Think Like a Hacker with Wordfence

Summary: Mark Maunder co-founded Wordfence in 2011 after his WordPress site was hacked and he learned how hard it was to clean and secure. Today the team has grown to over 35 members world-wide and Wordfence protects over 4 million WordPress sites. On the Think Like a Hacker podcast, we cover interesting topics related to WordPress, security and innovation. Episodes alternate between security news and interviews with innovators from WordPress and information security communities.

  • Artist: Wordfence
  • Copyright: Copyright © 2019 Defiant, Inc. All rights reserved

Podcasts:

 Episode 110: Active Exploitation Continues on Unpatched Thrive Themes | File Type: audio/mpeg | Duration: 21:23

Attackers continue to exploit recently patched vulnerabilities in Thrive Themes, though not all of them are successful. Two vulnerabilities are patched in the Facebook for WordPress plugin installed on over half a million sites. Google Chrome version 90 will use HTTPS by default, bringing significant improvements to speed and security. A ransomware insurance provider experiences a breach, and Slack’s new “Slack Connect” feature has some security concerns.

 Episode 109: This Attack Will Make You Want to Stop Using SMS 2FA | File Type: audio/mpeg | Duration: 17:59

An attack shows how an SMS enablement service was used to bypass SMS 2FA for $16. We discuss the recently patched vulnerabilities in Elementor affecting 7M+ WP sites and how easily these XSS vulnerabilities can be exploited. We also talk about the SQL injection vulnerabilities in Tutor LMS. The fire at OVH in France that took 3.5 million sites offline also took down some advanced persistent threat (APT) actors. And there's yet another Chrome use-after-free zero-day vulnerability being actively exploited.

 Episode 108: Hack Exposes 150,000 Security Cameras at Tesla, Cloudflare and Others | File Type: audio/mpeg | Duration: 17:36

A data breach exposes 150,000 security cameras used by organizations around the world, including Tesla and Cloudflare. State-sponsored hacking groups exploit Microsoft Exchange vulnerabilities. A fire in a French data center belonging to hosting company OVH affects millions of websites, including some prominent WordPress services like Imagify and WP Rocket. WordPress 5.7 was released this week with many new features.

 Episode 107: Two Plugin Vulnerabilities Target File Upload Capabilities | File Type: audio/mpeg | Duration: 15:15

The Wordfence Threat Intelligence team finds vulnerabilities in two plugins, the User Profile Picture plugin and the WooCommerce Upload Files plugin. WordPress 5.7 is set to release on Tuesday, March 9 with numerous enhancements for the block editor, a new robots.txt API, and a stay of execution on jQuery-migrate. A zero-day affecting Microsoft Exchange Server allows attackers to steal emails. And Brave buys a search engine to add to their growing privacy-oriented portfolio.

 Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE | File Type: audio/mpeg | Duration: 21:47

WordPress 5.7 is due to be released on Mar. 9, and it allows admins to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for C2, while VMware fixes a critical RCE in all default vCenter installs. We talk about the ramifications of vulnerability disclosures and how last year's File Manager vulnerability did not have long-lasting effects on the plugin's installation base or growth. We also discuss how investor data breach fatigue has reduced the stock-price impact of cybersecurity failures.

 Episode 105: The Hottest Trend in WordPress | File Type: audio/mpeg | Duration: 18:05

An analysis of WordPress-related search trends found that interest in WooCommerce-related results dominated during 2020. We discuss recent vulnerabilities discovered by our threat intelligence team in Ninja Forms, affecting over 1 million sites. WordPress issues a statement that pirated themes and plugins are prohibited on the repository. And a supply chain attack affects users of the once-legitimate Barcode Scanner Android app. We also discuss some career opportunities on the Wordfence team.

 Episode 104: Cryptography Demystified | File Type: audio/mpeg | Duration: 47:19

This week, the Wordfence team discusses cryptography in depth, including the basics, a brief history, hashing, and the Crypto Wars. We also go over current news, including two new findings by the Wordfence Threat Intelligence team, a new milestone for WordPress, and a recent attack on a Florida town's water supply.

