2021.06.18

Episode 122: Largest Password Dump in History Fuels Credential Stuffing Extravaganza

Sites running Jetpack are being infected via compromised WordPress.com credentials. The largest password dump ever with 8.4 billion passwords is used in credential stuffing attacks. Wordfence Threat Intelligence discloses new plugin vulnerabilities as well as a vulnerability at tsoHost. Data Breaches impact VW and EA, REvil compromises a nuclear weapons contractor, and TurboTax accounts are taken over. Ransomware surveys show conflicting results. Chrome and iOS Safari are both patched against 0-days.

Episode 121: Wordfence is Now a CVE Numbering Authority

2021.06.11

Episode 121: Wordfence is Now a CVE Numbering Authority (CNA)

Wordfence is now a CVE Numbering Authority, or a CNA. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes. An outage at Fastly takes down major websites including Reddit, Twitch, Amazon, and many others. Microsoft patches numerous Windows 0-day vulnerabilities, and Google patches a RCE in Android phones. A FBI informant and a messaging app led to huge global crime sting, and Windows container malware targets Kubernetes clusters used by numerous data centers.

Think Like a Hacker Ep 120

2021.06.04

Episode 120: Jetpack Autoupdate Security Patch Bypasses Local Settings

A security fix for an information leak vulnerability was pushed out to WordPress sites using Jetpack that bypassed local settings preventing autoupdates. A ransomware attack on JBS that shut down meat processing operations in the United States has been attributed to REvil, a private Russian ransomware-as-​a-service operation. A critical zero-day vulnerability was discovered by the Wordfence site cleaning team in the Fancy Product Manager plugin, used by 17,000 WordPress sites. Amazon devices will soon automatically share your Internet with neighbors, unless you opt out by June 8. Google PPC ads are serving up malicious content targeting searches for AnyDesk, Dropbox & Telegram apps.

Get notified by email when there is a new episode of Think Like a Hacker.

Multiple rack-mounted network routers with hand grasping ethernet cable

2021.05.28

Episode 119: Critical VMWare Vulnerability Threatens Data Centers

A Critical Vulnerability in VMWare’s vCenter Server threatens some of the largest data centers in the world. An actively exploited 0-day in macOS was used to take screen shots of infected computers. CodeCov claims another victim as Japanese e-Commerce unicorn Mercari reports a massive data breach. Domino’s India and Air India suffer from large-scale data breaches. And last, but not least, it’s time to update Chrome again, thanks to some high-severity vulnerabilities that were just patched.

Think Like a Hacker Episode 118

2021.05.21

Episode 118: Four Android Vulnerabilities Under Active Attack

Four memory corruption vulnerabilities are being actively exploited on Android devices and nearly 2 dozen popular Android apps exposed over 100 Million users’ sensitive information in cloud databases. Over 600,000 sites using WP Statistics required a patch to fix a blind SQL injection vulnerability. WP User Avatar undergoes a dramatic rebranding to ProfilePress, adding completely divergent functionality and causing a user revolt in reviews. More details emerge about the ransomware attack on Colonial Pipeline, as DarkSide shuts down after losing access to their infrastructure. A popular Russian language hacking forum bans ransomware discussions, and an Apple executive claims there are unacceptable levels of Mac malware during the Epic Games lawsuit.

Think Like a Hacker Episode 117

2021.05.14

Podcast 117: Cyber Attack on Colonial Pipeline Affects Fuel Availability in 17 States

A ransomware attack on Colonial Pipeline affected fuel availability in 17 southeastern US states, and Bloomberg reported that Colonial Pipeline paid $5 million to DarkSide, a Russian ransomware service provider. The Biden Administration issued an executive order to increase US cybersecurity defenses. WordPress 5.7.2 was released to patch a critical object injection vulnerability in PHPMailer. A critical vulnerability was patched in the External Media plugin, used by over 8K sites. Vulnerabilities were discovered in all WiFi devices, and patch is available for a zero-day RCE under active attack in Acrobat Reader.

