Project mission is to crowdsource the indexing and curating of plugin bug data

Adam Bannister 12 September 2022 at 11:04 UTC

Project mission is to crowdsource the indexing and curating of plugin bug data

An open source project designed to help security researchers fingerprint WordPress Plugins is seeking feedback and contributors.

Currently in beta mode, WPHash is a free-to-use web service that helps security professionals identify installed plugins and whether they contain security vulnerabilities.

To this end, it indexes 75 million SHA256 hashes for WordPress plugins – covering the vast majority available on the WordPress marketplace, along with their various versions.

The project mission is “to crowd-source the indexing and curating of WordPress plugin vulnerability data”.

**Enumeration and fingerprinting**

“WPHash’s main purpose is to provide security researchers with additional tooling in the form of a web service, which helps them in the enumeration and fingerprinting of installed WordPress plugins,” Dave Miller, WPHash architect and security engineer at Swiss IT security company Cyllective, tells The Daily Swig.

The WPHash website comprises an alphabetical index of hashes, a search function for this index, an experimental OpenAPI spec for looking up hashes and filepaths, and FAQs. Both original and normalized SHA256 checksums are indexed.

Catch up with the latest WordPress security news

“Researchers can query WPHash for known filepaths of the plugin they’re after,” says Miller. “Then, they request these filepaths on the target and calculate the SHA256 hash, which they then use to lookup plugin metadata on WPHash. This process allows them to determine exact plugin versions, and with further investigation determine if the plugin is vulnerable.”

Indexed vulnerabilities can be queried via WPHash or in researchers’ own tooling by using the raw data available on the WPHash GitHub repo.

Miller has said on Reddit that WPHash is not intended to be a direct competitor to Automattic WordPress security scanner WPScan, whose vulnerability data and tooling he concedes is currently “more curated and more complete”.

Nevertheless, WPScan fulfils Miller’s preference for freely accessing crowdsourced vulnerability information “in my own tooling without being stuck with API rate limits”.

**Call for contributors**

The scope of future development for WPHash partly hinges on the level of community support Miller can attract. At the very least, he is “dedicated to keep operating WPHash for free and try to keep improving both the REST API as well as the data behind it”.

A number of retweets on Twitter and upvotes on Reddit have signalled support for the project, suggests Miller, who hopes to enlist some co-contributors from the open source community “once people start playing around with WPHash and its data. I think I need to make it easier and start writing contribution guides to get more people involved.”

Anyone who wishes to contribute, field questions, or offer feedback to WPHash can do so by contacting Miller via his Twitter account.

Cyllective, which published a blog post documenting its research into plugin vulnerabilities in May, is sponsoring the project.

RECOMMENDED Graph-based JavaScript bug scanner discovers more than 100 zero-day vulnerabilities in Node.js libraries

WordPress project WPHash harvests 75 million hashes for detecting vulnerable plugins

The critical flaw in BackupBuddy is one of thousands of security issues reported in recent years in products that WordPress sites use to extend functionality.

Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in's developer, iThemes, issued a patch for the flaw on Sept. 2, more than one week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

**A Directory Traversal Bug**

In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plug-in maker warned.

iThemes' alerts provided guidance on how site operators can determine if their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.

Wordfence said it had seen attackers using the flaw to try to retrieve "sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim."

**WordPress Plug-in Security: An Endemic Problem**

The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments — almost all of them involving plug-ins — in recent years.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021 -- and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-in had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

"As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product," he explains, adding that vetting these products is also challenging because of their sheer number and lack of clear provenance.

"Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions," Yu notes. "Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious \[plug-ins, integrations, and third-party apps\] do not create problems for their customers," he notes.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.

"Installing is easy and removing is an afterthought or never done," Broomhead tells Dark Reading. "Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress."

Broomhead adds, "Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins."

Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy

A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed.
"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said.
BackupBuddy allows users to back up their entire WordPress installation from within the

A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed.

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said.

BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others.

The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It's been addressed in version 8.7.5 released on September 2, 2022.

The issue is rooted in the function called "Local Directory Copy" that's designed to store a local copy of the backups. According to Wordfence, the vulnerability is the result of the insecure implementation, which enables an unauthenticated threat actor to download any arbitrary file on the server.

