Zero-Day RCE in vBulletin v5.0.0-v5.5.4

A new remote code execution (RCE) zero-day vulnerability was disclosed by an anonymous researcher on the Full Disclosure mailing list this past Monday. This vulnerability is extremely severe: it allows any website visitor to run PHP code and shell commands on the site’s underlying server.

Am I At Risk?

At the time of writing, this is still a zero-day vulnerability, meaning there are no official patches available to fix this issue. Continue reading Zero-Day RCE in vBulletin v5.0.0-v5.5.4 at Sucuri Blog.

The Hacker Returns: A Backdoor Edition

Once an attacker manages to hack and gain access to a target site or system, they typically work hard to maintain that access for as long as it helps them achieve their goals. You can think of it like having an annoying party-crasher at your pool party who decides to stick around uninvited, hiding out somewhere and using all of your stuff. In a large majority of hacked sites, attackers plant something called a backdoor. Continue reading The Hacker Returns: A Backdoor Edition at Sucuri Blog.

Fake SSO Used In Multi-Email Provider Phishing

Single sign-on (SSO) allows users to sign into a single account (e.g. Google) and access other services like YouTube or Gmail without authenticating with a separate username and password. This feature also extends to third-party services such as the popular Dropbox file sharing application, which offers users the option to access their account using Google’s authentication from its sign-in page.

Malicious Pages Mimic Popular Login Workflows

SSO is very convenient for most users. Continue reading Fake SSO Used In Multi-Email Provider Phishing at Sucuri Blog.

Fake Human Verification Spam

We recently released an update to our Labs Knowledgebase for new plugins that had been targeted during the month of July 2019. One of these newly targeted plugins was Advanced Booking Calendar — and it didn’t take long before we were receiving cleanup requests for websites that had already been exploited through this plugin.

Malicious Payload in Appointment Booking Plugin

After our investigation, we discovered that the malicious payload was similar to the one listed in our July 2019 Labs Knowledgebase post. Continue reading Fake Human Verification Spam at Sucuri Blog.

Misuse of WordPress update_option() function Leads to Website Infections

In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of WordPress’ update_option() function. This function is used to update a named option/value in the options database table. If developers do not implement the permission checks correctly, attackers can gain admin access or inject arbitrary data into the affected website. Note: The WordPress update_option() function cannot be used maliciously if the developer correctly implements it in their code. Continue reading Misuse of WordPress update_option() function Leads to Website Infections at Sucuri Blog.

Dissecting the WordPress 5.2.3 Update

Last week, WordPress released version 5.2.3, a security and maintenance update that, as such, contained many security fixes. Part of our day-to-day work is to analyse these security releases, discover what security issues they fix, and come up with a Proof of Concept for further internal testing. Based on our analysis, none of the vulnerabilities fixed in this release are major. They all require some level of privileged-user interaction or access to high-privilege accounts. Continue reading Dissecting the WordPress 5.2.3 Update at Sucuri Blog.

How to Audit & Cleanup WordPress Plugins & Themes

In an interview with Smashing Magazine, our Co-Founder (now Head of Security Products at GoDaddy) Tony Perez was asked the following question.

What Makes WordPress Vulnerable?

“Here’s the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS’ popularity, with the end user thrown into the mix, make for a vulnerable website.” – Tony Perez

The most common threats to any CMS are associated with vulnerabilities that have been introduced by third-party modules, plugins, themes and extensions. Continue reading How to Audit & Cleanup WordPress Plugins & Themes at Sucuri Blog.

Throwback Threat Thursday: Joomla GoogleMaps Plugin SEO Spam Injection

When our tools don’t automatically detect and clean malicious code, that’s when we start our investigation process—and the majority of these research findings end up on the blog or as a Labs note. However, other times we update our tools to automatically detect and remediate the malware, then stash the code sample in our zoo along with some research notes… And there it stays, gathering dust, spiderwebs, and other nasty stuff. Revisiting those old notes and malicious code samples to re-evaluate them is not only a good research exercise, but also interesting to share. Continue reading Throwback Threat Thursday: Joomla […]

What is Cryptocurrency Mining Malware?

Before we get into the details of “Cryptocurrency Mining Malware”, we first need to understand what cryptocurrency is and what miners are.

What is Cryptocurrency?

Cryptocurrency is best thought of as digital currency, and it only exists on computers. It is transferred between peers (there is no middleman like a bank). Transactions are then recorded on a digital public ledger called the “blockchain”. Transaction data and the ledger are encrypted using cryptography (which is why it is called “crypto” “currency”). Continue reading What is Cryptocurrency Mining Malware? at Sucuri Blog.

TimThumb Attacks: The Scale of Legacy Malware Infections

These days, we consider a malware campaign massive if it affects a couple thousand websites. However, back in the day when Sucuri first started its operations, the scale of infections was significantly larger — it was quite typical to see hundreds of thousands of websites affected by the same malware. This was mostly because early versions of CMSs were not very secure but were already popular enough to power millions of websites. Extension developers also didn’t pay much attention to security. Continue reading TimThumb Attacks: The Scale of Legacy Malware Infections at Sucuri Blog.