Ubiquiti Payment Gateway

We believe that WISPs serve a crucial role in these difficult times by providing Internet connectivity to all our communities. Our goal with UNMS Cloud and CRM is to empower WISPs with world-class tools and services so that they can focus on connecting the world.

That’s why we are proud to introduce the Ubiquiti Payment Gateway.

Easy and Affordable Payment Processing

We know that fees can add up. That’s why Ubiquiti Payment Gateway is offering an industry-leading processing fee of 1.9%+30c per transaction for the first year.

Better yet, the UPG is simple to use! No need to set up accounts with other payment gateways or use a separate site to manage your subscriptions – simply activate the UPG with a few clicks, go through our quick onboarding process, and you will be using the UPG in no time.

If you are currently using other payment options for your subscriptions, you can easily switch to the UPG from the billing settings. We will continue to support other payment options, if you prefer to keep your existing payment processors.

For now, Ubiquiti Payment Gateway is only available in the United States, but we are working to bring it to other countries. Stay tuned.

Automatic Payments

The UPG isn’t the only thing we’ve been working on. We know that managing monthly payments can be time-consuming. That’s why we have built autopayments into the latest release of CRM. You can activate it in the billing settings:

Autopayments can be set to trigger at invoice creation date or at the due date. No more need to keep track of due dates!

Source :

IoT Security How bad is it?

IoT Explained

An IoT device is simply any physical device with a defined purpose that has an operating system and can communicate through the internet with other things. Projections show that by 2021, about 25 billion IoT devices will be in operation, and 75 billion by the year 2025.

The support of so many connected devices used to be impossible. Now, advances in technology such as IPv6—the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet—and 5G is enabling the IoT revolution.

Benefits of IoT

The benefits of IoT span across all industries, including agriculture and healthcare, but personal lives are enhanced by IoT as well. For example, IoT thermostats monitor and control temperature, which is both convenient and cost saving. Smart watches and Fitbits monitor health stats such as pulse and steps, going so far as to send this information to a doctor or sounding an alert if a risk is detected. Smart cities, homes, and cars are other large-scale examples of IoT. While the ultimate realization of these technologies is a long way off and involves the use of imagination, advancements in IoT aren’t slowing down.

In fact, wearables are a perfect example of this. What was once a clunky step-tracking device is now a fashion statement that serves multiple purposes. In addition, designers and engineers are playing with fabrics that can be interwoven with IoT components so a sport shoe can measure speed, heartbeat, and sweat output or a jacket can charge phones.

Cyber Security With Wearables

However, wearables are prone to cyber attacks. While not a wearable but similar, a connected pacemaker was compromised in 2018, which opened the eyes to the industry of the associated risks that come along with IoT devices. As Dr. Antoniou explains, “The pacemaker was compromised through a remote execution of the code into the person who was having the pacemaker.”

Manufacturers of connected wearables must practice their due diligence to ensure that the security of devices is done correctly. Dr Antoniou emphasizes that the onus lays on the manufacturer.

Smart Cities and IoT

When people think of smart cities, they often envision traffic signals that change according to the current traffic pattern, tickets handed out automatically after cameras catch illegal incidents, or tolls automatically deducted from checking accounts when a sensor deems it appropriate. Smart cities are so much more than that, however.

Dr. Antoniou explains that a smart city exists as an ecosystem of those sensor components plus the services the city is providing. That includes public lighting, smart roads and parks, and free Wi-Fi across the city. Services include DMV renewal and efficiency measures that help keep costs and resource draining low through the use of a connected device or app.

Enterprise IoT

Enterprise IoT, also called Industry 4.0 consists of IoT devices that are designed to operate within a business to drive efficiency, effectiveness, and cost savings. Examples include voiceover IP phones, smart lighting within the building, and smart TVs and vending machines located in an enterprise building. With these tools, internet connection enables TVs with internet access and vending machines can take debit cards. Security features like cameras and intrusion detection also fall into the realm of Enterprise IoT.

There is some concern that Industry 4.0 will eliminate jobs, but Dr. Antoniou believes the contrary. “I think we will see some reduction in certain jobs, but then we will see more demand in other jobs. As we know, cyber security is a very hot field nowadays, and if you go to the Department of Labor, you can see millions of openings especially in cyber security.” He goes on to explain that what IT administration and project management jobs are lost to IoT, cyber security jobs will fill—and then some. He also believes any collateral damage will be worth one other key benefit: sustainability.

“Sustainability is a big, big issue and a trending around the globe. So these devices, they will be helping us to accomplish [the things that make] a better planet: reduce waste [and] make more effective use of resources and consumption.”

On-Prem IoT Security

Many at-home IoT devices run on Wi-Fi connected to home modems. Dr. Antoniou encourages everyone who purchases a new IoT device to always read the manufacturer instructions in order to understand what kind of security parameters and configurations need to be put in place for that device. He also talks about Rule Zero, or his firewall rule. “I explicitly deny everything inbound to my home… That would protect your IoT, but also your other devices that are connected to your home network.”

Dr. Antoniou stresses the fact that IoT technology is still in its infancy. There are a lot of security and connectivity kinks to be worked out. Too many manufacturers are rolling out new, snazzy devices without actively imagining all the future security risks the device may enable. Cyber security needs to be an active part of the manufacturing supply chain.

