Tag Archive for JavaScript

Is Yuzo on Your WordPress site?

I am still busy unpacking and rearranging the furniture at the new home of Bach Seat. One of the nicer things about my new host is that I can now get WordPress alerts, and I have been getting a ton of alerts from the firewall that it blocked “yuzo-related” attack attempts. So I decided to see WTF “yuzo-related” attack attempts were about and found an excellent explanation on the WordFence site.

60,000 WordPress websites

Dan Moen at WordFence explains that the Yuzo Related Posts (YRP) plugin for WordPress has an unpatched vulnerability that was publicly disclosed by a security researcher on March 30, 2019. The flaw, which allows stored cross-site scripting (XSS), is now being exploited in the wild. The buggy plugin is installed on over 60,000 websites and has been removed from the WordPress.org plugin directory.

WordFence recommends that all users remove the plugin from their sites immediately.

The blog’s author writes that the vulnerability in YRP stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below is the crux of the problem. There is more in-depth coding tech-talk at WordFence.

}elseif( is_admin() ){ // only admin

He says developers often mistakenly use is_admin() to check whether a piece of code that requires administrative privileges should run, but as the WordPress documentation points out, that is not what the function does: it only reports whether an admin-area page is being served, not whether the current user is an administrator.
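The is_admin() mistake above, shown beside a correctly guarded settings handler, as an added illustration that is not the Yuzo plugin's code; the example_* option, hook and field names are hypothetical, and the WordPress functions used are the standard core ones:

```php
<?php
// Added example (not the Yuzo plugin's code). Option, hook and field names
// prefixed "example_" are hypothetical.

// VULNERABLE PATTERN. is_admin() only reports that an admin-area URL
// (/wp-admin/, including admin-ajax.php and admin-post.php) is being served;
// it is true for unauthenticated requests too, so it is not an authorization check.
function example_save_heading_insecure() {
    if ( is_admin() && isset( $_POST['example_heading'] ) ) {
        // Anyone who can reach the admin-area URL can write this option, and
        // the value is stored unsanitized: a stored XSS sink if echoed later.
        update_option( 'example_heading', wp_unslash( $_POST['example_heading'] ) );
    }
}

// HARDENED PATTERN: capability check, nonce check and input sanitization on
// the way in; escaping on the way out.
function example_save_heading_secure() {
    // 1. Authorization: only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }
    // 2. CSRF protection: the submitted form must carry a valid nonce.
    check_admin_referer( 'example_save_heading', 'example_nonce' );
    // 3. Sanitize before storing (strips tags, line breaks and invalid octets).
    $heading = sanitize_text_field( wp_unslash( $_POST['example_heading'] ?? '' ) );
    update_option( 'example_heading', $heading );
}
// admin_post_{action} fires only for logged-in users, but the capability check
// above is still required because every logged-in role (e.g. subscriber) reaches it.
add_action( 'admin_post_example_save_heading', 'example_save_heading_secure' );

// Settings form: the nonce field pairs with check_admin_referer() above.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_heading">';
    wp_nonce_field( 'example_save_heading', 'example_nonce' );
    echo '<input type="text" name="example_heading" value="' . esc_attr( get_option( 'example_heading', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Output side: escape the stored value where it enters HTML, so even a value
// written through the insecure path above cannot execute as script.
function example_render_heading() {
    echo '<h2>' . esc_html( get_option( 'example_heading', '' ) ) . '</h2>';
}
```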

Injects malicious JavaScript

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.

As evidenced by the number of probes against my site, threat actors have begun exploiting sites with YRP installed. The exploits in the wild inject malicious JavaScript. When a visitor lands on a compromised website containing the malicious payload, they will be redirected to malicious tech support scam pages – like this example:

[Image: fake tech support page]

The WordFence analysis shows that the attempts to exploit this vulnerability in YRP share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.

The security researchers found that all three campaigns so far share the following:

  • A malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53.
  • Exploitation of stored XSS injection vulnerabilities, followed by deployment of malicious redirects.

WordFence is confident that the tactics, techniques and procedures in all three attacks point to a common threat actor.

WordFence recommends that WordPress site owners running Yuzo Related Posts remove it from their sites immediately, at least until a fix has been published by the author.

rb-

What to do?

    • Keep your WordPress and plugins up to date.
    • Do you really need Yuzo Related Posts? Here is a list of alternatives from WordPress.
    • Make sure you have good backups of your WordPress site – and that you can restore it.
    • Get a firewall on your WordPress site.
    • Block the IP 176.123.9[.]53 from your site.
    • Harden your WordPress site.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Social Media Malware Launch Pads

Social networks’ role in the growth of the global virtual society has been well documented. What is not so well documented, according to Help Net Security, is the role social media plays in spreading malware. The security and privacy mechanisms of social networking firms such as LinkedIn (LNKD), Twitter, and Facebook (FB) have proven insufficient to prevent exploitation.

The article notes that “To err is human,” and human errors lead to exploitation and manipulation whether the social network is online or offline. Social media hold a plethora of personal information on the users that create the network. Individual connections between users collectively form a web of connections. To build each link between users, an implicit trust is required between the two users and, implicitly, across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. When an attacker is able to exploit one user in the social network, they have the potential to push malicious content into the network, and the network’s connectivity enables the spread of that exploitation. The blog explains that attackers exploit the weakest link in the chain.

The inability of users to determine the legitimacy of content flowing through social media helps this exploitation process. Help Net Security says the biggest problem with online social networks is that they do not have built-in protection against malware. For example, current social networks do not scan the URLs and embedded content coming from third-party servers such as content delivery networks. Therefore, there is no way to authenticate the URLs passed among the users in the social networks.

The infection process begins with the exploitation of human ignorance, followed by the spreading of the malware through the trust upon which the network is based.

The article further explains that to start the exploitation process, an attacker will pick an issue that affects human emotions to evoke a response, so that the social network user will do something the attacker wishes. Phishing and spam messages about weather calamities, politics, and financial transactions are used for starting infections. The author states that since social network exploitation begins by exploiting an individual’s ignorance, common attack strategies have emerged.

One of the simplest infection techniques is to put malicious URLs on a user’s Facebook message wall. When a user clicks on an illegitimate hyperlink, it can result in the automatic download of malware through the browser. Some of the exploits used are:

  • Browser Exploit Packs (BEP) fingerprint the browser version and other software on the user’s machine. Based on this information, suitable malware is served to the user, using exploits for that particular browser.
  • Drive-by-download attacks begin when the user visits a malicious page. They exploit vulnerabilities in browsers and plugins. Successful exploitation of the vulnerability causes shellcode to run that in turn downloads the malware onto the system.
  • Malicious advertisements (malvertisements) happen when an attacker injects a malicious link into a user’s Facebook wall to spread malware. The fake post is linked to a third-party website that has malicious advertisements embedded in it. These advertisements are linked to malicious JavaScript which executes the malicious content in the browser.

Help Net Security states that online social media are not harnessing the power of Safe Browsing APIs from Google (GOOG) or similar services to run a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making the social networks vulnerable to exploitation.

Microsoft (MSFT) recently spotted a Facebook attack in the wild that exploited Facebook users’ trust in a social engineering campaign. According to the Help Net Security report, the attack tries to trick Facebook users into installing a backdoor Trojan with keylogging capabilities.

MSFT says the Facebook Wall messages varied but they all lead to fake YouTube pages. Once there, the user is urged to download a new version of “Video Embed ActiveX Object” to play the video file. Unfortunately, the offered setup.exe file is the Caphaw Trojan.

The trojan bypasses firewalls and installs an FTP server, a proxy server, and a keylogger on the affected machine. Microsoft’s Mihai Calota says it “… has built-in remote desktop functionality based on the open-source VNC project.” MSFT says the Facebook attack can be used to steal money: “We received a report … that money had been transferred from his bank account … The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.”

rb-

The articles correctly state that security and privacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit the trust, curiosity, and ignorance of social network customers for their own profit. Users should demand safe and secure transmission of their information and protection of their privacy. These should also be a focus of the social networking companies.

To protect themselves, users should:

  • Have up-to-date AV software running on their computers.
  • Keep their browsers and operating systems fully patched.
  • Change the passwords on all their sensitive accounts regularly.
  • Warn friends and Facebook if an account seems to be hacked, using the Facebook “report/mark message as spam” option.