WordPress 5.0.0 Serious Vulnerability Found

Vulnerability allows to execute arbitrary code on the server, having the privileges of the Author 
20 February 2019   427

Simon Scannell has published information about the vulnerability in the WordPress, which allows to execute arbitrary code on the server, having the privileges of the Author of publications on the site. In WordPress 4.9.9 and 5.0.1 updates, partial protection was added to block the attack in the core WordPress code, but the problem remains completely unresolved and in the current release of WordPress 5.0.3 it can be exploited through additional errors in the plugins (it is noted that manifested in some popular plugins with millions of active installations).

The vulnerability was caused by two problems - the ability to override metadata in the database and errors in the processing of file paths. The first problem allows to override in the database the value of the post with the image parameters in the wp_postmeta table.

To solve the problem of transmitting PHP code under the guise of an image, the Imagick PHP extension feature is used, which, after editing, leaves the contents of EXIF ​​metadata unchanged, i.e. in the resulting image remain the same EXIF ​​parameters as in the original. Placing the PHP code instead of the EXIF ​​block, you can achieve its execution when you try to connect a specific theme template. When used to convert images to the PHP GD extension, the attack becomes more complicated, since GD clears EXIF ​​and a special selection of pixel values ​​is needed to execute the code, which, after being processed in GD, forms a PHP code.

Chinese Hackers to Infect Servers With Hidden Miners

According to the research, 50k MS-SQL and PHPMyAdmin Windows servers around the world are infect with hidden miners by APT campaign
31 May 2019   244

The Chinese APT group injects cryptocurrency miners and rootkits into MS-SQL and PHPMyAdmin Windows servers around the world. According to specialists from Guardicore Labs, since February 2019, attackers have been able to compromise more than 50,000 servers.

Number of Infections Over Time - The Nansh0u Campaign
Number of Infections Over Time - The Nansh0u Campaign

The malicious campaign was named Nansh0u. The attackers hack Windows MS-SQL and PHPMyAdmin servers using brute-force, and then infect them with malware. Experts found 20 versions of malicious modules.

To prevent the completion of the process, the expired digital certificate of the dummy company Hangzhou Hootian Network Technology, issued by Verisign certification center, was used.

Nansh0u Campaign Attack Flow
Nansh0u Campaign Attack Flow

This campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows. Seeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organizations protect their assets with strong credentials as well as network segmentation solutions.

Guardicore Team

Specialists from Guardicore Labs note that servers with unreliable credentials are in the first place at risk. To check the system for the presence of malware, experts recommend using a free script.