Additional details about the flaw have been withheld in light of active in-the-wild abuse and its ease of exploitation.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plugin's developer, iThemes, said. "This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence noted that the targeting of CVE-2022-31474 commenced on August 26, 2022, and that it has blocked nearly five million attacks in the intervening time period. Most of the intrusions have attempted to read the below files -

*   /etc/passwd
*   /wp-config.php
*   .my.cnf
*   .accesshash

Users of the BackupBuddy plugin are advised to upgrade to the latest version. Should users determine that they may have been compromised, it's recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organizations can afford to lessen their focus on vulnerability patching one bit.

A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts _combined_. And data the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.

Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.

**Exchange Server Flaws Fuel the Exploit Frenzy**

Kaspersky attributed the surge in exploit activity last year as likely tied to the multiple critical Exchange Server vulnerabilities that Microsoft disclosed, including a set of four zero-days in March 2021 known as the ProxyLogon flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). When chained together they allowed attackers to gain complete remote control over on-premises Exchange Servers. 

Attackers — which included organized criminal gangs and state-sponsored groups from China — quickly exploited tens of thousands of vulnerable Exchange Server systems and dropped Web shells on them before Microsoft could issue a patch for the flaws. The vulnerabilities evoked considerable concern because of their ubiquity and severity. They even prompted the US Department of Justice to authorize the FBI to take the unprecedented step of proactively removing ProxyLogon Web shells from servers belonging to hundreds of organizations — in most cases, without any notification.

Also driving the exploit activity in 2021 was another trio of Exchange Server vulnerabilities collectively labeled ProxyShell (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) that attackers used extensively to drop ransomware and in business email compromise (BEC) attacks.

More than a year later, the ProxyLogon and ProxyShell vulnerabilities continue to be targets of heavy exploit activity, says Konstantin Sapronov, head of Kaspersky's Global Emergency Response Team. One of the most severe of these flaws (CVE-2021-26855) has also been the most targeted. Kaspersky observed the vulnerability — part of the ProxyLogon set — being exploited in 22.7% of all incidents involving vulnerability exploits that it responded to in 2021, and the flaw continues to be a favorite among attackers this year as well, according to Sapronov.

**Same Exploitation Trend Likely Playing Out in 2022**

Even though several serious vulnerabilities have surfaced this year — including the ubiquitous Apache Log4j vulnerability (CVE-2021-44228) — the most exploited vulnerabilities of 2021 remain very prevalent in 2022 as well, Sapronov says, even beyond the Exchange server bugs. For instance, Kaspersky identified a flaw in Microsoft's MSHTML browser engine (CVE-2021-40444, patched last September) as the most heavily attacked vulnerability in the second quarter of 2022.

"Vulnerabilities in popular software such as MS Exchange Server and library Log4j have resulted in a huge number of attacks," Sapronov notes. "Our advice to enterprise customers is to pay close attention to patch management issues."

**Time to Prioritize Patching**

Others have noted a similar spike in vulnerability exploit activity. In April, researchers from Palo Alto Networks' Unit 42 threat research team noted how 31%, or nearly one in three incidents, they had analyzed up to that point in 2022 involved vulnerability exploits. In more than half (55%) of those, threat actors had targeted ProxyShell. 

Palo Alto researchers also found threat actors typically scanning for systems with a just-disclosed flaw literally minutes after the CVE is announced. In one instance, they observed an authentication bypass flaw in an F5 network appliance (CVE-2022-1388) being targeted 2,552 times in the first 10 hours after vulnerability disclosure.

**Post-Exploitation Activity is Tough to Spot**

Kaspersky's analysis of its incident-response data showed that in nearly 63% of cases, attackers managed to stay unnoticed in a network for more than a month after gaining initial entry. In many cases, this was because the attackers used legitimate tools and frameworks such as PowerShell, Mimikatz, and PsExec to collect data, escalate privileges, and execute commands. 

When someone did quickly notice a breach, it was typically because the attackers had created obvious damage, such as during a ransomware attack. "It's easy to detect a ransomware attack when your data is encrypted, as services are unavailable, and you have a ransom note on your monitor," Sapronov says.

But when the target is a company’s data, attackers need more time to roam around the victim’s network to collect necessary information. In such cases, attackers act more stealthily and cautiously, which makes these kinds of attacks harder to detect. "To detect such cases, we suggest employing a security tool stack with extended detection and response (EDR)-like telemetry and implement rules for detection of pervasive tools used by adversaries," he says.

Mike Parkin, senior technical engineer at Vulcan Cyber, says the real takeaway for enterprise organizations is that attackers will take any opportunity they can to breach a network. 

