Think Like a Hacker Episode 86

Episode 86: War of the Hackers

Millions of attacks have been targeting the recent File Manager plugin zero-day vulnerability discovered last week. Two attackers are vying for control over sites compromised through the vulnerability.

A security researcher has revealed that specially crafted Windows 10 themes can be used to perform Pass-the-Hash attacks.

A database belonging to the Digital Point webmaster forum leaked records of over 800,000 web professionals that are members of the forum.

Visa is warning of a new Baka JavaScript credit card skimmer that removes itself from memory after exfiltrating stolen data, making it difficult to detect.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Attackers Fight for Control of Sites Targeted in File Manager Vulnerability
2:02 Windows 10 themes can be abused to steal Windows passwords
3:45 Webmaster forum database exposed data of 800,000 users, original research: WebsitePlanet and Jeremiah Fowler’s report
5:12 Visa warns of new Baka credit card JavaScript skimmer

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 86 Transcript

Scott Miller:

Hey, everyone. It’s Scott from Wordfence. You’re listening to Think Like a Hacker, the weekly podcast about WordPress, security and innovation. Let’s jump into this week’s stories.

My first story of the week is an update on the File Manager plugin vulnerability. So last week we covered the zero-day vulnerability in the File Manager plugin. The plugin is installed on over 700,000 sites, and since September 4th, we’ve seen the number of attacked sites go from 1.7 million to 2.5 million sites. We’ve also uncovered evidence that there are multiple threat actors involved, one of which was previously responsible for attacking millions of other sites.

Now, the vulnerability has been used by multiple attackers at this point who have successfully been stealing passwords and scattering back doors among the sites. Once a site is infected, passwords are stolen by adding code using Telegram Messenger’s API, which pulls credentials of anyone logging into the site. This code is being added to the user.php file, and in cases where WooCommerce is installed, there could be changes made to WooCommerce files to pull out the credentials there as well.

After cleaning a number of sites infected with these issues, our cleaning analysts had determined that malware was present from multiple threat actors. In total, we’ve seen over 370,000 different IPs being used in these attacks as well as obfuscated back doors located in ICO files. Make sure to check for any new administrator accounts on the site as well, as we have also seen malicious administrators added in some attack cases.

Also, be sure your Wordfence firewall is optimized, and your File Manager plugin is up to date. As we mentioned previously, these sorts of plugins are best to only be installed when needed, and they can be removed otherwise. If you’re curious about more information about this attack, check our original blog post on the vulnerability and also our updated post for more information on the attacks.

In our second story this week, Windows 10 themes are being used to steal users’ Windows passwords. So, Windows account credentials are being stolen from unsuspecting users in pass-the-hash attacks where the specially built Windows 10 themes are being designed to steal users’ credentials. If you’re not familiar, you can customize a theme’s color, sound, cursors, wallpaper, etc. for your system to use on Windows 10. These attacks are specifically to steal Windows login credentials and password hashes, hence the name pass-the-hash, and it’s done by getting a user to access a server message block share requiring authentication.

First, an attacker then creates a .theme file and changes the desktop wallpaper setting to use a remote authentication required resource. At that point, when Windows attempts to access the remote authentication required resource, Windows will automatically try to remotely log in which sends over the Windows credentials and NTLM hash of their password. This information is then gathered by the attackers who try to de-hash and use the credentials.

It’s also worth noting that in some cases, dehashing a password can take just a few seconds to do. So, to protect yourself against these sorts of theme file attacks, you can block or re-associate the .theme pack and .desktop theme pack file extensions to a different program. It’s worth noting that when you do this, it will break the Windows 10 theme feature, so it would only be recommended to do if you do not need to switch to a different theme afterwards.

In our next story for this week, a Webmaster forum database exposed data of 800,000 users. A database belonging to Digital Point exposed user email addresses, names, and more for over 800,000 users. The San Diego, California-based Digital Point describes itself as the largest webmaster community in the world, and it brings together a variety of professionals ranging from freelancers, marketers, programmers, and alike. So, on July 1st, Jeremiah Fowler and the WebsitePlanet research team found an unsecured Elasticsearch database, which contained over 62 million records, including data from 860,000+ Digital Point users.

Shortly after on the same day, the research team sent over a disclosure notice to Digital Point and access to the database was revoked within hours. After that point, there was however no followup or communication from Digital Point with the researchers who disclosed the issue. Now, of course, there are many ramifications from users’ data being accessed in a situation like this, such as further data theft and phishing. It is definitely recommended to always use a unique password for each site that you access. So in the event of something like this occurring, the password cannot then be paired with your email and login names to access other sites.

In our last story this week, Visa warns of a new credit card JavaScript skimmer. So, Visa has issued a warning regarding a new JavaScript e-commerce skimmer known as Baka that will remove itself from memory after exfiltrating stolen data. The script which was designed to steal credit card data was found by researchers with the Visa’s Payment Fraud Disruption or PFD initiative in February 2020, and was found while examining a command and control or a C2 server that had previously had an ImageID web skimming kit.

The Baka features configurable target form files and data removal using image requests as well as advanced design, including a unique obfuscation method, which suggests it’s the work of someone with great knowledge of malware and these sorts of attacks. Now, Visa put out an alert directly, and it mentions the skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code.

Visa also recommends to consider using a fully hosted checkout solution where customers enter their payment details on another webpage hosted by that checkout solution specifically, which would be separate from the merchant’s site. This is the most secure way to protect the merchant and their customers from eCommerce skimming malware. We have seen these sorts of issues on eCommerce sites in the past and it’s a reminder to always keep plugins up to date and be sure you have an active firewall on your site to scan for vulnerabilities and changes. It’s also recommended to require strong passwords for all administrator accounts and of course, limit who you give admin access to.

That’s all for us this week on Think Like a Hacker, stay safe and join us every Tuesday for Wordfence Live on YouTube at noon Eastern, 9:00 AM Pacific Time. We’ll be back with some more news next week, but until then have a good weekend, and we’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
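
The second story above describes .theme files whose wallpaper setting points at a remote resource that requires authentication. As an added example (not part of the episode and not Wordfence code), this Python check parses a .theme file's INI-style contents and lists every setting whose value is a UNC path or URL, so a defender can review a theme before it is applied. It generalizes from the wallpaper setting to all keys; the sample themes and the host name are constructed.

```python
import configparser
import re

# Constructed sample .theme contents (not taken from any real sample).
BENIGN_THEME = r"""
[Theme]
DisplayName=Example Local Theme

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Web\Wallpaper\Windows\img0.jpg
"""

SUSPICIOUS_THEME = r"""
[Theme]
DisplayName=Example Remote Theme

[Control Panel\Desktop]
Wallpaper=\\fileserver.example\share\wallpaper.jpg
"""

# UNC paths (\\host\share or //host/share) and scheme://... values point
# off-host; local drive paths and %SystemRoot% paths do not match.
REMOTE = re.compile(r"^(\\\\|//)[^\\/]+|^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def remote_references(theme_text):
    """Return (section, key, value) for every setting that points off-host."""
    # RawConfigParser: no % interpolation, so %SystemRoot% is read literally.
    parser = configparser.RawConfigParser(
        strict=False, allow_no_value=True, delimiters=("=",)
    )
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = (value or "").strip().strip('"')
            if REMOTE.match(value):
                hits.append((section, key, value))
    return hits


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        print(name, remote_references(text))
```
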
