Category: Godaddy

You can secure your WordPress sites with CrowdSec using our latest application bouncer, available on the WordPress marketplace. This new plugin is compatible with versions 1.0.x and beyond. Given that the vast majority of websites in the world are hosted on WordPress, this plugin improves our defense arsenal in our mission to defend the greatest number.

Step one: Install CrowdSec agent

This bouncer has been designed to protect WordPress-hosted websites from all kinds of attacks. To be able to use this blocker, the first step is to install the CrowdSec agent.

Then, both installation and configuration of the plugin can be done in a few clicks from the WordPress marketplace.

Please note that first and foremost CrowdSec must be installed on a server that is accessible via the WordPress site.  Remember: CrowdSec detects, bouncers deter.

Both pieces of software don’t have to be installed on the same server, although that would be easiest. To protect your server in the best possible way, the CrowdSec agent needs to be able to read relevant logs – either via file, syslog or whatever works best in your environment.

Step two: Install WordPress plugin

Installing the CrowdSec WordPress plugin is as easy as installing any other WordPress plugin:

• Click ‘Plugins’ in the left navigation on your site’s dashboard. 
• Type ‘CrowdSec’ in the text field to the right. Hit enter. 
• In the CrowdSec plugin click ‘Install Now’

Once installed click ‘activate’ as illustrated below.

Now configure the plugin by clicking CrowdSec in the left navigation as shown below.

Set LAPI URL to the location of your CrowdSec agent. Is it installed on the same server, fill it out as shown above.

‘Bouncer API’ is created in cscli. Just follow the instructions. 

For details on how to configure the CrowdSec WordPress bouncer, go to the official documentation or read on. Pay special attention to the option ‘Public website only’. This must be disabled if you wish to protect wp-admin (which you most likely would want to).

The “Flex mode” – a bulwark agains false positives

Thanks to the “Flex mode”, it is impossible to accidentally block access to your site to people who don’t deserve it. This mode makes it possible to never ban an IP but only to offer a Captcha, in the worst-case scenario.

CrowdSec blends into your design

When a user is suspected to be malevolent, CrowdSec will either send them her a Captcha to resolve or simply a page notifying that access is denied. Please note that it is possible to customize all the colors of these pages in a few clicks so that they integrate best with your design. On the other hand, all texts are also fully customizable. This will allow you, for example, to present translated pages in your users’ language.

The right balance between performance and security

By default, the “live mode” is enabled. The first time a stranger connects to your website, this mode means that the IP will be checked directly by the CrowdSec API. The rest of your user’s browsing will be even more transparent thanks to the fully customizable cache system.

But you can also activate the “Stream mode.” This mode allows you to constantly feed the bouncer with the malicious IP list via a background task (CRON), making it even faster when checking the IP of your visitors. Besides, if your site has a lot of unique visitors at the same time, this will not influence the traffic to the API of your CrowdSec instance.

If you’ve ever been confronted with high traffic, you are probably familiar with Redis or Memcached technologies. You have the capability to activate these caching technologies in the CrowdSec bouncer settings to guarantee invisible IP control on your site. For further explanation on stream vs live mode, check the official documentation.

CDN-friendly without forgetting other load balancers

If you use a CDN, a reverse proxy, or a load balancer, it is now possible to indicate in the bouncer settings the IP ranges of these devices to check the IP of your users. For other IPs, the bouncer will not trust the X-Forwarded-For header.

Coming up next

Soon, the plugin will have a dashboard allowing you to visualize the activity of your bouncer in live. It will also be possible to connect directly to CrowdSec’s global reputation database, without having to install an agent on your machine if you don’t wish to.

Widely tested, 100% open source

This plugin has been tested on the vast majority of WordPress versions installed in the world (90%+), according to WordPress real-time statistics. It has also been tested on a very wide range of PHP versions (7.2, 7.3, 7.4 and 8), the language in which WordPress is coded.

This plugin is released under MIT license, the most permissive and free license in the world. Its source code is fully available on GitHub. You can discover the entire collection of CrowdSec bouncers at our Hub. Beyond this one, you will find there more freshly released additions.

We would love to hear your feedback about this WordPress plugin. If you are interested in testing the bouncer to protect your sites or would like to get in touch with the team, give us a shout!

Source :
https://www.crowdsec.net/blog/wordpress-bouncer

Today we’re thrilled to announce our new partnership with CrowdSec.