"With a range of exploitable vulnerabilities, it’s not a surprise to see an uptick," he says. Whether the numbers are higher for vulnerabilities over socially engineered credential attacks, is hard to say, he notes. 

"But the bottom line is threat actors will use the exploits that work. If there's a new remote code exploit on some Windows service, they’ll flock to it and breach as many systems as they can before the patches come out or firewall rules get deployed," he says.

The real challenge is the long-tail vulnerabilities: The ones that are older, like ProxyLogon, with vulnerable systems that have been missed or are ignored, Parkin says, adding that patching must be a priority.

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5.

CVE-2022-38254: Nagios XI Change Log - Nagios

WordPress BackupBuddy plugin versions 8.5.8.0 through 8.7.4.1 suffer from an arbitrary file read and download vulnerability.

    Description: Arbitrary File Download/ReadAffected Plugin: BackupBuddyPlugin Slug: backupbuddyPlugin Developer: iThemesAffected Versions: 8.5.8.0 – 8.7.4.1CVE ID: CVE-2022-31474CVSS Score: 7.5 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NFully Patched Version: 8.7.5The BackupBuddy plugin for WordPress is designed to make back-up management easy for WordPress site owners. One of the features in the plugin is to store back-up files in multiple different locations, known as Destinations, which includes Google Drive, OneDrive, and AWS just to name a few. There is also the ability to store back-up downloads locally via the ‘Local Directory Copy’ option. Unfortunately, the method to download these locally stored files was insecurely implemented making it possible for unauthenticated users to download any file stored on the server.More specifically the plugin registers an admin_init hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation. This means that the function could be triggered via any administrative page, including those that can be called without authentication (admin-post.php), making it possible for unauthenticated users to call the function. The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded.Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability.Indicators of CompromiseThe Wordfence firewall has blocked over 4.9 million exploit attempts targeting this vulnerability since August 26, 2022, which is the first indication we have that this vulnerability was being exploited. We are seeing attackers attempting to retrieve sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim.The top 10 Attacking IP Addresses are as follows:- 195.178.120.89 with 1,960,065 attacks blocked- 51.142.90.255 with 482,604 attacks blocked- 51.142.185.212 with 366770 attacks blocked- 52.229.102.181 with 344604 attacks blocked- 20.10.168.93 with 341,309 attacks blocked- 20.91.192.253 with 320,187 attacks blocked- 23.100.57.101 with 303,844 attacks blocked- 20.38.8.68 with 302,136 attacks blocked- 20.229.10.195 with 277,545 attacks blocked- 20.108.248.76 with 211,924 attacks blockedA majority of the attacks we have observed are attempting to read the following files:- /etc/passwd- /wp-config.php- .my.cnf- .accesshashWe recommend checking for the ‘local-download’ and/or the ‘local-destination-id’ parameter value when reviewing requests in your access logs. Presence of these parameters along with a full path to a file or the presence of ../../ to a file indicates the site may have been targeted for exploitation by this vulnerability. If the site is compromised, this can suggest that the BackupBuddy plugin was likely the source of compromise.ConclusionIn today’s post, we detailed a zero-day vulnerability being actively exploited in the BackupBuddy plugin that makes it possible for unauthenticated attackers to steal sensitive files from an affected site and use the information obtained in those files to further infect a victim. This vulnerability was patched yesterday and we strongly recommend updating to the latest version of the plugin, currently version 8.7.5, right now since this is an actively exploited vulnerability.All Wordfence customers, including Wordfence Premium, Wordfence Care, Wordfence Response, and Wordfence Free users, have been, and will continue to be, protected against any attackers trying to exploit this vulnerability due to the Wordfence firewall’s built-in directory traversal and file inclusion firewall rules.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild.We will continue to monitor the situation and follow up as more information becomes available.

WordPress BackupBuddy 8.7.4.1 Arbitrary File Read

Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details.

**Blogs & Stories**

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

During a recent engagement, Trustwave SpiderLabs discovered an Indirect Object Reference (IDOR) vulnerability within Squiz Matrix CMS which would allow any low privileged user to change the contact details of any other user on a Squiz Matrix instance (including administrators).

As organizations go about their regular routine of finding and adding new technologies to help increase their overall success, each organization must keep in mind the security implications of each move, along with the fact that much of their current technology stack has to be maintained with a well-thought out and quickly implemented patching program.

