Vercara’s Open-Source Intelligence (OSINT) Report – April 19 – April 25, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Critical Forminator plugin flaw impacts over 300k WordPress sites. 

(TLP: CLEAR) The Forminator WordPress plugin, utilized in over 500,000 sites, has been identified as vulnerable to a flaw enabling unrestricted file uploads to the server. Forminator, developed by WPMU DEV, serves as a versatile tool for creating various types of forms on WordPress sites, boasting drag-and-drop functionality and extensive integrations. Japan’s CERT recently issued an alert on its vulnerability notes portal (JVN), highlighting a critical flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator, potentially allowing remote attackers to upload malware onto affected sites. 

JPCERT’s security bulletin outlines three vulnerabilities: 

  • CVE-2024-28890: Insufficient file validation during uploads, enabling remote attackers to upload and execute malicious files on the server. 
  • CVE-2024-31077: SQL injection flaw, permitting remote attackers with admin privileges to execute arbitrary SQL queries in the site’s database. 
  • CVE-2024-31857: Cross-site scripting (XSS) flaw, enabling remote attackers to execute arbitrary HTML and script code in a user’s browser through specially crafted links. 

Site administrators are strongly advised to update Forminator to version 1.29.3, addressing all three vulnerabilities. However, despite the release of the security update on April 8, 2024, approximately 320,000 sites remain vulnerable due to delayed updates. While there have been no reported instances of active exploitation for CVE-2024-28890, the severity of the flaw and its ease of exploitation necessitate prompt action. To mitigate risks, administrators are encouraged to minimize plugin usage, keep plugins updated, and deactivate unnecessary plugins. 

(TLP: CLEAR) Comments: The Forminator plugin enables the creation of many different forms on a WordPress site, including contact forms, order forms, payment forms, email forms, and feedback widgets. According to the official WordPress site, this plugin has over 500,000 active installations. Because this plugin creates a lot of user-input fields, malicious actors will probe those fields to see whether they are susceptible to web application attacks; without proper input validation or other security measures in place, malicious actors could gain access to underlying data or inject malicious code that creates cybersecurity concerns for future visitors to that site.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, delivers robust web application protection. This cloud-based service shields against application layer and web application firewall software threats, ensuring fast, secure defense for your online assets. 

Source: https://www.bleepingcomputer.com/news/security/critical-forminator-plugin-flaw-impacts-over-300k-wordpress-sites/

GitHub comments abused to push malware via Microsoft repo URLs. 

(TLP: CLEAR) Threat actors have exploited a potential flaw in GitHub’s file upload feature, using it to distribute malware via URLs linked to Microsoft repositories, thereby lending an air of trustworthiness to the files. Although the focus has primarily been on Microsoft GitHub URLs, this vulnerability could be leveraged with any public repository on GitHub, enabling threat actors to create convincing lures. 

McAfee recently reported on a new LUA malware loader distributed through seemingly legitimate Microsoft GitHub repositories, such as vcpkg and the STL library. However, an investigation by BleepingComputer revealed that these files were not part of the repositories but were uploaded as comments on commits or issues within the projects. GitHub’s file upload feature allows users to attach files to comments, which are then automatically associated with the related project using unique URLs. Even if the comment is not posted or is deleted, the files remain on GitHub’s CDN, and the download URLs continue to function indefinitely. This flaw presents a significant risk as threat actors can upload malware disguised as legitimate files in comments on various repositories, making them appear trustworthy. Although GitHub has removed the malware linked to Microsoft’s repositories, similar campaigns involving other repositories, such as HTTP router, persist. Despite efforts to notify GitHub and Microsoft about this abuse, the information-stealing malware is still distributed through links associated with Microsoft’s GitHub repository. While GitHub has taken action to remove the malware from Microsoft’s repositories, the threat remains active through other channels. 

(TLP: CLEAR) Comments: Malicious actors look to inject malicious code into reputable code/data repositories in the hope that programmers will use their malicious code, giving the actors easy access to networks once the final code is deployed. Organizations should develop and use a detailed code review process before implementing any new code on production systems.

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION   

“Control:   

“a. Implement [Selection (one or more): signature-based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;   

“b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;   

“c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and   

“d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”  

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in realtime with previously-observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 

Source: https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/ 

‘Crude’ ransomware tools proliferating on the dark web for cheap, researchers find. 

(TLP: CLEAR) Sophos researchers have identified a trend of cheap, one-time-use ransomware being sold on dark web forums, lowering the barrier to entry for inexperienced cybercriminals. These ransomware varieties, likened to “junk guns” due to their low cost and accessibility, range in price from $20 to 0.5 bitcoin (around $13,000 at the time of posting), with a median price of $375. Unlike ransomware-as-a-service models, these tools don’t involve affiliates, providing independence for aspiring cybercriminals. However, there are risks associated with these tools, including defects or scams. Despite uncertainties regarding their effectiveness, some instances of successful attacks have been reported. Small businesses and individuals are likely targets, as they often lack robust security measures. The dark web forums selling these tools also reveal amateurish operations, with users seeking guidance and sharing how-to guides. The rise of cheap, disposable ransomware poses challenges for defenders, as attacks against small and medium-sized businesses are likely to go undetected and unreported, creating an intelligence gap in cybersecurity efforts.

(TLP: CLEAR) Comments: The sale of cheap malware on the dark web allows individuals with little to no coding knowledge to conduct cyber-attacks. It also expands the threat landscape for organizations: they must worry not only about established ransomware groups but also about unskilled individuals, such as insider threats or other disgruntled people.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”  

By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users.  This can be done via a protective DNS or forward web proxy solution with website category feeds. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a complement to anti-virus and Endpoint Detection and Response (EDR) agents to reduce the total amount of malware infections. 

Source: https://therecord.media/cheap-ransomware-for-sale-dark-web 

JavaScript malware switches to Server-Side Redirects & DNS TXT records as TDS. 

(TLP: CLEAR) The article highlights a persistent malware campaign targeting compromised WordPress sites, which injects malicious JavaScript code to redirect visitors to malicious domains. The campaign has evolved over time, switching from client-side to server-side redirects and utilizing various obfuscation techniques and domain names in its traffic direction system. The malware campaign, detected on over 46,000 sites, employs dynamic DNS TXT records to obtain redirect URLs, with domains like cloud-stats[.]com being utilized for this purpose. While the malware initially used client-side injections, it has transitioned to server-side redirects, often through PHP snippets injected via the WPCode plugin. The injected PHP snippets are designed to evade detection, often hiding the WPCode plugin itself and employing backdoor functionality for attacker control. The malware persists by regularly checking and reactivating the WPCode plugin if site owners deactivate it. To mitigate the risk posed by this malware campaign, website owners are advised to strengthen WordPress admin passwords, remove unfamiliar users, review and delete suspicious code snippets and plugins, ensure all plugins and themes are up-to-date, and consider leveraging a web application firewall for additional protection. Additionally, web hosts are encouraged to sinkhole the domain names used in the campaign to mitigate the threat at a broader level. 
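The TXT-record-as-TDS pattern described above lends itself to two defender-side checks: flagging DNS TXT answers that carry URLs in resolver logs, and flagging WordPress code snippets that both resolve a TXT record and issue a redirect. The Python below is an added example, not code from Sucuri or Vercara; the log line format, the sample domains other than cloud-stats.com, and the assumption that injected snippets call PHP’s dns_get_record() with DNS_TXT before redirecting are constructed for illustration.

```python
import re

# Constructed sample resolver log, one query per line: "client qname qtype answer".
# The format is an assumption for this example; adapt the parser to your resolver.
SAMPLE_DNS_LOG = """\
10.0.0.12 www.example.org A 93.184.216.34
10.0.0.12 cloud-stats.com TXT "https://track.example-bad.test/go?id=7"
10.0.0.40 _dmarc.example.org TXT "v=DMARC1; p=reject"
10.0.0.40 stats-cdn.example.test TXT "http://redir.example-bad.test/land"
"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def txt_records_carrying_urls(log_text):
    """Return (client, qname, url) for each TXT answer containing an http(s) URL.

    Legitimate TXT records (SPF, DMARC, ownership tokens) rarely carry full URLs,
    so a URL inside a TXT answer is a cheap signal of TXT-record-driven redirects
    and a good candidate for review or sinkholing at the resolver."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or parts[2] != "TXT":
            continue
        client, qname, _qtype, answer = parts
        for url in URL_RE.findall(answer):
            hits.append((client, qname, url))
    return hits


# Constructed WPCode-style snippets: one benign, one imitating a server-side
# redirect whose target is fetched from a TXT record (assumed implementation).
SAMPLE_SNIPPETS = {
    "footer-copyright": '<?php echo "&copy; " . date("Y"); ?>',
    "cache-helper": ('<?php $r = dns_get_record("cloud-stats.com", DNS_TXT);'
                     ' header("Location: " . $r[0]["txt"]); exit; ?>'),
}

# A TXT lookup combined with a redirect is the combination worth reviewing;
# either alone is common in legitimate code.
TXT_LOOKUP_RE = re.compile(r"dns_get_record\s*\(.*?DNS_TXT", re.IGNORECASE | re.DOTALL)
REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location:|wp_redirect\s*\(", re.IGNORECASE)


def suspicious_snippets(snippets):
    """Names of snippets that both resolve a TXT record and issue a redirect."""
    return sorted(name for name, code in snippets.items()
                  if TXT_LOOKUP_RE.search(code) and REDIRECT_RE.search(code))


if __name__ == "__main__":
    for client, qname, url in txt_records_carrying_urls(SAMPLE_DNS_LOG):
        print(f"TXT answer with URL: {client} -> {qname}: {url}")
    print("snippets to review:", suspicious_snippets(SAMPLE_SNIPPETS))
```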

(TLP: CLEAR) Comments: WordPress is a constant attack vector for bad actors due to ignored or delayed updates, use of untrusted plug-ins, and a plethora of available vulnerabilities to exploit. Planning and vigilance are necessary to maintain the hygiene of WordPress deployments used by organizations. Bad actors are becoming more creative and adaptive with their WordPress exploits.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:  

“Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typosquats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.  

“Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command and control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.  

“Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.   

“Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.” 

OWASP Web Security Top 10 A03:2023 – Injection: “An application is vulnerable to attack when: 

  • “User-supplied data is not validated, filtered, or sanitized by the application” 
  • “Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter” 
  • “Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records” 
  • “Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedure” 

One way to validate input on the server side is through a Web Application Firewall.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them. 

Vercara’s Web Application Firewall, UltraWAF, sits in front of web applications to protect them against a variety of attacks such as SQLi, XSS, and CSRF. It also integrates bot protections to stop bots and application-layer DDoS attacks. 

Source: https://blog.sucuri.net/2024/04/javascript-malware-switches-to-server-side-redirects-dns-txt-records-tds.html 

WordPress responsive theme flaw let attackers inject malicious HTML scripts. 

(TLP: CLEAR) The article discusses a critical vulnerability, CVE-2024-2848, discovered in the WordPress theme “Responsive,” allowing attackers to inject arbitrary HTML content into websites. Specifically found in the footer section of the theme, the flaw permits unauthorized modification of footer text without authentication. This vulnerability affects all versions up to and including 5.0.2, but it has been addressed in version 5.0.3. The exploitation of this vulnerability can lead to severe consequences, including redirection to malicious sites and the display of unwanted content. Website administrators are urged to update to version 5.0.3 or later to mitigate the risk and enhance security measures against similar vulnerabilities in the future. Regular monitoring of website performance and appearance is recommended to detect any unusual changes promptly, emphasizing the importance of maintaining up-to-date systems and continuous vigilance to safeguard against cyber threats. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats. 

Source: https://cybersecuritynews.com/wordpress-responsive-theme-flaw-let-attackers-inject-malicious-html-scripts/ 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.