This is easily one of the most exciting developments in WordPress security for a long time, and it aligns with our goals to make Shield Security the best WordPress security solution, for everyone.

Our #1 mission with Shield is to deliver the most powerful security for WordPress sites. We’re not out to make millions in sales and scare you into upgrading to ShieldPRO because we have KPI targets.

We’re here simply to protect people and their businesses.

Our partnership with CrowdSec helps us fulfill that aspiration as we’re convinced it’ll deliver major security enhancements for every WordPress site running on Shield Security.

We hope you’ll be as excited as we are, after you learn about this collaboration!

In this article you’ll discover:

• What CrowdSec is.
• Why we decided to partner with CrowdSec.
• How your WordPress security is enhanced with this integration.
• How the CrowdSec integration differs between ShieldPRO and ShieldFREE

What Is CrowdSec?

CrowdSec is a global, open-sourced, crowd–sourcing initiative launched in an effort to combat the threat of malicious machines and bots that attack our websites and apps.

By gathering threat data about bots from millions of different sources, Crowdsec can build and share reliable intelligence about malicious bots (their IP addresses).

As a subscriber to CrowdSec, they’ll notify you about bad IP addresses, so that when those IPs send requests to your site/app, you can take action to block them immediately.

The reason this is so powerful is that when you block an IP address that you know is “bad”, you block all security threats from that IP completely. So the more quickly you can know about those bad IPs, the safer your sites will be.

Summary: Crowdsec offers you faster identification of bad IP addresses based on information gathered from other sites/servers across the globe.

So Why Partner With CrowdSec?

We’ve wanted to build this type of intelligence network for Shield, for a long time.

It’s a complex system and we were working our way through it when we stumbled upon CrowdSec. It immediately piqued our interest since their focus is somewhat similar to our own.

We figured that if we could get their knowledge fed into Shield, then our customers could indentify bad bots more quickly and thereby instantly increase their protection.

We reached out to them to discuss whether there was scope for collaboration and they could immediately see, in-principle, that there was potential for mutual benefit.

Afterall, if Shield can give them access to data points about bad IPs from across 60,000+ WordPress websites, it’d be a huge addition to their network.

And conversely, if WordPress sites running Shield can access shared intelligence from all those sites and other websites/apps/platforms, our customers will also benefit.

What’s not to like about this idea?

They agreed that a collaboration between was definitely beneficial, and so here we are today!

How Does the CrowdSec Partnership Enhance Your WordPress Security?

We briefly touched upon this topic already, but we’ll go into a bit more below.

On any given WordPress site, Shield’s Automatic IP blocking system gathers intelligence about IP addresses that send requests to the site. It keeps track of bad IPs using a counter of “offenses” and when that IP has exceeded the allowed limit, it’s blocked from further access.

Basically a bad bot has 10 chances before it’s completely blocked. (10 is configurable)

This means there’s a small “window” open to any IP address to probe, attack or exploit your site, before Shield can be sure that they’re malicious.

With the CrowdSec integration, your WordPress sites will have access to intelligence about malicious IP addresses before they’ve ever accessed your website. (This intelligence will have already been gathered for you by other websites.)

This reduces that “window” available to malicious bots to zero.

Reducing the time window to zero means a malicious bot can’t:

• probe your site
• exploit known/unknown vulnerabilities
• inject malware and/or exploit malware previously injected
• register users
• create fake WooCommerce orders
• steal your data or customers’ data
• consume your server/hosting resources
• etc. etc.

Of course, this IP intelligence is formed through the activity of IP addresses on other websites, and sometimes your own.

With CrowdSec’s integration switched on, Shield will share its internal offenses-tracking with CrowdSec, which ultimately then shares the data with other WordPress sites.

This all happens seamlessly with zero effort or configuration needed by the security admin.

So in a nutshell, CrowdSec gives us a head-start against malicious bots and lets us block IPs before your Shield plugin needs to perform any assessments, relying on tracking already done by other Shield plugins, elsewhere on the Internet.

How Does The CrowdSec Integration Differ Between ShieldPRO and ShieldFREE?

ShieldPRO is designed to protect businesses and mission critical WordPress sites. If your WordPress site plays a critical role in your business, or even your personal endeavours, then ShieldPRO is definitely something you should consider.

