What is the minimum recommended length of twisted pair copper cable that I should use with my SonicWall firewalls’ HA ports for high availability?
Resolution
Question:
What is the minimum recommended length of twisted pair copper cable that I should use with my SonicWall firewalls’ HA ports for high availability?
Answer:
At present, there is no officially published minimum length for a twisted pair cable from IEEE or ANSI, though there is information about maximum lengths for twisted pair cable.
However, sometimes customers want to use a cable that is only several inches in length for this. The reason why is because it looks neat and tidy, and it’s one less cable that has to be strung through a rackmount cable channel. However, using such a small cable often causes problems. Customers have reported issues where the firewalls appear to lock up, and they can neither be managed, nor can they pass traffic.
The reason why this occurs, is because the extremely short HA cable causes problems with the transmissions of the HA heartbeats. In an HA pair, when the idle unit does not receive heartbeats for the configured interval and time threshold, it will go active. However, if the other unit in the HA pair is still active, both units’ interfaces will be competing for the addressing, which means there is an IP conflict between all of each firewall’s interfaces. This will prevent the devices from being managed, and it will also prevent them from passing traffic.
With regards to cable length, the following needs to be considered: — 1.) Crosstalk
Crosstalk is when a signal sent on one circuit interferes with another signal sent on a separate but adjacent circuit. This is usually caused by circuits being close together. With ethernet cabling, this effect is reduced by twisting the circuit pairs. This reduces the circuits’ ability to interfere with one another while traveling the length of the copper media. With an extremely short cable, there is usually not enough twisted pair to prevent crosstalk interference.
2.) Return Loss
Return loss is essentially the loss of a signal’s power which is returned or reflected by a discontinuity in the cabling (ie: a point in the transmission line where the signal cannot conduct fully to the next leg of the pathway). It is desirable to have a high level of return loss (ie: the loss of reflectivity). Low return loss can be caused by problems at the termination point of the cable, or by a device which is in line with the transmission pathway. A shorter cable presents a potential for lower return loss, because there is less wire to degrade the reflection of signals.
3.) Cable Quality
The quality of cabling will vary from vendor to vendor, depending upon how accurate the equipment is which is used in the manufacturing process. Some vendors do not twist their cabling as effeciently as others do, and some have lower-quality crimps than others. Cables which are crimped by individuals often suffer greatly by comparison to manufactured cables, as one can only be so precise with a hand-crimping tool. The most common problem with custom cables is a loss of twisting near the termination point of the cable. Most vendors who make cables less than half of 1 meter in length do not have those cables certified by any standards body.
For high availability, SonicWall support recommends using a patch or crossover (NSA units have MDIx autosensing capabilities on their interfaces) cable which is no shorter than 1 meter in length (about three feet). There are many posted discussions on this topic available to read online, however, this post from a Fluke Networks employee at forucms.bicsi.org sums up these discussions very well.
http://forums.bicsi.org/Topic2210-4-1.aspx#bm2215 —- “If you are talking specifically about patch cords, then 0.5 m is the implied minimum length in ANSI/TIA/EIA-568-B.2-1 for a certified patch cord. That’s because the math for the limit lines really does not work below this. Infact, getting a certified patch cord of 0.5 is going to be tricky. Many vendors only offer a certified patch cord of 1.0 m or longer.”
By: Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot, Ian Kenefick January 09, 2024 Read time: 8 min (2105 words)
A threat actor we track under the Intrusion set Water Curupira (known to employ the Black Basta ransomware) has been actively using Pikabot. a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.
Pikabot is a type of loader malware that was actively used in spam campaigns by a threat actor we track under the Intrusion set Water Curupira in the first quarter of 2023, followed by a break at the end of June that lasted until the start of September 2023. Other researchers have previously noted its strong similarities to Qakbot, the latter of which was taken down by law enforcement in August 2023. An increase in the number of phishing campaigns related to Pikabot was recorded in the last quarter of 2023, coinciding with the takedown of Qakbot — hinting at the possibility that Pikabot might be a replacement for the latter (with DarkGate being another temporary replacement in the wake of the takedown).
Pikabot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server. Pikabot is a sophisticated piece of multi-stage malware with a loader and core module within the same file, as well as a decrypted shellcode that decrypts another DLL file from its resources (the actual payload).
In general, Water Curupira conducts campaigns for the purpose of dropping backdoors such as Cobalt Strike, leading to Black Basta ransomware attacks (coincidentally, Black Basta also returned to operations in September 2023). The threat actor conducted several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot.
Pikabot, which gains initial access to its victim’s machine through spam emails containing an archive or a PDF attachment, exhibits the same behavior and campaign identifiers as Qakbot.
Figure 1. Our observations from the infection chain based on Trend’s investigation
Initial access via email
The malicious actors who send these emails employ thread-hijacking, a technique where malicious actors use existing email threads (possibly stolen from previous victims) and create emails that look like they were meant to be part of the thread to trick recipients into believing that they are legitimate. Using this technique increases the chances that potential victims would select malicious links or attachments. Malicious actors send these emails using addresses (created either through new domains or free email services) with names that can be found in original email threads hijacked by the malicious actor. The email contains most of the content of the original thread, including the email subject, but adds a short message on top directing the recipient to open the email attachment.
This attachment is either a password-protected archive ZIP file containing an IMG file or a PDF file. The malicious actor includes the password in the email message. Note that the name of the file attachment and its password vary for each email.
Figure 2. Sample email with a malicious ZIP attachmentFigure 3. Sample email with a malicious PDF attachment
The emails containing PDF files have a shorter message telling the recipient to check or view the email attachment.
The first stage of the attack
The attached archive contains a heavily obfuscated JavaScript (JS) with a file size amounting to more than 100 KB. Once executed by the victim, the script will attempt to execute a series of commands using conditional execution.
Figure 4. Files extracted to the attached archive (.zip or .img)Figure 5. Deobfuscated JS command
The script attempts command execution using cmd.exe. If this initial attempt is unsuccessful, the script proceeds with the following steps: It echoes a designated string to the console and tries to ping a specified target using the same string. In case the ping operation fails, the script employs Curl.exe to download the Pikabot payload from an external server, saving the file in the system’s temporary directory.
Subsequently, the script will retry the ping operation. If the retry is also unsuccessful, it uses rundll32.exe to execute the downloaded Pikabot payload (now identified as a .dll file) with “Crash” as the export parameter. The sequence of commands concludes by exiting the script with the specified exit code, ciCf51U2FbrvK.
We were able to observe another attack chain where the malicious actors implemented a more straightforward attempt to deliver the payload. As before, similar phishing techniques were performed to trick victims into downloading and executing malicious attachments. In this case, password-protected archive attachments were deployed, with the password contained in the body of the email.
However, instead of a malicious script, an IMG file was extracted from the attachment. This file contained two additional files — an LNK file posing as a Word document and a DLL file, which turned out to be the Pikabot payload extracted straight from the email attachment:
Figure 6. The content of the IMG file
Contrary to the JS file observed earlier, this chain maintained its straightforward approach even during the execution of the payload.