Digital Identities

Finally, each device must have its own digital identity, or an identity that the device can assume for the entirety of its life. “So the digital identities on the IoTs, it is similar to what we call the identity access management, and it's important to have them. And today, we don't have a centralized digital identity management for IoTs.” Dr. Antoniou is an expert in the future of digital identity evolution: “if you get that digital ID and marry it with a microchip that is embedded to this device and it creates a strong encryption algorithm and somehow creates a digital ID in a centralized identity and access management database that is utilizing blockchain for verification, authentication, and authorization, that device now has a digital ID. It has a body of existence.”

Humans are defined with a social security number which enable transactions like home loans or tax payments. Digital identities for IoT devices identify them within their ecosystem. From there, authorization is granted only to the IDs of the devices we want active on our home or enterprise network. This system is not currently in place. For example, a rogue employee could potentially go to work, pair their smart witch with a Bluetooth device, piggyback into the work network, and steal data. If that smart watch had a digital ID, the network would know instantly that it doesn’t belong.

Currently, Dr. Antoniou explains that the best defense to IoT threats is enterprise education and policy. By running a risk analysis, companies start to think about connectivity as a whole. From there, they can create policies and train employees on those policies.

When asked about current IoT regulations, Dr. Antoniou exhaustedly explains that there aren’t any. Some countries are farther ahead than others, however, and most countries are working on them. Also, there are commonly-accepted preliminary guidelines. “NIST the National Institute of Standards and Technology, run by United States government, has some preliminary frameworks for IoT, but it has not been come to a fruition as a standard yet.”

Source :

What is the difference between authoritative and recursive DNS nameservers?

In today’s blog post, we’ll talk about the difference between authoritative and recursive domain name system (DNS) servers. We’ll explain how these two types of DNS servers form the foundation of the internet and help the world stay connected.

What is the domain name system?

Every computer on the Internet identifies itself with an “Internet Protocol” or “IP” address, which is a series of numbers — just like a phone number. That means you can contact any of those computers by typing in the website name, or you can type the IP address into your browser address bar. Either method will get you to the same destination. All servers that host websites and apps on the internet have IP addresses, too.

Give it a try: the IP address of the Cisco Umbrella website is

The domain name system (DNS) is sometimes referred to as the “phone book” of the Internet.  You can connect to our website by typing in the IP address in the address bar of your browser, but it’s much easier to type in umbrella.cisco.com. DNS was invented so that people didn’t need to remember long IP address numbers (like phone numbers) and could look up websites by human-friendly names like umbrella.cisco.com instead.

There are too many sites on the Internet for your personal computer to keep a complete list. DNS servers power a website directory service to make things easier for humans. Like phone books, you won’t find one big book that contains every listing for everyone in the world (how many pages would that require? That’s a question for a different blog post.)

There are two types of DNS servers: authoritative and recursive. Authoritative nameservers are like the phone book company that publishes multiple phone books, one per region. Recursive DNS servers are like someone who uses a phone book to look up the number to contact a person or company. Keep in mind, these companies don’t actually decide what number belongs to which person or company — that’s the responsibility of domain name registrars.

Let’s talk about the two different types in more detail.

What is a recursive DNS server?

When you type a website address into your browser address bar, it might seem like magic happens. In reality, the DNS system makes effortless internet browsing possible. First, your browser connects to a recursive DNS server. There are many thousands of recursive DNS servers in the world.  Many people use the recursive DNS servers managed by their Internet Service Provider (ISP) and never change them. If you’re a Cisco Umbrella customer, you’re using our recursive DNS servers instead.

Once your computer connects to its assigned recursive DNS server, it asks the question “what’s the IP address assigned to that website name?” The recursive DNS server doesn’t have a copy of the phone book, but it does know where to find one. So it connects to another type of DNS server to continue the search.

What is an authoritative DNS nameserver?

The second type of DNS server holds a copy of the regional phone book that matches IP addresses with domain names. These are called authoritative DNS servers. Authoritative DNS nameservers are responsible for providing answers to recursive DNS nameservers about where specific websites can be found. These answers contain important information for each domain, like IP addresses.

Like phone books, there are different authoritative DNS servers that cover different regions (a company, the local area, your country, etc.)  No matter what region it covers, an authoritative DNS server performs two important tasks. First, it stores lists of domain names and their associated IP addresses. Second, it responds to requests from a recursive DNS server (the person who needs to look up a number) about the correct IP address assigned to a domain name. After getting the answer, the recursive DNS server sends that information back to the computer (and browser) that requested it. The computer connects to the IP address, and the website loads, leading to a happy user who can go on with their day.

Putting it all together

This process happens so quickly that you don’t even notice it happening — unless, of course, something is broken.

Let’s use a real world example. Imagine that you are sitting at your computer and you want to search for pictures of cats wearing bow ties (hey, we don’t judge). So you decide to visit Google to do a web search.

First, you type www.google.com into your web browser. However, your computer doesn’t know the IP address of the server for www.google.com. So your computer starts by sending a query to its assigned recursive DNS nameserver. For this example, we’ll assume you’re one of our customers., So it’s a Cisco Umbrella server. Your computer asks the recursive DNS server to locate the IP address of www.google.com. The Cisco Umbrella recursive DNS nameserver is now assigned the task of finding the IP address of the website. Google is a popular website, so its result will probably be cached. But if the recursive DNS nameserver did not already have a DNS record for www.google.com cached in its system, it will need to ask for help from the authoritative DNS hierarchy to get the answer. This is more likely if you are going to a website that is newer or less popular.

Each part of a domain like www.google.com has a specific authoritative DNS nameserver (or group of redundant authoritative nameservers).