If, however, your website isn’t so important, or you’re comfortable with restoring a website quickly from a backup after a hack, or you have other security systems in-place and feel you don’t need the extra protection that ShieldPRO offers, then ShieldFREE will go a long way to protecting your sites and users and offering useful extra features like Two-Factor Authentication.

The CrowdSec integration with Shield reflects this. When you’re running ShieldPRO you’ll get access to much more IP intelligence data, and also IP data from sources that reflect business or mission-critical websites, such as e-commerce stores etc.

As well receiving more relevant IP data, and at higher volumes, ShieldPRO installations will receive IP data more frequently. The current implementation is “every 2 hours” for ShieldPRO and “every week” for ShieldFREE.

This simply means that if you’re running ShieldFREE, your IP intelligence data will become increasingly stale, but you’ll be refreshed with the latest data each week.

We may adjust these settings over time.

If you need or desire greater protection based on the nature and purpose of the WordPress sites you’re operating, then we strongly urge you to move to the extra protection afforded to you by ShieldPRO.

CrowdSec and GDPR Compliance

Like ourselves, CrowdSec is commited to full compliance with privacy regulations, such as GDPR.

You can see more details on their GDPR compliance here.

Please note, also, that CrowdSec integration is completely voluntary – you can switch it off on your Shield website at any time with no impact on your performance or security. Shield will continue to protect your site as it’s always done.

Future Plans For Our Partnership

You can already create a free account with CrowdSec over on their homepage. And once our Shield integration has been released, you’ll able to link your WordPress sites into your CrowdSec App account and view the data being sent to the network from all your sites.

We have a few further things under consideration to deepen our integration with CrowdSec, but we’ll annouce these as the integration progresses.

When Can You Get ShieldPRO + CrowdSec?

We’re getting set to release v16 of Shield Security in the coming weeks. Stay tuned to the newsletter or the changelog to get further details as they are published.

Thoughts, Suggestions and Feedback?

As always, we encourge our clients to share their thoughts with us when at any time, and in particular when we release a new feature such as this. Please feel free to leave your comments in the section below.

Source :
https://getshieldsecurity.com/blog/crowdsec-partnership/

Scanning your WordPress sites for Malware is the most important thing you can do to protect your site.

This approach is common and is actually the USP (Unique Selling Point) of several popular WordPress security plugins and services.

Conventional wisdom and marketing emphasises to us all that scanning for malware is pinnacle of WordPress security greatness.

In this article I’ll argue that incessent Malware scanning isn’t going to keep your WordPress site secured.

I want to challenge your approach to WordPress site security and hope that by the end of the article your focus will have shifted a little.

Instead of endless “scanning for malware” treadmill, along with the anxiety that this produces in us, I want to show you there’s an alternative. And it’s a hugely effective way to keep your WordPress sites secure, and your data (and your customers’ data) safe.

Malware Scanning Is Super Important If You’re Already Hacked!

So yes, malware scanning is hugely important when you’re already compromised. You gotta find and eliminate the infection!

But let’s be absolutely clear here, statistically speaking, your site probably isn’t hacked. Yet.

Give me any random WordPress site and I’ll bet that “no”, it hasn’t been hacked. Afterall there are more non-hacked websites than hacked sites, so we’ve got better than a 50:50 chance.

So why on earth do we need powerful security plugins like ShieldPRO? What’s all that malware scanning for then?

Firstly, it’s important to realise that “under attack” and “hacked” are 2 different things. While you may not be compromised, if you’re not already under attack, I’d be very, very suprised.

So while I’d bet that you’re probably not hacked yet, the odds are good that if your site isn’t hacked today, it’ll be hacked eventually without robust security practices and defenses in-place.

The strategies and tools we need to handle both these scenarios (hacked and under attack) are different. ShieldPRO comes with all the powerful tools that work for both, but we’ll get to that a little later.

So What Is The Most Important Aspect Of WordPress Security Protection?

The clue is in the question – “PROTECTION“.

You’ll have heard the phrase that “prevention is better than cure”. This is a real thing.

It’s not a marketing ploy or persuasion tactic. It’s one of the rare times you can say ‘true fact‘ without sounding a little silly.

It is why, for example, Smallpox has been eradicated from planet earth, and why vaccines are the fastest way out of a global pandemic. <insert conspiracy theory counterargument here>

So it is, too, for WordPress site security.

