As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues.
The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the

As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues.

The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the Georgia Institute of Technology.

"Attackers impersonated benign plugin authors and spread malware by distributing pirated plugins," the researchers said in a new paper titled "**Mistrust Plugins You Must**."

"The number of malicious plugins on websites has steadily increased over the years, and malicious activity peaked in March 2020. Shockingly, 94% of the malicious plugins installed over those 8 years are still active today."

The large-scale research entailed analyzing WordPress plugins installed in 410,122 unique web servers dating all the way back to 2012, finding that plugins that cost a total of $834,000 were infected post-deployment by threat actors.

YODA can be integrated directly into a website and a web server hosting provider, or deployed by a plugin marketplace. In addition to detecting hidden and malware-rigged add-ons, the framework can also be used to identify a plugin's provenance and its ownership.

It achieves this by performing an analysis of the server-side code files and the associated metadata (e.g., comments) to detect the plugins, followed by carrying out a syntactic and semantic analysis to flag malicious behavior.

The semantic model accounts for a wide range of red flags, including web shell, function to insert new posts, password-protected execution of injected code, spam, code obfuscation, blackout SEO, malware downloader, malvertising, and cryptocurrency miners.

Some of the noteworthy findings are as follows -

*   3,452 plugins available in legitimate plugin marketplaces facilitated spam injection
*   40,533 plugins were infected post-deployment across 18,034 websites
*   Nulled plugins — WordPress plugins or themes that have been tampered to download malicious code on the servers — accounted for 8,525 of the total malicious add-ons, with roughly 75% of the pirated plugins cheating developers out of $228,000 in revenues

"Using YODA, website owners and hosting providers can identify malicious plugins on the web server; plugin developers and marketplaces can vet their plugins before distribution," the researchers pointed out.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

A rapidly evolving IoT malware dubbed “EnemyBot” is targeting content management systems (CMS), web servers and Android devices. Threat actor group “Keksec” is believed behind the distribution of the malware, according to researchers.

“Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,” reported AT&T Alien labs in a recent post. “The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” they added.

 According to AT&T’s analysis of the malware‘s code base, EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices, this threat group was formed back in 2016 and includes several botnet actors.

****EnemyBot Working****

The Alien lab research team study found four main sections of the malware.

The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.

The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.

The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.

The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

AT&T researcher’s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an “adb\_infect” function that is used to attack Android devices.

ADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.

“In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,” said the researcher.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,” the researchers added.

This Linux-based botnet EnemyBot was first discovered by Securonix in March 2022, and later in-depth analysis was done by Fortinet.

****Vulnerabilities Currently Exploited by EnemyBot****

The AT&T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.

The list includes Log4shell vulnerability (CVE-2021-44228, CVE-2021-45046), F5 BIG IP devices (CVE-2022-1388), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.

*   Log4shell vulnerability – CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices – CVE-2022-1388
*   Spring Cloud Gateway – CVE-2022-22947
*   TOTOLink A3000RU wireless router – CVE-2022-25075
*   Kramer VIAWare – CVE-2021-35064

“This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” the researcher explained.

****Recommended Actions** **

The Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices’ exposure to the internet.

Another action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

EnemyBot Malware Targets Web Servers, CMS Tools and Android OS

Validation check loopholes exposed

Malicious actors can take unauthorized ownership of online accounts even before their victims sign up for services, according to new research backed by the Microsoft Security Response Center (MSRC).

Dubbed ‘account pre-hijacking’, the class of attack involves an attacker setting an account takeover exploit in motion before the victim has even registered with an online service. After the victim signs up, the attacker takes advantage of security holes in the service’s authentication mechanisms to access or take ownership of the newly-created account.

The study (PDF) found dozens of high-traffic services to be vulnerable to at least one type of pre-hijacking attack. The research sheds light on the security issues surrounding account creation, a seldom scrutinised issue.

**More than one way to pre-hijack an account**

The research was supported by one of the Identity Project Research Grants awarded by the MSRC in early 2020.

“In this project, we explored several topics, but soon noticed a pattern emerging around the ‘pre-hijacking’ threat model,” Andrew Paverd, a senior researcher at MSRC, and independent researcher Avinash Sudhodanan told The Daily Swig.

Account pre-hijacking assumes that the victim doesn’t yet have an account on the target service and the attacker knows the email and other basic details of the victim. The researchers discovered five types of pre-hijacking attack scenarios.

Some take advantage of multiple account creation modes supported by many online services. On many websites, users can directly provide an email address and password to create their account or use federated authentication by using a consumer-focused single sign-on (SSO) service, as provided by the likes of Facebook, Google, and Microsoft.

DON’T FORGET TO READ Security ‘researcher’ hits back against claims of malicious CTX file uploads

For example, in one type of attack, the attacker creates an account with the victim’s email address. The victim then creates an account using the federated approach. In some services, this merges the attacker’s and victim’s accounts, giving them both simultaneous access to the same account.

In another type of attack, the attacker creates an account with the victim’s email and associates their own federated identity to the same account. When the victim tries to create their account, they will be prompted to reset their password. The victim will obtain access to the account, but the attacker will also be able to access the account through the SSO identity.