At the top of the server tree are the root domain nameservers. Every website address has an implied “.” at the end, even if we don’t type it in. This “.” designates the DNS root nameservers at the top of the DNS hierarchy. The root domain nameservers will know the IP addresses of the authoritative nameservers that handle DNS queries for the Top Level Domains (TLD) like “.com”, “.edu”, or “.gov”. The Umbrella recursive DNS server first asks the root domain nameserver for the IP address of the .com TLD server, since www.google.com is within the .com TLD.

The root domain nameserver responds with the address of the TLD server. Next, the Umbrella recursive DNS server asks the TLD authoritative server where it can find the authoritative DNS server for www.google.com. The TLD authoritative server responds, and the process continues. The authoritative server for www.google.com is asked where to find www.google.com and the server responds with the answer. Once the Cisco Umbrella recursive DNS server knows the IP address for the website, it responds to your computer with the appropriate IP address. Your browser loads Google, and you can get started with more important business: finding pictures of cats in bow ties.

Example graphic showing how a recursive DNS server works - Cisco Umbrella Blog

Without DNS, the internet stops working

The DNS system is so important to the modern world that we often refer to it as the foundation of the internet. If your recursive DNS service breaks for some reason, you won’t be able to connect to websites unless you type in the IP addresses directly — and who keeps an emergency list of IP addresses in their desk? If the recursive DNS service you use is working, but has been slowed down for some reason (like a cyberattack), then your connection to websites will be slowed down, too.

Cisco Umbrella launched its recursive DNS service in 2006 (as OpenDNS) to provide everyone with reliable, safe, smart, and fast Internet connectivity. Umbrella has a highly resilient recursive DNS network. We’ve had 100% uptime with no DNS outages in our history. Our 30-plus worldwide data centers use anycast routing to send requests transparently to the fastest available data center with automatic failover.

By configuring your network to use Umbrella’s recursive DNS service, you’ll get the fastest and most reliable connectivity you can imagine. But Umbrella provides much more than just plain old internet browsing. Learn more about how we make the internet a safer place for cats in bow ties in our post about DNS-layer security.

Source :

VirusTotal Adds Cynet’s Artificial Intelligence-Based Malware Detection

VirusTotal, the famous multi-antivirus scanning service owned by Google, recently announced new threat detection capabilities it added with the help of an Israeli cybersecurity firm.

VirusTotal provides a free online service that analyzes suspicious files and URLs to detect malware and automatically shares them with the security community. With the onslaught of new malware types and samples, researchers rely on the rapid discovery and sharing provided by VirusTotal to keep their companies safe from attacks.

VirusTotal relies on a continuous stream of new malware discoveries to protect its members from significant damage.

Cynet, the creator of the autonomous breach protection platform, has now integrated its Cynet Detection Engine into VirusTotal.

The benefits of this partnership are twofold. First, Cynet provides the VirusTotal partner network cutting-edge threat intelligence from its ML-based detection engine (CyAI) that actively protects the company's clients around the globe.

CyAI is a continuously learning and evolving detection model that routinely contributes information about new threats that are not available in VirusTotal. Although many vendors are using AI/ML models, the ability of the models to detect new threats vary greatly.

Cynet routinely outperforms third party and open source detection platforms and is frequently relied upon in incident response cases when underlying threats remain hidden from other solutions.

For example, Cynet recently conducted an Incident Response engagement for a large telecom provider. Cynet discovered several malicious files that did not appear in the VirusTotal database.

Contributing information on these newly discovered files helps our entire industry perform better and protect businesses against cyber-attacks.

Second, Cynet will leverage intelligence in VirusTotal to inform its CyAI model in order to continuously improve its detection capabilities and accuracy.

Cynet AI is continually evolving, constantly learning new datasets in order to improve its accuracy and decrease its already-low false positive ratio. Comparing files found to be malicious by CyAI against files also found to be malicious by other providers helps to quickly validate Cynet's findings.

Source :

Docker Images Containing Cryptojacking Malware Distributed via Docker Hub

With Docker gaining popularity as a service to package and deploy software applications, malicious actors are taking advantage of the opportunity to target exposed API endpoints and craft malware-infested images to facilitate distributed denial-of-service (DDoS) attacks and mine cryptocurrencies.

According to a report published by Palo Alto Networks' Unit 42 threat intelligence team, the purpose of these Docker images is to generate funds by deploying a cryptocurrency miner using Docker containers and leveraging the Docker Hub repository to distribute these images.

"Docker containers provide a convenient way for packaging software, which is evident by its increasing adoption rate," Unit 42 researchers said. "This, combined with coin mining, makes it easy for a malicious actor to distribute their images to any machine that supports Docker and instantly starts using its compute resources towards cryptojacking."

Docker is a well-known platform-as-a-service (PaaS) solution for Linux and Windows that allows developers to deploy, test, and package their applications in a contained virtual environment — in a way that isolates the service from the host system they run on.

The now taken down Docker Hub account, named "azurenql," consisted of eight repositories hosting six malicious images capable of mining Monero, a privacy-focused cryptocurrency.

The malware author behind the images used a Python script to trigger the cryptojacking operation and took advantage of network anonymizing tools such as ProxyChains and Tor to evade network detection.

The coin mining code within the image then exploited the processing power of the infected systems to mine the blocks.

The images hosted on this account have been collectively pulled over ​two million times​ since the start of the campaign in October 2019, with one of the wallet IDs used to earn more than 525.38 XMR ($36,000).