Once the victim is lured into executing the LNK file, rundll32.exe will be used to run the Pikabot DLL payload using an export parameter, “Limit”.
The content of the PDF file is disguised to look like a file hosted on Microsoft OneDrive to convince the recipient that the attachment is legitimate. Its primary purpose is to trick victims into accessing the PDF file content, which is a link to download malware.
Figure 7. Malicious PDF file disguised to look like a OneDrive attachment; note the misspelling of the word “Download”
When the user selects the download button, it will attempt to access a malicious URL, then proceed to download a malicious JS file (possibly similar to the previously mentioned JS file).
The delivery of the Pikabot payload via PDF attachment is a more recent development, emerging only in the fourth quarter of 2023.
We discovered an additional variant of the malicious downloader that employed obfuscation methods involving array usage and manipulation:
Figure 8. Elements of array “_0x40ee” containing download URLs and JS methods used for further execution
Nested functions employed array manipulation methods using “push” and “shift,” introducing complexity to the code’s structure and concealing its flow to hinder analysis. The presence of multiple download URLs, the dynamic creation of random directories using the mkdir command, and the use of Curl.exe, as observed in the preceding script, are encapsulated within yet another array. The JavaScript will run multiple commands in an attempt to retrieve the malicious payload from different external websites using Curl.exe, subsequently storing it in a random directory created using mkdir.
Figure 9. Payload retrieval commands using curl.exe
The rundll32.exe file will continue to serve as the execution mechanism for the payload, incorporating its export parameter.
Figure 10. Payload execution using rundll32.exe
The Pikabot payload
We analyzed the DLL file extracted from the archive shown in Figure 6 and found it to be a sample of a 32-bit DLL file with 1515 exports. Calling its export function “Limit”, the file will decrypt and execute a shellcode that identifies if the process is being debugged by calling the Windows API NtQueryInformationProcess twice with the flag 0x7 (ProcessDebugPort) on the first call and 0x1F ProcessDebugFlags on the second call. This shellcode also decrypts another DLL file that it loads into memory and then eventually executes.
Figure 11. The shellcode calling the entry point of the decrypted DLL file
The decrypted DLL file will execute another anti-analysis routine by loading incorrect libraries and other junk to detect sandboxes. This routine seems to be copied from a certain GitHub article.
Security/Virtual Machine/Sandbox DLL files
Real DLL files
Fake DLL files
cmdvrt.32.dll
kernel32.dll
NetProjW.dll
cmdvrt.64.dll
networkexplorer.dll
Ghofr.dll
cuckoomon.dll
NlsData0000.dll
fg122.dll
pstorec.dll
avghookx.dll
avghooka.dll
snxhk.dll
api_log.dll
dir_watch.dll
wpespy.dll
Table 1. The DLL files loaded to detect sandboxes
After performing the anti-analysis routine, the malware loads a set of PNG images from its resources section which contains an encrypted chunk of the core module and then decrypts them. Once the core payload has been decrypted, the Pikabot injector creates a suspended process (%System%\SearchProtocolHost) and injects the core module into it. The injector uses indirect system calls to hide its injection.
Figure 12. Loading the PNG images to build the core module
Resolving the necessary APIs is among the malware’s initial actions. Using a hash of each API (0xF4ACDD8, 0x03A5AF65E, and 0xB1D50DE4), Pikabot uses two functions to obtain the addresses of the three necessary APIs, GetProcAddress, LoadLibraryA, and HeapFree. This process is done by looking through kernel32.dll exports. The rest of the used APIs are resolved using GetProcAddress with decrypted strings. Other pertinent strings are also decrypted during runtime before they are used.
Figure 13. Harvesting the GetProcAddress and LoadLibrary API
The Pikabot core module checks the system’s languages and stops its execution if the language is any of the following:
Russian (Russia)
Ukrainian (Ukraine)
It will then ensure that only one instance of itself is running by creating a hard-coded mutex, {A77FC435-31B6-4687-902D-24153579C738}.
The next stage of the core module involves obtaining details about the victim’s system and forwarding them to a C&C server. The collected data uses a JSON format, with every data item using the wsprintfW function to fill its position. The stolen data will look like the image in Figure 13 but with the collected information before encryption:
Figure 14. Stolen information in JSON format before encryption
Pikabot seems to have a binary version and a campaign ID. The keys 0fwlm4g and v2HLF5WIO are present in the JSON data, with the latter seemingly being a campaign ID.
The malware creates a named pipe and uses it to temporarily store the additional information gathered by creating the following processes:
whoami.exe /all
ipconfig.exe /all
netstat.exe -aon
Each piece of information returned will be encrypted before the execution of the process.
A list of running processes on the system will also be gathered and encrypted by calling CreateToolHelp32Snapshot and listing processes through Process32First and Process32Next.
Once all the information is gathered, it will be sent to one of the following IP addresses appended with the specific URL, cervicobrachial/oIP7xH86DZ6hb?vermixUnintermixed=beatersVerdigrisy&backoff=9zFPSr:
70[.]34[.]209[.]101:13720
137[.]220[.]55[.]190:2223
139[.]180[.]216[.]25:2967
154[.]61[.]75[.]156:2078
154[.]92[.]19[.]139:2222
158[.]247[.]253[.]155:2225
172[.]233[.]156[.]100:13721
However, as of writing, these sites are inaccessible.
C&C servers and impact
As previously mentioned, Water Curupira conducts campaigns to drop backdoors such as Cobalt Strike, which leads to Black Basta ransomware attacks.It is this potential association with a sophisticated type of ransomware such as Black Basta that makes Pikabot campaigns particularly dangerous.
The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot.
Lastly, we have observed distinct clusters of Cobalt Strike beacons with over 70 C&C domains leading to Black Basta, and which have been dropped via campaigns conducted by this threat actor.
Security recommendations
To avoid falling victim to various online threats such as phishing, malware, and scams, users should stay vigilant when it comes to emails they receive. The following are some best practices in user email security:
Always hover over embedded links with the pointer to learn where the link leads.
Check the sender’s identity. Unfamiliar email addresses, mismatched email and sender names, and spoofed company emails are signs that the sender has malicious intent.
If the email claims to come from a legitimate company, verify both the sender and the email content before downloading attachments or selecting embedded links.
Keep operating systems and all pieces of software updated with the latest patches.
Regularly back up important data to an external and secure location. This ensures that even if you fall victim to a phishing attack, you can restore your information.
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.
Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.
Trend Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)
The indicators of compromise for this blog entry can be found here.
By: Jon Clay January 11, 2024 Read time: 4 min (970 words)
Trend Micro collaborates with INTERPOL to defend FIFA World Cup by preventing attacks & mitigating risks to fight against the rising threat of cybercrime.
