Episode 110: Active Exploitation Continues on Unpatched Thrive Themes

Attackers continue to exploit recently patched vulnerabilities in Thrive Themes, though not all of them are successful. Two vulnerabilities are patched in the Facebook for WordPress plugin installed on over half a million sites. Google Chrome version 90 will use HTTPS by default, bringing significant improvements to speed and security. A ransomware insurance provider experiences a breach that could affect customers, and Slack’s new “Slack Connect” feature has some security concerns.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:13 Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild
7:20 Two Vulnerabilities Patched in Facebook for WordPress Plugin
11:27 Google Chrome will use HTTPS as default navigation protocol
13:37 CNA insurance firm hit by a cyberattack, operations impacted
15:41 Slack now lets you DM people outside your company
18:27 Protecting K-12 Schools with the best WordPress Security with Colette Chamberland

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 110 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. So let’s get started. What’s up first, Kathy?

Kathy:
Hey, let’s get started right away. I see that you have been extremely busy this week looking at these Thrive Themes and then an active attack that’s targeting them. What’s going on with this?

Ram:
So this one was actually kind of interesting. One of our site cleaning folks, Charles, came to us the other day with, “Hey, we’ve got this site that’s infected and here’s some interesting stuff in the logs. It looks like they might use these REST API endpoints to get in.” So Chloe and I started looking at the code. We got a proof of concept up, and I want to say it took maybe an hour and a half to go from, “Hey, this is may be a thing to prove a concept.” But it probably would have taken a lot longer if we hadn’t had those logs to see exactly what endpoints they were hitting. It was teamwork all the way. Like, Charles brought it to us. We started all sort of gathered together on Slack virtually and sort of hypothesized about how it could have happened. We got a proof of concept up. I wrote some firewall rules. Chloe tested them, got an article written up in record time so we could get our customers not only protected, but informed. It was amazing.

Kathy:
Wow. That’s awesome. So it looks like they have a couple of different vulnerabilities and they were what, chaining these different exploits together in order to get into sites. How did that work?

Ram:
Correct. Basically, there were two vulnerabilities. There was an options update vulnerability because Thrive Themes, they allow integration with Zapier, but if you don’t turn that on, you can still use the endpoint. And at the time, in the vulnerable versions, you could just add a random option by providing an empty API key. And on its own, it wouldn’t really do much. It’s just, here’s this option that has whatever you want in it. And that’s all. You can’t really do anything else with it. But it turns out that if you set the right values in that option, you can then feed that option to a separate endpoint and it’ll download and write to a file based on what’s in that option.

Kathy:
Oh, wow.

Ram:
And you could download malicious code to a PHP file and overwrite like any existing file based on what was in that option that you injected. So, that’s where it gets interesting because getting an executable PHP on a site means that you pretty much own that site, not necessarily the server it’s on, depending on how that’s configured, but at least that site and probably any other sites hosted on the same account on that server.

Kathy:
Right. So you could do a very simple PHP file through this unauthenticated options update. You’d have a very simple PHP file that basically ends up being a backdoor that gives you the capability of doing just a little bit more until you ultimately take over the whole site?

Ram:
Well, I mean, I don’t even want to say just a little bit more. The backdoors we’re seeing are pretty functional. They’re password protected to prevent other attackers from getting in. They should allow you to just execute commands directly on the server. And I mean, if you can do that, you can do things like directly access the database to add a new administrative user. You can remove or add new files. You can do pretty much whatever you want once you have that level of capability.

Kathy:
Okay. Interesting. Tell me about the other vulnerability that was part of this exploit chain.

Ram:
So the other one was like I said, it was basically an image compression endpoint. But again, if you could feed it crafted data and combine that with what was in the first option injection one, it would grab whatever content you want from a URL you supplied and write it to a file. So, yeah, that was the second one on the chain.

Kathy:
Okay. And we only saw one IP address that was doing this. And did we see this on other sites?

Ram:
We did see one IP address attacking this initially. I am seeing a couple other actors sort of attacking this for the time being. Again, there’s only a few IPs really particularly active about this. So I mean, we’ve already blocked attacks against, I want to say on another 1900 sites by now, or sorry, 1200 sites by now, since we put the rule out and that’s just against our premium customers. This is kind of bad. And again, this is only what we have visibility into. We’ve seen a lot of sites infected with this already that we were able to confirm, okay, this is the back door and they’re running these vulnerable endpoints. So this is how they got that on then.