Exposed Docker Servers Targeted With DDoS Malware

That's not all. In a new mass-scanning operation spotted by Trend Micro researchers, unprotected Docker servers are being targeted with at least two different kinds of malware — XOR DDoS and Kaiji — to collect system information and carry out DDoS attacks.

"Attackers usually used botnets to perform brute-force attacks after scanning for open Secure Shell (SSH) and Telnet ports," the researchers said. "Now, they are also searching for Docker servers with exposed ports (2375)."

It's worth noting that both XOR DDoS and Kaiji are Linux trojans known for their ability to conduct DDoS attacks, with the latter written entirely from scratch using Go programming language to target IoT devices via SSH brute-forcing.

The XOR DDoS malware strain works by searching for hosts with exposed Docker API ports, followed by sending a command to list all the containers hosted on the target server, and subsequently compromising them with the XORDDoS malware.

Likewise, the Kaiji malware scans the internet for hosts with exposed port 2375 to deploy a rogue ARM container ("linux_arm") that executes the Kaiji binary.

"While the XOR DDoS attack infiltrated the Docker server to infect all the containers hosted on it, the Kaiji attack deploys its own container that will house its DDoS malware," the researchers said, noting the difference between the two malware variants.

In addition, both the two pieces of malware gather details such as domain names, network speeds, process identifiers of running processes, and CPU and network information that are needed to mount a DDoS attack.

"Threat actors behind malware variants constantly upgrade their creations with new capabilities so that they can deploy their attacks against other entry points," the researchers concluded.

"As they are relatively convenient to deploy in the cloud, Docker servers are becoming an increasingly popular option for companies. However, these also make them an attractive target for cybercriminals who are on the constant lookout for systems that they can exploit."

It's advised that users and organizations who run Docker instances immediately check if they expose API endpoints on the Internet, close the ports, and adhere to recommended best practices.

Source :

SonicWall’s New SD-Branch Solution, Multi-gigabit Switch Line Secure Dispersed Businesses, Branch Locations

There’s nothing normal about the “new business normal.” The past few months have represented a complete shift in the way we think of work  — and with vastly more employees working remotely than ever before, bringing with them an unprecedented quantity of exposure points and risk, the traditional cybersecurity model is proving woefully inadequate.

As cybercriminals ramp up attacks on anyone they perceive to be vulnerable, it isn’t enough to simply enable working from home. To truly ensure business continuity, you must secure and rearchitect these massively distributed networks with a platform capable of stopping the ever-increasing number of threats — both known and unknown.

To help your organization meet the challenges brought by this new cybersecurity reality, SonicWall is introducing three new solutions: SonicWall SD-Branch, SonicWall Switch and SonicWall Capture Client 3.0.

SonicWall SD-Branch

Many businesses need to secure remote branch offices and retail stores, but it often isn’t possible — or practical — to have dedicated IT staff at each of these locations. SonicWall SD-Branch enables your organization to provide seamless connectivity that keeps pace with escalating bandwidth demands, and allows you to quickly and cost-effectively upgrade the network security at your remote locations.

Secure SD-Branch is a comprehensive solution that combines the power of secure SD-WANsecure wireless and wired LAN technology with zero-touch deployment. Through the power of Capture Security Center — SonicWall’s cloud-based, single-pane-of-glass management console — the management, reporting and analytics for all locations is centralized and accessible from any web-enabled device.

SonicWall Switches

The shift to remote work has resulted in a sudden rise in the use of high-bandwidth applications — something that can easily overwhelm branch networks. At the same time, monitoring, managing and continually refreshing a growing number of network devices across multiple branches has grown exponentially more difficult, especially since many branch locations don’t have trained IT staff.

SonicWall Switches offer multi-gigabit wired performance that lets you rapidly scale your branch networks through remote installation. Available in seven models — ranging from eight to 48 ports, with gigabit and 10 gigabit ethernet ports — SonicWall Switches deliver network switching that accommodates the growing number of mobile and IoT devices in branch locations and provides the network performance needed to support cloud-delivered applications. SonicWall Switches also fit seamlessly into your existing SonicWall ecosystem, helping you to unify your network security posture. They’re SD-Branch-ready and managed via firewalls — either locally or through SonicWall’s cloud-based Capture Security Center — for unified, single-pane-of-glass management of your entire SonicWall infrastructure.

SonicWall Capture Client 3.0

SonicWall Capture Client 3.0 allows employees to operate remotely without having to worry to about advanced threats, all while giving administrators comprehensive visibility and the ability to extend standard protections to remote endpoints. SonicWall Capture Client 3.0 is the latest iteration of our lightweight, unified endpoint protection platform, and features a number of new and upgraded features.

Capture Client 3.0’s comprehensive, client-based content filtering allows you to easily extend network-based content filtering to off-network users. It provides HTTP and HTTPS traffic inspection capabilities, along with the ability to assign exclusions for trusted applications or blacklist untrusted applications. Capture Client also offers real-time visibility of applications and identifies vulnerabilities.

Starting with Capture Client 3.0, administrators can leverage Azure active directory properties for granular policy assignment based on categories such as group membership — regardless of whether the directory is hosted on-prem or in the cloud.

Capture Client 3.0 also brings in support for the SentinelOne Linux agent, enabling you to extend next-generation antimalware capabilities to Linux servers. This feature will allow customers to safeguard Linux-based workloads irrespective of their location — on-prem or in the cloud.