The prominent sporting event, FIFA World Cup, concluded in December 2022, and it generated a lot of online engagements from millions of fans around the world. The remarkable penalty-shootout in the finals was hailed the champion of the event and it was a trending topic in social media and headline news. Before and during this event, the online users were rejoicing and betting their favorite teams at the same time cybercriminals were taking advantage of the event to deploy spam and scams. With this, law enforcement, and in particular, INTERPOL, had to step up and tapped its gateway partners to be on the lookout and report to them the cyberthreats surrounding the 2022 FIFA World Cup. Trend Micro helped by proactively monitoring our global threat intelligence that revealed many malicious websites and scams before and during the event. For example, we saw websites disguised as ticketing systems of the 2022 FIFA World Cup and many survey scams. We shared this information to INTERPOL, helping in their goal of preventing attacks and mitigating the risk posed by the fraudsters of this event. Furthermore, through our global threat intelligence, we monitored the detections of malicious websites and files from the country of Qatar as INTERPOL worked closely with them to prevent cybercriminals and malicious actors in disrupting the sporting event.
Let’s look a bit deeper into the different cyber threats we discovered and shared with INTERPOL, besides blocking them for our customers.
Malicious Websites found throughout 2022
Figure 1: Trend Micro detections of malicious sites bearing keywords of “FIFA” and “World Cup”Figure 2: Top affected countries of malicious sites related to FIFA World CupFigure 3: Timeline of FIFA World Cup Cyberthreats
Fake Ticketing System
It is no wonder due to the millions of potential victims that cybercriminals created dubious sites for selling tickets to the 2022 FIFA World Cup and trick users into inputting their personal information and credit card details in phishing attempts. We observed a few sites such as fifa-ticketssales[.]com and prime-ticketssales[.]com, both imitating the FIFA World Cup ticketing page and one showing an unbelievable number of sold tickets and remaining number of seats. We also identified contact details of scammers such as phone numbers and email addresses, some of these phone numbers were linked to other scam sites which is typical for scammers to reuse phone numbers.
Figure 4: Fake selling tickets of FIFA World CupFigure 5: Questionable number of tickets sold and used as lure to users
Fake Live Streaming
Cybercriminals created several fake streaming sites to lure victims to click on it. We identified around 40 unique domains that hosted fake streaming of FIFA World Cup. Example sites are watchvsportstv[.]com/2022-FIFA-WORLD-CUP-FINAL, sportshdlivetv[.]com/FIFA-WORLD-CUP-FINAL and istream2watch[.]stream/video/fifa-world-cup. From our analysis of these fake live streaming pages, the user will be redirected to websites with subscription forms or premium access requests and lure these users to subscribe and pay. Among the top countries detected were Brazil, Philippines, and Malaysia.
Survey Scams
Survey scams are relentless and scammers have been using them for a long time now. One we reported for example was https://www.theregister.com/2012/03/23/pinterest_attracts_scammers/. While the FIFA World Cup 2022 was ongoing, especially as we approached the semi-finals and final game, we observed malicious sites hosting survey scams that offered free 50GB mobile data. We identified more than 40 IP addresses or servers hosting the scam sites. Mostly were registered by Chinese names and hosted under Google LLC. Survey scams aim to trick users into obtaining free mobile data 50GB for a faster streaming of video or a free mobile network. It tricks users into inputting phone number and personal information thus in the end it will incur charges to the victims not knowing that it is a scam and may use their personal information for future spam or scams. Additionally, mostly it will redirect to fake dating sites and would require and harvest email address which can allow spammers to include them in their next wave of spam.
Figure 6: FIFA World Cup Survey scam that offers free mobile dataFigure 7: It requests for phone number which may lead to unwanted charges.Figure 8: Displays the offer is successful, however, it requires the user to share it in WhatsApp, thus propagating this survey scamFigure 9: Survey scam common web page title
Crypto scamming and malicious app
Based on external reports there were crypto scammers that leveraged the sporting event. We observed some scam sites such as cristiano-binance[.]xyz, binance[.]supply, football-blnance[.]com, football-binance[.]com, birance[.]online and birance[.]site that lure users to click on the button “Connect wallet” and will compromise the account. We also observed malicious app or Android RAT which was reported from https://twitter.com/ESETresearch/status/1596222440996311040https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/ and it was called “ Kora 442” with malicious site kora442[.]com. It lured users to download the app “kora442.apk” and promised live and exclusive broadcasts of the 2022 FIFA World Cup. Example of hashes are 2299d4e4ba3e9c2643ee876bb45d6a976362ce3c, c66564b7f66f22ac9dd2e7a874c6874a5bb43a26, 9c904c821edaff095e833ee342aedfcaac337e04 and 60b1da6905857073c4c46e7e964699d9c7a74ec7. The package name is com.app.projectappkora and we detect it as AndroidOS_DummyColl.HRX. It steals information from the infected device and sends it to the Command &Control (C&C) server.
Figure 10: Fraudulent site potential hijacking of Crypto accountFigure 11: Malicious mobile app site with download request
Trend Micro’s mission has always been making the world safe for exchanging digital information and our support of INTERPOL and the 2022 FIFA World Cup gave us an opportunity to do exactly this. We’re proud of our continued support of INTERPOL, whether it is helping them with investigations of cybercriminals, or helping with a major worldwide sporting event. Our 34 years of experience in proactively identifying new threats and attacks and protecting users against them will continue in the future and we look forward to more engagements with law enforcement and organizations managing these events.
By: Trend Micro December 06, 2023 Read time: 4 min (971 words)
In this blog entry, we discuss predictions from Trend Micro’s team of security experts about the drivers of change that will figure prominently in 2024.
Digital transformations in the year ahead will be led by organizations pursuing a pioneering edge from the integration of emergent technologies. Advances in cloud technology, artificial intelligence and machine learning (AI/ML), and Web3 are poised to reshape the threat landscape, giving it new frontiers outside the purview of traditional defenses. However, these technological developments are only as efficient as the IT structures that support them. In 2024, business leaders will have to take measures to ensure that their organization’s systems and processes are equipped to stay in step with these modern solutions — not to mention the newfound security challenges that come with implementing and securing them.
As the new year draws closer, decision-makers will need to stay on top of key trends and priority areas in enterprise cybersecurity if they are to make room for growth and fend off any upcoming threats along their innovation journey. In this blog entry, we discuss predictions from Trend Micro’s team of security experts about the drivers of change that will figure prominently next year.
Misconfigurations will allow cybercriminals to scale up their attacks using cloud-native worms
Enterprises should come into 2024 prepared to ensure that their cloud resources can’t be turned against them in “living-off-the-cloud” attacks. Security teams need to closely monitor cloud environments in anticipation of cyberattacks that, tailored with worming capabilities, can also abuse cloud misconfigurations to gain a foothold in their targets and use rootkits for persistence. Cloud technologies like containerized applications are especially at risk as once infected, these can serve as a launchpad from which attackers can spread malicious payloads to other accounts and services. Given their ability to infect multiple containers at once, leverage vulnerabilities at scale, and automate various tasks like reconnaissance, exploitation, and achieving persistence, worms will endure as a prominent tactic among cybercriminals next year.
