Think Like a Hacker Ep 120

Episode 120: Jetpack Autoupdate Security Patch Bypasses Local Settings

A security fix for an information leak vulnerability was pushed out to WordPress sites using Jetpack that bypassed local settings preventing autoupdates. A ransomware attack on JBS that shut down meat processing operations in the United States has been attributed to REvil, a private Russian ransomware-as-​a-service operation. A critical zero-day vulnerability was discovered by the Wordfence site cleaning team in the Fancy Product Manager plugin, used by 17,000 WordPress sites. Amazon devices will soon automatically share your Internet with neighbors, unless you opt out by June 8. Google PPC ads are serving up malicious content targeting searches for AnyDesk, Dropbox & Telegram apps.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:10 WordPress force installs Jetpack security update on 5 million sites
9:08 Ransomware Attack Hits Meat Supplier JBS
12:42 Critical Zero-Day in Fancy Product Designer Under Active Attack
17:15 Amazon Sidewalk and do you really want to share your internet with everyone around you?
20:53 Google PPC Ads Used to Deliver Infostealers

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 120 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. How are you, Kathy?

Kathy:
Well, we got sideswiped this afternoon. Didn’t we?

Ram:
Why yes, we did. So I don’t know if you heard, but Jetpack just had a security release. It was actually, I want to say, yesterday?

Kathy:
Yeah. It looks like it was two days ago. We’re recording on the afternoon of June 3rd. And just as we were getting ready to start recording the podcast, we did one last look at the news and came across the fact that WordPress force-updated* Jetpack onto over five million sites because of a security update. We had all of our stories together, we were ready to record, and all of a sudden we came across this and it’s like, well, I guess we have our top story right now. So Ram, you’ve just spent the last half hour or so going over all of these updates of what actually happened. What did you find out about this? We have a couple of things we want to talk about with this, but first of all, let’s talk about the security update itself. What did you see in the code?

Ram:
This actually seemed pretty low severity. It kind of looked like in some configurations an attacker could read the comments for any post, regardless of whether it was a private post, regardless of whether it was unpublished or in draft status, regardless of whether or not they were allowed to read the post itself, and regardless of whether or not it was actually an attachment. It was only intended to allow people to read the comments on like images that they were allowed to see. But instead it let them read the comments on anything, any post, regardless of whether they were allowed to see it or not. So, I mean, it might have some privacy implications, but this is not a site takeover.

Kathy:
Right. Okay. But it looks like this vulnerability existed in every version of Jetpack since version 2.0, but it’s not like a super high severity. It’s more kind of like an information leakage type disclosure type of situation. Now, what was interesting about this is that wordpress.org team determined that this needed an auto update and the list of versions that received this automatic update is pretty large. It goes back to version looks like 2.0.8.

Ram:
Eight. So yeah, 2.0. Anyone with 2.0 or higher. Yeah.

Kathy:
Right. And we’re on version what 9.7 or 9.8 right now. So a lot of sites running Jetpack received this as an automatic update. In the wp-config file, you can create a setting within that file that says, “I don’t want any auto updates whatsoever.” But that constant was not actually adhered to. Even if you had that set in wp-config, you still got an automatic update. Is that what we’re seeing?

Ram:
Yeah, that’s what we’re seeing. Basically even if you had your site configured not to update anything, even if you had auto updates turned off, this was still able to be pushed onto your site. And that has the potential to be troubling. We’ve discussed this kind of thing before, how if an attacker managed to actually get a hold of the update servers and perform a supply chain attack, this could be a major problem. It does look like there’s likely to be a lot of checks in place to prevent that from happening.

Kathy:
Yeah. So there’s a lot of different ways that people use WordPress. I mean, I use it for my blog that is sorely in need of an update, and there’s tons of like cat blogs and there’s enterprise servers. There are e-commerce servers. There are servers that are running WordPress that have deliberate and procedural things in place to ensure that updates don’t happen unless it happens first on a staging server or a test server, and then there’s a path for an update that happens, and this would have bypassed all of that. So the staging server would have gotten the update as well as the production server. And in an enterprise environment, this could be kind of troubling that code is being pushed or pulled to a server that haven’t-

Ram:
That you haven’t tested for compatibility with your stuff.

