Episode 122: Largest Password Dump in History Fuels Credential Stuffing Extravaganza

Sites running Jetpack are being infected via compromised WordPress.com credentials. The largest password dump ever, with 8.4 billion passwords, is used in credential stuffing attacks. Wordfence Threat Intelligence discloses new plugin vulnerabilities as well as a vulnerability at tsoHost. Data breaches impact VW and EA, REvil compromises a nuclear weapons contractor, and TurboTax accounts are taken over. Ransomware surveys show conflicting results. Chrome and iOS Safari are both patched against 0-days.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:28 Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords
3:24 Largest Password dump of all time, with 8.4 Billion passwords
5:18 Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely Exploited on Unpatched Servers
11:00 High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin
11:20 Cross Site Request Forgery Patched in WP Fluent Forms
12:25 Audi, Volkswagen data breach affects 3.3 million customers
12:55 REvil ransomware hits US nuclear weapons contractor
13:34 Hackers Steal FIFA 21 Source Code, Tools in EA Breach
14:10 Intuit notifies customers of compromised TurboTax accounts
15:00 Exclusive Ransomware Poll: 80% of Victims Don’t Pay Up; Too many firms are still willing to pay up if attacked
16:34 Vigilante malware blocks victims from downloading pirated software
19:19 New Chrome 0-Day Bug Under Active Attacks – Update Your Browser ASAP!
20:08 Apple Hurries Patches for Safari Bugs Under Active Attack


Episode 122 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I’m Ram Gall, Threat Analyst at Wordfence. And with me is Director of Marketing Kathy Zant. It kind of looks like we’ve got a busy week in WordPress security, huh?

Kathy:
Busy week in all security, it looks like.

Ram:
We’ve sort of had to reformat by category this week. We’ve got a bunch of every kind of story. So …

Kathy:
We sure do, but let’s start, let’s just dive right in. Let’s start talking about what we are seeing, or what we have been seeing for the past … looks like it started June 1st. We started seeing malicious attackers targeting Jetpack users that were reusing passwords. We saw this from our site cleaning business. Right?

Ram:
Correct. So here’s the thing. If your WordPress website has Jetpack installed, in order to use that functionality, you have to connect it to a WordPress.com account, which is well and good because it means that you can manage stuff on your site from there. What a lot of people might not know is that you can also manage stuff like installing plugins onto your site from the WordPress.com account, which again is not a problem unless you used a weak password or reused a password on your WordPress.com account, and that password has been in a credential breach.

Kathy:
And there are a lot of sites that use Jetpack. It’s probably one of the most popular plugins and it does a ton of different things. Some of those things that it does, some of the services that it provides, are reliant upon a WordPress.com account. So it really, if you’re using those services, you kind of have to have it connected. Right?

Ram:
Absolutely. You literally can’t use a lot of their services without this connection.

Kathy:
Okay. All right. But that connection, even though you’re not hosting on WordPress.com, so you’re hosting your site on Bluehost or SiteGround or GoDaddy or any of the other hosting providers…

Ram:
Even your own server. Yeah. Self hosted WordPress that uses Jetpack is impacted by this.

Kathy:
Okay, great. Because there is a connection, there is an authentication, that happens. So if someone compromises your WordPress.com account, it still can impact your site that’s hosted someplace else.

Ram:
Correct. And what we’re seeing is attackers using these compromised WordPress.com accounts to install malicious plugins onto users’ WordPress self hosted WordPress sites. Malicious plugins that for the most part are redirecting everyone except logged in administrators or people who are logging in, redirecting them to malicious domains, typically internationalized malvertising domains ending in a dot RU prefix, or the Cyrillic equivalent of dot RU.

Kathy:
Ah gotcha. Okay. So they’re uploading the plugin via WordPress.com and that’s how it’s getting onto these sites that are hosted elsewhere.