It’s much easier and far cheaper to prevent a WordPress site from getting hacked and keep it clean, than it is to clean up after a site has been compromised.

If you’ve ever had to clean up a hacked site, you’ll know this to be true.

So Is Malware Scanning Important?

Of course, malware scanning is important. And ShieldPRO has strong malware scanning capabilities.

But it is depends on what you’re using you malware scanner for.

Malware scanning has 2 primary purposes:

1. To quickly detect hidden malware scripts, allowing you to eliminate infection more easily.
2. To let you know your website is vulnerable.

You see, many of us get it backwards. We think our website is vulnerable because we have malware.

But it’s the other way around: we have a malware infection because our website is vulnerable!

So if your favourite WordPress security plugin touts their primary feature is that they’re the #1 malware detector for WordPress, then you should also double-check with them that they actually prevent infection in the first place.

Sure you can detect and remove malware, but if you haven’t eliminated the root cause, you’re playing whack-a-mole with malware scripts.

Life’s too short for that.

I would never say, and certainly don’t imply, that malware scanning isn’t necessary as part of a holistic WordPress security strategy. We’ve made huge investments into our malware detection and repair engine within ShieldPRO because we know it’s important.

Being able to detect malware reliably, and eliminate it quickly, is critical in our efforts to secure WordPress sites after they’ve been compromised, and Shield fulfills this role for us.

But once malware has been discovered and cleaned, your work is only beginning. You’ll need to plug the hole that allowed the malware to get in there in the first place.

So, rather than set your primary goal to be detecting and eliminating malware, you’ll want to shift your focus a little and ask yourself…

What’s the Best Way To Stop Hacking in WordPress?

We said this earlier – good prevention is the path to robust WordPress security.

To prevent WordPress malware infections, we must understand how it happens in the first place.

There are a couple of angles to answering this. The most common answer you’ll hear is that vulnerable plugins and themes are single biggest vector for WordPress compromise.

This is true. But it’s not the whole story.

Let’s Play: Hacker Role Play

So let’s pretend you’re a WordPress website hacker and your stated goal is:

hack as many WordPress sites as you can all day, every day, and infect them with your malware scripts.

Here are some of your likely thoughts:

• Firstly, you’d have a think about your target market – i.e. there are millions and millions of WordPress websites. Win!
• Next, in order to hack 30,000+ websites every day you will need either:
  • a whole lot people to do a lot of manual work, or
  • automated bots and scripts to do all the hard work for you quickly
• Since you don’t have the resources to hire people, you decide to build automated bots and scripts.

At this point you’ve decided to create automated bots to do your hacking for you. But there are a few things you must take into consideration when you design these bots:

• You must “discover” the WordPress sites. Not all sites are WordPress, so you have to first find potential targets. So you’ll have your bots probe the websites to determine if they’re actually WordPress sites.
• You have a library of publicly known (and maybe even non-public) WordPress plugin and theme vulnerabilities you’re going to exploit to gain access. So you narrow down your list of WordPress sites based on which sites have these vulnerable plugins/themes installed. This involves a lot more probing on the site.
• You’ve now got a good list of sites to attack.
• Attack!

Of course this layout is for illustrative purposes. But the principle of what’s happens in the real world is no different.

Some bots may not probe for discovery first, and instead go straight for the vulnerability itself, only to find it’s not present. But this can be considered a probing/exploit attempt, too.

In the end you’ll have lots of bots probing lots of websites.

Back To Preventing Malware and Hacking…

The first stage in hacking at scale is probing, with the use of bots/scripts, by either checking what the site has, or by directly targeting known vulnerabilities and hoping to get a hit.

If you track 404 errors on your own WordPress sites, you’ll see for example, there are often many requests to URLs that simply don’t exist. You’re being probed.

If we can detect these probing bots, determine that they’re sending requests for nefarious purposes, then we can completely block them from accessing our sites altogether.

This is true prevention and it works far better, and much more efficiently than repeatedly cleaning-up our sites after they’ve been compromised.

And this holds true not only for malware infections, but any possible compromise to your WordPress sites.

So your #1 goal shouldn’t be “find the best malware cleaner” – it should be: “find the best prevention against WordPress site hacking and compromise”.

How Does ShieldPRO Prevent WordPress Site Hacking?