AI-generated media will give rise to more sophisticated social engineering scams
The gamut of use cases for generative AI will be a boon not only for enterprises but also for fraudsters seeking new ways of profiteering in 2024. Though they’re often behind the curve when it comes to new technologies, expect cybercriminals — swayed by the potential of lucrative pay — to incorporate AI-generated lures as part of their upgraded social engineering attacks. Notably, despite the shutdown of malicious large language model (LLM) tool WormGPT, similar tools could still emerge from the dark web. In the interim, cybercriminals will also continue to find other ways to circumvent the limitations of legitimate AI tools available online. In addition to their use of digital impostors that combine various AI-powered tools in emerging threats like virtual kidnapping, we predict that malicious actors will resort specifically to voice cloning in more targeted attacks.
The rising tide of data poisoning will be a scourge on ML models under training
Integrating machine-learning (ML) models into their operations promises to be a real game changer for businesses that are banking on the potential of these models to supercharge innovation and productivity. As we step into 2024, attempts to corrupt the training data of these models will start gaining ground. Threat actors will likely carry out these attacks by taking advantage of a model’s data-collection phase or by compromising its data storage or data pipeline infrastructure. Specialized models using focused datasets will also be more vulnerable to data poisoning than LLMs and generative AI models trained on extensive datasets, which will prompt security practitioners to pay closer attention to the risks associated with tapping into external resources for ML training data.
Attackers will take aim at software supply chains through their CI/CD pipelines
Software supply chains will have a target on their back in 2024, as cybercriminals will aim to infiltrate them through their continuous integration and delivery (CI/CD) systems. For example, despite their use in expediting software development, components and code sourced from third-party libraries and containers are not without security risks, such as lacking thorough security audits, containing malicious or outdated components, or harboring overlooked vulnerabilities that could open the door to code-injection attacks. The call for developers to be wary of anything sourced from third parties will therefore remain relevant next year. Similarly, to safeguard the resilience of critical software development pipelines and weed out bugs in the coming year, DevOps practitioners should exercise caution and conduct routine scans of any external code they plan to use.
New extortion schemes and criminal gangs will be built around the blockchain
Whereas public blockchains are hardened by continuous cyberattacks, the same can’t be said of their permissioned counterparts because of the latter’s centralized nature. This lack of hard-won resilience will drive malicious actors to develop new extortion business models specific to private blockchains next year. In such extortion operations, criminals could use stolen keys to insert malicious data or modify existing records on the blockchain and then demand a payoff to stay mum on the attack. Threat actors can also strong-arm their victims into paying the ransom by wresting control of enough nodes to encrypt an entire private blockchain. As for criminal groups, we predict that 2024 will see the debut of the first criminal organizations running entirely on blockchains with smart contract or decentralized autonomous organizations (DAOs).
Countering future cyberthreats
Truly transformative technologies inevitably cross the threshold into standard business operations. But as they make that transition from novel to industry norm, newly adopted tools and solutions require additional layers of protection if they are to contribute to an enterprise’s expansion. So long as their security stance is anchored on preparedness and due diligence, organizations stand to reap the benefits from a growing IT stack without exposing themselves to unnecessary risks. To learn more about the key security considerations and challenges that lie ahead for organizations and end users, read our report, “Critical Scalability: Trend Micro Security Predictions for 2024.”
When you picture your website visitors, you most likely picture a person sitting at a desk, or perhaps scrolling on their phone. However, not all your site’s visitors are flesh and bone; many are in fact bots, running automated tasks.
Although some of these bots are legitimate, others can put your site at risk, so it’s important to take appropriate security measures. This article will take you through the ways bots interact with your site, give you some insights on the risks of leaving bad bots unchecked, and take you through how Shield Security PRO can help protect your site.
What are WordPress bots?
Before we dive into how to protect your WordPress site from bad bots, let’s take a step back and talk about bots in general. Put simply, a bot is software that runs an automated task.
Many of the bots that visit your website are perfectly fine – and, indeed, there are many good bots that you want to visit your site. For example, search engine crawlers automatically evaluate the value of your site’s content to determine its rank in search results.
However, there are also bots out there designed with nefarious purposes in mind. In the next section, we will look at good vs. bad bots in more detail so you know which ones you need to look out for.
It’s worth remembering: One of the key challenges in cybersecurity is giving both good bots and human users a positive experience on your site, without enabling malicious bots to wreak havoc and compromise your security.
Good bots vs. bad bots
You may be surprised to learn that there are several kinds of good bots out there that should be perfectly welcome on your website. We mentioned search engine crawlers earlier, but they’re just one form of friendly bot that could visit your site. Others include:
Uptime monitoring bots: These collect performance data so you can see how well your site is doing
SEO tracking bots: Many sites looking to improve their search engine ranks use analytics software to evaluate results. Tracking bots collect the data reflected in your key performance indicators.
Translation bots: These assist with language translation by automatically translating content to another language, helping viewers understand what your web pages are about.
AI Bots: AI companies use site crawlers to train their AI systems, particularly in terms of language learning.
Some types of bad bots include:
Comment spam bots: These are bots that automatically leave irrelevant comments on your site, often advertising another product or service, and generating links to that site.
Brute force bots: Some cybercriminals use bots to perform brute force attacks in order to guess login credentials and gain access to restricted information.
Probing bots: These are bots that simply probe your site for vulnerabilities – you can think of them as casing the joint. If they find any, they make a note so attackers can come back and exploit those vulnerabilities later.
All of these can sap your resources and make you more vulnerable to major cyber security threats. The right cyber security approach will allow good bots to do their thing without leaving the door open to the baddies.
Real-world Examples: How bad bots put your website at risk
Left unchecked, bad bots can damage your business in both the short and long term. They can drain your resources and increase your vulnerability to hacking attempts. Bots may flood your contact forms and comment sections with spam, which clutters your site and damages your credibility.
One example of enabling bots to run wild on your site is the Dunkin Donuts attack in 2015. The Dunkin Donuts brute force attack happened when hackers began using a type of attack called “credential stuffing” to gain access to and steal money from customer accounts. This is when bots use compromised passwords obtained from previous breaches to log in to their accounts and steal their data and card details.
According to a lawsuit filed against Dunkin, the coffee shop’s parent company failed to address the attacks, despite warnings from developers to do so. While they never denied or accepted responsibility for the hacks, the company agreed to a $650,000 settlement.
This illustrates that the stakes can get very high, especially when you’re handling sensitive information. Blocking bad bots from your website protects your business, your customers and your reputation, by restricting access to your site and data.
Bots are a drain on your site’s resources
Even if bots don’t put you in direct financial harm, they will still consume your site’s resources.
An example of this is the case of Geeks2you, where bots were used to attempt to gain access to their servers. Monitoring software discovered over 8,000+ failed login attempts, and at least another 5,000 each hour after the attack was discovered.
While it was extremely hard for them to actually get into the server (thanks to the company’s excellent password policy), with at least two attempts to hack every second, the attack ate into resources and rapidly degraded the site’s responsiveness to legitimate visitors.
This demonstrates the harmful impact bots can have, even just for failed attempts to hack a site. Users can be robbed of a pleasant experience, sites can load slowly, images may not look right, and on-page features may fail. This can damage your reputation and cause you to lose valuable traffic.
Bottom line: At a minimum, bad bots hog your resources and drag down your site’s performance.