Ram:
Yes. We’ve actually got an article about this that includes indicators of compromise: the most common malicious files we’re seeing, most common malicious domains we’re seeing. But yeah, and again, I mean the good news is that this is not like a vulnerability. This is reliant on someone compromising your WordPress.com account using the credentials for that account. And we’ve seen this going back, we’ve had this happen a few years ago too, but we’re really seeing an uptick in this. And it just so happens that the largest password dump of all time just happened last week as well, with 8.4 billion unique passwords. Now, most of these are not newly breached passwords. These are passwords that have been floating around for a while, but it looks like someone has taken all the password dumps from all the breaches and collected them all into one big password file. And it turns out that having these all together in one place is really accelerating account takeovers via password spraying attacks.

Kathy:
Wow. Okay. So somebody’s made it incredibly convenient for even the most beginning hackers to do brute force attacks?

Ram:
Yep. This is the RockYou2021 password collection. And we are seeing an uptick in brute force attacks. I mean, I’ve personally gotten a couple emails in the last few days of like, “Hey, someone tried to log into your account, but it’s been a while. So here’s this authentication code you have to answer.” And I use a password manager, but there’s always accounts that you forgot you set up a few years ago and it’s mostly been those accounts.

Kathy:
Okay. Interesting. So like MySpace way back in the day.

Ram:
Yes.

Kathy:
Gotcha.

Ram:
Exactly.

Kathy:
Interesting. Okay. So, what people can really do right now, especially for WordPress owners, if you do have a Jetpack connected account, to just make sure you’re using unique passwords, as well as two factor authentication on that WordPress.com account?

Ram:
Two-factor authentication, seriously. Strong, unique passwords are important, but two-factor authentication is a huge part of preventing this kind of thing from actually working. Because here’s the thing, if you have that turned on and someone tries to get in, even if they have your password, even if they guess right, they’re not going to be able to get in without a lot of additional steps, usually involving social engineering.

Kathy:
Okay. All right. So 2FA all the things. Let’s move on, what did we find with the symlinks on tsoHost?

Ram:
One of our security analysts, Charles Sweethill, who incidentally also brought the Jetpack thing to our attention … he’s been kind of an MVP around here lately.

Kathy:
Yeah, lately sure has been.

Ram:
He discovered that tsoHost, which is a host that allows people to purchase servers with a built-in web host manager, a WHM, which lets you set up individual cPanel accounts. And, if you want to resell access to those cPanel accounts or just split up your users with separate cPanel accounts. It turns out that there was a vulnerability in how it was configured, where if an attacker took over one site on the hosting account, it would let them take over all the other sites as well, which is not a thing that should happen with a properly divided like server with separate cPanel accounts.

Kathy:
Right. So the cPanel is a panel system. It’s kind of a system that allows you to manage your site, but it also has a sort of a higher level manager web-based interface that allows you to manage all of the cPanels under it. And so the vulnerability that existed here was sort of above and beyond the actual websites themselves. Right?

Ram:
Correct. It was basically in how the entire server was configured, so that even though it had separate user accounts for everything that shouldn’t have been able to access each other’s stuff, it turns out that attackers could use what’s called a symbolic link or symlink.

Ram:
So let’s backtrack a little bit. Every WordPress site has a wp-config file, right? Which contains in most cases, database connection information, database username, a database password. Now a lot of the time you can’t connect to the database externally, you have to do it from the localhost. But it turns out that what attackers were able to do was infect a site, and once they had that site infected and had full control, they could basically create a symlink to the configuration files of other accounts on the server. And once they had the access to the database connection information in those different configuration files, they already had local access to the database. They could just log into these other accounts databases.

Kathy:
Oh, okay. So basically you have say, 50 sites on a server. One of the sites has, let’s say file manager vulnerability and they’re able to get into, and basically take over that one particular site. And because of how this was set up, because they had one site to compromise, they were able to then basically take access or get control of all of these other sites just by using symlinks to access the wp-config files.