Oracle Communications Session Border Controller (SBC) is one of the most popular products worldwide that helps service providers deliver trusted, carrier-grade, real-time communications such as VoLTE, VoIP, video conferencing and calling, presence, IM, and IPTV.

Observing the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks leveraging malware are an important part of modern hybrid war strategy.

For the price of a Starbuck’s Caramel Frappuccino Grande and a cheese Danish, about $8, a cybercriminal can obtain all the information needed to max out a person’s stolen credit card and possibly steal their identity.

We have observed more than 3,000 emails containing phishing URLs that have utilized IPFS for the past 90 days and it is evident that IPFS is increasingly becoming a popular platform for phishing websites.

Everyone loves buzz words, no? Red team is the newest (well... not that new) coolest thing on the streets of information security city and many cybersecurity pros want to jump right in and become involved in Red team activities at their company.

Trustwave team believed this was a suitable time to take a minute and review some of the watershed moments that had a major impact on cybersecurity between 2011 and 2021.

This blog post describes an authentication bypass within one such device, that allows an attacker with access to the IP network the ability to capture and subsequently replay discrete device commands, which allows for the switching on and off the physical relays on the device.

Facebook Messenger is one of the most popular messaging platform in the world, amassing 988 million monthly active users as of January 2022 according to Statista.

When CVE-2022-21662 (https://nvd.nist.gov/vuln/detail/CVE-2022-21662) came out there wasn’t a much-published material regarding this vulnerability. I want to take some time to explain the importance of using a white-box approach when testing applications for vulnerabilities.

This post will look to illuminate how one tiny legacy protocol, namely "ModBus" could help to understand just how straight forward this could be.

A zero-day vulnerability has been re-disclosed that is very similar to the Follina zero-day announced last week and is actively being tracked by Trustwave SpiderLabs.

People commonly think that any “Internet Connection” is exactly the same, or they may be vaguely aware that some connections are faster than others. However, there are significant differences between the connections. While these differences may not matter to someone who just wants to browse websites and read email, they can be significant or even showstoppers for more advanced users or cybersecurity teams remotely conducting vulnerability and security scan s. This is especially true for anyone looking to do security testing or vulnerability scanning.

Trustwave SpiderLabs is tracking the critical-rated zero-day vulnerability CVE-2022-30190. Threat actors are reported to be actively exploiting this vulnerability in the wild. Microsoft disclosed and issued guidance for CVE-2022-30190 on May 30.

Trustwave SpiderLabs is tracking the critical-rated zero-day vulnerability CVE-2022-26134. Threat actors are reported to be actively exploiting this vulnerability in the wild. Atlassian disclosed and issued guidance for CVE-2022-26134 on June 2.

Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.

The Trustwave SpiderLabs Email Security team identified a phishing campaign pretending to be a missed package from DHL. What’s interesting about this campaign is that clicking on the link leads to a chatbot that discusses the missed package, provides pictures of it, and guides the potential victim through providing their credit card information and user credentials.

So, what is PwnFox? To put it simply, it’s a BurpPro extension that works with Firefox. It accomplishes two things. First, it helps containerize up to eight (yes, that’s right… eight!) different sessions within one browser and secondly, it organizes all your proxied traffic in Burp BY COLOR!

Trustwave SpiderLabs is tracking a new critical-rated vulnerability (CVE-2022-1388) affecting F5 BIG-IP network devices. Threat actors are reported to be actively exploiting this vulnerability in the wild. F5 disclosed and issued a patch for CVE-2022-1388 on May 4.

**Stay Connected**

**Subscribe**

Sign up to receive the latest security news and trends from Trustwave.

**Trending Topics**

*   All Trending
*   ModSecurity
*   Application Security
*   Malware
*   Penetration Testing
*   MAPP
*   Advisories
*   Spam

CVE-2022-32277: SpiderLabs Blog

This is the fourth DeadBolt campaign this year against QNAP customers, but it differs from previous attacks in exploiting an unpatched bug instead of a known vulnerability.

A critical zero-day security vulnerability in QNAP's network-attached storage (NAS) devices has been actively exploited in the wild to deliver the DeadBolt ransomware variant.

The vendor warned that the exploitation was first spotted over the weekend, and that "the campaign appears to target QNAP NAS devices running Photo Station with internet exposure." Photo Station allows users to centrally store and manage full resolution photos across devices via QNAP NAS.