Kathy:
Right. Exactly. So it’s kind of violating those corporate procedures, which kind of violates sort of that sanctity of a corporate process, doesn’t it?

Ram:
I don’t want to necessarily turn it into a big thing since there… There are definitely reasons I could see this as being useful and for the good of the community and having the capability. Yeah, I could see why it could be really useful to have this capability, in some cases. Though, again, if your users are turning off the updates for this programmatically, then maybe you should listen to their preferences. And that’s a problem. But I can see that the ability to push automatic security patches, and even overriding certain user settings and preferences, if it’s severe enough, that could be necessary in some cases. But this does not appear to be a critical severity. This is not the kind of thing where 30 million sites are going to get taken over if it gets exploited. This seems like a poor use of that capability.

Kathy:
It seems like maybe a little boy who cried wolf-ish, because it’s not that severe of a situation where you need to have all hands on deck and protect the entire community because there’s wolves at the door. This is more of like, there’s a situation, a lot of sites are to be affected by this. We don’t want these sites to be affected by this. So we’re going to ensure that these sites are taken care of and patched. The code changes did not seem to be that big of a deal, but still, it does seem like a bit of an overreach. If this… update process was ever taken into malicious hands, this would be a backdoor that could take any kind of update to any kind of code.

Ram:
Yeah. This could go very badly. It’s one of those slippery slope things where I kind of worry a little bit that first they’re using it for critical severity updates. And then for hey, it’s some random comment reading bug. Eventually if it becomes sort of like an everyday thing, then the very tight controls they hopefully have in place might stop following quite as much of an intense procedure to pass those checks. I don’t know.

Kathy:
Right. Right. Yeah. Well, there’s a lot of web developers in enterprise types of situations that have to answer… and I’ve talked to some of these people and they have to answer to security personnel at a large corporation, and there’s an actual security department that has security procedures. If they have to go and say, “Okay, well this happened and here’s the incident write up about it,” because that’s what their company requires, then they have to say what happened and why. And that calls into question in those enterprise kinds of environments: what’s happening with WordPress. And that to me is the concern. We want WordPress to be a usable tool for everyone from the personal blog and the cat blog all the way up to the enterprise. And if these types of things happen, it causes problems in the enterprise types of environments. Maybe it’s a good thing in those security departments. We’ll make an exception for this kind of update because it’s ultimately protecting an open source-

Ram:
I mean, generally you want to test security patches, like in an enterprise environment you don’t apply patches, even security patches, unless you test them. You might test them very quickly if they’re critical enough, but just a quick, hey, this didn’t break anything major, did it? Okay. No. Cool. Apply it.

Kathy:
Yeah. Yeah. Well, I think there’s going to be some fallout from this. I mean, this obviously just happened within a few hours, but obviously piqued our interest because it’s kind of in our wheelhouse. So we’re going to be watching the story going forward to see if there is any fallout. I think there might be. But I understand, security is always something that you… It’s a continuum and it’s something where you have to throw the needs of the users and the needs of the security of the organization or the website or the application, and all of these things have to be measured. It’s like the question though, in this case is who’s doing the measuring and who’s making decisions? I guess we’ll just put this in the wait-and-see category and see how this turns out. It will be interesting, huh, Ram?

Ram:
It will. And speaking-

Kathy:
You know what else is-

Ram:
… Interesting. I’ll let you do it.

Kathy:
I know what else is interesting. More ransomware. It seems like ransomware is like the big thing in 2021. It’s looking like a meat supplier, JBS, was hit with ransomware, and this is affecting protein supply chains. Who do they think is up to this ransomware attack?