Source :

High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites

A few weeks ago, our Threat Intelligence team discovered several vulnerabilities present in Page Builder: PageLayer – Drag and Drop website builder, a WordPress plugin actively installed on over 200,000 sites. The plugin is from the same creators as wpCentral, a plugin within which we recently discovered a privilege escalation vulnerability.

One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things. A second flaw allowed attackers to forge a request on behalf of a site’s administrator to modify the settings of the plugin which could allow for malicious Javascript injection.

We initially reached out to the plugin’s developer on April 30, 2020 and after establishing an appropriate communication channel, we provided the full disclosure on May 1, 2020. They responded quickly on May 2, 2020 letting us know that they were beginning to work on fixes. An initial patch was released on May 2, 2020 and an optimal patch was released on May 6, 2020.

These are considered high-level security issues that could potentially lead to attackers wiping your site’s content or taking over your site. We highly recommend an immediate update to the latest version available at the time of this publication, which is version 1.1.4.

Wordfence Premium customers received a new firewall rule on April 30, 2020, to protect against exploits targeting this vulnerability. Free Wordfence users will receive this rule after thirty days, on May 30, 2020.

Description: Unprotected AJAX and Nonce Disclosure to Stored Cross-Site Scripting and Malicious Modification
Affected PluginPage Builder: PageLayer – Drag and Drop website builder
Plugin Slug: pagelayer
Affected Versions: <= 1.1.1
CVE ID: Will be updated once identifier is supplied.
CVSS Score: 7.4 (High)
Fully Patched Version: 1.1.2

PageLayer is a very easy to use WordPress page builder plugin that claims to work with nearly all themes on the market and in the WordPress repository. It provides extended customization of pages through the use of widgets that can add page elements like buttons, tables, excerpts, products and more.

We discovered that nearly all of the AJAX action endpoints in this plugin failed to include permission checks. This meant that these actions could be executed by anyone authenticated on the site, including subscriber-level users. As standard, these AJAX endpoints only checked to see if a request was coming from /wp-admin through an authenticated session and did not check the capabilities of the user sending the request.

There were nonce checks in use in all of these functions, but nonces can be easily compromised if incorrectly implemented – for example, if a usable nonce is displayed within the source code of the site’s output. Unfortunately for the PageLayer plugin, this is precisely what happened. A usable nonce was visible in the header section of the source code of any page that had previously been edited using the PageLayer plugin. Any site visitor could find this nonce, whether they were logged in or not, allowing any unauthenticated user the ability to obtain a legitimate nonce for the plugin’s AJAX actions.

PageLayer nonce obtainable from page source.

Using a single nonce as the mechanism for authorization control caused various security issues in the functionalities of the page builder due to this nonce being so easily obtainable.

WordPress nonces should never be used as a means of authorization as they can easily be compromised if implemented improperly or if a loophole is found. WordPress nonces are designed to be used for CSRF protection, not authorization control. Implementing capability checks in conjunction with CSRF protection on sensitive functions for full verification provides protection to ensure a request is coming from an authorized user.

The Impact

As previously mentioned, several AJAX functions were affected, causing a large variety of potential impacts. A few of the most impactful actions were wp_ajax_pagelayer_save_contentwp_ajax_pagelayer_update_site_title, and wp_ajax_pagelayer_save_template.

add_action('wp_ajax_pagelayer_save_content', 'pagelayer_save_content');
add_action('wp_ajax_pagelayer_update_site_title', 'pagelayer_update_site_title');
add_action('wp_ajax_pagelayer_save_template', 'pagelayer_save_template');

The pagelayer_save_content function is used to save a page’s data through the page builder. The lack of permission checks on this function allowed authenticated users, regardless of permissions, the ability to change any data on a page edited with PageLayer.

function pagelayer_save_content(){
    // Some AJAX security
    check_ajax_referer('pagelayer_ajax', 'pagelayer_nonce');
    $content = $_POST['pagelayer_update_content'];
    $postID = (int) $_GET['postID'];
        $msg['error'] =  __pl('invalid_post_id');

An attacker could wipe the pages completely or inject any content they would like on the site’s pages and posts. In addition, a few widgets allowed Javascript to be injected, including the “Button” widget. There is no sanitization on the “Button” widget’s text, which allows for malicious Javascript to be used as a text. This Javascript would execute once any user browsed to a page containing that button.

PageLayer button with alert JS injected.

The pagelayer_update_site_title function is used to update a site’s title. The lack of permission checks on this function allowed authenticated users the ability to change a site title to any title of their choosing. Though less detrimental, this could still affect your sites search engine ranking if unnoticed for an extended period of time.

function pagelayer_update_site_title(){
    global $wpdb;
    // Some AJAX security
    check_ajax_referer('pagelayer_ajax', 'pagelayer_nonce');
    $site_title = $_POST['site_title'];
    update_option('blogname', $site_title);
    $wpdb->query("UPDATE `sm_sitemeta`
                SET meta_value = '".$site_title."'
                WHERE meta_key = 'site_name'");

The pagelayer_save_template function is used to save PageLayer templates for the PageLayer Theme Builder. The lack of permission checks on this function allowed authenticated users the ability to create new PageLayer templates that were saved as new posts.

function pagelayer_save_template() {
    // Some AJAX security
    check_ajax_referer('pagelayer_ajax', 'pagelayer_nonce');
    $done = [];
    $post_id = (int) $_GET['postID'];
    // We need to create the post
        // Get the template type
            $done['error'] = __pl('temp_error_type');
        $ret = wp_insert_post([
            'post_title' => $_POST['pagelayer_lib_title'],
            'post_type' => 'pagelayer-template',
            'post_status' => 'publish',
            'comment_status' => 'closed',
            'ping_status' => 'closed'

Though this function was intended to be used in the PRO version of the plugin, the function could still be executed in the free version, affecting all 200,000+ users of the PageLayer plugin. An attacker could create a new template, which created a new page on the site, and inject malicious Javascript in the same way they could with the pagelayer_save_content function.

