Episode 76: Ongoing Attacks on WP Growing in Volume Plus Numerous Plugin Vulnerabilities

On this week’s Think Like a Hacker podcast, we cover an active attack campaign targeting WordPress sites and numerous plugin vulnerabilities. This active attack campaign has been ongoing and has outpaced all other attacks on WordPress vulnerabilities. Our threat intelligence team has been tracking this attacker for months now, and we’re seeing these attacks intensifying. We also look at vulnerabilities found in Google’s Site Kit plugin and the Page Builder by SiteOrigin, and why it’s so important for plugin developers to have a Responsible Disclosure Policy published in an easy to find location on their site.

We also look at how a combination of two vulnerabilities were used in a zero-day active attack on sites running Elementor Pro and the Ultimate Addons for Elementor plugin.

We also look at some new updates to Fast or Slow, the new global site speed profiling tool created by the Wordfence engineering team, and the impromptu hard launch the site experienced when it rose to the #1 position on Hacker News on May 8, 2020.

May has been a rather busy month in WordPress security and for the Wordfence team. Enjoy the podcast, and stay safe.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:24 Fast or Slow rises to the #1 position on Hacker News, and our team launches a re-architecture and expands profiling to 18 global locations.
5:37 Vulnerability discovered in Google Site Kit grants attackers Google Search Console access.
7:50 28,000 GoDaddy hosting accounts compromised.
9:32 Combined Attack on Elementor Pro and Ultimate Addons for Elementor put 1 million sites at risk.
13:34 Vulnerabilities patched in Page Builder by SiteOrigin affects over 1 million sites.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 76 Transcript

Hello my WordPress friends and welcome to episode 76 of Think Like a Hacker. This is the podcast about WordPress, security and innovation. I am your host, Kathy Zant. We have a number of stories this week about WordPress security. So, let’s get started.

First, a quick note about Fast or Slow. This is the application developed by the engineering team here at Wordfence. On Friday, May 8th, we started to see some increased traffic to the site at fastorslow.com. Upon further investigation, we found that Fast or Slow was being featured on the front page of Hacker News, which was surprising and big news. We had only soft launched this application, mailing to just a few select recipients and just watching how the application performed with a lot of traffic coming at it because it is rather complex.

Fast or Slow is a tool that measures your site performance from various locations around the globe. Obviously you are in one location and when you look at your site, it may respond differently for you than it does with someone on the other side of the world. So we wanted to create a tool that allowed people to measure performance across a wide variety of geographic locations.

So one of the users that we had mailed to saw the value and shared to Hacker News, and we had the experience of an impromptu hard launch. The site is growing since then, garnering additional traffic from places around the world. The team was actually in the midst of rearchitecting parts of it for growth, preparing for growth. The site now is prepared for future growth. We’ll have some news about that coming soon.

We created Fast or Slow for ourselves, and it’s really great and exciting to see it received so well by the web development community, even beyond WordPress. So thank you to everyone who is using Fast or Slow and watch for those improvements and features to be added soon. If you haven’t looked at it yet, why not. Go to fastorslow.com and see how your site is performing around the world.

You may have noticed I didn’t get a podcast out last week. Part of that was watching that meteoric usage of Fast or Slow. But there was also just an insane amount of security research and news happening in the WordPress world in the first week of May. Now we’re in the second week of May and it certainly does not want to be the neglected younger sibling of the month. So we’ve had another week of just a ton of news in WordPress security. So let’s get started with that.

Our first WordPress security story is a continuing story that started on Monday, May 4 when we loaded things up in our virtual offices as a remote team around the world. Ram Gall on our QA and threat research team noticed a dramatic increase in the number of attacks hitting sites running the Wordfence firewall. Most of these were cross-site scripting attacks that were targeting smaller plugins with rather old vulnerabilities. But the news there was just the sheer volume of attacks.

We published a post detailing what we were seeing because we were fairly certain we’d start seeing additional attacks coming from this threat actor. True to form, about a week later, we saw another uptick to the point where this singular threat actor, now it could be a group of people, but this singular campaign was launching more attacks against vulnerabilities than any other vulnerability exploding campaign happening that is targeting WordPress in the world.

So Ram Gall, Chloe Chamberland, and Mark Maunder, took a look at what was happening and not only did we find that these threat actors had fixed a bug in their code, we found that this threat actor has been around for a while. We were starting to see similar patterns and markers from a campaign that was happening earlier this year, that was using Bulletproof Hosting to launch attacks against sites worldwide.

