This Month in Cybersecurity - January Edition

WordPress Plugin Containing Vulnerabilities Found in over 300,000 Websites

According to security researchers, two flaws were found in December in the POST SMTP Mailer plugin for WordPress. The flaws affect over 300,000 websites and were discovered within a few weeks of each other. One allowed a threat actor to hijack the password reset function through the plugin's authentication API; the other allowed a threat actor to inject malicious code into the site's web pages.

The researchers reported their findings, together with proof-of-concept code demonstrating how the flaws could be exploited, and to everyone's benefit the plugin's developers worked over the holiday break and released version 2.8.8 of POST SMTP Mailer, which addresses both flaws. The researchers note that only 53% of installations are currently running the patched version, leaving the remainder vulnerable.

Incidents like this show why it is imperative both to keep your software and its plugins up to date and to audit your third-party risk management practices and plans. If you need any help with this, please feel free to reach out to Cyber Defense!
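The "53% on the patched version" figure is the kind of number you can only produce if you actually inventory plugin versions. The script below is an added example, not code from the newsletter or from the plugin's authors: it reads the CSV that `wp plugin list --format=csv` prints and flags any plugin still below a known fixed version. The 2.8.8 threshold comes from the article; the plugin slug "post-smtp" and the sample inventory are assumptions constructed for the example.

```python
"""Flag installed WordPress plugins that are still below a fixed version.

Added example, not the newsletter's or the plugin authors' code. It assumes the
inventory is the CSV printed by `wp plugin list --format=csv` (columns name,
status, update, version); the sample inventory below is constructed.
"""
import csv
import io
import re

# Minimum fixed versions. The 2.8.8 figure is from the article; the slug
# "post-smtp" is an assumption used for matching against the inventory.
FIXED_VERSIONS = {
    "post-smtp": "2.8.8",
}

# Constructed sample, in the shape `wp plugin list --format=csv` prints.
SAMPLE_INVENTORY = """name,status,update,version
akismet,active,none,5.3
post-smtp,active,available,2.8.7
hello,inactive,none,1.7.2
"""


def parse_version(version):
    """Turn '2.8.10' into (2, 8, 10) so comparison is numeric.

    A plain string comparison would rank '2.8.10' below '2.8.8' and report a
    patched install as vulnerable (or, worse, the other way round).
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed):
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def audit(inventory_csv, fixed_versions=FIXED_VERSIONS):
    """Return (name, installed, fixed) for each plugin below its fixed version."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = fixed_versions.get(row["name"])
        if fixed and is_vulnerable(row["version"], fixed):
            findings.append((row["name"], row["version"], fixed))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in audit(SAMPLE_INVENTORY):
        print(f"{name}: installed {installed}, fixed in {fixed} -> update required")
```

Feed it real output with `wp plugin list --format=csv | python3 audit.py` after swapping the sample for `sys.stdin.read()`; the numeric version comparison is the part worth keeping, since lexicographic checks silently misreport multi-digit patch levels.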


Critical Password Reset Vulnerability at GitLab Patched

GitLab has resolved a critical authentication vulnerability that allowed threat actors to hijack password reset emails. It affected every GitLab account that could log in with a username and password. Accounts protected by two-factor authentication (2FA) could still have their password reset, but could not be fully taken over, because the vulnerability gave no access to the second factor.

The vulnerability centred on an option that let users reset their password through a secondary email address. Because of the flaw, that secondary address did not have to be verified, so a threat actor could supply an address not associated with the account and receive the reset email there. GitLab has patched the instances it hosts itself, but still recommends that everyone running their own instance update to the latest version, and that 2FA be enabled on all accounts.
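To make the failure mode concrete, here is an added example that models the flaw class described above beside a hardened version; it is not GitLab's code. The Account model, the in-memory outbox, the `deliver` hook and every address in it are constructed for illustration. The weak flow trusts a caller-supplied secondary address once the primary address identifies the account; the hardened flow only ever mails a reset token to an address the account holder has already verified, and the login check shows why a reset alone did not defeat 2FA.

```python
"""Model of the password-reset weakness described above, beside a hardened check.

Added example: this is not GitLab's code. The Account model, the in-memory
outbox and all addresses below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    primary_email: str
    # Addresses whose ownership the account holder has proven (e.g. by link click).
    verified_emails: set = field(default_factory=set)
    totp_enabled: bool = False


# Constructed outbox standing in for real mail delivery: (recipient, token) pairs.
SENT = []


def deliver(recipient, token):
    SENT.append((recipient, token))


def issue_reset_vulnerable(account, primary_email, secondary_email):
    """Weak flow: the primary address identifies the account, but the secondary
    address is never checked against the account's verified addresses, so an
    attacker-chosen address receives a copy of the reset token."""
    if primary_email != account.primary_email:
        return None
    token = secrets.token_urlsafe(32)
    deliver(primary_email, token)
    deliver(secondary_email, token)   # unverified, caller-controlled address
    return token


def issue_reset_hardened(account, reset_email):
    """Hardened flow: the token only goes to an address the account holder has
    already verified. An unknown address gets the same silent outcome as a valid
    one, so the endpoint does not reveal which addresses exist."""
    if reset_email not in account.verified_emails:
        return None
    token = secrets.token_urlsafe(32)
    deliver(reset_email, token)
    return token


def complete_login(account, password_ok, totp_ok):
    """A reset password alone is not enough: the second factor is still checked,
    which is why 2FA-protected accounts could not be fully taken over."""
    return password_ok and (not account.totp_enabled or totp_ok)


if __name__ == "__main__":
    victim = Account("alice", "alice@example.com", {"alice@example.com"}, totp_enabled=True)
    issue_reset_vulnerable(victim, "alice@example.com", "attacker@evil.example")
    print("vulnerable flow delivered to:", [r for r, _ in SENT])
    SENT.clear()
    issue_reset_hardened(victim, "attacker@evil.example")
    print("hardened flow delivered to:", [r for r, _ in SENT])
```

The design point is that the set of addresses a reset token may be sent to must be derived from server-side verified state, never from the request; the request may at most select one of those addresses.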


Windows SmartScreen Bypass Exploited In Attacks

Trend Micro has released a report showing that a recent vulnerability in Windows SmartScreen is being actively exploited. Threat actors use phishing to lure unsuspecting users into clicking a URL that does not trigger the Windows Defender SmartScreen checks, allowing malicious code to be delivered.

According to Microsoft, the security defect has been patched, but Trend Micro reports that it is still being used in a malicious campaign to deliver a malware strain that harvests information to be used against the affected company. The malware steals data from web browsers and various messaging applications, takes screenshots, and gathers system information for the threat actors to exploit.

Vulnerabilities like these show why, despite the systems in place to protect us from phishing, nothing replaces knowledge and good practice when handling sensitive information and outside sources. If you have any questions, or would like to look into training your employees against situations like these, please reach out!


Defensible Strategies

Learn from those who have been attacked

Operation Triangulation Deemed Most Sophisticated iPhone Hack

A hidden hardware function in iPhones was at the centre of what Kaspersky's security researchers are calling the most sophisticated attack on Apple devices they have seen. The vulnerability was used to spy on an undisclosed key political figure, and although the unknown threat actor used the exploit for roughly four years, they never attempted mass deployment.

Like the Pegasus attacks that plagued iPhone users a few years ago, the exploit relied on iMessage to backdoor the iPhone, but it also chained three further vulnerabilities, one of which was the hidden hardware function, which resembles a developer debugging facility. The researchers could not determine how the threat actor found it, as the hardware function does not appear to be documented anywhere and may have been left in the phone by accident.

Apple has since patched the vulnerabilities that made Operation Triangulation possible, so most people need not worry, but researchers point to cases like this as a reminder that, despite Apple's reputation for security, threat actors will never stop trying to get into personal devices to exploit the information on them.


SonicWall Firewalls Found to be Vulnerable to Potential Attacks

Security researchers have found over 178,000 SonicWall next-generation firewalls with their management interface exposed to the internet. Those exposed devices are potentially affected by two security flaws, CVE-2022-22274 and CVE-2023-0656, which lie in the same code path and are reached by the same exploitation technique, just at different points along that path.

Both flaws can be used for remote code execution (RCE), letting a threat actor run malware on the device over either a public or a private network. Even where the attacker cannot gain full control, they can force the firewall into maintenance mode, causing a denial of service.

SonicWall's Product Security Incident Response Team states that it is not aware of any active exploitation, but urges customers to update to the latest firmware versions as soon as possible.