Think Like a Hacker Episode 93

Episode 93: Nitro Documents on the Dark Web and Botnets Targeting Older Vulnerabilities

We cover a couple of breaking stories this week, including the emergency release of WordPress 5.5.3 on Friday, October 30. In preparation for this, a number of sites auto-updated to version 5.5.3-alpha. We also look at the defacement of the Trump campaign website, and how two-factor authentication could have prevented this. We also look at the implications of a massive Nitro database breach impacting numerous large organizations. A botnet is targeting a number of content management systems, including WordPress sites. And adware found on the Google Play Store is targeting kids.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:00 Emergency WP 5.5.3 Release
1:00 Defacement of the donaldjtrump.com Website
2:31 Wordfence Central Teams
4:05 Massive Nitro Data Breach Impacts Numerous Companies
7:10 Sophisticated Botnet Feasts on Old Vulnerability to Exploit Content Management Systems
10:47 AdWare Found in 21 Android Apps with more than 7 Million Downloads

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 93 Transcript

Kathy Zant:
Hi, this is Kathy Zant with Wordfence. We recorded the podcast earlier this week, but there have been a couple of breaking stories since we’ve recorded. Just wanted to highlight those for you.

So, the WordPress core team released an emergency release of WordPress 5.5.3, just one day after the release of version 5.5.2. That emergency release was done to remedy an issue introduced in WordPress 5.5.2 that made it impossible to install WordPress on a brand new website without a database connection configured. In preparing for this emergency release, a second issue caused a number of sites to be erroneously updated to version 5.5.3-alpha.

Some post mortem notes are on wordfence.com/blog if you’d like to read about what happened. Essentially, all you need to do is make sure your website is updated to 5.5.3. We’ll have more on this for you next week.

The second story is about donaldjtrump.com, the campaign website for the president. It was hacked earlier this week on October 27th at about 4:50 PM Mountain Time. The site was defaced, and the defacement had two cryptocurrency wallets on it, asking visitors to vote for whether or not they would like compromising information about President Trump released.

We were not involved with incident response for this particular hack, but we did take a look because of the interest obviously in the American election. We came to the conclusion that compromised credentials are most likely the reason why the site was compromised.

And we will take another opportunity to remind you to put two-factor authentication on everything, from your campaign website to your WordPress site, to your bank accounts. Wherever you can use 2FA, you should be using it. Now on to the rest of the podcast with Ram Gall.

Ram:
Hello, and welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am a Wordfence threat analyst and QA engineer, Ramuel Gall, and joining me is Kathy Zant.

Kathy:
Hi, it’s me, Kathy, Director of Marketing, the person who makes everyone look good. How are you doing, Ram?

Ram:
Well, you do a great job of making us look good. I’m pretty excited because we just launched something pretty cool on wordfence.com today. It’s a new Central feature called Wordfence Central Teams. So yeah, if you’ve got any questions about that, now is the time to ask.

Kathy:
Yeah, I do. I mean, I watched you guys working on this over the past few months. This seems like a really powerful feature to add to Wordfence Central, and Central is a free dashboard that allows people to manage all of their security in one place, right?

Ram:
Correct. Basically, with Wordfence Central, you can, if you’ve got Wordfence running on multiple sites, you can add them all to your Wordfence Central dashboard, manage scans, view security events, and be alerted when something happens. With Wordfence Central Teams, that gives you the ability to invite other trusted administrators to manage your sites for you, without necessarily giving them the entire keys to the sites.

Kathy:
Right.

Ram:
It does allow them to manage security issues, site configurations that are in your account without giving them your account’s username and password, which is important. And it helps with keeping accounts separated. I believe on Wordfence Live we’ve discussed why that’s very important to create a separate account for each administrator, even if you trust everyone involved.

Kathy:
Exactly. Yeah. So, we’ve got that on Wordfence Central now. So, check that out. If you haven’t tried Wordfence Central yet, just go to wordfence.com/try-central. It gives you a little overview about what Central’s all about. It works with your sites that are protected by Wordfence Premium, as well as the sites that are protected by Wordfence Free. So, give that a go.

Kathy:
Now, we’ve got some interesting stories in security news this week. What’s going on with this Nitro data breach that looks like it’s impacting some major companies, Ram, what did you see here?

Ram:
Well, it looks like Bleeping Computer broke the story on this one. A little bit of background. Nitro is a cloud service that lets you create PDFs, share them, and have people sign them. I don’t know if you’ve ever used DocuSign, but it’s a fairly similar service.

Kathy:
Yeah.

Ram:
So, on October 21st, Nitro Software issued an advisory to the Australian Stock Exchange and let them know that they were impacted by a low-impact security incident. They claim that no customer data was impacted, but then a cyber and security intelligence firm, Cyble, found a threat actor selling user and document databases and a terabyte of documents on the dark web, which they claim to have stolen from Nitro Software.