QNAP is keeping the details of the bug under wraps for now, but it did recommend in its advisory that users disable the port forwarding function on the router to help mitigate their risk (along with applying strong passwords and performing regular data backups).

The discovery also prompted the company to push out an emergency firmware fix. The updated versions are:

*   QTS 5.0.1: Photo Station 6.1.2 and later
*   QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
*   QTS 4.3.6: Photo Station 5.7.18 and later
*   QTS 4.3.3: Photo Station 5.4.15 and later
*   QTS 4.2.6: Photo Station 5.2.14 and later

The DeadBolt gang has been hammering QNAP NAS hard this year; this is only the latest campaign using bugs in the system to infect devices. Previous waves of exploitation were seen in May using known vulnerabilities, and twice in June.

DeadBolt stands apart from other NAS-focused ransomware families, researchers noted earlier this year, because it deploys a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical QNAP NAS Zero-Day Bug Exploited to Deliver DeadBolt Ransomware

QNAP has issued a new advisory urging users of its network-attached storage (NAS) devices to upgrade to the latest version of Photo Station following yet another wave of DeadBolt ransomware attacks in the wild by exploiting a zero-day flaw in the software.
The Taiwanese company said it detected the attacks on September 3 and that "the campaign appears to target QNAP NAS devices running Photo

QNAP has issued a new advisory urging users of its network-attached storage (NAS) devices to upgrade to the latest version of Photo Station following yet another wave of DeadBolt ransomware attacks in the wild by exploiting a zero-day flaw in the software.

The Taiwanese company said it detected the attacks on September 3 and that "the campaign appears to target QNAP NAS devices running Photo Station with internet exposure."

The issue has been addressed in the following versions -

*   QTS 5.0.1: Photo Station 6.1.2 and later
*   QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
*   QTS 4.3.6: Photo Station 5.7.18 and later
*   QTS 4.3.3: Photo Station 5.4.15 and later
*   QTS 4.2.6: Photo Station 5.2.14 and later

Details of the flaw remain unclear at the moment, with the company advising users to disable port forwarding on the routers, prevent NAS devices from being accessible on the Internet, upgrade NAS firmware, apply strong passwords for user accounts, and take regular backups to prevent data loss.

The latest development marks the fourth round of DeadBolt attacks aimed at QNAP appliances since January 2022, followed by similar incursions in May and June.

"QNAP NAS should not be directly connected to the Internet," the company said. "We recommend users to make use of the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. This can effectively harden the NAS and decrease the chance of being attacked."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

QNAP Warns of New DeadBolt Ransomware Attacks Exploiting Photo Station Flaw

Categories: Exploits and vulnerabilities
Categories: News
The Google Chrome Team recently issued a fix for the CVE-2022-3075 zero-day.



(Read more...)




The post Zero-day puts a dent in Chrome's mojo appeared first on Malwarebytes Labs.

On Friday, Google announced the release of a new version of its Chrome browser that includes a security fix for a zero-day tracked as CVE-2022-3075. As with previous announcements, technical details about the vulnerability won't be released until a certain number of Chrome users have already applied the patch.

Google is urging its Windows, Mac, and Linux users to update Chrome to version **105.0.5195.102**.

CVE-2022-3075 is described as an "\[i\]nsufficient data validation in Mojo". According to Chromium documents, Mojo is "a collection of runtime libraries” that facilitates interfacing standard, low-level interprocess communication (IPC) primitives. Mojo provides a platform-agnostic abstraction of these primitives, which comprise most of Chrome's code.

An anonymous security researcher is credited for discovering and reporting the flaw.

CVE-2022-3075 is the sixth zero-day Chrome vulnerability Google had to address. The previous ones were:

*   CVE-2022-0609, a Use-after-Free (UAF) vulnerability, which was patched in February
*   CVE-2022-1096, a "Type Confusion in V8" vulnerability, which was patched in March
*   CVE-2022-1364, a flaw in the V8 JavaScript engine, which was patched in April
*   CVE-2022-2294, a flaw in the Web Real-Time Communications (WebRTC), which was patched in July
*   CVE-2022-2856, an insufficient input validation flaw, which was patched in August

Google Chrome needs minimum oversight as it updates automatically. However, if you're in the habit of not closing your browser or have extensions that may hinder Chrome from automatically doing this, please check your browser every now and then.

Once Chrome notifies you of an available update, don't hesitate to download it. The patch is applied once you relaunch the browser.

Stay safe!

Tag

#zero_day