Category: Website Security

Password Zero Day

Zero Day Vulnerability in WordPress Password Reset

By Wyatt Morgan

This week an unpatched vulnerability in WordPress was disclosed by security researcher Dawid Golunski that could potentially allow an attacker to reset admin passwords. This vulnerability impacts most versions of WordPress, including the current release 4.7.4.

Tags:   vulnerability, WordPress, zero day
Categories:  Website Security, WordPress, WordPress security

How to Keep Your Dashboard Green

By Logan Kipp

The SiteLock Dashboard is designed to deliver a concise report of your website security status at-a-glance. We’ve incorporated a color-coded light system that is so easy to understand, your eyes won’t need more than two tenths of a second to discern the color of your SiteLock status light. If you’re not familiar with the definitions of the three traffic light settings, I sometimes like to explain these using what I call the beach martini rule. I tend to picture our customers relaxing on the beach, unwinding and sipping a martini because they know SiteLock has their back. At about the  point where it’s a good time to reapply your sunscreen, you also take a quick glance at your site status before sinking back into your lounge chair.

SiteLock Dashboard Green LightGreen – The coast is clear, no action is required at this time. Re-apply your sunscreen and order yourself another martini.

SiteLock Dashboard Yellow LightYellow – Action is required to resolve a non-critical item. When you’re done soaking up the rays for the day, go ahead and take a look at what needs your attention.

SiteLock Dashboard Red LightRed – Action is required on a critical item. Let’s go ahead and set that martini down and take a look at what’s going on.

Tags:   account management, alerts, dashboard, malware, SiteLock, vulnerability
Categories:  Website Security, WordPress security
SiteLock Threat Intercept blog

Threat Intercept: Passwords Publicly Exposed by Malware

By Ramuel Gall
This article was co-authored by Product Evangelist Logan Kipp.

THREAT SUMMARY

High Threat
Threat Bar Graphic
Learn More

Category: Shell / Information Disclosure

Trend Identified: 4/20/2017

CVE ID: N/A

Trend Name: Trend Tusayan

Vector: Application Vulnerability, Multiple

The threat rating was determined using the following metrics:

Complexity:

LOW: The vectors used to infect websites appear to be well-documented vulnerabilities in older versions of website platforms.

Confidentiality Impact:

HIGH: This infection provides complete control of the target website, including credential disclosure and database contents.

Integrity Impact:

HIGH: This infection provides the adversary administrator-level access to impacted website applications, making total data loss a possibility.

The SiteLock team has discovered a dangerous malware trend that not only provides website administrator level access to the bad actors involved, but exposes sensitive website credentials publicly over the internet.

Tags:   cpanel, idx shell, Joomla!, magento, malware, password, shell, threat intercept, trend, vulnerability, WordPress
Categories:  Website Security, WordPress, WordPress security
website security scientist

Ask a Security Pro: Encryption Explained

By Logan Kipp

Over the last year I’ve led a multitude of security workshops aimed to educate entry-level WordPress users about website security. Some of the questions I regularly field in these workshops are related to the mechanics of SSL certificates, and their role in protecting website data from prying eyes. As you may know, the installation of an SSL certificate on a web server allows the server to accept traffic on the hypertext transfer protocol (secure), or simply ‘HTTPS,’ the primary form of encrypted data transfer between websites and visitors. I’d like to share the answers to some of the most frequently asked questions I’ve had on the subject.

SSL is the Armored Truck

The first thing I’d like to clarify on the subject of HTTPS and SSL certificates specifically is that the use of SSL certificates and HTTPS do not in any way, shape, or form protect the data on your website itself. HTTPS encrypts data in transit only. Neither does it protect data resting on visitors’ computers. You should consider HTTPS the armored truck of websites, not the bank vault. It acts as the protection against adversaries while data travels from point ‘A’ to point ‘B’.

Tags:   #AskSecPro, Encryption, HTTPS, SSL
Categories:  Ask a Security Pro, Website Security, WordPress security

Malware and WordPress Auto Login

By Michael Veenstra

Malware comes in a great deal of unique shapes and sizes.  Most people know someone who has had the misfortune of an infected computer at some point. Ransomware, trojans, and viruses that affect consumers’ physical devices are generally built with compiled code, which means you can’t easily “take a look under the hood” to get a solid idea of how it works.