Malicious Javascript can be used to inject new administrative users, redirect site visitors, and even exploit a site’s user’s browser to compromise their computer.

The Patch

In the latest version of the plugin, the developers implemented permissions checks on all of the sensitive functions that could make changes to a site, and reconfigured the plugin to create separate nonces for the public and administrative areas of a WordPress site.

// Are you allowed to edit ?
    $msg['error'][] =  __pl('no_permission');
Description: Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected PluginPage Builder: PageLayer – Drag and Drop website builder
Plugin Slug: pagelayer
Affected Versions: <= 1.1.1
CVE ID: Will be updated once identifier is supplied.
CVSS Score: 8.8 (High)
Fully Patched Version: 1.1.2

The PageLayer plugin registers a settings area where configuration changes can be made. This includes functionality such as where the editor is enabled, basic content settings, basic information configurations, and more.

PageLayer settings area.

The settings update function used a capability check to verify that a user attempting to make any changes had the appropriate permissions. However, there was no CSRF protection to verify the legitimacy of any request attempting to update a site’s settings. This made it possible for attackers to trick an administrator into sending a request to update any of the PageLayer settings.

function pagelayer_settings_page(){
    $option_name = 'pl_gen_setting' ;
    $new_value = '';
        $new_value = $_REQUEST['pl_gen_setting'];
        if ( get_option( $option_name ) !== false ) {
            // The option already exists, so we just update it.
            update_option( $option_name, $new_value );

The “Information” tab in the settings area provides site owners with a way to set a default address, telephone number, and contact email address that are displayed whenever the corresponding widgets were used on a page. There was no sanitization on the address or telephone number settings, and due to the administrator’s capability to use unfiltered_html, Javascript could be injected into these settings.

PageLayer Address updated with alert JS.

The Impact

This allowed attackers the ability to inject malicious scripts while exploiting the CSRF vulnerability in the settings. If the widget was already enabled, any injected malicious scripts would execute whenever someone browsed to a page containing that widget. If the widget was not yet enabled, the malicious scripts could be executed once an administrator started editing and inserting the widget into a page. As always, these scripts can do things like create a new administrative account and redirect users to malicious sites.

The Patch

In the patched version of the plugin, the developers implemented CSRF protection consisting of a WordPress nonce and verification of that nonce when updating settings.


PoC Walkthrough: pagelayer_save_content

Disclosure Timeline

April 24, 2020 to April 30, 2020 – Initial discovery of minor security flaw and deeper security analysis of plugin.
April 30, 2020 – Firewall rule was released for Wordfence Premium customers. We made our initial contact attempt with the plugin’s development team.
May 1, 2020 – The plugin’s development team confirms appropriate inbox for handling discussion. We provide full disclosure.
May 2, 2020 – Developer acknowledges receipt and confirms that they are beginning to work on fixes. An update is released the same day.
May 4, 2020 – We analyze the fixes and discover a few security issues left unpatched and responsibly disclose these issues to the developer.
May 6, 2020 – Developer releases the final sufficient patch.
May 30, 2020 – Free Wordfence users receive firewall rule.


In today’s post, we detailed several flaws related to unprotected AJAX actions and nonce disclosure that allowed for attackers to make several malicious modifications to a site’s pages and posts in addition to providing attackers with the ability to inject malicious Javascript. These flaws have been fully patched in version 1.1.2. We recommend that users immediately update to the latest version available, which is version 1.1.4 at the time of this publication.

Sites running Wordfence Premium have been protected from attacks against this vulnerability since April 30, 2020. Sites running the free version of Wordfence will recieve this firewall rule update on May 30, 2020. If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected.

Source :

Large Scale Attack Campaign Targets Database Credentials

Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files.

The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.

A graph showing the spike in attacks
We were able to link these attacks to the same threat actor previously targeting XSS vulnerabilities at a similar scale. All Wordfence users, including Wordfence Premium and those still using the free version of Wordfence, are protected by our firewall’s built-in directory traversal protection.

Different vulnerabilities, same IPs

The previously reported XSS campaigns sent attacks from over 20,000 different IP addresses. The new campaign is using the same IP addresses, which accounted for the majority of the attacks and sites targeted. This campaign is also attacking nearly a million new sites that weren’t included in the previous XSS campaigns.

As with the XSS campaigns, almost all of the attacks are targeted at older vulnerabilities in outdated plugins or themes that allow files to be downloaded or exported. In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts. An attacker with access to this file could gain access to the site’s database, where site content and users are stored.

Indicators of Compromise

Attacks by this campaign should be visible in your server logs. Look for any log entries containing wp-config.php in the query string that returned a 200 response code.

The top 10 attacking IP addresses in this campaign are listed below.

What should I do?

Sites running Wordfence are protected against this campaign. If your site is not running Wordfence, and you believe you have been compromised, change your database password and authentication unique keys and salts immediately.