Ram:
Correct. They basically pivoted by creating a symbolic link to the wp-config files that they shouldn’t have been able to access on these other accounts, grabbing the credentials, connecting to the other accounts’ databases, and then adding their own administrators to those other accounts’ databases. Once they were administrators on those other sites, they could just log in to the other sites and upload some malware and take over those other sites.

Kathy:
Our site cleaning team noticed there were sites that were being infected when there didn’t really seem to have an intrusion vector. There was nothing really happening in the log files. And so they investigated further?

Ram:
Yeah. Administrators were just logging in like new administrators in some cases, or in some cases, just as administrators with, say normal administrators, cause you can also inject your own password into the user field if you have database access.

Kathy:
Wow. So it looks like in this article, he mentions that there were about six sites where we had visibility from site cleanings and we were able to piece this all together and realized what was actually happening. And so Charles contacted tsoHost. Showed them the proof of concept. Basically, I think he set up a test account to see if he could actually do this and then was able to give them a proof of concept. They fixed things right away. But what he’s also saying in this article is that this is still a widely exploited issue on servers out there. Do we have any thoughts on how widely exploited this might be?

Ram:
We don’t actually have that much information. It’ll continue to come in as we see more and more accounts impacted by this.

Ram:
TsoHost patched very quickly, once we made them aware of it. There’s actually a number of different patches available for this issue. It’s basically a configuration weakness, but you know, KernelCare, cPanel, and Plesk all have patches available. And they’ve been out there for more than three years in some cases.

Ram:
We anticipate that there’s a lot of smaller hosts that maybe offer reseller plans that are going to run into this, or smaller hosts that are resellers themselves that are going to run into this issue. So if you run a small hosting company, make sure that your WHM servers are patched.

Kathy:
Good advice, good advice. And there’s more details. We’ll have a link to this post in the show notes. You can drop over there and say a congratulations to Charles on finding this and protecting more and more WordPress users from malicious activity. Pretty cool.

Kathy:
Next up it looks like we have been assigning ourselves some CVEs, huh, Ram?

Ram:
Why yes, we have. Since we are now a CNA, we can basically assign our own CVEs for our own findings. And so the first one of those was a vulnerability in WooCommerce Stock Manager that Chloe found. Basically it was a Cross-Site Request Forgery where if you could trick an administrator into clicking a link, you could upload a malicious file to a site and get code execution. And once you have that, you have the site taken over. I’ve also got a recent article out about a Cross-Site Request Forgery in WP Fluent Forms, which was, again, Cross-Site Request Forgery. So you’d need social engineering, but this was to Cross-Site Scripting.

Kathy:
Oh, okay. And that could lead to, it looked like control of the site as well.

Ram:
That can also lead to site takeover. It’s a slightly longer path, but any competent attacker could probably do it.

Kathy:
Okay. Great. And that was a rather older, an older vulnerability patched in March. And most people are patched by now?

Ram:
Correct. We held off on letting people know the details, because basically the functionality that allowed attackers to trick administrators was actually intended to add scripts to contact forms. So there wasn’t really a way to block it without actually blocking legitimate use cases. So we held off on making it public since we didn’t see any evidence of it being exploited. We held off on making it public until we were confident that most people had updated.

Kathy:
Excellent. Great. Okay. You ready for data breaches and ransomware this week?

Ram:
Why, yes, I am. It’s data breach and ransomware time.

Kathy:
It sure is.

Ram:
I think the big one is a Volkswagen Audi group had unsecure data exposed on the internet between August 2019 and May 2021 impacting 3.3 million customers. And this could range from stuff like contact information, which is already PII to stuff like social security numbers and loan numbers. So hooray. Yeah. That one’s not fun.

Kathy:
Data breaches are never fun.

Ram:
Never, never is no. Next up we’ve got REvil, or R Evil. I am never going to know how to pronounce that correctly, but they hit a nuclear weapons contractor-

Kathy:
Oh boy.

Ram:
… Sol Oriens. And they are auctioning off data from them.