Ram:
We actually brought these guys up in a previous podcast. It’s REvil, or R-evil. They’re the folks who ransomed a subsidiary of Apple in I want to say Taiwan and threatened to expose a bunch of internal documents and diagrams and technical specs. But yeah, same folks. And they ransomed JBS, which is the largest meat producer in the world. And all of their US operations were shut down.

Kathy:
Yeah, this was pretty scary. And there’ve been a lot of conspiracy theories going around with all of these ransomware attacks, with the supply chain attacks, with SolarWinds and Codecov and everything that’s happened this year. A lot of people are saying that the supply chains are all under attack. What happened with Colonial Pipeline over the last couple of weeks, and the stresses that that put on the Southeast with gasoline. People are very conspiratorial, like what’s going on here? And the more and more I look at these situations, I don’t necessarily think it’s a conspiracy to take down supply chains as much as it is a conspiracy that Russian ransomware gangs like money, a lot, and that’s basically what’s happening.

Kathy:
It looks like though that JBS’s systems are coming back online. They, they did have some backups that were not affected by this. They had some databases that were encrypted that required a little more diligence in restoring, but that by the time this podcast is published, they should be back online. Also it looks like REvil is also maybe under suspicion for an attack that’s affecting Fujifilm as well. So just ransomware, no matter where you look these days.

Ram:
Indeed. And I mean, yeah, I think that you’ve got a really valid point. A lot of these industries that have been around for a long time and are maybe a little bit slower to adopt best practices, but have a ton of money to burn, they make very tempting targets for ransomware attackers.

Kathy:
Well, they’re going after big targets that have a lot of money and those big targets are involved in supply chains and so those supply chains are going to be affected, and they typically have older legacy systems that may not be taken care of with best practices. So if you’re listening to this and you are in charge of legacy systems, update things or retire things that can’t be updated. It’s affecting all of us.

Ram:
It is. I mean, the good news is this is probably not going to impact any WordPress sites. Back in 2017, people were ransoming WordPress sites and desktop computers at home, but like 200 bucks that your average desktop user would maybe pay that much to get their documents back, but why go after that when you could go after these megacorps that have millions of dollars to pay a ransom?

Kathy:
$1 million?

Ram:
Uh-huh (affirmative).

Kathy:
Exactly.

Ram:
So, I mean, realistically, if your WordPress site is impacted by ransomware, it’s probably because your host got ransomwared and just happened to store all of your files with everyone else’s files. But I think we may have brought that up in the past as well.

Kathy:
Yeah, good point. So we started our week earlier this week. This is the week of Memorial day here in the United States. and we came back from our Memorial Day long weekend to find a critical zero-day in a plugin. And Charles in our site cleaning department initially found this. There was a site that had been hacked and they hired us to clean the site and get it taken care of. He started taking a look at what happened with this hacked site and actually looking at the log files to see if he could determine how that site was compromised, which is standard procedure here at Wordfence.

Kathy:
When we clean a hacked site, we want to know how they got into that WordPress site and see if there’s anything that we need to do in order to protect the community as a whole. And there was a zero-day in this plugin called Fancy Product Designer installed on 17,000 sites. Ram, you took a deeper look at this and sort of identified what was happening and had put out a blog post earlier this week about indicators of compromise, where the attackers were coming from. What can you tell us about this?

Ram:
So Memorial Day, I get a ping from Charles, he’s like, “Hey, I think I found a zero-day.” I look into it, go hmm, oh, wow. Oh, wow. That is vulnerable. Uh oh, I think I know how this works.” So yeah, Charles found it, Charles stuck around to test the firewall rule. We got it all out in a few hours, got in touch with the plugin developer and honestly, they had a great response. They patched basically the day after we sent the full disclosure, which was the day after we sent the initial contact. But I mean, if you’re seeing sites actively being attacked, then that means that the secret’s kind of out already. So we’re going to at least notify the public that, “Hey, you may want to do something about this.”