Swooshy lines representing a network

2021.05.06

Episode 116: Packagist Patch Shows How Supply Chain Threats Could Impact WordPress

A vulnerability discovered in Packagist, which is used by Composer to manage PHP package requests, could have allowed attackers to trick Composer into downloading backdoored source code, potentially affecting all WordPress sites. Packagist reports that it’s not aware of any exploits. A SQL injection vulnerability was patched in the CleanTalk AntiSpam plugin installed on over 100k sites. Vulnerabilities were discovered in Exim mail server, including 3 RCE vulnerabilities. We’re seeing some of the first trickle-down attacks from the Codecov supply chain attack, first from HashiCorp and then from Twilio. Apple releases iOS 14.5.1 to patch vulnerabilities in WebKit that are being exploited in the wild, a DDoS takes down Belgium, Peloton exposes customer information, and Signal taunts Facebook with a rejected advertising campaign.

Think Like a Hacker Episode 115

2021.04.30

Episode 115: Update Your Mac: Gatekeeper Bypass Vulnerability Exploited in the Wild

Apple patches a gatekeeper bypass vulnerability that has been exploited in the wild on MacOS. Though this vulnerability requires some social engineering to exploit, it is believed to have been actively exploited since January 9, 2021. Some Digital Ocean customers were affected by a data breach exposing personally identifiable information. A WordPress trac conversation considers blocking Federated Learning of Cohorts as a security release, and Creative Commons Search is coming to WordPress.org in a few weeks. Google Chrome has yet another remote code execution bug requiring an update to patch. Celebrated Security Researcher Dan Kaminski passes away.

Think Like a Hacker Ep 114

2021.04.23

Episode 114: Trifecta of Compromises Affect Enterprise Systems

Attacks on unpatched SolarWinds systems continue. We’re now learning of a supply chain attack that started in late January 2021 affecting 29,000 customers of Codecov, as well as a zero-day under active attack affecting customers of PulseSecure VPN. Customers of these three services are well known enterprise and government organizations. In the WordPress space, there are two add-on plugins experiencing active attacks: Kaswara Modern WPBakery Page Builder Addons and The Plus Addons for Elementor. Vulnerabilities discovered by our threat intel team in Redirection for Contact Form 7 were patched. We also take a look at updates coming in WordPress 5.8 to prepare the way for WordPress full-site editing.

Think Like a Hacker 113

2021.04.16

Episode 113: An Unprecedented FBI Operation Removes Webshells from Infected Exchange Servers

An FBI initiative began remotely removing webshells from infected Microsoft Exchange servers. WordPress 5.7.1 was released with a few security patches. Over 15 Elementor add on plugins were found to have vulnerabilities similar to those found in the main Elementor plugin; these additional plugin vulnerabilities affected over 3.5 million sites with over 100 vulnerable endpoints. Google Chrome was found to have two 0-day vulnerabilities. The US and UK blame Russian intelligence service hackers for the ongoing attack campaign against SolarWinds.

Think Like A Hacker Episode 112

2021.04.09

Episode 112: Wix Takes Aim at WordPress With New Ad Campaign

A new Wix ad campaign targets WordPress but ends up being tone deaf in both content and strategy. New details emerge about the PHP compromise, but the full story remains unclear. Facebook user data from 2019 ends up on the dark web, and Have I Been Pwned adds a phone number check to help users determine if they’ve been affected. GitHub Actions are being used by cryptojackers, Gigaset Android phones have been infected with malware in a supply chain attack, and new phishing methods emerge using Telegram.

Wordfence think like a hacker 111

2021.04.02

Episode 111: PHP Git Repository Compromised

The self-hosted Git repository for PHP was compromised, with attackers adding a backdoor to a development version of PHP 8.1. The intrusion was detected by the PHP community quickly, and no production environments were affected. Ubiquiti experienced an intrusion in January that was far worse than originally reported; attackers gained access to nearly all of the AWS assets for the company who has shipped 85 million IoT devices. Some OpenSSL vulnerabilities were recently patched, and two new vulnerabilities in Linux-based operating systems could let attackers circumvent Spectre mitigations to obtain sensitive information from kernel memory.

