Think Like a Hacker with Wordfence

Summary: Mark Maunder co-founded Wordfence in 2011 after his WordPress site was hacked and he learned how hard it was to clean and secure. Today the team has grown to over 35 members world-wide and Wordfence protects over 4 million WordPress sites. On the Think Like a Hacker podcast, we cover interesting topics related to WordPress, security and innovation. Episodes alternate between security news and interviews with innovators from WordPress and information security communities.

  • Artist: Wordfence
  • Copyright: Copyright © 2019 Defiant, Inc. All rights reserved

Podcasts:

 Episode 125: Critical SQL Injection Vulnerability Patched in WooCommerce | File Type: audio/mpeg | Duration: 17:30

A critical SQL injection vulnerability was discovered in WooCommerce, the most popular e-commerce plugin, used by over 5 million WordPress sites. The WordPress.org team pushed a forced security update, ensuring that over 90 versions of WooCommerce were patched. The REvil ransomware gang targeted a zero-day vulnerability in Kaseya, used by many in the banking industry, before going dark. A new SolarWinds zero-day was found in their Serv-U FTP platform.

 Episode 124: PrintNightmare 0Day Exploit Accidentally Leaked Online | File Type: audio/mpeg | Duration: 15:14

Security researchers accidentally leaked 0-day exploit code for a new Windows bug, now called PrintNightmare, while easily exploitable vulnerabilities in the ProfilePress plugin were patched quickly. An unprotected cloud database containing over 814 million DreamHost user records was found online. Google Chrome is getting an HTTPS-only feature in an upcoming version, and two bugs, one of which is a zero-day, are leading to attackers fighting over control of Western Digital My Book Live devices.

 Episode 123: Over 30 Million Dell Devices at Risk for Remote BIOS Attacks | File Type: audio/mpeg | Duration: 15:46

Over 30 million Dell devices are at risk for remote BIOS attacks due to four separate security bugs, which can have far-reaching effects for enterprise organizations heavily invested in Dell devices. VMware Carbon Black App Control has been updated this week to fix a critical-severity vulnerability that allows authentication bypass. Antivirus creator John McAfee dies in a Spanish jail, and a bug found by a security researcher in Atlassian's authentication could have led to a supply chain attack.

 Episode 122: Largest Password Dump in History Fuels Credential Stuffing Extravaganza | File Type: audio/mpeg | Duration: 21:56

Sites running Jetpack are being infected via compromised WordPress.com credentials. The largest password dump ever, with 8.4 billion passwords, is being used in credential stuffing attacks. Wordfence Threat Intelligence discloses new plugin vulnerabilities as well as a vulnerability at tsoHost. Data breaches impact VW and EA, REvil compromises a nuclear weapons contractor, and TurboTax accounts are taken over. Ransomware surveys show conflicting results. Chrome and iOS Safari are both patched against 0-days.

 Episode 121: Wordfence is Now a CVE Numbering Authority (CNA) | File Type: audio/mpeg | Duration: 20:18

Wordfence is now a CVE Numbering Authority, or CNA. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress plugins and WordPress themes. An outage at Fastly takes down major websites including Reddit, Twitch and Amazon. Microsoft patches numerous Windows 0-day vulnerabilities, and Google patches an RCE in Android phones. An informant and a messaging app led to a huge global crime sting, and Windows container malware targets Kubernetes clusters used by numerous data centers.

 Episode 120: Jetpack Autoupdate Security Patch Bypasses Local Settings | File Type: audio/mpeg | Duration: 24:14

A security fix was pushed out to WordPress sites using Jetpack that bypassed local settings preventing autoupdates. A ransomware attack on JBS that shut down meat processing operations in the US has been attributed to REvil, a private Russian ransomware operation. A critical 0-day was discovered by the Wordfence site cleaning team in the Fancy Product Manager plugin, used by 17,000 WordPress sites. Amazon devices will soon automatically share your Internet connection with neighbors unless you opt out by June 8.

 Episode 119: Critical VMWare Vulnerability Threatens Data Centers | File Type: audio/mpeg | Duration: 16:32

A critical vulnerability in VMware's vCenter Server threatens some of the largest data centers in the world. An actively exploited 0-day in macOS was used to take screenshots of infected computers.