Ram:
This was bad because it let attackers, and the attackers didn’t have to be logged in, let them upload executable PHP files. And once you have those on a site, you can do pretty much anything you want. This is kind of good news is that these attackers don’t seem to be super sophisticated. We’re mostly seeing them uploading file managers to sites and then using those file managers to run database queries, looking for e-commerce order information. There doesn’t seem to be much that’s automated about it, past possibly the initial infection. Even that, it wasn’t a ton of requests. This seemed to be a fairly… I mean, whoever this attacker was, they did spot a pretty cool flaw in the code, but they don’t have the kind of resources to throw millions of requests out at millions of sites, unlike some of our other attackers. So…

Kathy:
But it’s kind of concerning that they’re going after order information, customer information, personally identifiable information that kind of gets the credit card companies into a…

Ram:
Tizzy?

Kathy:
A tizzy, yes. The technical term of a “tizzy” when they start seeing that merchants who are supposed to be PCI DSS certified, following all of the rules, that they are not following those practices. So that’s the big concerning thing to me.

Ram:
And even if your site’s not storing any of that credit card information, if any of your customers are in Europe, guess what? This is also a GDPR breach.

Kathy:
Oh, geez. Yes. That, too. So there’s lots of disclosure maybe going on with… This is like an extension to WooCommerce, right? But they also have a Shopify extension. Was that affected at all?

Ram:
Not as far as we know. Yeah. Shopify has a bit tighter control on things. As I understand, I don’t even think this actually required WooCommerce in order to function. It just generally was designed to be WooCommerce compatible.

Kathy:
Gotcha. So was this exploitable, even if the plugin was installed, but disabled?

Ram:
On some configurations. Yes.

Kathy:
Oh, lovely. Our favorite kinds of vulnerability. So there’s a patch available now, Wordfence Premium customers are protected.

Ram:
But you should still install the patch. And that means-

Kathy:
You should still.

Ram:
… and that means unfortunately it doesn’t look like there’s an auto-update option. That means going to CodeCanyon or wherever you got the plugin from, re-downloading it, re-uploading it to your site using the install plugin functionality. But trust me, it is worth it. Do it.

Kathy:
Definitely, definitely. Keep your customers’ card member data protected. Very important. What do we know about Amazon Sidewalk? This sounds fun.

Ram:
Oh boy. So Amazon’s launching on, I want to say June 8th, this functionality called Amazon Sidewalk, which means that if you have an Echo or any Alexa device, or any of the Amazon Internet of Things devices, except-

Kathy:
Ring.

Ram:
Yeah. I don’t think my Kindle is going to do it, but probably just because it doesn’t have enough processing power, but yeah. All the Ring cams, all the Echoes, pretty much anything with Alexa.

Kathy:
Isn’t this something that unless you opt out of it, you’re automatically enrolled?

Ram:
It is. And the good news is that basically what it is, it’s a way of sharing your internet bandwidth with other people nearby in your neighborhood who also had Amazon devices.

Kathy:
Ew.

Ram:
Yeah.

Kathy:
I don’t want my neighbors’ Amazon devices sharing any… Well, I don’t have any wiretaps, so I’m not that concerned about it. But if I did have a wiretap, I wouldn’t want my neighbor’s wiretap talking to my wiretap. That’s weird.

Ram:
Yeah. It is extremely weird. So first the good news, it’s a pretty small portion of your bandwidth, 80 kilobits per second. They’re not going to take more than a 500 megabytes a month. I mean, it’s not a lot in terms of… It’s not going to impact your data cap unless you’re on a really like 3G mobile or something. It’s not going to like make your Zoom calls or your Netflix viewing experience worse. But that’s still faster than the dial-up speeds we used to have back in the day, and that is enough to send commands or exfiltrate sensitive or private information if there’s any security or configuration issues in their implementation.

Ram:
Amazon is pretty good at security in the “don’t let attackers into your network” sense. We’ve talked about not conflating security and privacy before, and Amazon has maybe played it a little fast and loose in the past with privacy and default configurations. And think like the fact that S3 buckets used to be open by default and they used to let app developers access recordings from Alexa devices. So I suspect it’s just a matter of time until something controversial comes of this. I’m not willing to make any more specific predictions other than this is going to lead to something more controversial than just it happening in the first place.