The researchers said: “It’s very positive to see how many online services are moving towards single sign-on \[but\] this means that they might have to support multiple login mechanisms. This in itself is not necessarily an issue, and many services do this securely.

“Our research simply points out some subtle pitfalls to be aware of when supporting multiple login mechanisms,” the researchers added.

**Switch hitter**

Paverd and Sudhodanan pointed out that three of the attacks they found do not require the service to support multiple login mechanisms.

For example, in one scheme, the attacker’s session might remain active even after the victim recovers their account and resets the password.

Catch up on the latest authentication news and analysis

In yet another scenario, the attacker creates an account with the victim’s email and initiates an email change request to the attacker’s own email address. The attacker then waits for the victim to claim the account before completing the email change request and taking ownership of the account.

**Top services affected**

In their study, the researchers examined 75 services that ranked among Alexa’s list of top-150 high-traffic domains. At least 35 were affected by one or more account pre-hijacking attacks, including Dropbox, Instagram, LinkedIn, WordPress.com, and Zoom. Fortunately, all the affected services were notified of the vulnerabilities and have implemented the necessary fixes.

“We think that a lack of awareness may have been the main cause of these potential vulnerabilities. We are therefore publishing this research to raise awareness and help organizations mitigate these vulnerabilities,” Paverd and Sudhodanan said.

The most important takeaway, the researchers concluded, is “to verify that the user actually owns any user-supplied identifiers (e.g., email address or phone number) before using them to create a new account or adding them to an existing account”. This would mitigate all types of pre-hijacking attacks identified to date.

The researchers’ paper also describes several other possible defense-in-depth strategies.

They recommended that users enable multi-factor authentication (MFA) whenever possible because it stops most pre-hijacking attacks they uncovered.

Another sign of account pre-hijacking is receiving an email about an account that you did not create, which users usually ignore. “Report this to the relevant website,” the researchers said.

YOU MAY ALSO LIKE Tails users warned not to launch bundled Tor browser until security hole is fixed

Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds

WordPress User Meta Lite and Pro plugin versions 2.4.3 and below suffer from a path traversal vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        User Meta  
Vendor URL:     https://wordpress.org/plugins/user-meta  
Type:           Relative Path Traversal [CWE-23]  
Date found:     2022-02-28  
Date published: 2022-05-24  
CVSSv3 Score:   4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)  
CVE:            CVE-2022-0779

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
User Meta Lite 2.4.3 and below  
User Meta Pro 2.4.3 and below

4. INTRODUCTION  
===============  
An easy-to-use user profile and management plugin for WordPress that allows  
user login, reset-password, profile update and user registration with extra  
fields, all on front-end and many more. User Meta Pro is a versatile user  
profile builder and user management plugin for WordPress that has the most  
features on the market. User Meta aims to be your only go to plugin for  
user management.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress ajax action "um_show_uploaded_file" is vulnerable to an  
authenticated path traversal when user-supplied input to the HTTP POST  
parameter "filepath" is processed by the web application. Since the application  
does not properly validate and sanitize this parameter, it is possible to  
enumerate local server files using a blind approach. This is because the  
application doesn't return the contents of the referenced file but instead  
returns different form elements based on whether a file exists or not.

The following Proof-of-Concept triggers this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 147  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Cookie: [your-wordpress-auth-cookies]  
Connection: close

field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true

6. RISK  
=======  
The vulnerability can be used by an authenticated attacker to enumerate  
local server files based on a blind approach.

7. SOLUTION  
===========  
Update to User Meta/User Meta Pro 2.4.4

8. REPORT TIMELINE  
==================  
2022-02-28: Discovery of the vulnerability  
2022-02-28: WPScan (CNA) assigns CVE-2022-0779  
2022-03-03: Contacted the vendor via their contact form  
2022-03-06: Vendor response, acknowledgement of the issue  
2022-03-18: Version 2.4.2 is released  
2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again.  
2022-04-13: No response, contacted vendor again  
2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.  
2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again.  
2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine  
2022-05-16: Fix seems to work  
2022-05-24: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress User Meta Lite / Pro 2.4.3 Path Traversal

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

A nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -

*   A Python module to download dependencies and compile the malware for different OS architectures
*   The core botnet section
*   An obfuscation segment designed to encode and decode the malware's strings, and
*   A command-and-control functionality to receive attack commands and fetch additional payloads

Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.

"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing \[a\] shell command," the researchers said, pointing to a new "adb\_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.

Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.

Other weaponized security shortcomings are below -

*   **CVE-2022-22947** (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
*   **CVE-2021-4039** (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel
*   **CVE-2022-25075** (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
*   **CVE-2021-36356** (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware
*   **CVE-2021-35064** (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare
*   **CVE-2020-7961** (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal

What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.

"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

CVE-2022-0376

The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.

CVE-2022-0642

The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file

CVE-2022-1009

The BannerMan WordPress plugin through 0.2.4 does not sanitize or escape its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks when the unfiltered_html is disallowed (such as in multisite)

CVE-2022-1275

The IMDB info box WordPress plugin through 2.0 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Tag

#wordpress