Your Solution: The AntiBot Detection Engine
When it comes to stopping bot traffic, you need to find a technological solution that can filter out the bad and leave you with the good. This is where Shield Security PRO comes in.
The AntiBot Detection Engine, or ADE, works to distinguish between good bots, bad bots, and human users based on the behaviour of each visitor on the site. It can also distinguish fake web crawlers from true web crawlers.
The way the technology does this is with “bot signals” it watches for when visitors interact with the site. (We’ll take a closer look at how the ADE does this in the next section.)
When a user crosses the threshold of acceptable suspicious activity, Shield Security PRO automatically blocks their IP address and stops them from being able to access your site.
Spotting bot behaviour: login attempts
One example of bad bot behaviour the ADE is designed to spot is excessive login attempts. Shield Security PRO can detect and capture login bots that can slow down your site and cause harm going forward. It does this by penalising visitors who use a valid username but the wrong password, as well as trying to log in without a username or with a username that doesn’t exist.
Legitimate users might get their username and password wrong once in a while, but their behaviour is still going to be easy to distinguish from bots, especially when you look at their actions across the site as a whole.
“Bots are just computer programs,” said Paul Goodchild, creator of Shield Security PRO, “They perform a limited number of tasks, such as login attempts, comment SPAM, and probing to trigger 404 errors.
“When you look at all these actions collectively,” Goodchild continued, “it looks nothing like normal human activity. The ADE acts as a ‘bot watcher’, looking at all requests collectively to sort the bots from the people.”
All-sides defence with Shield Security PRO
ADE and bad bot blocking are core features of Shield Security PRO, but they’re also just a couple of the plugin’s features designed to keep your site safe and secure. For example, the security plugin has a comprehensive dashboard that allows you to see the current state of your website at a glance.
Other functionalities that help Shield Security PRO protect your site include:
DoS protection with traffic rate limiting: This essentially limits the rate at which traffic can access a network or web service, stopping it from being overwhelmed. DoS attacks aim to overwhelm a system’s resources, ultimately slowing or shutting down the site.
Malware detection and vulnerability scanning: These are essential to your website’s safety, and identify and mitigate potential threats to your system. Our technology offers real-time protection and firewalls, scans for patterns or signs of existing malware, and identifies flaws and weak points in your defence.
Login protection for WooCommerce and other WordPress plugins: Shield Security PRO allows you to set up strong password requirements and two-factor authentication, keeping site access secure. You can also set customizable login attempt limits to further protect your site from malicious access attempts.
Cybersecurity is most effective when you tackle it from all sides. The Shield Security PRO plugin kicks bad bots and suspicious visitors off your site and helps you detect any threats that do manage to sneak through.
Banish bots from your site with Shield Security PRO
If you let bad bots have unlimited access to your site, you’re taking a serious risk. Bad bots can increase your chances of hacking and data loss, as well as hog server resources and slow your site down. Both of these can damage your reputation as well as your bottom line.
Site owners can take action and protect their websites with a bad-bot blocking plugin like Shield Security PRO. The ADE efficiently identifies bad bots and blocks their IP addresses so they can’t bring their nefarious plans to fruition.
If you’re curious about ShieldPRO and would like to explore the powerful features for protecting your WordPress sites, click here to get started today. (14-day satisfaction guarantee!)
You’ll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and so much more.
On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting (XSS) via Shortcode vulnerabilities in WordPress repository plugins. This type of vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using plugin shortcodes, which will execute whenever a victim accesses the injected page. We found over 100 vulnerabilities across 100 plugins which affect over 6 million sites. You can find the complete chart of affected plugins below.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected by the Wordfence firewall’s built-in Cross-Site Scripting protection against any exploits targeting this type of vulnerability.
Why are these vulnerabilities so common?
By a general definition, shortcodes are unique macro codes added by plugin developers to dynamically and automatically generate content. Developers can use shortcode attributes to optionally add settings, making the content even more dynamic and providing more options for users.
It is important to note that shortcodes are typically used in the post content on WordPress sites, and the post content input is sanitized before being saved to the database, which is a WordPress core functionality, so it is often sanitized in all cases.
Developers might assume that since WordPress core sanitizes post content, the attributes used in shortcodes are also sanitized and secure. However, the wp_kses_post() sanitization function only sanitizes complete HTML elements.
These vulnerabilities occur when the value provided in the shortcode attribute is output in dynamically generated content within the attributes of an HTML element. In such cases, the value specified in the shortcode contains only HTML element attributes, which are not sanitized during the save of a post. As mentioned earlier, the sanitize function only sanitizes complete HTML tags.
An example shortcode containing an HTML tag sanitized by the wp_kses_post() function:
[custom_link class=”<p onmouseover=’alert(/XSS/)’>Click Here!</p>”] In this case, wp_kses_post() checks and sanitizes the entire<p>tag and its attributes.
An example shortcode not sanitized by thewp_kses_post()function: [cutsom_link class="' onmouseover='alert(/XSS/)'"] As there is no HTML tag in this case, the wp_kses_post() function does not check or sanitize anything.
Note: The above explanation demonstrates the usage of cross-site scripting within HTML attributes as it is the most common scenario, but the same problem applies to JS variable values, which will be equally vulnerable if not properly escaped.
Even the WordPress security handbook says the following about escaping output:
“Most WordPress functions properly prepare the data for output, and additional escaping is not needed.”
After reading this, developers might reasonably assume that the shortcode attributes are sanitized and secure. However, as demonstrated in the above example, there are exceptions.
We recommend using one of the built-in WordPress escaping functions before outputting user data. WordPress has a number of functions that can be used for different situations. You can read more about these functions at:https://developer.wordpress.org/apis/security/escaping/
Technical Analysis #1
A general but fictional shortcode will be used to demonstrate a shortcode XSS vulnerability, focusing only on the most important details.
Let’s take an example where shortcode attributes are used as HTML attributes.
Let’s take a look at an example where the following shortcode is used in the post content: [custom_link class='my-custom-class']Link Text[/custom_link]
As a result, the following link will be displayed in the post:
1
<aclass="my-custom-class"href="#">Link Text</a>
In this case, the class attribute of the shortcode is used and outputted in the class attribute of the <a> HTML tag.
The Exploit
Now, let’s take a look at a threat actor that wants to inject malicious web scripts into a post using the plugin’s shortcode. To accomplish this, the attacker needs to leave the specified HTML attribute, which in the example is the “class” attribute and add an additional malicious HTML attribute after.
Here’s an exploit example: [custom_link class='" onmouseover="alert(/XSS/)']Link Text[/custom_link]
With the payload above, the following link will be displayed in the post:
The first double quotation mark provided in the shortcode’s “class” attribute closes the “class” HTML attribute within the <a> tag. After that the “onmouseover” HTML attribute containing a malicious script is added to the <a> tag. This means that whenever a user mouses over the rendered shortcode, a prompt with “XSS” would appear on the screen.
The Solution
To make the shortcode secure, escape functions must be used. This prevents user-defined input from leaving the original “class” HTML attribute as any quotes used to leave the HTML attribute will be escaped.
The “class” data is an attribute, so it is recommended to use the esc_attr() function there. The “href” data is a url, which is an attribute that has more specific requirements, so it is recommended to use the esc_url() function there.