Kathy:
And it looks like there are a number of different themes that Thrive has that were updated. It looks like they updated, they released patches on March 12th, but the attacks on these vulnerabilities were occurring because people haven’t updated yet. Correct?

Ram:
Correct. Yes. These have been patched and it looks like there may have been attacks at least as early as March 12th. But even though they’ve been patched, attackers are still attacking these. A big part of that is that premium themes, even though thrive does make it very easy to update to the newest version compared to some premium providers, people with premium themes tend to not update quite as often. Maybe sometimes it’s because their license has expired and they can’t. Maybe sometimes it’s because the premium provider doesn’t give you an easy way to do that other than going to the site and doing it manually, though that’s less common these days. Anyways, it’s worth it if you are using a premium plugin or theme to keep your license current, just because that way you can always get updates when they’re timely because things like this really demonstrate the importance of that.

Kathy:
Yeah, definitely do. And it looks like on the blog post that you and Chloe and Charles worked on that was posted the other day, it looks like someone named Susie said that she was having some trouble updating and was having some issues. And Chloe said to reach out to Thrive for support. So it does look like there may be some issues with updating. At least Susie had issues. I’m hoping other people are not having issues because it’s really important to get these patched. So we’re protecting Wordfence Premium customers have received their firewall rules, but customers who are still using the free plugin aren’t going to get these until April 22nd. So if you are one of the estimated 100,000 plus users have a Thrive theme, really important to get your themes updated. And if you need assistance doing that, please do reach out to your Thrive Themes support channels, and get those.

Ram:
I mean, that’s the main reason we do these PSAs is we might only provide direct protection to our premium customers initially, but if something is patched, we will still tell everyone so that our free customers can update and be safe because we do actually care about that.

Kathy:
Right. And it does look like from our post, we’re basically giving a PSA that this is actually happening in the wild before we wrote about it at all, but we’re not giving any details that an attacker can use going forward. Right?

Ram:
That’s correct. And you know what? Some of the attacks we’re seeing, they do seem a little bit like the attackers haven’t quite figured out how to exploit it. So yes, it does look like there’s probably a single threat actor who has figured this out and a few other potential imitators.

Kathy:
Okay. Easiest way to get those imitators, to thwart them is to make sure you’re updated. Now, Chloe found a vulnerability, actually, a couple of them in Facebook for WordPress, a plugin that’s over 500,000.

Ram:
Half a million sites.

Kathy:
Half a million, that’s right. What do you know about these vulnerabilities? It looks like one is critical and one is high severity. How do these work?

Ram:
So the first one is a PHP object injection. And what’s interesting about this one is that it actually comes with a complete POP chain, which is unusual. I think we discussed PHP Object Injections a few episodes back, but most of the time you can insert a PHP object to using it, but then you have to make sure that the object you injected matches what we call a magic method. And most of the time, you just kind of have to either hope or do some research to make sure that the site’s running something that you can then exploit that further and maybe write files or execute code.

Ram:
This one is interesting because it actually included a vulnerable magic method that was exploitable. So an attacker didn’t necessarily have to hope or do more research on that front. Now, the good news is that it did require that the site’s salts and basically the cryptographic salts that it uses to generate nonces, it did require that the attacker had access to those. So that’s not going to be the case for most sites, just because the only places to get those are the wp-config file or from the database.

Ram:
So the site would have to have like separate SQL injection vulnerability or have an exposed wp-config backup file, though that’s not quite that unusual. People change their database passwords when they find out about that, but they don’t always change their salts. So that’s really the kind of case we’re concerned about, a case where an attacker finds the site that has this running finds and all the backup wp-config file goes, “Oh, hey, I can guess what the nonce is going to be for an unauthenticated user,” and then uses that to achieve this.

Kathy:
Wow. So not a super simple exploit, is it?

Ram:
Yeah, this is another case where you’d really need to… It would need to be targeted. It would take some research. It is high complexity according to the CVSS vector, which means that it relies on factors beyond the attacker’s immediate control. It’s just that if the stars aligned, the amount of damage they can do is catastrophic. That’s really what it is, which is why it still has a high score despite that requirement.

Kathy:
Yeah, because I see the CVSS score is a nine, critical, and yet this seems rather complex. Interesting. And then the second one that she found is a Сross-Site Request Forgery, and these require that an administrator actually take some action that they are socially engineered or tricked into doing something, clicking on a link or something like that. How did this one work?