Kathy:
Whoa. A terabyte is a lot of documents, isn’t it?

Ram:
I mean, yeah. Yeah. I mean, PDFs are a little big, but a terabyte is still a lot of documents and we’ve got some numbers, it’s well over 100,000 documents impacted from some very large companies, so.

Kathy:
Okay. And what are they selling this for? It seems like a hefty price.

Ram:
Yeah. I guess, it’s going on a private auction with a starting bid of $80,000.

Kathy:
Whoa.

Ram:
Well, so Cyble says that they found a user credential database table with 70 million user records, with email addresses and hashed passwords, which is good because it means it’d be harder for those passwords to be reversed. That’s news all on its own.

Kathy:
Sure. So, not only are these documents involved in this breach, but personally identifiable information of customers that were using Nitro services was also involved in this?

Ram:
Correct. And honestly, for the first time, for one of these breaches, it sounds like that’s actually the less severe breached data. It looks like some of the documents were from Amazon, Apple, Citi, Chase, Google, Microsoft, and literally thousands of documents from all of these except Chase, which only had a couple hundred. Just the document titles indicate that the stolen documents were things like NDAs or financial reports or secret stuff, the kind of thing that could give an unscrupulous company an incredible competitive advantage, if they went there.

Kathy:
Yeah. Wow. So, 70 million records and major corporations, and it looks like some sensitive information here. So, this is obviously … It looks like it’s still a developing story. We don’t really know what exactly might happen from this being available on the dark web, but $80,000 for a nation-state would be chump change. Right?

Ram:
Yeah, it would. And these could do some damage if they are what they say they are, and Cyble seems to be a fairly reputable security firm. So, yeah.

Kathy:
Interesting. So, we’ll keep an eye on this and let you know if anything interesting comes of this. What did we find out about this botnet that was looking at old vulnerabilities on content management systems like Joomla, WordPress, and other content management systems? You took a deeper look at this. KashmirBlack is what this group is being called.

Ram:
Yeah. Imperva, which also does web application firewall work, released a report on a botnet threat actor titled KashmirBlack that’s been attacking a number of CMS systems, including WordPress, Joomla, and I believe Drupal was one of them as well. It looks like their main exploit was a remote code execution in PHPUnit that was found in 2017. PHPUnit, for some background, is a software testing platform used for testing PHP applications, making sure that all your code works the way you think it will. It is used in QA fairly frequently. So, in this case, the vulnerability basically allowed attackers to just send a request to one of the files and get whatever code they send executed. And I guess that they also saw attackers going after one of these same vulnerable components found in the recent WP File Manager vulnerability.

Kathy:
Interesting.

Ram:
I did do some cross-correlation on the IOCs and the IPs that they sent. It looks like we have seen and blocked a few attacks from this threat actor, but they haven’t been terribly active or focused on sites protected by us.

Kathy:
Interesting.

Ram:
… the good news for our users.

Kathy:
Yes.

Ram:
Though, they are targeting older websites with older versions of CMS systems.

Kathy:
Okay.

Ram:
So, always update, always patch.

Kathy:
Interesting. And someone at Imperva said that typically CMSs are interesting low-hanging fruit for attackers like this, that are going after older vulnerabilities, because there’s a higher probability of finding sites that don’t have their CMS software or plugins patched. And because CMS servers often have more resources like memory, disk space and CPU, these are attractive. Is that something that you see also with our threat intel?

Ram:
Definitely. I mean, attackers are always trying to take over WordPress sites because then they can use those WordPress sites in a botnet or as a jumping point to attack other WordPress sites.

Kathy:
Yeah.

Ram:
Honestly, it looks like KashmirBlack actually had a fairly interesting structure in that they had a single C2 server or command and control server, but they also had a bunch of additional servers that were just infected sites, that they used to distribute malicious code. In addition to serving up malicious code on their GitHub page.

Kathy:
Interesting. So, really if you want to keep your site safe from these types of attackers, basic security really is going to help you just stay covered. It’s really not that difficult. Keep everything updated, keep Wordfence on your site and you’re probably going to be okay.

Ram:
Yeah. I mean, keeping everything up to date is one of the most important things you can do. And we do have a web application firewall that tends to block a lot of attacks, even if they’re unknown.

Kathy:
Sure. So yeah, some of our generic rules, like the file upload, directory traversal, cross-site scripting, some of those are just things that are baked into Wordfence as a whole and block a lot of these attacks, don’t they?

Ram:
Yeah. I mean, we do triage anytime a vulnerability is discovered by any other threat researcher as well. We have to determine whether or not we have to write a firewall rule for it. And in a lot of cases, our existing firewall rules, just the built-in ones, already provide ample protection.

Kathy:
Excellent. Good to know. And you’ve heard it from Ram himself. What’s our final story? This is about adware being found in some Android apps. What do we have here?