Kathy:
Oh Geez.

Ram:
So, you know how a few podcasts ago we were talking about just sort of like the endless screaming? It’s definitely one of those weeks.

Kathy:
Yeah. It’s REvil endless screaming, too.

Ram:
It’s REvil? It is REvil? Okay. I’m just going…

Kathy:
Oh, no, I’m just saying it’s … the endless screaming has got a brand name.

Ram:
It’s true. REvil is behind a lot of these.

Kathy:
They are behind a lot. Yes. They have been very active this year, but they’re not alone. It looks like Electronic Arts, this one, you think it might be related to Codecov and that breach?

Ram:
That’s just a conjecture, mostly because of what was taken. It was all source code.

Kathy:
Oh, okay.

Ram:
So that’s what makes me think it might’ve been a Codecov related incident, because Codecov was largely attackers spying on developer commits, and basically exfiltrating source code, mostly in the hope of having API keys and secrets. But you know, this does seem like this kind of thing that they might be interested in as well.

Kathy:
Yeah, interesting. Okay. And what else do we have? We have Intuit notifying customers of compromised TurboTax accounts.

Ram:
Yep. This is technically not a data breach, but it looks like there’s a large uptick in compromised TurboTax accounts due to reused credentials. And this is probably also due to that RockYou2021 password dump, just like the Jetpack thing. So if you use TurboTax make sure you reset your password and turn on two-factor authentication too, because your tax information is pretty private.

Kathy:
It is very private.

Ram:
Unless you’re also a Volkswagen customer, in which case, you know …

Kathy:
Then it’s all out there, isn’t it? Yeah. Okay. So if you’re using TurboTax or any kind of Intuit service, you should probably be looking at setting up two-factor authentication for that. What’s up next?

Ram:
I found this one to be kind of interesting. There are two conflicting surveys about Ransomware response. So ThreatPost did a survey of 120 respondents, one-third of which were actually victims of Ransomware. And I mean, that’s a pretty small sample size, but apparently 80% of the actual Ransomware victims didn’t pay up.

Kathy:
Hm. And that’s what they’re self reporting?

Ram:
Yes.

Kathy:
Okay.

Ram:
I mean, it is self-reporting. It’s a survey, but here’s the other thing, there’s another survey by Neustar International Security Council, of 300 workers in senior positions asking what their company would do if there was a ransomware attack. And according to them, 60% say they would pay up if they were breached. And that doesn’t really add up. Though, the same survey also noted that a quarter of the respondents fear that their current security is not really up to the task and describing them as somewhat or very insufficient to dealing with ransomware.

Kathy:
Oh, interesting. You know whose data I would like to see about this? Cybersecurity insurance providers.

Ram:
Yeah.

Kathy:
They’re probably accurate. They would actually probably have some data on actual payouts for ransomware and other types of cybersecurity incidents. That information would be super juicy to take a look at.

Ram:
Why yes it would. Speaking of some other kind of weird news. Sophos is sharing about how a vigilante malware is being distributed that basically locks access to the Pirate Bay and a number of other torrent sites. It’s super basic malware. It basically just edits the hosts file on your machine, so that any attempts to access like a piracy site, just get redirected to 127.0.0.1, or the home IP address. So it just blocks access.

Ram:
But what I did find kind of interesting is that it also phones home and reports the IP of the people who actually downloaded and ran it, so that seems awfully suspicious. I’m not going to state my suspicions of who might be behind this, but you know. Do you remember the Sony rootkit incident? I’m just saying.

Kathy:
Yeah. You know, I’ve always been told to follow the money. Who stands to gain from a vigilante actor like this? That’s probably … huh. It’s interesting. And it seems so simplistic that it’s just editing the hosts file. That’s very, very interesting.

Kathy:
Now, we’ve seen some of this type of behavior happen in the WordPress world where we’ve seen malicious actors get into a site that say has like a very common vulnerability and they start cleaning up other people’s malware and make their malware the prominent malicious actor on that particular site. And you said you saw some of this in the File Manager exploits as well?

