Think Like a Hacker 106

Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE

WordPress 5.7 is due to be released on March 9, and it will allow administrators to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for command and control, while VMware fixes a critical remote code execution bug in all default vCenter installations. Android users now have an easy way to check password security. We talk about the ramifications of vulnerability disclosures and how last year’s File Manager vulnerability did not have long-lasting effects on plugin installation base or growth. We also discuss how investor data breach fatigue has reduced the stock price impact of cybersecurity failures.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:41 Wordfence/Defiant is hiring, and we’re offering a $500 gift card for anyone who refers a successful candidate
2:30 The Wordfence K-12 site cleaning and site audit program continues to help schools around the world
3:00 WordPress 5.7 will allow administrators to send password reset emails
6:20 This botnet is abusing the Bitcoin blockchain to stay in the shadows
9:52 VMware fixes critical RCE bug in all default vCenter installations
11:53 Android users now have an easy way to check password security
14:40 Investor data breach ‘fatigue’ reduces Wall Street punishment for cybersecurity failures

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 106 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is director of marketing, Kathy Zant. Kathy, how are things?

Kathy:
Things are very, very good compared to last week. It’s almost like Texas has somewhat recovered. At least the weather’s recovered. I think people here-

Ram:
Do have power and water now?

Kathy:
I have power. I have water. The skies were blue yesterday. We have ping pong ball sized hail coming, apparently. What is with Texas? I don’t know. It’s interesting, though. Got to keep-

Ram:
Everything is bigger in Texas, even the hail.

Kathy:
Even the hail. It’s a crazy place. Anyway, all is well. And we have some interesting things, some big things happening with Wordfence.

Ram:
I hear we are hiring.

Kathy:
We are hiring. We’re hiring for four specific roles. These are senior roles. So we wanted to sweeten the pot for all of our listeners who are out there listening who… Come on. You guys know someone who’s amazing. Someone who’s looking for-

Ram:
And you like free money, too, right?

Kathy:
And you like free money. So we thought we’d put all of those things together, and we want you to refer someone that you think would be exceptional in one of these roles and that would enjoy the fun, fast-paced environment we have here at Wordfence.

Kathy:
We have a security operations role. We want someone who’s up on the AWS scene. We’re looking for a couple of senior PHP developers and a senior researcher who is very interested in website performance. If you know someone and you refer someone, we will give you a $500 gift card if you refer a successful candidate. And if you think you might be a successful candidate, we would love to talk to you. There are links in the show notes for these job descriptions so you can get the full details about what these jobs entail and the benefits of working here at Defiant. Benefits that even include a week off between Christmas and New Year’s, which is always a nice time. Don’t you love that, Ram?

Ram:
Yeah. Yeah. Honestly, the last few years we’ve been doing it, but they finally made it official policy instead of just a cool thing we decided to do at the last minute.

Kathy:
Yeah, exactly. It’s a nice way to end the year. Just kind of think back over the previous year and plan for the future. Always a good time.

Kathy:
We also have our K-12 school initiative, site cleaning and site audits available for any government or state funded school in the United States, in Canada, in Mexico, anywhere in the world. If you know of a school that could use some security support, send them our way. We are cleaning and auditing those sites for free, and educating the educators. That program is continuing and continues to be a success, so we just wanted to mention it. We would love your referrals. Just send those schools our way.

Kathy:
Now, we saw some interesting stuff coming in WordPress 5.7. Ram, what do you know?

Ram:
WordPress 5.7 is actually fulfilling a sort of long-requested feature to let administrators send password reset links. And this is very cool. I mean, there is some potential for abuse via social engineering, but I mean, if you think about it, an attacker can already request a password reset for a user if they know or can guess the username or email address, so it’s not like attackers can’t send password resets to people anyways.

Kathy:
Sure, sure. Now this feature is rolling out in WordPress 5.7, which is coming up pretty soon. This has been a five-year-old ticket that has been in the trac system, and it’s going to allow administrators to manually send a password reset link to users instead of having to instruct a user about what to do, how to go about doing it. The administrator can just say, “Okay, let me just send that to you,” rather than trying to explain something to maybe a user who’s just a subscriber or a user who is a student in a learning management system, to basically get that lost password link to them so that they can go ahead and reset that password.

Kathy:
But obviously that send password reset link is going to be in several places, and with anything that’s sent to a user, there’s a potential if that site ever is hacked that that could trigger something that an attacker could use to basically trigger a user to perform some actions.

Ram:
I mean, I’m not really worried about that. WordPress now has fairly strong cross-site request forgery protection. I think, realistically, the only potential problem we could see is that now there’s this expectation that you could get a legitimate password reset email sent by an administrator without asking for it. So, I mean, it’s conceivable that these could be spoofed and used in phishing attacks.

Ram:
You send someone something that looks like a password reset link and say, “Hey, I’m the administrator for your site. It looks like your password might’ve been compromised so I’m sending you this link,” and then get them to fill it in on a phishing site. There’s still some caveats with that, where if they log in with their new password and find it doesn’t work, will they then reset it again to the same password? I mean, I could see this being abused. I could see it being fairly difficult to abuse, but there’s always the potential.

Kathy:
Sure. Mostly we just want people to know that this new feature exists, and with any new feature that shows up there’s the potential for it to be used in a unique and never-seen-before way, so just to be aware that that feature exists. That if a password link shows up in a user’s inbox, that that user should definitely look at that if it’s unexpected and investigate further before they go haphazardly clicking links and traversing the internet, right?

Ram:
Yeah. I mean, it’s just like receiving a weird request, like something that could be a spear phishing request in your company email inbox. If you get a request for something that you weren’t expecting from someone, just verify with them via another channel. If you get a password reset link from an admin, maybe you get in touch with them and say, “Hey, did you send this on purpose?”

Kathy:
Exactly. All right, let’s move on. Let’s look at this botnet that we saw abusing Bitcoin blockchains to stay in the shadows. Now, Bitcoin is crazy in the news.

Ram:
Your favorite. That’s your favorite. I know it is.

Kathy:
It’s everywhere. Everybody’s talking about Bitcoin. I mean, when an asset performs in ways that people weren’t expecting or predictable ways, everybody starts talking about it. As soon as cryptocurrency starts increasing in value, we start seeing attackers trying to leverage any technology they can in order to either mine that cryptocurrency, to ransomware people out of cryptocurrency. It just becomes another way that we see attackers trying to monetize attacks, right?

Ram:
Yeah.

Kathy:
What are we seeing with this one?

Ram:
Okay, so one of the things about the blockchain is that effectively, it’s an immutable record of things that have happened. This is actually kind of interesting. The botnet that was using it was actually Skidmap malware, which is actually used for mining other cryptocurrency. In this case, Monero, which is popular amongst threat actors, because it’s untraceable, or at least it’s really hard to trace. And by the way, these guys aren’t actually doing a great job. Apparently, they’ve mined like $30,000 in Monero, which is not really a lot considering.

Kathy:
Yeah, come on.

Ram:
Anyways, it looks like what they were doing is the malware was looking for C2 instructions … So here’s the thing about command and control systems: they’re really easy to disrupt. If your malware is asking for new instructions from so-and-so domain or so-and-so IP, then it’s fairly easy for the hosting provider or the domain registrar to take those down at the request of governments or security researchers once they figure out there’s something malicious happening there.

Ram:
So, a lot of malware that relies on this command and control infrastructure needs a way to figure out, okay, where should I ask for instructions next, because my current instruction feed has gone down?

Ram:
What they did was they basically added an algorithm that looks at a particular Bitcoin wallet and checks how much had been sent to it, and it used that number in satoshis, which are, I forget if it’s a hundred thousandth of a Bitcoin, but very small amounts of money. It uses that number and basically breaks it up and parses it into an IP address, and that IP address is the IP address of the next server they should check.

Kathy:
That’s crazy.

Ram:
Yeah. Since it’s pretty much immutable, you can’t really shut it down, but what you can do is you can send money to that and mess up the IP address.

Kathy:
Hack the hackers.

Ram:
Pretty much. And that’s cheaper than fixing the IP address back to where it was, but the attacker probably controls that wallet. Giving them money seems like a not great way to get them to stop, especially if they can just give themselves more money to undo what you just did.

Ram:
I think we’ll be seeing a lot more of this in the future, just because it’s a novel command and control method. We’ve seen this in Twitter feeds. We’ve seen this in Instagram feeds. We’ve seen all sorts of C2 methodology happen in the past few years that’s just kind of wild.

Kathy:
Yeah, interesting, because whatever is written into the blockchain, it’s there. It’s not something that can be erased or undone, it’s just there. This’ll be interesting to watch and see how other people are using blockchain technologies in novel ways to, I don’t know, be stinkers on the internet, I guess.

Ram:
Pretty much.

Kathy:
Yeah.

Ram:
Speaking of stinkers on the internet, it turns out there was a VMware bug, a critical remote code execution bug in all default vCenter installations. So, vCenter Server is basically a central management solution for virtual machine hosts.

Kathy:
Okay. So kind of like ManageWP would be for WordPress, this is for a centralized server for VM hosts, right?

Ram:
Kind of, yeah. Yeah. Basically, it manages all the virtual machines in an organization’s network that they’ve set it up to actually use virtual machines. Anyways, the vSphere client, basically it had a remote code execution vulnerability. It was in one of the vCenter server plug-ins related to something called vRealize operations, but the thing is it was vulnerable even if you weren’t using that particular plugin.

Ram:
An attacker with network access to port 443, which is just the standard SSL port or TLS port, could exploit the issue to execute commands with unrestricted privileges on the underlying operating system that hosted the server, which would probably give them control of all the VMs it was managing, too. Which, for some organizations, would be all of their servers. Apparently, they’ve already seen this being attacked in the wild in several thousand vulnerable servers exposed on the internet. So yeah, I feel bad for those organizations. If your organization is running this, then please update.

Kathy:
Yikes. That just sent chills down my spine. Very, very frightening. So definitely update if you have anything going on with VMware and vCenter Server. Scary.

Ram:
If you’re managing multiple VM hosts using vCenter server, then this is definitely something to be aware of. If you’re just on a desktop or running VMware to run a virtual machine, you’re probably okay. I mean, you’re definitely okay, but yeah.

Kathy:
Wow. Well, it looks like Android users now have an easy way to check password security. What’s going on with this?

Ram:
I don’t know if you’ve heard of Have I Been Pwned-

Kathy:
I have.

Ram:
Which is an online service that you can use to see if your password has been exposed in any data breaches. Which is a really good thing to do, because so many data breaches are the result of passwords exposed in other data breaches, that it’s just not even funny anymore. So yeah, use a password manager with unique passwords for each service you use, please.

Ram:
Anyways, this works really similar to Have I Been Pwned. It basically uses cryptography to ensure that the password checking service never gets your password that you’re checking. Not even just the hash of the password that you’re checking. Which, if you want to know more about password hashes you can listen to our previous podcast and our Wordfence Live show on encryption.

Ram:
Anyways, basically what it does is the phone or device sends the first part of the hash of a password to the service, and the service sends back an encrypted set of breached hashes and it compares them without either side ever knowing the full hash you’re checking or the full hash of the breached passwords. It’s pretty cool. If you can turn it on, please do, because that way it’ll let you know if you’re using a password that’s been breached in any of your Android apps. And most of them, if you’re not signing in directly with Google or Facebook OAuth, you probably have an account set up with a password that you’ve probably used somewhere else, too.

Ram:
I remember I got breached in the GrubHub breach a while back because I was reusing a password for that, so this is kind of important.

Kathy:
Very important. So this is resident within all Android phones.

Ram:
If you’re up-to-date, yeah.

Kathy:
It’s a project by Google. Let this be a reminder to you that you should be using a password manager. Most of the major password managers, they have both a desktop as well as a phone, iOS or Android version, and always kind of these tools have ways of letting you know that you are using passwords in multiple places, password checkups, types of features. Always good to have this running in your apps, as well, just across the board. You can’t just have the one password anymore.

Kathy:
Hey, do you want to hear the worst story? One of the first companies I ever worked at in the networking department, and one of our server passwords was Flowbee.

Ram:
Oh gosh. It sucks, and it cuts.

Kathy:
It sucks and it cuts. That should have not been a password, but back in the day you could reuse passwords and do dumb, funny things like that. No longer.

Ram:
No longer.

Kathy:
Yeah. So, let’s talk a little bit about this article you found, Ram, about data breach fatigue. What does that mean, and what does it mean for … I mean, you and Chloe and our threat intel team are constantly finding vulnerabilities and working with plugin developers, theme developers, anybody in the WordPress space, helping them to patch their code and to write more secure code. But then, of course, there comes a point once that’s patched and once firewall rules and updating has occurred, you have to publish details about what you found for educational purposes, for keeping your certifications up. And a lot of, I think, plugin developers and whatnot, is it painful for them when you guys are publishing?

Ram:
We have heard some concerns expressed that publishing the vulnerability will reduce the plugin’s market share. And, you know what? We have seen that happen in the very short term, but they almost always recover. Even the File Manager vulnerability, the one last year-

Kathy:
Yeah, that was a bad one.

Ram:
That was really bad. That was hugely impactful. That was almost a worst case scenario in everything except how they handled it. They handled it pretty quickly, but it was already a zero-day. It was already being exploited by the time it got found out and it had a lot of installations and there were a lot of sites impacted by it. Our site cleaning team is still cleaning sites that were impacted by that and didn’t have Wordfence at the time.

Ram:
So, yeah, it was a huge thing. And you know what? Their install growth dropped. It went negative for about a month and a half, and then it came back. The growth is not back to where it was, but the install count is right where it was, and growth is still positive and growth went positive again about a month and a half after it got disclosed. So, yeah, if you’re worried about the impact of vulnerability in your plugin, don’t be. It’s much better to fix it than to have people impacted and to not fix it.

Kathy:
Right. Well, there’ve been some major … I mean, Target. When was that? 2013 when Target had all of their point-of-sale cash registers basically compromised and credit card data was compromised. I didn’t stop shopping at Target, and Target’s recovered quite well. It didn’t ruin them completely, right?

Ram:
Yeah. IBM’s done some research on the cost of a data breach report, and I mean, yeah. This is outside of the WordPress plugin ecosystem, mind you, so this is a completely different context. If you’re talking how much a database breach costs a large company, the enterprise sector can expect an average bill of like $3.8 million, and some of them can rise up to like $392 million to actually remedy the breach.

Ram:
But they did a study on the stock prices of companies that disclosed breaches, and back in, say 2013, there was a massive impact, but even in 2019 stock prices would drop by like maybe 7% after a data breach was disclosed. Now, it only drops by like three and a half percent. So people are getting used to data breaches just kind of happening as a cost of doing business. That doesn’t mean they shouldn’t be addressed, because they absolutely should. If they’re not addressed, then that leads to much more severe long-term consequences.

Ram:
It only took like 100 days for prices to recover, apparently, according to this research, and general performance was only slightly poorer in the six months after a breach. So, breaches happen. Address them, fix them, take precautionary measures if you can, but the response is really one of the big things that matters.

Kathy:
Right. Well software, to me, and I think to all of us, is about trust, right? Your WordPress site, you are trusting that a plugin developer has done a good job creating not only the functionality, but the security of that code and you trust it so you install it on your site. Trust comes in a lot of different ways, right? So if you have a vulnerability and you patch it and you don’t disclose that you’re patching it, or you don’t disclose what’s happening in the next version of a site, or you don’t disclose that something might have gone wrong, that destroys trust. That secretism … That’s not the right-

Ram:
Secrecy.

Kathy:
Secrecy, that’s the word.

Ram:
Trying to hide stuff, being sneaky and shady, and “No one will ever know that I was breached.” Yeah, that’s also … In a lot of cases, the law requires you to disclose a breach. If you don’t actually take appropriate action, that’s when you run into trouble. I mean, it’s still expensive. Transparency is good.

Kathy:
Transparency is the best. So when you’re evaluating a plugin to put on your site, that’s a factor that goes into, “Am I going to install this on my site? Do I trust this developer?” You go look at their change log, and if they’ve had a celebrity bug known as a vulnerability … Mark likes to call them celebrity bugs. If they’ve had it, how did they handle it? Did they disclose that in their change log? How was it fixed? How did they work with security researchers that may have disclosed it with them? If there was a zero-day in the past, how did they handle it? You make your evaluations of whether or not you trust someone based on how their past performance has been when they’ve had to deal with anything. Celebrity bugs, functional problems? That transparency really says a lot about a plugin developer. So it’s, I think, a factor when you’re evaluating a plugin.

Ram:
It really does. If you see in someone’s change log, at least look for security issue fixed. If the change log has never fixed a security issue, then I don’t know if I would trust a plugin that’s been around for a while and never fixed a security issue.

Kathy:
Right. Everybody has celebrity bugs at one point or another, don’t they?

Ram:
Pretty much, yeah.

Kathy:
So it’s just how do you handle those issues and how do you communicate about them, which is critically important. To all of the security researchers out there, and to all of the plugin and theme developers who we work with, we’re just really excited when we see plugin developers who have a security policy on their site. Makes it very easy for us to contact you. That you work with us, share information freely so that we can help you get things fixed quickly. Proof of concepts, all of that fun stuff is incredibly important in this disclosure process.

Ram:
Yeah. If you have a security contact, that means that we can send you the full disclosure right away instead of having to go through your support department and having to wait 24 to 72 hours for them to get back to us and say, “Okay, yeah. This is totally the right place to send security issues,” or, “No, here’s who you should send it to.” So that could save you one to three days in fixing something.

Kathy:
Right. And the faster you get it fixed, the faster and better it is for your customers. That’s all I’ve got, Ram. How about you?

Ram:
That’s all I’ve got. It was great chatting with you again, Kathy, and I will see you next week.

Kathy:
See you next week. Thanks, Ram.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
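The password checkup discussed in the episode is described as working “really similar to Have I Been Pwned”: the device sends only the first part of a password hash, gets a set of breached hashes back, and does the comparison locally. The following is an added example (not code from Wordfence, Google or Have I Been Pwned) of the simpler HIBP-style k-anonymity range query behind that idea: the client reveals a 5-hex-digit SHA-1 prefix, the service returns every stored suffix under that prefix, and the match is decided on the client. The breached password list and the `RangeService`/`check_password` names are constructed for this example; the Android implementation that Ram mentions additionally encrypts the returned set, which this example does not do.

```python
import hashlib
from typing import Dict, List

# Constructed sample of "breached" passwords held by the checking service.
# This is illustrative data for the example, not real breach data.
BREACHED_PASSWORDS = ["password", "123456", "Flowbee", "letmein", "qwerty"]

# HIBP-style range query: the client reveals only the first 5 hex digits of SHA-1.
PREFIX_LEN = 5
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, computed on the client side."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeService:
    """The checking service (hypothetical). It keeps breached hashes bucketed by
    prefix and records every prefix it is asked about, so the example can show
    exactly what the service learns about a query."""

    def __init__(self, breached: List[str]) -> None:
        self.index: Dict[str, List[str]] = {}
        for pw in breached:
            h = sha1_hex(pw)
            # Store only the suffix under its prefix bucket.
            self.index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
        self.seen: List[str] = []  # prefixes received, for demonstration only

    def range_query(self, prefix: str) -> List[str]:
        """Return every stored suffix for this prefix (the 'range')."""
        if len(prefix) != PREFIX_LEN or any(c not in HEX_DIGITS for c in prefix):
            raise ValueError("prefix must be %d upper-case hex digits" % PREFIX_LEN)
        self.seen.append(prefix)
        return sorted(self.index.get(prefix, []))

    def anonymity_set_size(self, prefix: str) -> int:
        """How many stored hashes share this prefix; larger means a query reveals less."""
        return len(self.index.get(prefix, []))


def check_password(password: str, service: RangeService) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    full = sha1_hex(password)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    candidates = service.range_query(prefix)  # the only value that crosses the wire
    return suffix in candidates


if __name__ == "__main__":
    svc = RangeService(BREACHED_PASSWORDS)
    for candidate in ["Flowbee", "correct horse battery staple"]:
        print(candidate, "->", "BREACHED" if check_password(candidate, svc) else "not found")
    print("prefixes the service saw:", svc.seen)
```

With a five-element list almost every bucket holds zero or one hash, so the anonymity set here is tiny; the privacy of the real scheme comes from a corpus of hundreds of millions of hashes, where each 5-digit prefix covers several hundred entries and the service cannot tell which one, if any, the client was checking.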