Kathy:
Yeah. It’s definitely interesting to be aware of if you are in the Amazon sort of-

Ram:
Ecosystem.

Kathy:
Yeah. Exactly. The ecosystem of Amazon. If you have Alexa devices, the Echos, the Ring-

Ram:
Echosystem, I like that.

Kathy:
Ah, yeah.

Ram:
Ha ha, I see what you did there.

Kathy:
I see what you did there. Exactly. But they have the Ring doorbells, the Ring cameras. It’s really kind of like this mesh network of Amazon everywhere, and yeah, it’s kind of like one of those things like the “absolute power corrupts, and power corrupts.”

Ram:
This is something that would be very exciting if it was opt-in and done by an organization that hasn’t repeatedly shown a sort of blatant disregard for some of the things we care about.

Kathy:
Yes, definitely. Just something to be aware of, if you have any of these devices with Amazon and privacy is incredibly important to you, you might want to opt out or show your wiretaps to the curb, in my opinion.

Ram:
Yes. And speaking of… I don’t have a good segue for this. This is more of a return of something that we already kind of knew was happening, but just a reminder, that malvertising is still a thing. So it looks like attackers are actually paying for Google search results for AnyDesk, Dropbox and Telegram and basically purchasing malicious ads.

Kathy:
Ew. So these are pay-per-click ads and Google Search results. So if you’re searching for anything about like AnyDesk or Dropbox that you could be served up a malicious PPC ad so you have to be really careful what you’re clicking on there because these look like they’re pushing out malicious packages.

Ram:
Yeah. Infostealers. Redline, Taurus, Teslas and Amadey are the ones that are being delivered primarily. I mean, this is not the first time it happened. And when it comes to reviewing their ads, Google’s generally better than most of the other providers out there as far as not letting malicious ads stay up too long. Even so, generally better than other providers doesn’t necessarily equate to actually effective a hundred percent of the time. Yeah, a week ago, apparently they saw a rigged AnyDesk ad serving up a Trojanized version of AnyDesk app where the ad campaign was actually higher in the search results than AnyDesk’s own ad campaign. So maybe you don’t click on any promoted search results.

Kathy:
I typically don’t. I try to find the actual thing I’m looking for and click on that. I’m not big on ads, which is kind of the weird thing for the marketing lady to say, but-

Ram:
Well, you know-

Kathy:
And-

Ram:
I think you know exactly… You know about ads and you know all about why you probably don’t want to click on them.

Kathy:
Yeah. Yeah. I typically try not to. I’ve seen too many things in the security world, so it’s just something to be aware of. If you’re searching for things and you do have ads and they look a little different, or maybe not exactly what you’re looking for, to trust that… I think the biggest security asset that you have beyond a firewall is that spidey sense that we all have, that something doesn’t look quite right, and maybe I shouldn’t click this.

Ram:
Your greatest weapon is your mind.

Kathy:
There you go. Exactly. So this is just another thing to be aware of. So next week we’re going to be on Wordfence Live, huh?

Ram:
Yep. We are going to be back on Wordfence Live. Had a week off for the holiday, but coming back for the site performance right, right?

Kathy:
Yeah. I think we’re going to start talking about Fast or Slow and Core Web Vitals and all of the ways that you can improve your site’s performance. So look for that coming out next week for Wordfence Live. That’s all I got this week, Ram. We talked a lot.

Ram:
We did. We a lot to cover, but I think we covered it.

Kathy:
We did. I think we did. Thanks for joining us here on Think Like a Hacker. If you want to leave us a review on Apple Podcasts, we would appreciate that. Let us know that you’re listening. We’d also love to hear from you. If you have any stories that you think should be covered, we’d love to hear from you. You can send us a message at feedback@wordfence.com. And we will talk to you again next week. Thanks for listening.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

Did you enjoy this post? Share it!

Comments

No Comments