The main area of focus of Shield Security for WordPress is in prevention.

We believe strongly that if we can prevent problems in the first place, we free ourselves and our WordPress sites to focus on the work that’s most important.

ShieldPRO achieves this by doing its utmost to detect bad bots and block them.

• We use our exclusive, custom built AntiBot Detection Engine to detect bad bots. Detecting bad bots isn’t simple, because they do everything they can to hide their malicious intent. Shield builds up a profile for each IP address based on their activities and depending on their reputation, blocks certain requests.
• Use our exclusive “NotBot” javascript snippet to quickly and reliably identify bots vs humans.
• Gathers 25+ distinct “bot signals” to monitor, track and score visitors to build a unique “bot” profile.

Once we’ve accessed a visitor and determined it to be a bot, and more specifically, a bad bot, we prevent that visitor from performing certain requests against the site. And, depending on the Shield configuration, we can block that bot from sending any requests to the site entirely.

ShieldPRO prevents 10,000s of WordPress sites from being hacking every single day by standing in the way of malicious bots.

Of course, Shield will also scan for malware and filesystem modifications, vulnerable plugins and all the other usual suspects, but this “after-the-fact” scanning is no match for preventing such things in the first place.

Is Your WordPress Protection Focused On Prevention, or Cure?

If you ask yourself nothing else after reading this article, it should be whether your existing WordPress Security strategy is focused on prevention, or focused on cure.

We’ve argued that the biggest positive impact on your security lies in preventing the problems in the first place, and that ShieldPRO is built with this strategy in-mind.

While you might have the best or most expensive malware scanning engine on the market, if it’s consistently picking up threats, then you may not have the best WordPress protection available.

Source :
https://getshieldsecurity.com/blog/malware-hype/

On August 30, 2022, the WordPress core team released WordPress version 6.0.2, which contains patches for 3 vulnerabilities, including a High Severity SQLi vulnerability in the Links functionality as well as two Medium Severity Cross-Site Scripting vulnerabilities.

These patches have been backported to every version of WordPress since 3.7. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 3.7, so you can update without risking compatibility issues. If your site has not been updated automatically we recommend updating manually.

Vulnerability Analysis

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

We have determined that these vulnerabilities are unlikely to be targeted for exploitation due to the special cases needed to exploit. In most circumstances these vulnerabilities require either elevated privileges, such as those of an administrator, or the presence of a separate vulnerable or malicious plugin. Nonetheless, the Wordfence firewall should protect against any exploits that do not require administrative privileges. In nearly all cases administrators already have the maximum level of access and attackers with that level of access are unlikely to use convoluted and difficult exploits when simpler paths to making configuration changes or obtaining sensitive information are readily available.

---

Description: SQL Injection via Links LIMIT clause
Affected Versions: WordPress Core < 6.0.2
Researcher: FVD
CVE ID: Pending
CVSS Score: 8.0 (High)
CVSS Vector:CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 6.0.2

The WordPress Link functionality, previously known as “Bookmarks”, is no longer enabled by default on new WordPress installations. Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress. Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration. It is possible that 3rd party plugins or themes might allow this vulnerability to be used by editor-level users or below, and in these cases the Wordfence firewall will block any such exploit attempts.

Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned. In a default configuration, only the Links legacy widget calls the get_bookmarks function in a way that allows this argument to be set by a user. Legacy widgets involve additional safeguards, and the injection point of the query itself poses additional difficulties, making this vulnerability nontrivial to exploit.

---

Description: Contributor+ Stored Cross-Site Scripting via use of the_meta function
Affected Versions: WordPress Core < 6.0.2
Researcher: John Blackbourn
CVE ID: Pending
CVSS Score: 4.9 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.2

WordPress content creators, such as Contributors, Editors, Authors, and Administrators, have the ability to add custom fields to any page and post created. The purpose of this is to make it possible for site content creators to add and associate additional data to posts and pages.

WordPress has several functions available to site owners to display custom fields created and associated with posts and pages. One of these functions is the the_meta function which retrieves the supplied post’s or page’s custom field data, which is stored as post meta data, through the get_post_custom_keys and get_post_custom_values functions. Once the custom fields for a post/page are retrieved, the function outputs the post meta keys and values data as a list. Unfortunately, in versions older than 6.0.2 this data was unescaped on output making it possible for any injected scripts in post meta keys and values to be executed.