Ram:
So this was actually a Сross-Site Request Forgery to stored cross-site scripting, which realistically that’s kind of almost the same attack as a reflected cross-site scripting, since both typically require social engineering, even though the mechanism is different. But effectively what happens is you could trick an administrator into clicking a link that would submit a request that would save the license key or the settings. And then you could stick some malicious JavaScript in that license key. So the good news is that this was only present in a few versions, in the version 3.0.0 to version 3.0.3. So it was a much narrower range of versions that was vulnerable. Bad news is that it’s… You think that you’re immune to social engineering, but cross-site scripting is super under estimated.

Kathy:
Everyone thinks they’re immune to social engineering, and guess what? We’re all not immune. We’re all vulnerable to social engineering. It’s just, it takes one click. It takes one attack.

Ram:
You just have to have not had quite enough coffee that morning.

Kathy:
Yeah, exactly. They get you at a weak point, and there you go. Moving on, we have a story about Google Chrome using HTTPS as default navigation protocol coming up in version 90, which is set to be released on April 13th. It looks like this is going to speed up users’ interface with a site. How exactly does that work?

Ram:
So it turns out that like, I want to say 82% of all websites have a valid TLS or SSL certificate as they call them. So that’s basically if you type a domain name into Chrome without telling it an HTTP or an HTTPS, it’ll try the HTTP one first and then it’ll try the HTTPS. And that takes time. Actually, if you go to fastorslow.com, our tool that we use for site speed analysis, and you try entering the HTTP version of the site and then the HTTPS version of the site. If you have an SSL, you’ll see how much faster it is if you just try the HTTPS the first time. So this is actually going to be a major win for people using Chrome.

Kathy:
It might be like just fractions of a second, but when you’re on the Internet, fractions of a second actually make a big difference. It makes a difference to how the appearance of a site in your browser, the experience. It might be just a subconscious experience, but it does make an experiential difference to anybody who’s browsing the web. So, this will be interesting.

Ram:
The best technology is transparent. Good technology should be unnoticeable. It’s like it just works.

Kathy:
Yes.

Ram:
I mean, there’s access security reason for this too. There’s still going to be a few sites out there that have a certificate but maybe don’t automatically redirect people to the secure version. So this will make sure that more people land on the secure version of any sites that are set up like that.

Kathy:
Excellent. And of course, it’s important. If you do not have a SSL certificate on your site, it is a ranking factor for your site’s SEO. So Google is still sort of pushing the envelope for site owners to ensure that you’re doing things in a secure way and rewarding you with better search performance in the search engine result pages. What do we know about this insurance firm that was hit by a cyber attack?

Ram:
This is interesting because this was CNA insurance and they actually provide cybersecurity insurance to other companies. One of the ways that you can deal with risk is basically called Risk Transference, and for a lot of companies, that basically just means if there’s a cybersecurity risk, that they buy insurance to pay out if that happens, which I mean works for some types of incidents and not so much for other types of incidents. Where this kind of has the capacity to go really wrong is that one kind of incident that insurance tends to pay out on is ransomware attacks.

Kathy:
Oh, sure. We’ve seen a lot of that.

Ram:
So by obtaining a list of this company’s customers, attackers now have a really good list of companies to target that they know have a good chance of paying out.

Kathy:
Yeah, definitely. Oh my gosh. So it’s basically just like getting high net worth individuals or corporations that have this insurance. Basically, getting a lead list for who you should attack with your ransomware attacks. That’s scary.

Ram:
That does seem to be the scenario that is being floated about as one possible motive for this. And that does seem to be a workable scenario for attackers.

Kathy:
Definitely. Well, we’ve definitely seen a ton of ransomware attacks, especially on the healthcare industry over the last few years. Municipalities have been targeted, and it looks like… If you’re a major organization and you have a lot of systems to secure and you have cybersecurity insurance, just protect yourselves in every way possible.

Ram:
Yes. Don’t just think that Risk Transference is sufficient. There are other risk mitigation strategies you should look into because this has just increased your risk for having, for using solely that strategy.

Kathy:
It has. You’re now on the leads list for hackers, sorry to say. What do we know about Slack letting people DM, direct message people outside of organizations?

Ram:
So, Slack added a new feature called Slack Connect, which basically means that if you are running Slack and anyone else is running Slack, you can basically get in touch with them directly through Slack, even if they’re in a different Slack. At first, that sounds like it could be really convenient because it’s like, “Hey, I want to talk to this person at this company.” It turns out they didn’t necessarily think it through entirely. For one thing, it wasn’t possible to filter out invitations, which people could use that for abuse and harassment. There were some indications that it might also allow people sending the invites, if the invite got accepted, to see a list of all users in the Slack that they’re sending the invite to, though that hasn’t been confirmed yet.