Think Like a Hacker Episode 110

2021.03.26

Episode 110: Active Exploitation Continues on Unpatched Thrive Themes

An active exploitation of recently patched vulnerabilities in Thrive Themes continues, and new attackers are unsuccessfully attempting the same exploit chain. Two vulnerabilities are patched in the Facebook for WordPress plugin installed on over half a million sites. Google Chrome version 90 will use HTTPS by default, bringing significant improvements to speed and security. A ransomware insurance provider experiences a breach that could affect customers, and Slack’s new “Slack Connect” feature has some security concerns.

Episode 109: Stop using sms 2fa

2021.03.19

Episode 109: This Attack Will Make You Want to Stop Using SMS 2FA

An attack shows how a SMS enablement service was used to bypass SMS 2FA for $16. We discuss the recently patched vulnerabilities in Elementor affecting over 7 million WordPress sites and how easily these cross-site scripting vulnerabilities can be exploited. We also talk about the SQL Injection vulnerabilities in Tutor LMS. The data center fire at OVH in France that took 3.5 million sites offline also took down some advanced persistent threat (APT) actors. And there’s yet another Chrome use-after-free zero-day vulnerability being actively exploited.

Think Like a Hacker Episode 108

2021.03.19

Episode 108: Hack Exposes 150,000 Security Cameras at Tesla, Cloudflare and Others

A data breach exposes 150,000 security cameras used by organizations around the world, including Tesla and Cloudflare. State-sponsored hacking groups exploit Microsoft Exchange vulnerabilities. A fire in a French data center belonging to hosting company OVH affects millions of websites, including some prominent WordPress services like Imagify and WP Rocket. WordPress 5.7 was released this week with many new features.  A zero-day vulnerability was listed for sale in a new way, as an NFT on the OpenSea NFT marketplace.

Think Like a Hacker Episode 107

2021.03.19

Episode 107: Two Plugin Vulnerabilities Target File Upload Capabilities

The Wordfence Threat intelligence team finds vulnerabilities in two plugins, the User Profile Picture plugin and the WooCommerce Upload Files plugin. WordPress 5.7 is set to release on Tuesday, March 9 with numerous enhancements for the block editor, a new robots.txt API, and a stay of execution on jQuery-migrate. A zero day affecting Microsoft Exchange Server allows attackers to steal emails. And Brave buys a search engine to add to their growing privacy-oriented portfolio.

Think Like a Hacker 106

2021.02.26

Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE

WordPress 5.7 is due to be released on March 9, and it will allow administrators to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for command and control, while VMWare fixes a critical remote code execution bug in all default vCenter installations. Android users now have an easy way to check password security. We talk about the ramifications of vulnerability disclosures and how last year’s File Manager vulnerability did not have long lasting effects on plugin installation base or growth. We also discuss how investor data breach fatigue has reduced the stock price impact of cybersecurity failures.

Think Like a Hacker Episode 105

2021.02.22

Episode 105: The Hottest Trend in WordPress

An analysis of WordPress-related search trends found that interest in WooCommerce related results dominated during 2020. We discuss recent vulnerabilities discovered by our threat intelligence team in Ninja Forms, affecting over 1 million sites. WordPress issues a statement that pirated themes and plugins are prohibited on the repository. And a supply chain attack affects users of the once-legitimate Barcode Scanner Android app. We also discuss some career opportunities on the Wordfence team.

Think Like a Hacker Episode 104 Feature Image

2021.02.15

Episode 104: Cryptography Demystified

This week, the Wordfence team discusses cryptography in depth, including the basics, a brief history, hashing, and the Crypto Wars. We also go over current news, including 2 new findings by the Wordfence Threat Intelligence team, a new milestone for WordPress, and a recent attack on a Florida Town’s water supply.

2021.02.05

Episode 103: Wordfence Innovates with Machine Learning and Security for Schools

Wordfence opens the K-12 site audit and site cleaning service for publicly funded state schools worldwide. Machine learning is now a big part of our malware identification process, which will speed new malware signatures to deployment for WordPress sites protected by Wordfence. A bug in Sudo can let attackers with access to a local system to elevate their access to a root-level account, which has implications for WordPress sites, Mac users, and many Internet of Things devices. WordPress 5.7, the next major release, will make it much easier for users to migrate their sites from HTTP to HTTPS.