The above two functions make the shortcode completely secure against Cross-Site Scripting.
If the attacker tries to add a malicious shortcode using the patched functionality, it will result in the following link, which no longer contains executable JavaScript:
The “color” data is a JS variable, so it is recommended to use the esc_js() function.
The following script will be displayed in the post if the attacker tries using the same malicious shortcode:
1
<script>let color=""; alert(/XSS/); let more="";</script>
Conclusion
In this blog post, we have detailed Stored Shortcode-Based XSS vulnerabilities within several WordPress repository plugins. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. As with all XSS vulnerabilities, a malicious payload could be used to perform actions as an administrator, including adding new malicious administrator users to the site and embedding backdoors in plugin and theme files, as well as redirecting users to malicious sites.
We encourage WordPress users to verify that their sites are updated to the latest patched version of each impacted plugin. For unpatched plugins that have been closed by the WordPress.org security team, we recommend that WordPress users delete the affected plugin and look for an alternative solution.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this type of vulnerability.
If you know someone who uses any of these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this type of vulnerability poses a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.
UniFi Network Application 8.0.7 adds support for Radio Manager, WireGuard VPN Client, and Site Overview, and improves the Port Manager section by adding an overview of all ports and the VLAN Viewer.
Radio Manager
The new Radios page provides an overview of the Access Point radios and their configuration, statistics, and performance.
Filter Devices – Show all APs or only specific devices.
Filter Bands – Use the filters to display only certain bands or MIMO, e.g. 5 GHz or 3×3.
Bulk Edit – Change the radio configuration on multiple APs at the same time.
Improved Port Manager
The new Ports page provides an overview of all ports across your devices.
Filter Ports – Use the filters to display only certain ports, e.g. only PoE or SFP ports.
Filter Devices – Show all ports or only ports on a specific device.
Insights – View and compare statistics between ports on the same device.
The VLAN port management has been redesigned to improve UX when managing VLANs.
Native VLAN / Network – Used for untagged traffic, i.e. not tagged with a VLAN ID. Previously this option was called ‘Primary Network’.
Tagged VLAN Management – Used for traffic tagged with a VLAN ID. Previously this option was called ‘Traffic Restriction’.
Allow All – Configured VLANs are automatically tagged (allowed) on the port.
Block All – All tagged VLANs are blocked (not allowed) on the port.
Custom – Specify which VLANs are tagged (allowed) on the port. Any VLAN that is not specified is blocked.
When adding a new VLAN, it is automatically tagged (allowed) on the port when using ‘Allow All’. If ‘Custom’ is used, the new VLAN needs to be manually added to the port.
VLAN Viewer
Provides an easy way to see Native and Tagged VLANs across your devices.
Native VLAN Assignment – This shows which VLAN ID is set as native.
VLAN Tagging – Shows which VLANs are tagged, blocked, or native.
Search for VLANs using the VLAN name, ID, or subnet.
WireGuard VPN Client
Allows you to connect your UniFi Gateway to a VPN service provider and send internet traffic from devices over the VPN. Uploading a file and manual configuration are both supported.
Site Overview
Provides an overview of all sites used on UniFi Network Applications managing multiple sites.
UniFi Devices – See how many devices are connected to each site.
Client Devices – See how many WiFi/wired clients and guests are connected to each site.
Insight – See which sites have offline devices and critical notifications.
Client Connections
The System Log now provides much more details on client connections such as the connection time and data usage.
Improvements
Improved Port Manager.
Added all ports overview.
Added VLAN Viewer.
Improved VLAN port management UX.
Added Site Overview.
Added ability to select which networks Suspicious Activity is enabled on.
Added sorting feature for IP Groups.
Added ability to allow opening predefined firewall rules.
Improved validation for Prefix ID in Virtual Network settings.
Improved empty MAC whitelist validation in Port Manager.
Improved validation for DHCP options.
Improved DHCP Server TFTP Server field validation.
Improved Traffic Rule IP Address validation.
Improved Firewall Rules UX.
Improved Security Settings UX.
Improved Global Network Settings UX.
Enabled auto upgrade for UXG-Pro after the adoption is completed.
Remove LTE Failover WAN from IPTV Options.
Show the local language in the Language dropdown.
Prevent provisioning more Layer 3 static routes than UniFi switches can support.
Routes that are over the limit at the time of upgrade will be marked as Paused.
This does not mean that total static route support on Layer 3 UniFi switches is decreased, instead, UX is improved to prevent configuration of routes that are not functional.
VPN
Added WireGuard VPN Client.
Added messaging to create traffic routes after creating VPN Clients. This applies to the VPN Client feature, not adding clients to VPN Servers.
Added validation in VPN Server settings when the port overlaps with a Port Forwarding rule.
Added IP/Hostname override option for OpenVPN and WireGuard VPN Servers.
This adds a custom hostname or IP address to the configuration file used by clients.
This option is useful if the UniFi Gateway is behind NAT or is using a dynamically assigned IP address.
Added validation for Local IP in IPsec Site-to-Site VPN settings.
Automatically remove Site-to-Site Auto IPsec configuration if the adopted gateway doesn’t support it.
Improved Site-to-Site VPN validations.
Improved configuration file generation time for OpenVPN Servers.
Increased OpenVPN and WireGuard VPN Client limit from 5 to 8. This applies to the VPN Client feature, not VPN users connecting to VPN Servers.
Remove the PPTP Server if the adopted gateway doesn’t support it.
Clients and Devices
Added PoE power cycle option to the device side panel.
Added confirmation message when configuring Network Overrides.
Improved UniFi Devices page performance on larger setups.
Improved System Logs for client connections.
Locked the first column for Devices/Clients pages when scrolling horizontally.
Client hostnames (if present) are now shown in the side panel overview.
Moved filters to the left side in the Device and Client pages.
WiFi
Added Radio Manager.
Added ability to enable Professional installer toggle for Consoles.
Improved adding clients to MAC Address Filters.
Improved actionable feedback when Outdoor Mode is enabled.
Removed Global AP Settings, you can now use Radio Manager for bulk editing.
Collapse RF Scan tab by default in the AP device panel.
Changed WiFi Experience to TX retries for APs in their device panel.
Enhanced voucher printing options.
Bugfixes
Fixed an issue where some UniFi devices were incorrectly shown on the Client Devices page or not shown at all.
As a result of this fix, unmanaged non-network UniFi devices (e.g. UniFi Protect camera) may appear again as offline devices.
These offline devices will be removed automatically based on the Data Retention settings.
Automatic removal is an automated, periodic process that will run for several minutes after updating. Manual removal is also possible.
Fixed an issue where blocked clients couldn’t connect if they were removed until the next AP provision.
Fixed incorrect channel width for BeaconHD/U6-Extender.
Fixed an issue where Virtual Network usable hosts were incorrectly calculated.
Fixed missing ISP names in internet-related notifications.
Fixed rare gateway adoption issues via Layer 3.
Fixed an issue where WiFiman speed test results were not shown.
Fixed issue where WAN configuration is not populated when moving a gateway device to a new site.