What is our take from this? WordPress obviously is running about a third of the internet and threat actors are always going to keep targeting WordPress. Once you know a system and you know probable vulnerabilities and probable exploits, you’re likely to keep targeting it. So what we’re seeing with this particular threat actor is that their attacks are maturing, in both size and the vulnerabilities being targeted. The great thing about Wordfence Premium is that this real time blacklist that’s part of Wordfence Premium tracks this attacker. So as they move from IP address to IP address, the blacklist follows them, ensuring their attacks can’t even see your WordPress site. So if you do have a vulnerability that they’re targeting, they won’t even be able to see it because those IP addresses are going to be blocked by this rolling blacklist. It’s the most powerful feature of Wordfence.

To me, especially for a site that’s critically important, it’s a must have for your WordPress site. It’s too bad those other content management systems don’t have something as powerful. But again, Wordfence is very specific in the WordPress world, protecting WordPress sites, and our threat intelligence is all about WordPress. So count that as another reason to stick with WordPress.

Our next story is about a vulnerability in the Google Site Kit plugin, installed on over 300,000 WordPress sites. Chloe Chamberland discovered this vulnerability. It allows attackers to add themselves as an owner of the site within Google search console. Owner access will allow them to modify site maps, remove pages from Google search engine result pages, or even to facilitate black hat SEO campaigns using your site. We strongly recommend that if you are using this, that you update to the latest version of the plugin, which is version 1.8.0 of Site Kit by Google. This is a really powerful tool for WordPress site owners.

I was at WordCamp Sacramento last fall, and I was able to see this demonstrated before it even launched. Jake Goldman from the web design agency, 10Up introduced Google Site Kit to a packed standing room only crowd. So I’m sure this talk will make it up on WordPress.TV soon. You might want to check that out. If you’re using Google’s tools to manage your rank in search engine results, having quick and easy access to the data within Google to help you make good decisions with your site is really helpful. So I think this is going to be a great tool for website owners worldwide. Again, as a note, just because a plugin has a vulnerability doesn’t mean that plugin should not be used. It just means that it’s a bug and it needs to get fixed. It’s great that Chloe and Ram and our threat intelligence team continue to uncover these vulnerabilities and work with developers to patch these important plugins. Those of us who are premium customers are supporting that. That supportive Wordfence helps us produce that research and get it out to everyone in the community as quickly as possible, including through this podcast. Education is such a huge part of security because when you have that information, it helps you make good decisions about the data you’re getting and that’s the backbone of security.

Our next story was covered widely in the general tech press. 28,000 GoDaddy accounts were compromised. This is just a small percentage of the company’s 19 million customers. So according to the disclosure that GoDaddy released, on April 17 they discovered and began investigating suspicious activity and it dated back to about October 2019. As soon as they identified this, they began their remediation. They have no indications that this threat actor was using customer credentials and no data shows that they had modified any hosting accounts. They just changed those passwords as a precaution. This only affected SSH logins. SSH stands for secure shell, and basically it gives you a command line access to the server for the account you’re logging into. If you have what they call sudo privileges, it grants you access to basically the entire server in order act as the route administrator. That’s likely not a problem on GoDaddy accounts. Just to put a trivia for something to understand about SSH and how critical it is.

So our advice is if you are using GoDaddy as your hosting provider, and you are not using SSH to login on that command line, you can turn this off. Or you can turn it on when you are using it and then off as a security precaution when you’re not. Again, 28,000 customers sounds like a lot, but it’s really just a drop in the bucket for GoDaddy’s wide user base.

For our next story, on May 6 there was an active exploitation campaign happening that was targeting Elementor based WordPress sites. Now this active attack was targeting a specific combination of two different vulnerabilities. The first was a vulnerability in the popular Elementor Pro plugin, which we estimate as installed on over 1 million WordPress websites. Now, just to differentiate, this does not affect the Elementor plugin that is installed on up to 5 million websites, now, that’s available in the WordPress repository. This vulnerability only affected the Pro version of this plugin. It let anyone with an account, even a subscriber level account, upload a file to the site. That file could be an image, or it could be a PHP backdoor, thus allowing someone to take over the whole site.
This is what we call an authenticated vulnerability, meaning someone has to have an account in order to exploit it. It sounds like not that big of a deal, right? You could just turn off subscribers in many cases and protect your site, but for sites using WordPress as an eCommerce platform with customer accounts or membership sites with member logins or LMS sites with student logins or anything else that requires subscriber accounts for the functionality of the site or greater, it’s kind of a big deal.

With this attack on the zero day vulnerability, another plugin came into play. This plugin is called the Ultimate Addons for Elementor. This is a paid plugin and it’s made by a company called Brainstorm Force. We estimate that this has an installation base of about 110,000. That’s just our estimate. It could be greater, it could be less. This team also makes the lightweight Astra Theme for WordPress. This plugins vulnerability allowed anyone to create an account on a site, even if subscription registration was turned off. So attackers were using this vulnerability to create a user account. Then they proceeded to use the newly registered accounts to exploit the Elementor Pro zero-day vulnerability and essentially achieve remote code execution.