If your server is configured to allow remote database access, an attacker with your database credentials could easily add an administrative user, exfiltrate sensitive data, or delete your site altogether. Even if your site does not allow remote database access, an attacker who knows your site’s authentication keys and salts may be able to use them to more easily bypass other security mechanisms.

If you’re not comfortable making the changes above, please contact your host, since changing your database password without updating the wp-config.php file can temporarily take down your site.


In today’s post, we covered another large-scale attack campaign against WordPress sites by a threat actor we have been tracking since February. All Wordfence users, including sites running the free version of Wordfence, and Wordfence Premium, are protected against these attacks. Nonetheless, we urge you to make sure that all plugins and themes are kept up to date, and to share this information with any other site owners or administrators you know. Attacks by this threat actor are evolving and we will continue to share additional information as it becomes available.

Source :

WordPress 5.4.2 Patches Multiple XSS Vulnerabilities

WordPress Core version 5.4.2 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that would require specific circumstances to exploit. All in all this release contains 6 security fixes, 3 of which are for XSS (Cross-Site Scripting) vulnerabilities. Both the free and Premium versions of Wordence have robust built-in XSS protection which will protect against potential exploitation of these vulnerabilities.

A Breakdown of each security issue

An XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor

This flaw would have made it possible for an attacker to inject JavaScript into a post by manipulating the attributes of Embedded iFrames. This would be exploitable by users with the edit_posts capability, meaning users with the Contributor role or higher in most configurations.

The changeset in question is:

This issue was discovered and reported by Sam Thomas (jazzy2fives)

An XSS issue where authenticated users with upload permissions are able to add JavaScript to media files

This flaw would have made it possible for an attacker to inject JavaScript into the “Description” field of an uploaded media file. This would be exploitable by users with the upload_files capability, meaning users with the Author role or higher in most configurations.

The changeset in question is:

This issue was discovered and reported by Luigi – (gubello.me)

An open redirect issue in wp_validate_redirect()

For this flaw, the wp_validate_redirect function failed to sufficiently sanitize URLs supplied to it. As such it would have been possible under certain circumstances for an attacker to craft a link to an impacted site that would redirect visitors to a malicious external site. This would not require specific capabilities, but it would typically require either social engineering or a separate vulnerability in a plugin or theme to exploit.

The changeset in question is:

This issue was discovered and reported by Ben Bidner of the WordPress Security Team.

An authenticated XSS issue via theme uploads

This flaw would have made it possible for an attacker to inject JavaScript into the stylesheet name of a broken theme, which would then be executed if another user visited the Appearance->Themes page on the site. This would be exploitable by users with the install_themes or edit_themes capabilities, which are only available to administrators in most configurations.

The changeset in question is:

This issue was discovered and reported by Nrimo Ing Pandum

An issue where set-screen-option can be misused by plugins leading to privilege escalation

For this flaw, a plugin incorrectly using the set-screen-option filter to save arbitrary or sensitive options could potentially be used by an attacker to gain administrative access. We are not currently aware of any plugins that are vulnerable to this issue.

The changeset in question is:

This issue was discovered and reported by Simon Scannell of RIPS Technologies

An issue where comments from password-protected posts and pages could be displayed under certain conditions

For this flaw, comment excerpts on password-protected posts could have been visible on sites displaying the “Recent Comments” widget or using a plugin or theme with similar functionality.

The changeset in question is:

This issue was discovered and reported by Carolina Nymark

Note: This is unrelated to an issue where unmoderated spam comments were briefly visible and indexable by search engines.

What should I do?

Most of these vulnerabilities appear to be exploitable only under limited circumstances or by trusted users, but we recommend updating as soon as possible. Attackers may find ways to exploit them more easily, or the researchers who discovered these vulnerabilities may publish Proof of Concept code that allows simpler exploitation. This is a minor WordPress release, so most sites will automatically update to the new version.


We’d like to thank the WordPress core team and the researchers who discovered and responsibly reported these vulnerabilities for making WordPress safer for everyone.

You can find the official announcement of the WP 5.4.2 release on this page. If you have any questions or comments, please don’t hesitate to post them below and we’ll do our best to answer them in a timely manner. If you are one of the researchers whose work is included above and would like to provide additional detail or corrections, we welcome your comments.

Source :

Inadequate security makes WordPress sites a land of opportunity for hackers

The famous American robber Willie Sutton was asked once why he robbed banks. His answer was humorous, direct, and revealing: “Because that’s where the money is.

For hackers, WordPress sites represent a similar rich vein of opportunity. WordPress is one of the world’s most popular web publishing platforms. Its ease of publishing is popular with smaller businesses and organizations looking to establish a quick and easy presence on the internet.

Unfortunately, that same ease lends itself to insecure web practices, such as web platforms that aren’t properly protected, weak passwords, and lack of administrative controls. The latter can also make it easy for increased lateral movement once an initial web server is compromised. This can greatly increase the scale of damage, making WordPress infrastructure very lucrative for hackers.

Cisco Umbrella threat researchers have been analyzing attacks on various WordPress sites recently. We found some interesting examples of how attackers are compromising WordPress sites. Let’s look into it.

How do attackers compromise a WordPress site?

Generally, what we’ve seen are variations of land-and-expand techniques. Hackers seek opportunities to infiltrate weakly protected WordPress sites, identify associated assets through phishing and other subterfuge, and expand their network of compromised assets for further expansion of opportunities to monetize their activities.