Fixed an issue where CGNAT IP addresses were incorrectly marked as public IPs for Site Magic.
Fixed invalid connected client count for In-Wall APs.
Fixed unmanaged Network devices not shown on Client and Device pages in rare cases.
Fixed an issue where the Console would appear offline in rare cases.
Fixed sorting when there are multiple pages.
Fixed an issue where Voice VLAN settings are not effective when all VLANs are auto-allowed on switch ports.
Fixed an issue where Lock to AP is not disabled when removing an AP.
Fixed an issue where RADIUS profiles couldn’t be disabled when using a WireGuard VPN Server.
Fixed rare gateway configuration error.
Additional information
Create a backup before upgrading your UniFi Network Application in the event any issues are encountered.
See the UniFi Network Server Help Center article for more information on self-hosting a server.
UniFi Network Application 7.5 and newer requires MongoDB 3.6 (up to 4.4) and Java 17.
UniFi Network Native Application for UniFi OS
A specific application version that is only compatible with the UDM and UDR (running UniFi OS 3.1.6 or newer).
The UniFi OS update uses the application version that is required for your console.
The manual update process via SSH requires you to use the compatible package. Incompatible packages will be rejected on installation.
Older UniFi OS versions (before UniFi OS 3.1.6) on the UDM and UDR still use regular UniFi Network Application for UniFi OS.
Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! The researcher who reported this vulnerability was awarded $2,751.00! Register as a researcher and submit your vulnerabilities today! 🎁
On November 8th, 2023, Wordfence launched a Bug Bounty Program to help support our mission in securing the web. In only a month’s time, we have had over 270 vulnerability researchers register and submit almost 130 vulnerabilities!
On December 5th, 2023, shortly after the launch of our Holiday Bug Extravaganza, we received a submission for a PHP Code Injection vulnerability in Backup Migration, a WordPress plugin with over 90,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use this plugin.
We quickly released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on December 6, 2023. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 5, 2024.
We contacted the BackupBliss team, makers of the Backup Migration plugin, on the same day we released our firewall rule. After providing full disclosure details, the team released a patch just hours later. Kudos to the BackupBliss team for an incredibly swift response and patch.
We urge users to update their sites with the latest patched version of Backup Migration, which is version 1.3.8 at the time of this writing, immediately.
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.
Technical Analysis
Line 118 within the /includes/backup-heart.php file used by the Backup Migration plugin attempts to include bypasser.php from the BMI_INCLUDES directory. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64. However, note that BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62.
This means that BMI_ROOT_DIR is user-controllable. By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.
Disclosure Timeline
December 5, 2023 – We receive the submission of the PHP Code Injection vulnerability in Backup Migration via the Wordfence Bug Bounty Program. December 6, 2023 – We validate the report and confirm the proof-of-concept exploit. December 6, 2023 – We initiate contact with the plugin developer and send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. A fully patched version of the plugin, 1.3.8, is released.
Conclusion
In this blog post, we detailed a critical PHP Code Injection vulnerability within the Backup Migration plugin affecting versions 1.3.7 and earlier. This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise. The vulnerability has been fully addressed in version 1.3.8 of the plugin.
We urge WordPress users to verify that their sites are updated to the latest patched version of Backup Migration.
Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of December 6, 2023. Users still using the free version of Wordfence will receive the same protection on January 5, 2024.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
Dirk Schrader Published: November 14, 2023 Updated: November 24, 2023
In the wake of escalating cyber-attacks and data breaches, the ubiquitous advice of “don’t share your password” is no longer enough. Passwords remain the primary keys to our most important digital assets, so following password security best practices is more critical than ever. Whether you’re securing email, networks, or individual user accounts, following password best practices can help protect your sensitive information from cyber threats.
Read this guide to explore password best practices that should be implemented in every organization — and learn how to protect vulnerable information while adhering to better security strategies.
The Secrets of Strong Passwords
A strong password is your first line of defense when it comes to protecting your accounts and networks. Implement these standard password creation best practices when thinking about a new password:
Complexity: Ensure your passwords contain a mix of uppercase and lowercase letters, numbers, and special characters. It should be noted that composition rules, such as lowercase, symbols, etc. are no longer recommended by NIST — so use at your own discretion.
Length: Longer passwords are generally stronger — and usually, length trumps complexity. Aim for at least 6-8 characters.
Unpredictability: Avoid using common phrases or patterns. Avoid using easily guessable information like birthdays or names. Instead, create unique strings that are difficult for hackers to guess.
Combining these factors makes passwords harder to guess. For instance, if a password is 8 characters long and includes uppercase letters, lowercase letters, numbers and special characters, the total possible combinations would be (26 + 26 + 10 + 30)^8. This astronomical number of possibilities makes it exceedingly difficult for an attacker to guess the password.
Of course, given NIST’s updated guidance on passwords, the best approach to effective password security is using a password manager — this solution will not only help create and store your passwords, but it will automatically reject common, easy-to-guess passwords (those included in password dumps). Password managers greatly increase security against the following attack types.
Password-Guessing Attacks
Understanding the techniques that adversaries use to guess user passwords is essential for password security. Here are some of the key attacks to know about:
Brute-Force Attack
In a brute-force attack, an attacker systematically tries every possible combination of characters until the correct password is found. This method is time-consuming but can be effective if the password is weak.
Strong passwords help thwart brute force attacks because they increase the number of possible combinations an attacker must try, making it unlikely they can guess the password within a reasonable timeframe.
Dictionary Attack
A dictionary attack is a type of brute-force attack in which an adversary uses a list of common words, phrases and commonly used passwords to try to gain access.
Unique passwords are essential to thwarting dictionary attacks because attackers rely on common words and phrases. Using a password that isn’t a dictionary word or a known pattern significantly reduces the likelihood of being guessed. For example, the string “Xc78dW34aa12!” is not in the dictionary or on the list of commonly used passwords, making it much more secure than something generic like “password.”
Dictionary Attack with Character Variations
In some dictionary attacks, adversaries also use standard words but also try common character substitutions, such as replacing ‘a’ with ‘@’ or ‘e’ with ‘3’. For example, in addition to trying to log on using the word “password”, they might also try the variant “p@ssw0rd”.
Choosing complex and unpredictable passwords is necessary to thwart these attacks. By using unique combinations and avoiding easily guessable patterns, you make it challenging for attackers to guess your password.
How Password Managers Enhance Security
Password managers are indispensable for securely storing and organizing your passwords. These tools offer several key benefits:
Security: Password managers store passwords and enter them for you, eliminating the need for users to remember them all. All users need to remember is the master password for their password manager tool. Therefore, users can use long, complex passwords as recommended by best practices without worrying about forgetting their passwords or resorting to insecure practices like writing passwords down or reusing the same password for multiple sites or applications.
Password generation: Password managers can generate a strong and unique password for user accounts, eliminating the need for individuals to come up with them.
Encryption: Password managers encrypt password vaults, ensuring the safety of data — even if it is compromised.
Convenience: Password managers enable users to easily access passwords across multiple devices.