Ram:
We started seeing this with the Babayaga a few years ago. But last year back when the File Manager vulnerability was being actively attacked at an enormous and hitherto unforeseen scale, we were seeing attackers basically not just adding their own backdoor, not just removing other people’s malware, but also they were doing things. They were patching the vulnerability so that other attackers couldn’t get in, which is fairly common for advanced threat actors, but they were also, in some cases we saw them keeping the other people’s backdoor, but changing the passwords to their own passwords, stuff like that. It was just … it was wild.

Kathy:
Wow. That’s so interesting. This is one of the reasons why I love security is because there really is … okay. Sure. Yeah. These are hackers and yes, there’s malicious activity happening. But it tends to be super creative and innovative and interesting. And there’s always something new happening. It really requires like that whole thinking like a hacker, outside of the box. And I find these kinds of stories fascinating.

Ram:
Definitely. I mean, there are a few things that are always the same. You know, update your stuff. Some things don’t change. And speaking of things that don’t change, and this is actually from last week, but it came out after we recorded last week’s podcast. It looks like there’s a couple of zero-days in Chrome that were being actively exploited. So update your Chrome. It looks like they were provided by a commercial exploit broker to a nation-state actor who has been using them in limited attacks against targets in Eastern Europe and the Middle East.

Kathy:
Interesting. Okay. Yeah. I got an update notification on Chrome. So that must have been what it is. Actually, because we’ve seen so many different Chrome zero-days over the course of the past few months. I’m checking the security of Chrome, almost daily now because it’s like, oh, is there another one? What is happening?

Ram:
I mean, just keep your Chrome up to date. Keep your Safari up to date. It looks like Apple has also patched some vulnerabilities under active attack. Good news is these are only in older iOS devices up to sixth generation devices, iOS, or iPhone six. They want to say like the iPad up to like third generation. So yeah-

Kathy:
Do those still work?

Ram:
… the older iOS devices. They do. The batteries don’t last very long and that appears to be on purpose, but you know …

Kathy:
Interesting. Okay. So no matter what you’re using to access the internet, it requires some attention and security. Make sure your Chrome and Safari browsers are updated. Check those extensions that you’re using for Chrome, Safari, Firefox, whatever you’re adding functionality via an extension or some kind of plugin type of code, whatever you’re doing, make sure that those are updated as well. And always check for malicious ones. If something shows up in Chrome that you didn’t install, something you would want to look into and we will keep you updated as more and more security news happens. Won’t we Ram? That’s what we do.

Ram:
We will. There is a lot of security news these days.

Kathy:
There is.

Ram:
And we’re doing our best.

Kathy:
We are doing our best, and we thank you very much for listening every week. If you are enjoying Think Like a Hacker, leave us a review, leave us a rating on Apple Podcasts. We’d love to hear from you as well. If there’s a story that you’ve discovered that maybe isn’t in the mainstream security news, drop us a line at feedback@wordfence.com. Let us know that there is a story that we should be covering and we would love to cover it for you or dive a little bit deeper. Thanks for listening. And we’ll talk to you again next week.

Ram:
Yep, and always a pleasure.

Kathy:
Bye.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.


Comments

  • Please see this thread by Troy Hunt as to why the "8.4 Billion password list" isn't. https://twitter.com/troyhunt/status/1402358364445679621?s=21 It is just a massive dictionary list (it contains words from Wikipedia and Project Gutenberg for example).

    • Hi Neil,

      You're correct and Troy Hunt generally knows what he's talking about as well. The actual "claimed size" of the list was significantly larger but it's estimated that there are about 8.4 billion unique entries, most of which are not new passwords, which we go into in the podcast a bit. Nonetheless, having a really big dictionary available that includes a large number of actual passwords all in one place seems to have significantly reduced the amount of friction required to perform effective credential stuffing attacks.