Episode 78: Targeted Phishing Bypassing Security Checks and a new DDoS Record
This week, we look at some targeted phishing attacks that are bypassing Microsoft Outlook’s protective filters, and phishing campaigns using calendar invitations to target unsuspecting recipients. We also look at some successful bitcoin scams and a new record for a massive DDoS attack that targeted an AWS customer.
Drupal pushes out some security fixes, and zero-day vulnerabilities are found in numerous Netgear routers.
Here are timestamps and links in case you’d like to jump around, and a transcript is below.
2:35 Targeted phishing campaigns are bypassing Microsoft Outlook spam filters, and Wells Fargo customers targeted by calendar invites
4:48 Bitcoin scam using vanity addresses nets $2 million
5:55 AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever
7:37 Drupal patches critical security flaws
9:07 Netgear zero-day vulnerability allows full takeover of dozens of router models
Episode 78 Transcript
Welcome to another episode of Think Like a Hacker, the podcast about WordPress, security, and innovation. I’m your host Kathy Zant from Wordfence and today we’re going to dive into some security news.
There’s not much happening in the world of WordPress security. Even the attackers that we’ve seen ramping up some significant attacks in the recent months have been pretty quiet. Maybe it’s the doldrums of summer, or maybe the craziness in the world is hitting the hacking world. Either way, we’ll take a little bit of quietude after the frenzy of activity we had in May 2020. We hope you’re well. Let’s get into some news.
First a note about Office Hours. A couple of months ago, Tim Cantrell and Scott Miller, a couple of the Customer Service Engineers here at Wordfence, came up with an idea of doing Wordfence Office Hours to bring you a way to learn how to use Wordfence. Usually we do these types of things at WordCamps, but since we’re all quietly waiting for life to get back to normal, we figured we’d provide that value in other ways. Since our quiet start, we’ve moved to live streaming on YouTube, and it’s been pretty active. If you haven’t joined us for our Wordfence Office Hours, we invite you to come join us every Tuesday at noon Eastern, 9:00 AM Pacific. Past episodes are archived up on YouTube where you can watch us walk through some of the features of Wordfence to get the most out of the plugin. You can also look at some of our walkthroughs of Wordfence Central and Wordfence Login Security [on our YouTube channel].
We’ve also been joined in the past few weeks by Chloe Chamberland, who’s one of our threat analysts here at Wordfence, who has discovered a number of plugin vulnerabilities over the recent months. And she showed us how hackers compromise vulnerabilities in WordPress plugins. And last week we took a look at how to clean a hacked site using Wordfence. We have some additional episodes coming up that I think you’ll find interesting. Ram Gall is going to join us to show us how hackers can compromise vulnerable plugins without capabilities checks and what plugin coders can do in order to protect against these types of exploits. And we’ve also got some interactivity, so you can come play with us. We have a lot planned with Wordfence Office Hours in the coming weeks. So please come join us.
Let’s dive into some news.
Our first story is about a phishing campaign that is bypassing some spam filters in Outlook, Microsoft’s email platform. These are targeting Bank of America customers, and it’s a phishing campaign that is targeting only a few people in an organization. And because it’s only targeting a few people, this low volume is enabling these to slip past Microsoft’s email security. Also, this phishing campaign is passing all of these security checks because it’s using a Yahoo email address rather than a Bank of America email address, so it authenticates against the types of checks that they do on domain authentication. Technologies like SPF, DKIM, and DMARC help to verify whether an email has been sent from the domain it claims to be originating from, and because this is coming from Yahoo, it looks okay with those checks. But in this case, the email’s originating from Yahoo.
So the email body doesn’t have any domains that can be recognized as malicious. The phishing domain that they’re using, nulledco[.]store, was registered on June 1st, has a valid SSL certificate, and is not in any security databases. So it is not being flagged as malicious.
What does this tell us? Well, it’s telling us that spammers and phishers can bypass some of these security tools that we have in place to identify malicious emails coming in. So the responsibility still lies with us. Any email that comes in, whether it’s from a bank or our friends, any email that ends up in your inbox still should be looked at with some scrutiny to determine whether or not that is a valid email. And when you’re going to your bank just type in the domain name yourself, don’t click links in emails, [that] would be my advice.
And in a related story, Bleeping Computer also is reporting that there is a phishing campaign targeting Wells Fargo customers that is baiting customers with calendar invites. So you’ll want to watch out for those as well.
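The point in the Bank of America story is that SPF, DKIM and DMARC only prove a message really came from the domain in its From header, not that the sender is the brand named in the display name. The following is an added example, not code from the episode or from Wordfence, showing a header-level triage that treats passing authentication and a brand name on an unrelated domain as the suspicious combination; the brand-to-domain table and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical table for this example: impersonated brands and the domains they really send from.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}, "wells fargo": {"wellsfargo.com"}}

# Constructed sample (not a real message): a "Bank of America" display name on a genuine
# Yahoo mailbox, so SPF, DKIM and DMARC all legitimately pass for yahoo.com.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=yahoo.com;
 dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com
From: "Bank of America Alerts" <alerts.bofa@yahoo.com>
To: customer@example.com
Subject: Unusual sign-in activity

Verify your account at https://secure-alerts.example/login within 24 hours.
"""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results (folded lines included)."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    return {mech: res.lower() for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header)}

def impersonated_brand(msg):
    """Return the brand named in the display name when the From domain is not one of its own."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None

def link_domains(msg):
    """Hostnames linked from a plain-text body; the lure rarely points at the brand's own domain."""
    body = msg.get_payload() if not msg.is_multipart() else ""
    return sorted(set(re.findall(r"https?://([\w.-]+)", body)))

def triage(raw):
    """Authentication verdicts plus sender/brand consistency: passing SPF/DKIM/DMARC only
    proves the mail came from the claimed sender domain, not that the sender is the brand."""
    msg = message_from_string(raw)
    results = auth_results(msg)
    brand = impersonated_brand(msg)
    return {
        "auth_all_pass": all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "impersonated_brand": brand,
        "link_domains": link_domains(msg),
        "suspicious": brand is not None,
    }
```

Run `triage(SAMPLE_PHISH)` to see all three authentication checks pass while the message is still flagged; the same message from a bankofamerica.com address is not.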
Our next story is about Bitcoin giveaway scams. I see these on Twitter all the time, and I always wonder who falls for these. And apparently some people have. ZDNet is reporting that Elon Musk’s name is being used in vanity Bitcoin addresses, and they have been successful in scamming users out of about $2 million. Not even quite sure why Elon Musk’s name tricks people into falling for these scams, but basically these vanity addresses have Elon Musk’s name in them, and they have noticed that about $2 million has been harvested by these attackers. So just to educate our friends that Bitcoin scams exist and not to fall for them: if there is a Bitcoin giveaway, make sure that you walk the other way. Bitcoin’s like $9,000 at the moment; I’m sure that will change, it’s so volatile, but it’s interesting to see that these vanity addresses are all it takes for people to fall for these scams.
Our next story, also from ZDNet: AWS said it mitigated a 2.3 terabyte per second (Tbps) DDoS attack. And this is the largest DDoS attack ever recorded. The previous record for the largest DDoS attack was 1.7 terabytes per second, recorded in March of 2018. So this report doesn’t identify the targeted AWS customer, but it says the attack was carried out using hijacked CLDAP web servers, and caused three days of elevated threat for AWS Shield staff. CLDAP, Connectionless Lightweight Directory Access Protocol, is an alternative to the older LDAP protocol. It’s used to connect to, search, and modify internet-shared directories.
This protocol has been abused for DDoS attacks for about four years, and CLDAP servers are known to amplify DDoS traffic by 56 to 70 times its initial size, so it’s a highly sought-after protocol for attackers. And this is a common option that is being used by DDoS-for-hire services. And Cloudflare has reported that 92% of the DDoS attacks that it mitigated in the first quarter of 2020 were under 10 gigabytes per second (Gbps). And about half of those were even smaller, under 500 megabytes per second (Mbps). So a 2.3 terabytes per second DDoS attack is pretty significant. And it sounds like someone was targeted in this attack. It’ll be interesting to see if we see more of this.
Our next story comes from portswigger.net. They’re reporting that Drupal has patched a couple of critical security flaws. Drupal is a content management system, similar to WordPress. The first flaw that was patched was a cross-site request forgery, or CSRF, in the form API. It was failing to properly handle certain form input from cross-site requests. The second critical vulnerability was an arbitrary code execution risk. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. And with that directory in place, an attacker could attempt to brute force a remote code execution vulnerability. And Windows servers were most likely to be affected by that. These critical vulnerabilities were resolved in Drupal versions 7.7.2, Drupal 8.8.8, Drupal 8.9.1, and Drupal 9.0.1. There were a few other vulnerabilities patched in these updates, but they were less critical. There are full details on the Drupal site, and we’ll have a link for you in the show notes to check that out if you are managing Drupal sites along with your WordPress sites. It’s definitely important to keep all of your open source software patched and to keep everything safe.
Our final story is about a zero-day flaw in NETGEAR routers that allows for full takeover of dozens of router models. This is coming from ThreatPost, and it was published on June 19, 2020. This unpatched vulnerability in the web server of the device firmware gives attackers root privileges, according to researchers. They discovered the zero-day vulnerability that puts 79 device models at risk for a full takeover. So the flaw stems from a memory safety issue that’s present in the firmware’s HTTPD web server. Basically, there’s a web server on your router that allows you to browse to that router and configure the settings that you want on a router.
Now, unfortunately, with this flaw, authentication isn’t required to exploit the vulnerability, which means that anyone can exploit it. Authenticated vulnerabilities mean that you have to be an authenticated user; you have to be logged in with a username, password, or some kind of credentials that logs you into the device. But with this one, you don’t need to be authenticated. Anyone can exploit it.
Now what’s kind of frightening about this is that this security researcher states that they informed NETGEAR of the vulnerability in January, but they’ve still not delivered a patch for affected devices. So this is what typically happens in the security world. Security researchers find a vulnerability, you go to the manufacturer of the device or to the plugin author in many of our cases and you disclose the vulnerability. You provide a proof of concept, show how it works, and then you work with that vendor to ensure that the vulnerability is patched.
So in this case, the researcher was asked by NETGEAR to extend their deadline for public disclosure until the end of June. And the researcher decided not to extend that deadline; it’s been six months, of course. And they discovered the flaw initially in the NETGEAR R7000 router series, but then they eventually identified 79 different NETGEAR devices and 758 firmware images that include a vulnerable copy of this web server. So what does this mean for you? If you are using one of the affected devices (and you should go check out this ThreatPost article to determine whether or not you are using a NETGEAR router with this vulnerability), you’re going to need to watch for a patch. And when that patch is released, you need to make sure your router is patched so that you have all of those security fixes in place.
This is not the first problem with security for NETGEAR. In March, NETGEAR patched a critical remote code execution bug that could allow unauthenticated attackers to take control of wireless AC router Nighthawk, the R7800. So NETGEAR is no stranger to some security issues. It’s really important. You think about patching your computer and making sure that that’s all updated. Obviously you think about your WordPress website and want to ensure that that is updated. But you have to consider every device that’s on your network, including the router that allows you to access the internet, that needs to be patched as well.
So, yeah, not much going on in WordPress security, which is nice, but there’s a lot going on in the security world as a whole. Obviously staying on top of all of these security stories is our beat. And if we think it’s relevant to you, we will cover it. If there’s a story you would like us to cover, we will take that little tip; send it to us at firstname.lastname@example.org and our researchers will get on it. If there’s a story you’d like us to cover in WordPress that is beyond security, we’d love to take a look at that as well.
And join us on the office hours, every Tuesday at noon on the East coast of the United States, 9:00 AM on the West coast. We have a few of us coming from the East coast and a few of us here in Arizona, and we look forward to showing you some secure coding practices coming up next.
We will talk to you soon again on the podcast. Hope if it is after the 4th of July, that you have a safe holiday, if you are here in the United States. And if you are elsewhere, we hope that your summer is peaceful and that things are well for you. Stay safe and we’ll talk to you again on Think Like a Hacker.
Please give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.