Ram:
Looks like about 21 Android applications basically were found using a type of malware called HiddenAds, according to Czech antivirus maker Avast. So, this adware strain has been around since 2019. And basically, what it does is it’ll hide the app that you initially download and then it’ll pop up dozens of intrusive ads and open mobile browsers onto ad-heavy pages. So, I guess what was weird about this one is that they were actually targeting kids.

Kathy:
Ew.

Ram:
They actually made ads on social media to try and get kids to download these apps and install them.

Kathy:
Oh, no. And it looks like four of these apps had over a million users, Shoot Them, Crush Car, Rolling Scroll and Helicopter Attack. Yeah, those sound like something kids would play. And they had actual adware in them, huh?

Ram:
Yeah. Apparently more than 7 million users total downloaded the collective set of apps before Avast filed their reports. So I mean, the weird thing is that according to this report, six of them are still available on the Google Play Store. Though, I mean, it’s also always possible that those are the ones with lower install counts, and Google probably has a triaging system in place as well. So, it’s possible they just haven’t finished reviewing them yet.

Kathy:
Sure. This seems to be a consistent problem on the Play Store. In this article on ZDNet, they stated that Google deactivated the accounts of six developers for uploading apps tainted with the Cerberus banking trojan. So, it just seems like this is continuously a problem, and anyone with a phone and apps and games on their phone just has to be aware that malware and adware can slip through their process of triaging these apps as they get put on the Play Store.

Ram:
Yeah. I think it’s just the case that more apps are published than they can reasonably review in any given period.

Kathy:
Sure.

Ram:
So, they do have to focus their efforts.

Kathy:
Sure.

Ram:
And trusted developers, I mean, you’ll see the same kind of potential for supply chain attacks where even if a developer becomes trusted, if someone else buys the rights to that app and decides to push malware up on it, that can happen as well.

Kathy:
We’ve seen that before.

Ram:
Well, with WordPress plugins.

Kathy:
Yes.

Ram:
Yes, we have actually, usually for crypto mining, that was a big thing back in 2018.

Kathy:
Yeah, it was. Now, you have some advice for people to basically determine whether an app might be problematic on your phone. What advice did you have?

Ram:
Well, anytime you install an app on your device it’ll ask for certain permissions. And it’s a good thing to make sure that the permissions it asks for kind of make sense for what the app is trying to do. Like if you’re downloading a calculator, there’s no reason for it to need to be able to send or receive SMS messages. Which incidentally is a way that a lot of these malicious actors monetize: they’ll set up premium text message services. You know those, “Sign up for your free horoscope every day,” and then you find on your phone bill that it’s costing you $3.99 a month. It’s basically systems like that, where apps sign you up for those things.

Kathy:
Gotcha.

Ram:
That’s how a lot of people monetize. So, make sure that the permissions the apps are asking for line up with what they say they’re trying to do. I remember you had a pretty funny story about that actually.

Kathy:
Yeah. My daughter, her very first phone was this old hand-me-down Android, and she ended up with an app that all it did is you pushed a button and it said, “Catch me outside. How about that?” From the Dr. Phil meme girl, whatever, that’s all that the app did, but it required the location data in order to do it. I guess, so that if you had to catch someone outside, they would know where you were, I guess. I don’t know.

Ram:
I mean, that’s the best case scenario. Right?

Kathy:
Yeah. Exactly. Yeah. Pretty crazy. But yeah, definitely watch what your app wants to do, because an app … Plugins on your WordPress site are one thing, but your phones are something that you’re carrying around with you all the time, they sleep next to you, next to your bed, cradled on their charger. But to me, it just seems like something that you need to pay a little extra attention to with security, is your mobile device.

Ram:
I completely agree. And there are always terrifying new things discovered at each DEF CON when it comes to mobile security and sometimes in between. Like Project Zero releases a lot of cool stuff about mobile security.

Kathy:
Interesting. Well, we’ll have to keep an eye on that. Well, thanks for joining again this week, Ram. If somebody wants to follow you on Twitter, where do they find you?

Ram:
It’s @ramuelgall on Twitter.

Kathy:
That’s it.

Ram:
And you are @kathyzant, right?

Kathy:
I am @kathyzant. Although, I haven’t been checking my Twitter account very recently, but I’ll have to get back on that more. Thanks for joining us. This is episode 93 of Think Like A Hacker. You can follow us at wordfence.com/podcast or on your favorite app where you listen to all of your podcasts.

Ram:
Like Spotify or iTunes.

Kathy:
Like Spotify or Apple Podcasts or Overcast is my favorite.

Ram:
Ooh.

Kathy:
But we are everywhere.

Ram:
We are. Literally everywhere.

Kathy:
Literally everywhere. So, we will talk to you again next week. Thanks.

Ram:
Bye.

Follow Ram on Twitter @ramuelgall or Kathy @kathyzant.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.


Comments

1 Comment
  • Good work, thanks for the information guys.