The types of malware we work with at SiteLock behave a little differently, however. The web-ready files we encounter most frequently are written in Interpreted Languages like PHP and JavaScript. This means that the files involved contain plain, human-readable code, allowing anyone who understands the language to see what the files do.

Tags:   malware, PHP Code, WordPress
Categories:  Website Security, WordPress security
website security scientist

Ask a Security Professional: Feature-Based Malware Detection

By Logan Kipp

Last year we published an #AskSecPro series where we explained how signature-based malware analysis works, as well as how traditional signatures are created. An area we don’t often talk about in public channels, but has played a pivotal role in SiteLock becoming a global leader in website security solutions, is our research and development efforts in new security technologies. In addition to our more traditional approaches to malware detection, SiteLock continues to explore new frontiers in technological improvement to push the field of security research forward. For some time SiteLock has been developing machine learning mechanisms as part of its process for discovering new malware iterations on an automatic basis. Our research in the field has shown that machine learning promises to be an important part of early malware detection and preliminary identification. One of the most significant breakthroughs we’ve had in machine learning as it pertains to malware detection and signatures, has been in feature-based signature analysis.

Tags:   #AskSecPro, analysis, behavioral analysis, feature-based, machine learning, malware, research, signatures, unsupervised learning
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security
website security scientist

Ask a Security Professional: WordPress Database Security Part Two — Best Practices

By Logan Kipp

In Part One of our #AskSecPro series on WordPress Database Security, we learned about the anatomy of WordPress. Now that we have a firm understanding of the role the WordPress MySQL database plays in a WordPress installation, we can take a look at the various ways an adversary can exploit the mechanisms involved. We’ll also explore some of the ways to defend your database against compromise.

Tags:   #AskSecPro, best practices, database, mysql
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security
website security scientist

Ask a Security Professional: What is #Cloudbleed?

By Logan Kipp

Over the last few days you may have heard the term #Cloudbleed thrown around the water cooler. Some of the questions our customers are asking us include,  “What is Cloudbleed?” and “Am I protected from Cloudbleed?” As your resident Security Professional, I’ll be glad to help you to understand what the Cloudbleed buzz is all about and how it may impact you.

— First, I want to be very clear that the Cloudbleed bug does NOT impact SiteLock TrueShield™ WAF/CDN. More below.

Tags:   buffer overflow, CDN, cloudbleed, disclosure, leaked, memory leak
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security

Rogue Pharmacy Defacements via REST API Exploit

By Logan Kipp
SiteLock Research shield

This article was co-authored by Security Researcher Wyatt Morgan from SiteLock Research.

 

This month we’ve seen WordPress websites bombarded with defacements and remote code execution attempts by abusing a vulnerability in the WordPress REST API. As could be expected, compromises motivated by financial gain have now made their debut through the same vector. This most recent flavor of defacements focuses on driving traffic to a rogue pharmacy website, where the visitor is encouraged to purchase — you guessed it, “authentic” erectile dysfunction medication.

Tags:   exploit, pharmahack, REST API, rogue pharmacy, trend, Trend Yuma
Categories:  Website Security, WordPress, WordPress security

Remote Code Execution Attempts via REST API Vulnerability

By Logan Kipp
SiteLock Research shield

This article was co-authored by Security Researcher Wyatt Morgan from SiteLock Research.

 

In the continuing saga of the WordPress REST API vulnerability in WordPress 4.7 and 4.7.1, SiteLock has identified that at least one hacker has launched a campaign specifically attempting remote code execution (RCE) on WordPress websites. The attacks aim to take advantage of WordPress websites using plugins that enable PHP to run inside of posts. If successful, the attack injects a line of code that ultimately downloads a series of malicious files from a Pastebin repository. These malicious files are used to install  backdoors and automatically steal information from  websites. When unsuccessful at remote code execution, the attack overwrites existing posts and leaves behind PHP shortcode.

Tags:   api, backdoor, exploit, rce, remote code execution, rest, Trend Sedona, WordPress
Categories:  Website Security, WordCamp, WordPress security