Blog

Latest News From Blog

Web Application Security

Experts warn of attacks exploiting zero-day in WordPress BackupBuddy plugin

Threat actors are exploiting a zero-day vulnerability in a WordPress plugin called BackupBuddy, Wordfence researchers warned.

On September 6, 2022, the Wordfence Threat Intelligence team was informed of a vulnerability being actively exploited in the BackupBuddy WordPress plugin. The plugin allows users to back up an entire WordPress installation, including theme files, pages, posts, widgets, users, and media files.

The vulnerability, tracked as CVE-2022-31474 (CVSS score: 7.5), can be exploited by an unauthenticated user to download arbitrary files from the affected site. The plugin is estimated to have around 140,000 active installations.

Wordfence researchers determined that threat actors started exploiting this vulnerability in the wild on August 26, 2022, and the firm says it has blocked 4,948,926 attacks targeting the flaw since then. The attackers were attempting to retrieve sensitive files such as /wp-config.php (which holds the site's database credentials and authentication salts) and /etc/passwd.

The vulnerability affects versions 8.5.8.0 to 8.7.4.1 and was fixed in version 8.7.5, released on September 2, 2022; site owners should update to 8.7.5 or later.

The plugin can store backup files in multiple locations ("Destinations"), including Google Drive, OneDrive, and AWS. It also offers a 'Local Directory Copy' option, and the researchers found that the download function behind this feature is not secured, allowing unauthenticated users to download any file stored on the server.

"More specifically the plugin registers an admin_init hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation. This means that the function could be triggered via any administrative page, including those that can be called without authentication (admin-post.php), making it possible for unauthenticated users to call the function," reads the report. "The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded."

"Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability," Wordfence added, withholding further technical details because the flaw is easy to exploit.
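The three missing controls the report describes (no capability check, no nonce validation, no path validation) are a recurring WordPress plugin bug class, so here is an added illustration in PHP. It is not BackupBuddy's code: the handler names, the option name `example_backup_dir`, and the query parameters `example_backup_download` and `backup_file` are assumptions made for this example. The first handler reproduces the defect pattern on an `admin_init` hook; the second is the same feature with each control added. Note that `admin-post.php` fires `admin_init` for unauthenticated visitors, which is why a hook on it is reachable without a login.

```php
<?php
// Added example, not the plugin's code. Handler, option and parameter
// names are hypothetical. Requires the WordPress runtime (add_action,
// current_user_can, check_admin_referer, wp_die, etc.).

// VULNERABLE PATTERN: an admin_init callback that serves whatever file the
// request names. admin_init also runs for admin-post.php, which WordPress
// serves to anonymous visitors, so no authentication gates this code, and
// the supplied path is used as-is.
add_action( 'admin_init', 'example_vulnerable_download' );
function example_vulnerable_download() {
    if ( ! isset( $_GET['example_backup_download'] ) ) {
        return;
    }
    $path = $_GET['backup_file']; // e.g. ../../wp-config.php or /etc/passwd
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );            // arbitrary file read
    exit;
}

// HARDENED PATTERN: same feature with the three missing controls in place.
add_action( 'admin_init', 'example_hardened_download' );
function example_hardened_download() {
    if ( ! isset( $_GET['example_backup_download'] ) ) {
        return;
    }

    // 1. Capability check: anonymous requests (admin-post.php) and
    //    low-privilege users fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. Nonce check: the link must have been built with
    //    wp_nonce_url( $url, 'example_backup_download' ) for this user.
    //    check_admin_referer() terminates the request on failure.
    check_admin_referer( 'example_backup_download' );

    // 3. Path validation: reduce the input to a bare file name, resolve it
    //    under the fixed backup directory, and confirm the resolved path is
    //    still inside that directory and is a backup archive.
    $backup_dir = realpath(
        get_option( 'example_backup_dir', WP_CONTENT_DIR . '/example-backups' )
    );
    $name   = basename( sanitize_file_name( wp_unslash( $_GET['backup_file'] ?? '' ) ) );
    $target = ( $backup_dir && $name !== '' )
        ? realpath( $backup_dir . DIRECTORY_SEPARATOR . $name )
        : false;

    if ( $backup_dir === false
        || $target === false
        || strpos( $target, $backup_dir . DIRECTORY_SEPARATOR ) !== 0
        || ! is_file( $target )
        || strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) !== 'zip'
    ) {
        wp_die( 'Invalid backup file', 400 );
    }

    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    readfile( $target );
    exit;
}
```

The order matters: the capability check comes first so that unauthenticated probes are rejected before any file system access, and the `realpath` prefix comparison is what actually stops traversal, since `basename()` alone would still allow an attacker to request any file that happens to live in the backup directory. When reviewing a plugin for this pattern, look for `admin_init` (or `init`) callbacks that read `$_GET`/`$_POST` and reach `readfile`, `file_get_contents` or `unlink` without a preceding `current_user_can()` and `check_admin_referer()`/`wp_verify_nonce()` call.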

Network Security

Ransom Ops vs. Extended Detection and Response

With nearly four out of ten global organizations admitting to being victims of a ransomware attack in 2021 alone, it's apparent that complex ransomware operations, or RansomOps, are only going to become a bigger part of the cybersecurity dialogue than they already are. Gartner noted that the threat of new ransomware models was a top concern among executives last year, and when you look at the stakes, the evolving landscape, and the RansomOps attacks publicized thus far, you can see why.

RansomOps describes the entire multi-stage ransomware operation, with an ensemble of players who contribute to these highly targeted attacks from initial ingress to lateral movement in the network to delivery of the final encryption payload. RansomOps take a "low and slow" approach, infiltrating the network and often remaining undetected for weeks as the attackers pivot through the targeted environment, frequently exfiltrating sensitive data that is then leveraged in double extortion schemes to compel payment of the ransom even if the victim is able to restore its systems and data from backups.

Understanding how RansomOps attacks work is the first step in knowing how to defend against them.

UNDERSTANDING THE RANSOMOPS ATTACK CHAIN

According to NIST, ransomware "is a type of malicious attack where attackers encrypt an organization's data and demand payment to restore access," and it is a multi-phase process. Rodney Joffe, Forbes Councils Member, explains, "Security teams need to be able to recognize the initial attack long before any information is stolen and encrypted." That requires early detection, so understanding the RansomOps attack chain is necessary. While once the domain of simple "spray and pray" email spam campaigns, ransomware operations today are "much more sophisticated and are more akin to stealthy APT-like operations," which means that every stage must be understood in order to defend against them.

Doing so requires an understanding of the MalOp, or the entirety of the process malicious actors take "from the minute of network penetration until achieving their operational goals." Once you understand that, you can spot opportunities to intercept a ransomware attack at initial ingress, lateral movement, command and control, and so on, and automate response actions earlier in the kill chain instead of focusing solely on the ransomware payload, which is the tail end of a RansomOps attack.

ISACA lists the ransomware kill chain steps as infection/ingress, privilege escalation and persistence, credential abuse, and eventually data encryption. Using these as a general guide, we'll explore what security measures can be implemented at each stage to secure at the speed of attack, and hopefully faster.