Kathy:
Setting up a workspace in Slack is super easy. I mean, you could just set it up and invite people. What does it look like with attackers? Could an attacker actually set up a fake company Slack, like misspelling things like hackers are so good at doing?

Ram:
I hadn’t even considered that aspect of it, but I’d have to get back to you on that. I don’t want to say definitively that, that would be workable or not, but I hadn’t even thought of that. And that does sound like a absolutely terrifying attack if it worked.

Kathy:
Yeah. So, if you get Slack invites… We’re going to have to dive into this and really play with it and see how this could be used. But I mean, I’ve set up Slack workspaces for… My family’s got one. I’m not telling you where it is but my family has one.

Ram:
Yeah, I got one, too.

Kathy:
This is just a way that it’s just like super easy, whether you’re on your phone or on your desktop, that you can share information like with a small group of friends or a major company. And attackers could possibly set up a workspace and then send out messages and you’d be like, “Oh, wow, look at this big company, inviting me through their Slack.” And you’re now connected to the Nigerian prince who wants to give you $25 million or something. I don’t know. It could be interesting.

Ram:
It could be. And I suspect that if there are attacks like that, that are feasible, we will find out about them in the fairly near future.

Kathy:
Yeah. We’ll hear about it. Sorry if I’m giving people ideas.

Ram:
You know what? I am sure that attackers are at least as diabolical.

Kathy:
As me?

Ram:
Well, I don’t know. Almost, maybe. Almost.

Kathy:
Yeah. I don’t know. I only use my diabolical nature for jokes, really. That’s all I’m here for. All right. So our Director of Information Security, Colette Chamberland, who basically turned off Slack Connect for us and won’t let us play jokes on people.

Ram:
I think this is a good thing.

Kathy:
It is a good thing. I love that Colette has always got our back and make sure that our systems are secure.

Ram:
She watches out for us.

Kathy:
She sure does. She chatted on a podcast recently called the Tech & Main podcast. She not only handled securing all of our network and basically deals with a lot of big scary things to make sure that we’re all safe. She also takes care of our site cleaning team and kind of oversees all of that. And that’s also the team that’s doing the K-12 site cleanings. They do site cleaning and site auditing for any public, any government-funded school in the world, not just the United States, but anywhere in the world. If you know of a school, please send them information and let them know that that service is available.

Kathy:
And she talked about that program a little bit, and she also talked about what it’s like to work at Defiant. We’re going to have a link in the show notes so that you can hop on over and listen to that podcast as well. And if it sounds like working at Defiant is a fun thing, like if you haven’t been convinced by Ram and me listening to this podcast over the last few months, we are hiring and we still have a number of positions open. So go look at those and definitely apply if anything looks interesting. And we still have that offer for $500 if you refer a successful candidate to any of those open positions. So definitely take a look at that. We’ll have the links on the show notes for what that offer entails. It has to be a successful candidate, of course. So, yeah, working here is fun. We have great benefits.

Ram:
Come work with us.

Kathy:
Coffee.

Ram:
I got my coffee maker, it arrived at 9:30 last night. I still have to clear out some counter space for it, but I’m very excited.

Kathy:
Really? Okay. Well, I want a report next week on how good that is. Mine’s coming tomorrow. I’m really excited about that.

Ram:
Nice.

Kathy:
It took me a while to pick one out, but yeah.

Ram:
You got to do several hours of research and read all the reviews and figure out… Yeah.

Kathy:
So many reviews.

Ram:
And I mean, like, reviews are a wonderful thing. You should check out Wordfence’s reviews. People love us.

Kathy:
They do! Wow. You are the king of the segue today, Ram. That’s excellent. Yes, we have great reviews. We’ll put some links to some of those fun reviews as well. And once again, we thank you. If you want to do a review for the podcast, you can do that over at Apple Podcasts. That’s a fun place to leave a review for the podcast. If you’ve gotten anything out of this, we’d love to hear it from you.

Ram:
I didn’t even know you could do that, but I would love to be reviewed.

Kathy:
So, review Ram. Review me. Review the podcast. If you’ve been listening for a while, we’re on episode 110 already. We thank you for listening, and we will be back next week with more great news and hopefully some entertainment as well. We hope you stay safe. Bye.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.