There are several ways to infiltrate WordPress infrastructure. But, generally, we’ve seen attackers progress by these sorts of actions:

  1. Take control of the WordPress site through brute force attacks, trojans inside themes and plug-ins, and exploitation of poorly protected admin controls
  2. Host malware
  3. Host phishing pages that mimic popular brands to collect more information
  4. Host spam pages to create more intelligence-gathering opportunities
  5. Most importantly, use the compromised site to attack other WordPress sites

How does an attacker find and select a site to attack?

An attacker can use systems that are designed to scan the internet for vulnerable WordPress sites and then notify the attacker’s command-and-control server.

Another method to discover vulnerable sites for attack is open source domain intelligence. For example, an attacker could find a domain by using Google Dorks.

When our researchers examined the compromised machines, they found a lot of malicious PHP scripts and malware.

First, an attacker would append the malicious code in the index page. So when a customer visits the WordPress site, it redirects to spam pages — or it may trigger the server to do something else.

 An example of such spam page redirection follows:

Example of spam page redirection - Cisco Umbrella Blog

This attack type is not new — we have been seeing attacks like this for a while.

We also observed cases where malware was hosted on the website. In one case, we found a trojan that made contact with the domain detroidcliper[.]at.

example of a command-and-control server whose domain has very high query volume - Cisco Umbrella Blog

This particular domain is a command-and-control server. It receives a lot of queries, with high query volumes reaching a max of 94k queries. We also observed a login panel hosted at this domain, that matches the login panel of Sarwent.

Example of a login panel that matches the login panel of sarwent, which is implicated in prior attacks - Cisco Umbrella Blog

Let’s take a closer look at malicious scripts that were hosted on a compromised WordPress site. Most of them are PHP scripts which are obfuscated heavily. The most commonly used obfuscation method is eval(gzuncompress(base64_decode(Endoded_content)));

Example of the most commonly used obfuscation method - Cisco Umbrella Blog

After decoding, we found the following script.

Example of obfuscated PHP script found after decoding - Cisco Umbrella Blog

This PHP code contains an executable file delivered via Base64 encoding. When the PHP code runs, the executable file executes directly in the memory.

Example of WordPress site with PHP code containing an executable file delivered via Base64 encoding - Cisco Umbrella Blog

Another function in the PHP code also searches for an exploit in order to perform privilege escalation.

Example of a function in the PHP code searching for an exploit to escalate the privilege in WordPress - Cisco Umbrella Blog

The remainder of the malicious scripts perform various tasks. Some of these redirect to spam sites, give shell access to attackers, and others are used to attempt to compromise other WordPress sites. Generally, the objectives are to collect more intelligence in search of further opportunities to exploit, and compromise more sites to continue the cycle.

A brute force WordPress attack is an ongoing process. On average, a single compromised WordPress site tries to brute force about 2,000 other domains per day. Not every WordPress site will be compromised, but enough WordPress sites have easy-to-guess common passwords to make this type of attack worthwhile. Usually, attackers keep a list of simple passwords and use them to launch a brute force attack on a site.

During an analysis of network traffic, we noticed that one of the compromised sites was contacting another domain continuously.

The domain was styleofphucet[.]at. Surprisingly, this one also has high query volume.

Example showing that the higher the query volume of the command-and-control server, the more the sites have been compromised - Cisco Umbrella Blog

This domain was repeatedly contacted during the same compromise that included network callouts to detroidcliper[.]at.

While we were researching more about this attack, we found a domain that was embedded in pages of many compromised domains. We found that it hosted an open directory that was very revealing. Inside the directory, we found almost all of the WordPress domains related to the attacks.

Example of a WordPress directory where we found almost all the domains involved in the attacks - Cisco Umbrella Blog
Example of a massive amount of random text that may be browser history of victims - Cisco Umbrella Blog

We observed that a massive amount of random text was collected and stored by the attacker. After closer analysis, we realized that it may be browser history of victims.

Why would an attacker store a random massive list of browser history? Isn’t this strange?

We believe that attackers use this browser history to search in various search engines for vulnerable domains using a bot. Any of those domains may become the target.

Also, the attackers use the sitemap for the pages they have hosted and let the bots crawl them. This way, when a user searches for a website, they get the pages that are hosted by the attackers instead of what they intended to visit.

How can WordPress administrators protect themselves from these kinds of exploits? Whenever a WordPress site is being hosted, the administrator has to make sure that all security requirements are met. So many attacks that are happening today are because of a lack of security controls, use of weak passwords, and because of vulnerable themes and plugins.

Here are some best practices to protect WordPress sites:

  1. Use a strong password and change it regularly
  2. Use adequate access controls
  3. Update plugins and themes

By taking these types of measures, you can reduce the attack surface so that your site is less likely to be compromised.

With Cisco Umbrella, you get instant access to interactive threat intelligence that lets you conduct investigations and uncover attacks before they start. Our recursive DNS servers resolve more than 200 billion requests per day, so we can see the relationships between malware, domains, IPs, and networks across the internet. Our threat analysis learns from internet activity patterns to automatically identify attacker infrastructure being staged for the next threat.

Learn more about how predictive intelligence can make a difference in your ability to stop threats by reading our technical paper, The Role of Predictive Intelligence in the Fight Against Cyber Attacks.

Check out our recent article on threat intelligence to dive into pandemic-themed phishing attacks and uncover how attackers orchestrate sophisticated campaigns to take advantage of the current pandemic.


Possible Compromised sites:



Source :