When selecting a password manager, it’s important to consider your organization’s specific needs, such as support for the platforms you use, price, ease of use and vendor breach history. Conduct research and read reviews to identify the one that best aligns with your organization’s requirements. Some noteworthy options include Netwrix Password Secure, LastPass, Dashlane, 1Password and Bitwarden.
How Multifactor Authentication (MFA) Adds an Extra Layer of Security
Multifactor authentication strengthens security by requiring two or more forms of verification before granting access. Specifically, you need to provide at least two of the following authentication factors:
Something you know: The classic example is your password.
Something you have: Usually this is a physical device like a smartphone or security token.
Something you are: This is biometric data like a fingerprint or facial recognition.
MFA renders a stolen password worthless, so implement it wherever possible.
Password Expiration Management
Password expiration policies play a crucial role in maintaining strong password security. Using a password manager that creates strong passwords also has an influence on password expiration. If you do not use a password manager yet, implement a strategy to check all passwords within your organization; with a rise in data breaches, password lists (like the known rockyou.txt and its variations) used in brute-force attacks are constantly growing. The website haveibeenpawned.com offers a service to check whether a certain password has been exposed. Here’s what users should know about password security best practices related to password expiration:
Follow policy guidelines: Adhere to your organization’s password expiration policy. This includes changing your password when prompted and selecting a new, strong password that meets the policy’s requirements.
Set reminders: If your organization doesn’t enforce password expiration via notifications, set your own reminders to change your password when it’s due. Regularly check your email or system notifications for prompts.
Avoid obvious patterns: When changing your password, refrain from using variations of the previous one or predictable patterns like “Password1,” “Password2” and so on.
Report suspicious activity: If you notice any suspicious account activity or unauthorized password change requests, report them immediately to your organization’s IT support service or helpdesk.
Be cautious with password reset emails: Best practice for good password security means being aware of scams. If you receive an unexpected email prompting you to reset your password, verify its authenticity. Phishing emails often impersonate legitimate organizations to steal your login credentials.
Password Security and Compliance
Compliance standards require password security and password management best practices as a means to safeguard data, maintain privacy and prevent unauthorized access. Here are a few of the laws that require password security:
HIPAA (Health Insurance Portability and Accountability Act): HIPAA mandates that healthcare organizations implement safeguards to protect electronic protected health information (ePHI), which includes secure password practices.
PCI DSS (Payment Card Industry Data Security Standard): PCI DSS requires organizations that handle payment card data on their website to implement strong access controls, including password security, to protect cardholder data.
GDPR (General Data Protection Regulation): GDPR requires organizations that store or process the data of EU residents to implement appropriate security measures to protect personal data. Password security is a fundamental aspect of data protection under GDPR.
FERPA (Family Educational Rights and Privacy Act): FERPA governs the privacy of student education records. It includes requirements for securing access to these records, which involves password security.
Organizations subject to these compliance standards need to implement robust password policies and password security best practices. Failure to do so can result in steep fines and other penalties.
There are also voluntary frameworks that help organizations establish strong password policies. Two of the most well known are the following:
NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST) provides guidelines and recommendations, including password best practices, to enhance cybersecurity.
ISO 27001: ISO 27001 is an international standard for information security management systems (ISMSs). It includes requirements related to password management as part of its broader security framework.
Password Best Practices in Action
Now, let’s put these password security best practices into action with an example:
Suppose your name is John Doe and your birthday is December 10, 1985. Instead of using “JohnDoe121085” as your password (which is easily guessable), follow these good password practices:
Create a long, unique (and unguessable) password, such as: “M3an85DJ121!”
If you are looking to strengthen your security, follow these password best practices:
Remove hints or knowledge-based authentication: NIST recommends not using knowledge-based authentication (KBA), such as questions like “What town were you born in?” but instead, using something more secure, like two-factor authentication.
Encrypt passwords: Protect passwords with encryption both when they are stored and when they are transmitted over networks. This makes them useless to any hacker who manages to steal them.
Avoid clear text and reversible forms: Users and applications should never store passwords in clear text or any form that could easily be transformed into clear text. Ensure your password management routine does not use clear text (like in an XLS file).
Choose unique passwords for different accounts: Don’t use the same, or even variations, of the same passwords for different accounts. Try to come up with unique passwords for different accounts.
Use a password management: This can help select new passwords that meet security requirements, send reminders of upcoming password expiration, and help update passwords through a user-friendly interface.
Enforce strong password policies: Implement and enforce strong password policies that include minimum length and complexity requirements, along with a password history rule to prevent the reuse of previous passwords.
Update passwords when needed: You should be checking and – if the results indicate so – updating your passwords to minimize the risk of unauthorized access, especially after data breaches.
Monitor for suspicious activity: Continuously monitor your accounts for suspicious activity, including multiple failed login attempts, and implement account lockouts and alerts to mitigate threats.
Educate users: Conduct or partake in regular security awareness training to learn about password best practices, phishing threats, and the importance of maintaining strong, unique passwords for each account.
Implement password expiration policies: Enforce password expiration policies that require password changes at defined circumstances to enhance security.
How Netwrix Can Help
Adhering to password best practices is vital to safeguarding sensitive information and preventing unauthorized access.
Netwrix Password Secure provides advanced capabilities for monitoring password policies, detecting and responding to suspicious activity and ensuring compliance with industry regulations. With features such as real-time alerts, comprehensive reporting and a user-friendly interface, it empowers organizations to proactively identify and address password-related risks, enforce strong password policies, and maintain strong security across their IT environment.
Conclusion
In a world where cyber threats are constantly evolving, adhering to password management best practices is essential to safeguard your digital presence. First and foremost, create a strong and unique password for each system or application — remember that using a password manager makes it much easier to adhere to this critical best practice. In addition, implement multifactor authentication whenever possible to thwart any attacker who manages to steal your password. By following the guidelines, you can enjoy a safer online experience and protect your valuable digital assets.
Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.
WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site.
We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present.
Technical Analysis
We’ve written about Object Injection vulnerabilities in the past, and the primary reason most Object Injection vulnerabilities are difficult to exploit is the lack of useful POP chains.
The problem here resides in the WP_HTML_Token class, which was introduced in WordPress 6.4 and is used to improve HTML parsing in the block editor. It includes a __destruct magic method that is automatically executed after PHP has processed the request. This __destruct method uses call_user_func to execute the function passed in through the on_destroy property, accepting the bookmark_name property as an argument:
Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.
While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.
The patch is very simple:
123
publicfunction__wakeup() {thrownew\LogicException( __CLASS__. ' should never be unserialized');}
The newly added __wakeup method ensures that any serialized object with the WP_HTML_Token class throws an error as soon as it is unserialized, preventing the __destruct function from executing.
In today’s PSA, we analyzed a patch for a potentially critical issue in WordPress 6.4-6.4.1 that could allow attackers to take advantage of any Object Injection vulnerability present in any plugin to execute code. While most sites should automatically update to WordPress 6.4.2, we strongly recommend manually checking your site to ensure that it is updated.
We recommend sharing this advisory with everyone you know who uses WordPress, as this is a potentially critical issue that could lead to complete site takeover.
Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.