Due to the fact that any user with access to the post editor can add custom meta fields, users with access to the editor such as contributors could inject malicious JavaScript that executes on any page or post where this function is called.

WordPress core does not call the_meta anywhere in its codebase by default. As such this vulnerability does require a plugin or theme that calls the the_meta function, or for this function to have been programmatically added to a PHP file for execution, so the vast majority of site owners are not vulnerable to this issue. The the_meta function is considered deprecated as of 6.0.2 and get_post_meta is the recommended alternative.

The Wordfence Threat Intelligence Team deployed a firewall rule to help protect Wordfence Premium, Care & Response customers today. Wordfence Free users will receive the same protection in 30 days on September 29, 2022.

---

Description: Stored Cross-Site Scripting via Plugin Deactivation and Deletion errors
Affected Versions: WordPress Core < 6.0.2
Researcher: ​​Khalilov Moe
CVE ID: Pending
CVSS Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.2

The final vulnerability involves the error messages displayed when a plugin has been deactivated due to an error, or when a plugin can not be deleted due to an error. As these error messages were not escaped, any JavaScript present in these error messages would execute in the browser session of an administrator visiting the plugins page. This vulnerability would require a separate malicious or vulnerable plugin or other code to be installed on the site, which would typically require an administrator to install it themselves. In almost all cases where this vulnerability might be exploitable an attacker would already have a firm foothold on the vulnerable site.

Our built-in XSS rule should block any attempts to generate crafted error messages based on user input to a vulnerable plugin, and the Wordfence scanner will detect any malicious plugins uploaded by an administrator.

Conclusion

In today’s article, we covered three vulnerabilities patched in the WordPress 6.0.2 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours, and any sites that remain vulnerable would only be exploitable under very specific circumstances.

We have released a firewall rule to Wordfence Premium, Care, and Response users to protect against any exploits targeting the the_meta function and this rule should become available to Wordfence free users after 30 days, on on September 29, 2022.

As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.

Props to Khalilov Moe, John Blackbourn, & FVD for discovering and responsibly disclosing these vulnerabilities. Special thanks to Wordfence Threat Intelligence Lead Chloe Chamberland for collaborating on this post.

Source :
https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/

A newly discovered phishing kit targeting PayPal users is trying to steal a large set of personal information from victims that includes government identification documents and photos.

Over 400 million individuals and companies are using PayPal as an online payment solution.

The kit is hosted on legitimate WordPress websites that have been hacked, which allows it to evade detection to a certain degree.

Breaching websites with weak login

Researchers at internet technology company Akamai found the phishing kit after the threat actor planted it on their WordPress honeypot.

The threat actor targets poorly secured websites and brute-forces their log in using a list of common credential pairs found online. They use this access to install a file management plugin that allows uploading the phishing kit to the breached site.

Akamai discovered that one method the phishing kit uses to avoid detection is to cross-reference IP addresses to domains belonging to a specific set of companies, including some orgs in the cybersecurity industry.

Legit-looking page

The researchers noticed that the author of the phishing kit made an effort to make the fraudulent page look professional and mimic the original PayPal site as much as possible.

One aspect they observed was that the author uses htaccess to rewrite the URL so that it does not end with the extension of the PHP file. This adds to a cleaner, more polished appearance that lends legitimacy.

Also, all graphical interface elements in the forms are styled after PayPal’s theme, so the phishing pages have a seemingly authentic appearance.

Data stealing process

Stealing a victim’s personal data starts with presenting them a CAPTCHA challenge, a step that creates a false sense of legitimacy.

After this stage, the victim is asked to log into their PayPal account using their email address and password, which are automatically delivered to the threat actor.

This is not all, though. Under the pretense of “unusual activity” associated with the victim’s account, the threat actor asks for more verification information.

In a subsequent page, the victim is asked to provide a host of personal and financial details that include payment card data along with the card verification code, physical address, social security number, mother’s maiden name.

It appears that the phishing kit was built to squeeze all the personal information from the victim. Apart from the card data typically collected in phishing scams, this one also demands the social security number, mother’s maiden name, and even the card’s PIN number for transactions at ATM machines.

Collecting this much information is not typical to phishing kits. However, this one goes even further and asks victims to link their email account to PayPal. This would give the attacker a token that could be used to access the contents of the provided email address.  