 Episode 118: Four Android Vulnerabilities Under Active Attack | File Type: audio/mpeg | Duration: 28:15

Four memory corruption vulnerabilities are being actively exploited on Android devices, and nearly two dozen popular Android apps exposed over 100M users' sensitive information in cloud databases. Over 600K sites using WP Statistics required a patch to fix a blind SQL injection vulnerability. WP User Avatar undergoes a dramatic rebranding to ProfilePress, adding divergent functionality and causing a user revolt in reviews. More details emerge about the ransomware attack on Colonial Pipeline.

 Podcast 117: Cyber Attack on Colonial Pipeline Affects Fuel Availability in 17 States | File Type: audio/mpeg | Duration: 19:55

A ransomware attack on Colonial Pipeline affected fuel availability in 17 US states, and Bloomberg reported that a $5M ransom was paid to a Russian ransomware organization. The Biden Administration issued an executive order to increase US cybersecurity defenses. WordPress 5.7.2 was released to patch a critical vulnerability in PHPMailer, and a critical vulnerability was found in the External Media plugin. Vulnerabilities were discovered in all WiFi devices, and a patch is available for a 0-day in Acrobat Reader.

 Episode 116: Packagist Patch Shows how Supply Chain Threats Could Impact WordPress | File Type: audio/mpeg | Duration: 24:58

A vulnerability discovered in Packagist, which is used by Composer to manage PHP package requests, could have allowed attackers to cause Composer to download the wrong source code, potentially affecting all WordPress sites. Packagist reports that it is not aware of any exploits. An SQL injection vulnerability was patched in the CleanTalk AntiSpam plugin, installed on over 100k sites. Vulnerabilities were discovered in the Exim mail server, including 3 RCE vulnerabilities.

 Episode 115: Update Your Mac: Gatekeeper Bypass Vulnerability Exploited in the Wild | File Type: audio/mpeg | Duration: 17:41

Apple patches a macOS Gatekeeper bypass vulnerability, requiring an update. Though this vulnerability requires some social engineering to exploit, it is believed to have been actively exploited since Jan. 9. Some DigitalOcean customers were affected by a breach exposing personally identifiable information. A WordPress Trac conversation considers blocking FLoC as a security release, and Creative Commons Search is coming to WordPress.org in a few weeks. Google Chrome has another RCE bug.

 Episode 114: Trifecta of Compromises Affect Enterprise Systems | File Type: audio/mpeg | Duration: 23:28

Attacks on unpatched SolarWinds systems continue, and we're now learning of a supply chain attack that started in late January 2021 affecting 29K Codecov customers, as well as an actively attacked 0-day affecting customers of the PulseSecure VPN. Customers of these 3 services are well-known enterprise and government organizations. Two add-on plugins are experiencing active attacks: Kaswara Modern WPBakery Page Builder Addons and The Plus Addons for Elementor. Vulnerabilities are patched in Redirection for Contact Form 7.

 Episode 113: An Unprecedented FBI Operation Removes Webshells from Infected Exchange Servers | File Type: audio/mpeg | Duration: 21:08

An FBI initiative began remotely removing webshells from infected Microsoft Exchange servers. WordPress 5.7.1 was released with a few security patches. Over 15 Elementor addon plugins were found to have vulnerabilities affecting over 3.5M sites. Google Chrome was found to have two 0-day vulnerabilities. The US and UK blame Russian hackers for the attack campaigns against SolarWinds. Organizations are still being urged to patch the 5 vulnerabilities being exploited in ongoing attacks.

 Episode 112: Wix Takes Aim at WordPress with New Ad Campaign | File Type: audio/mpeg | Duration: 18:30

A new Wix ad campaign targets WordPress but ends up being tone-deaf in both content and strategy. New details emerge about the PHP compromise, but the full story remains unclear. Facebook user data from 2019 ends up on the dark web, and Have I Been Pwned adds a phone number check to help users determine if they've been affected. GitHub Actions are being used by cryptojackers, Gigaset Android phones have been infected with malware in a supply chain attack, and new phishing methods emerge using Telegram.

 Episode 111: PHP Git Repository Compromised | File Type: audio/mpeg | Duration: 14:04

The self-hosted Git repository for PHP was compromised, with attackers adding a backdoor to a development version of PHP 8.1. The intrusion was detected by the PHP community quickly, and no production environments were affected. Ubiquiti experienced an intrusion in January that was far worse than originally reported; attackers gained access to nearly all of the AWS assets of the company, which has shipped 85 million IoT devices.