 Episode 103: Wordfence Innovates with Machine Learning and Security for Schools | File Type: audio/mpeg | Duration: 15:35

Wordfence opens the K-12 site audit & site cleaning service for public schools worldwide. Machine learning is now a big part of our malware identification process, which will speed new malware signatures to deployment. A bug in Sudo can let attackers with access to a local system elevate their access to a root-level account, which has implications for WordPress sites, Mac users, and more. WordPress 5.7, the next major release, will make it much easier for users to migrate their sites from HTTP to HTTPS.

 Episode 102: Disruption Presents Opportunity | File Type: audio/mpeg | Duration: 01:04:48

After a disruptive year in 2020, there are new challenges in 2021, but also immense opportunities in numerous fields. In a deep and wide-ranging conversation, Mark Maunder and Kathy Zant discuss artificial intelligence, whether or not we're living in a simulation, cryptocurrencies and the opportunities of blockchain technology, open source communities and publishing, avoiding scams and FOMO, as well as which fields are most promising for the next 10 years.

 Episode 101: Supporting Remote Students with Free Site Audits & Cleanings | File Type: audio/mpeg | Duration: 17:11

Wordfence announced a new program offering free site cleaning & site audits to public schools in the US. We talk about why we're offering this program & how to help schools take advantage of it. We also talk about the growing prevalence of WordPress as a content management system and how the incoming administration is using WP. We also talk about an unpatched Windows 10 denial of service vulnerability, a breach affecting over 1.9M Pixlr users, & phishing kits exposing stolen passwords via Google search.

 Episode 100: How to Lose 6 Figures the Easy Way | File Type: audio/mpeg | Duration: 31:00

The recent SolarWinds attack was incredibly sophisticated. What happens when that level of sophistication targets a homebuyer during one of the largest transactions of their lifetime? On this episode, we tell the story of an extremely difficult-to-detect spearphishing attack that almost cost a homebuyer a significant amount. From this story, we review the warning signs and steps you can take to protect against real estate wire transfer fraud.

 Episode 99: SolarWinds Supply Chain Attack Affects Government and Fortune 500 Businesses | File Type: audio/mpeg | Duration: 16:06

Earlier this week, we learned that SolarWinds, the largest provider of network management tools for large enterprise organizations, fell victim to a supply chain attack. Reportedly, 18k enterprise & government customers installed malware that was digitally signed as part of an update from SolarWinds’ servers. Microsoft took control of one of the primary C2 domains. We also talk about a vulnerability in the PageLayer plugin and a wormable 0-click XSS bug found in Jabber.

 Episode 98: How Application Passwords Work in WordPress 5.6 | File Type: audio/mpeg | Duration: 23:06

WordPress 5.6 was released this week with a new feature: application passwords. In this episode we talk about how application passwords work, where to find them in WordPress, and why Wordfence decided to turn them off by default in version 7.4.14. We also talk about a new Magecart attack that places card skimmers in CSS files. MailPoet is joining WooCommerce. FireEye reported they were hacked by a nation state APT group, and a wormable zero-click vulnerability was found in Microsoft Teams.

 Episode 97: The Future of WordPress with PHP 8 and WordPress 5.6 | File Type: audio/mpeg | Duration: 22:33

With WordPress 5.6’s imminent release and the recent release of PHP 8, we talk about the rapid changes affecting the future of WordPress with new security features and new functionality available to both WordPress users and developers. We also review a recent vulnerability found in iPhones and a social engineering attack on GoDaddy that targeted numerous cryptocurrency exchange sites.

 Episode 96: Hosting Provider Failures and Incident Response Preparedness | File Type: audio/mpeg | Duration: 20:23

Two hosting providers experienced outages this week. GoDaddy had a brief outage affecting numerous systems on Tuesday, November 17. Managed.com had an extensive outage due to ransomware that affected all systems. We discuss what types of incident response preparations site owners should consider when events beyond their control occur. We also discuss an attack targeting themes using the Epsilon Framework, the new head of security at Twitter, and an Android chat app exposing private messages.