We were alerted this vulnerability and this act of exploitation by someone whose WordPress site was compromised. Then a hosting provider shared their log files with us. We were able to corroborate and verify these reports of active exploitation. Brainstorm Force posted in the wordpress.org forums that they had to fix in place and had contacted Elementor. We had contacted Elementor immediately upon discovery of this and wrote a firewall rule, obviously to protect sites from exploitation that is currently available to premium customers. It didn’t take long for a fix to get posted, but there was a time when the [existence of] a zero day exploit was exposed in numerous Slack channels, as well as the wordpress.org forums.

This is just a testament to how fast the WordPress community acts when a security vulnerability is found. As a reminder, if you find that your site is hacked or you see chatter in a Slack forum or elsewhere about an exploit happening, it’s really important to get notification to the developer of that vulnerable plugin or theme as soon as possible. When things are publicly discussed like that, it puts the entire community at risk. Of course, Wordfence customers receive firewall rules to protect their sites.

Congratulations also to Elementor who just recently hit 5 million active installations with that free plugin in the repo, even in the midst of the Zero Day vulnerability. A reminder that Zero Days are just celebrity bugs. Responsible developers who patch quickly to protect their customers and they’re continuing to create amazing software, these companies will always succeed.

Our final WordPress security story for the second week of May is about the page builder by SiteOrigin plugin. This is installed on over a million sites. Chloe Chamberland found two vulnerabilities in this plugin. Both of these flaws allowed attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needed to trick a site administrator into executing an action, like clicking a link in an attachment for this attack to succeed. The patched version is version 2.10.16. Both free and premium versions of the Wordfence firewall protects against these vulnerabilities via the built-in cross site scripting protection. This developer patched very quickly and was very thankful for the report of these vulnerabilities via responsible disclosure. They even bought a premium license for Wordfence as a gesture for thanking us to make their software even more secure. So we thank you. That was a great gesture and made us feel really great.

See, a lot of people think that security researchers and developers have a contentious relationship, and that developers look at us with contempt for finding vulnerabilities. It’s simply not true, especially in the WordPress community, this open source community that makes WordPress what it is. Finding and patching security bugs before the hackers find them, making everyone safer, developers understand this. They’re grateful for the additional support in finding vulnerabilities and disclosing them responsibly and getting things patched. It’s also really helpful when these developers have easy to find responsible disclosure policies so that security researchers from Wordfence and elsewhere can contact developers securely, quickly and easily. Especially in cases when there might be active attacks happening, like what we saw last week with the Elementor plugins, the faster we can get in touch with developers, the faster we can contact you and explain what’s going on and give you a proof of concept, showing you what’s happening, it’s going to protect the entire community.

So there are links in all of the show notes for this. Go check out Chloe’s blog posts, both for the SiteOrigin Page Builder, as well as for the [Google] Site Kit. She’s got some proof of concept videos in there that show you how these vulnerabilities are exploitable. I think these videos are great. It really helps explain how vulnerabilities work and also gives you an idea of how the firewall works.

If you like these videos, we have a treat coming up on an upcoming episode of Wordfence Office Hours. We’ve moved Wordfence Office Hours to YouTube, and we’re doing them every Tuesday at noon eastern, 9:00 AM Pacific Time. Chloe will be joining us on an upcoming episode. She’s going to show us how she hacks sites. So there’s going to be some live hacking on Office Hours, which is going to be fun. Chloe is also an amazing human being and I can’t wait for you guys to all meet her. Though if you have been listening for a while, you’ve heard my interview with her a few months ago, weeks ago. This quarantine thing and lockdown his me all discombobulated with days and months.

Anyway, join us for Office Hours, every Tuesday 9:00 AM Pacific, noon on the East coast. It will be very exciting. You can go subscribe to the Wordfence channel on YouTube. I’ll put a link in the show notes. If you hit the bell on the video placeholders for office hours for the upcoming episodes, you’ll get a reminder when the next Wordfence Office Hours is. As of today, we have two episodes up on YouTube. You can go check those out. If you expand the description box, you can see some timestamps of sections of the show so you can dive in and learn more.

In the most recent episode that we recorded on May 12, Tim Cantrell, who joins me along with Scott Miller on Office Hours, he talked about a phishing campaign hitting a lot of inboxes. It is targeting website owners. So that’s definitely something to listen to. It’s yet another bitcoin scam hitting all of these inboxes. I’m excited that more of our team is going to be joining us for future episodes of Office Hours. It’s a heck of a lot of fun, especially since we miss seeing all of you at WordCamps.

Thanks for listening to Think Like a Hacker. Go ahead and give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.

Give us a follow and we will keep you updated on all of the security news hitting WordPress. Thanks for listening and we will talk to you soon.