Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
WordPress Plugins Problems Persist
The web content management system marketplace is dominated by WordPress, largely on account of its large number of plugins which make it an extremely versatile platform for corporate web site development. However, WordPress security news is dominated by problems not in the platform itself but in the plugins, which often have a very large installed base.
One example, initially brought to light by WPScan, is a vulnerability in the Composer plugin from tagDiv, which is a companion to the firm's Newspaper and Newsmag themes. CVE-2023-3169, which surfaced in August, is a cross-site scripting vulnerability which is exploitable via an exposed RESTful API which allowed unauthenticated access. The vuln was partially fixed in tagDiv Composer 4.1 (which at least required admin authentication), and fully fixed in version 4.2. However, according to Sucuri, at least one malware gang was making use of it to inject malware onto vulnerable sites - and that may remain after the sites updated the plugin.
The Balada malware gang has a history of exploiting tagDiv's premium themes, having run a massive campaign targeting the Newspaper and Newsmag themes back in 2017, when the themes had only 40,000 paid users - that number has grown to over 135,000 for Newspaper alone. Their current campaign has run through six distinct waves:
- Wave 1: Initial script injections
- Wave 2: Autogenerated malicious WordPress users
- Wave 3: Backdoors in Newspaper’s 404.php file
- Wave 4: Malicious wp-zexit plugin installation
- Wave 5: Three new Balada Injector domains
- Wave 6: Even more obfuscated injections
During this campaign, the Balada crew have been diligent in varying their techniques in order to evade detection and to make it harder to find indicators of compromise in locations like logs and the WordPress database. According to Sucuri, they achieved considerable success with this approach - in September, their SiteCheck scanner detected various types of Balada Injector on over 17,000 sites, almost twice the number seen in August. Over 9,000 of these detections were related to the Newspaper theme vulnerability.
Apart from a detailed analysis and some IOC's, the Sucuri blog post also provides a specific list of mitigation actions for site admins using the Newspaper theme.
In other WordPress plugin news, specialist firm Wordfence has revealed a sophisticated backdoor which is posing as a legitimate plugin. Like any other plugin, this backdoor has access to all the normal WordPress functionality, and uses it to create a new admin account called superadmin (which it can also delete when the attacker is finished with the backdoor).
The backdoor adds several filters which modify pages as they are being rendered - unless the pages are being viewed by an administrator, in which case they will appear normal - allowing the insertion of malicious content, spam links an buttons. The backdoor code can also detect pages being fetched by bots and search engine spiders, using keyword stuffing to increase the search engine ranking of pages serving malicious content. Other code allows the remote activation and deactivation of arbitrary plugins.
The result of all this is that the backdoor operators can remotely control and monetize the victim site; users may - or may not see - the malicious content, and admins may not even realize that the site has been infected.
Wordfence have included a signature for this backdoor in the free version of their product since 1 September 2023, and the commercial versions protect users via a firewall rule as of 9 October 2023. They also provide incident response services at a premium.
Phan, Truoc, tagDiv Composer < 4.2 - Unauthenticated Stored XSS, vulnerability description, 17 August 2023. Available online at https://wpscan.com/vulnerability/e6d8216d-ace4-48ba-afca-74da0dc5abb5/.
Sinegubko, Denis, Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins, blog post, 6 October 2023. Available online at https://blog.sucuri.net/2023/10/balada-injector-targets-unpatched-tagdiv-plugin-newspaper-theme-wordpress-admins.html.
Wotschka, Marco, Backdoor Masquerading as Legitimate Plugin, blog post, 10 October 2023. Available online at https://www.wordfence.com/blog/2023/10/backdoor-masquerading-as-legitimate-plugin/.
Upcoming Courses
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
- SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
- SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
- SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.