacker to avoid the beacons

9 – WPScan Intro: How to Install the WordPress Vulnerability Scanner

This article is in addition to our previous one that reviews the capabilities and features of WPScan, and why we recommend it as a useful addition to your security toolkit. Since it is mostly free (depending on how many sites it is needed for), we guide you on how to install and update it properly. We also provide instructions on how to use the API here.

ten – Website owners scared of fake ransomware infection

We recently discovered degradations on a number of sites where the malware masquerades as a ransomware attack. The files are said to be “encrypted” and the attacker demands a ransom payment of 0.1 bitcoin, which is currently several thousand USD (considering volatility). Since ransomware has grown exponentially in recent years, understandably any business would be in immediate panic mode here.

Upon closer inspection, we found that the files were not encrypted at all. Upon querying the file structure for the given Bitcoin account number, we were able to determine that this “ransomware” was in fact generated by a bogus plugin. What we found in the plugin file instead was just plain HTML to generate the ransomware message, and basic PHP to generate a sense of urgency with a countdown timer.

Despite the easy cleanup of just removing the plugin from the wp-content / plugins directory, all pages and posts subsequently resulted in 404 Not Found responses. This was due to a general SQL command that finds all posts and pages with the status “publish” and changes them to “null” instead, which we were able to revert.

Eventually, we were able to determine the source of this infection by checking the access logs and found a foreign IP address interacting with the directorist plugin, using the plugin editor function for wp-admin. This indicated that a legitimate plugin had been installed, but later tampered with by attackers. We also discovered that the initial request for the attacker’s IP address was from the wp-admin panel, meaning the attacker had already gained administrator access either through Brute Force or by acquiring the compromised login credentials. on the black market.

In conclusion

Overall, this year has provided us with an array of smart infections, handy tools, and questionable safety practices. We remain committed to researching and resolving new vulnerabilities and exploits so that we can adapt our products as they arise.

Most of these articles will list our recommendations on how to protect sites from attacks using standard security practices such as updating outdated software, reviewing logs, updating passwords, and review of account privileges.

In addition to these practices, we always recommend using a scanner (like our free Sucuri WordPress plugin), storage backups, and the deployment of a firewall. If you are suffering from an infection, please do not hesitate to contact us. Our sanitation the team is here to help.

Read our top 5 website safety lessons for the year in Part 1 of this article.

About Sandra A. Powell

Check Also

Top 7 WordPress plugins to make your website run smoothly

Are you looking for the best WordPress plugins to help you grow your business? Did …