Despite having collected a massive amount of personal information, the threat actor is not finished. In the next step, they ask the victim to upload their official identification documents to confirm their identity.

The accepted documents are passport, national ID, or a driver’s license and the upload procedure comes with specific instructions, just as PayPal or a legitimate service would ask from their users.

Cybercriminals could use all this information for a variety of illegal activities ranging from anything related to identity theft to launder money (e.g. creating cryptocurrency trading accounts, registering companies) and maintaining anonymity when purchasing services to taking over banking accounts or cloning payment cards.

Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes. – Akamai

Although the phishing kit appears sophisticated, the researchers discovered that its file upload feature comes with a vulnerability that could be exploited to upload a web shell and take control of the compromised website.

Provided the huge amount of information requested, the scam may appear obvious to some users. However, Akamai researchers believe that this specific social engineering element is what makes the kit successful.

They explain that identity verification is normal these days and this can be done in multiple ways. “People judge brands and companies on their security measures these days,” the researchers say.

The use of the captcha challenge signals from the beginning that additional verification may be expected. By using the same methods as legitimate services, the threat actor solidifies the victim’s trust.

Users are advised to check the domain name of a page asking for sensitive information. They can also go to the official page of the service, by typing it manually in the browser, to check if identity verification is in order.

Source :
https://www.bleepingcomputer.com/news/security/paypal-phishing-kit-added-to-hacked-wordpress-sites-for-full-id-theft/

The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin. As the plugin was closed without a patch, all versions of the plugin are impacted by this vulnerability. The vulnerability can be used to upload malicious PHP files to an affected website, leading to code execution and complete site takeover. Once they’ve established a foothold, attackers can also inject malicious JavaScript into files on the site, among other malicious actions.

All Wordfence customers have been protected from this attack campaign by the Wordfence Firewall since May 21, 2021, with Wordfence Premium, Care, and Response customers having received the firewall rule 30 days earlier on April 21, 2021. Even though Wordfence provides protection against this vulnerability, we strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and finding an alternative as it is unlikely the plugin will ever receive a patch for this critical vulnerability. We are currently protecting over 1,000 websites that still have the plugin installed, and we estimate that between 4,000 and 8,000 websites in total still have the plugin installed.

We have blocked an average of 443,868 attack attempts per day against the network of sites that we protect during the course of this campaign. Please be aware that while 1,599,852 unique sites were targeted, a majority of those sites were not running the vulnerable plugin.

---

Description: Arbitrary File Upload/Deletion and Other
Affected Plugin: Kaswara Modern WPBakery Page Builder Addons
Plugin Slug: kaswara
Affected Versions: <= 3.0.1
CVE ID:CVE-2021-24284
CVSS Score: 10.0 (Critical)
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: NO AVAILABLE PATCH.

Indicators of Attack

The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website. Your logs may show the following query string on these events:

/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1

We have observed 10,215 attacking IP addresses, with the vast majority of exploit attempts coming from these top ten IPs:

• 217.160.48.108 with 1,591,765 exploit attempts blocked
• 5.9.9.29 with 898,248 exploit attempts blocked
• 2.58.149.35 with 390,815 exploit attempts blocked
• 20.94.76.10 with 276,006 exploit attempts blocked
• 20.206.76.37 with 212,766 exploit attempts blocked
• 20.219.35.125 with 187,470 exploit attempts blocked
• 20.223.152.221 with 102,658 exploit attempts blocked
• 5.39.15.163 with 62,376 exploit attempts blocked
• 194.87.84.195 with 32,890 exploit attempts blocked
• 194.87.84.193 with 31,329 exploit attempts blocked

Indicators of Compromise

Based on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory. The malicious file has an MD5 hash of d03c3095e33c7fe75acb8cddca230650. This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website.

The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites. The presence of  this string in your JavaScript files is a strong indication that your site has been infected with NDSW:

;if(ndsw==

Some additional filenames that attackers are attempting to upload includes:

• [xxx]_young.zip where [xxx] varies and typically consists of 3 characters like ‘svv_young’
• inject.zip
• king_zip.zip
• null.zip
• plugin.zip

What Should I Do If I Use This Plugin?

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability. However, at this time the plugin has been closed, and the developer has not been responsive regarding a patch. The best option is to fully remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

Source :
https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability/