Ransomware, WordPress Plugin Vulnerability, and network compromise. This week’s cyber news update is all over the place.
Honing Cybersecurity Strategy When Everyone’s a Target for Ransomware
These days, ransomware is seemingly ubiquitous. No longer just a discussion topic for cybersecurity professionals and researchers, it now rarely goes a week without appearing in the mainstream media.
It’s rapidly become a commonplace word, and in some respects, this increased visibility is a positive development. While it’s not good that everyone’s talking about it in connection with recent attacks, what is good is that awareness (hopefully) is also increasing. Because in today’s world, essentially everyone is a potential target for ransomware – and that means security pros have their work cut out for them.
Increased Vulnerability Overall
Even the most avowed Luddites among us probably have at least a tiny digital footprint, whether they know it or not. If you buy groceries with a debit card, visit a doctor or pay taxes, there is personal information about you in a digital format somewhere. And that’s just to name a few examples.
That means the mentality of “Oh, I don’t have anything cybercriminals would be interested in” needs to be set aside for good. Yes, you do, and even if you don’t think you do directly, you’re probably connected to someone else with more valuable digital assets – and bad actors will try to use you as a pathway. And as security professionals, we need to make everyone understand this.
The explosion of attacks is the result of threat actors picking the lowest-hanging fruit with incredibly powerful digital “pickers” and scalable resources – including automated approaches and machine learning. For example, consider how they are using spear-phishing through weaponized machine learning to target executives. It also means that low-security IoT devices, unpatched systems, and more can all be detected more easily and efficiently than ever.
The Lowest-Hanging Fruit Isn’t Always the Best Target
While not all hackers are out for the money, if they are, they become particularly crafty at plying their trade. What malicious actors are often looking for are the “keys to the kingdom” — the most lucrative mission-critical information, passwords, contacts or accounts — which is usually found within the C-suite. And not only do C-suite targets have the most valuable organizational data, but they are also the decision-makers of whether to pay a ransom.
This creates two situations that put executives under even greater threat. First, it makes a ransomware attack on a C-suite decision maker incredibly efficient, which achieves maximum ROI for threat actors. Second, it makes a C-suite executive’s personal communications incredibly valuable and particularly vulnerable. The tighter cybercriminals can twist the screws with embarrassing business and private communications threatened for release, the greater their chances for payment – and often, the more they can demand.
The sad reality is that the majority of executives, and particularly their direct reports, are incredibly soft targets. Cybercriminals today have increasingly sophisticated technology. When tools like AI-generated deep fake technology are used, ransomware’s simplicity is deceptive in more ways than one. When threat actors gain access to personal communications, it is ridiculously easy to use AI to mirror the tone and style of people you’d never suspect – not just another member of the C-suite or a business leader, but a close friend, a spouse or a family member.
More Cybersecurity Training is Needed
Social-engineering schemes such as phishing attacks continue to be one of the most common vectors for ransomware and other cybersecurity attacks. And while many organizations are allegedly doing training for employees, those workers are apparently not retaining what they’ve been taught.
A recent report by Cloudian found that phishing attacks succeeded even though 54 percent of all respondents – and 65 percent of those who reported it as the entry point of a ransomware attack – had conducted anti-phishing training for employees.
Greater awareness is the fundamental principle on which a strong cybersecurity strategy is based. Although many organizations focus on the daily end-user cyber awareness training, they should also consider the value of training their security and network professionals.
To maximize investments and enhance cybersecurity, cyber-awareness training should ensure that technical security professionals gain the knowledge required to optimize solution deployments for enhanced security. By taking steps to prioritize cybersecurity awareness training, organizations and their employees can get ahead of threats before they can make an impact.
At the same time, cybersecurity training needs to be conducted across the board – that includes executives, who can’t be overlooked, given the access they have and the huge targets on their backs.
Don’t Discriminate – Educate
Ransomware doesn’t discriminate. Today, everyone is a potential target. If you have even the smallest of digital footprints, you face the risk of ransomware and other types of attacks. That’s even truer for the C-suite, who have access to more sensitive data. Given this reality, organizations need to extend cyber-awareness training across the entire enterprise. No employee is too big or too small for this type of education. In a world where everyone’s at risk, it makes sense to equip every employee with the information they need to help defeat cybercrime.
XSS vulnerability in popular WordPress plugin SEOPress could enable complete site takeover
A cross-site scripting (XSS) vulnerability in a popular WordPress plugin could allow an attacker to completely take over a website, researchers have warned.
The flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site, which would execute anytime a user accessed the ‘All Posts’ page.
The vulnerable plugin, SEOPress, is installed on more than 100,000 websites.
One of the features available in SEOPress is the ability to add an SEO title and description to posts, which can be done while saving edits to a post or via a newly introduced REST-API endpoint, the researcher, Chamberlain, explains.
“Unfortunately, this REST-API endpoint was insecurely implemented,” the researcher wrote.
“The permissions_callback for the endpoint is only verified if the user had a valid REST-API nonce in the request.
“A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action.
“This meant that any authenticated user, like a subscriber, could call the REST route with a valid nonce, and update the SEO title and description for any post.”
Decade-long vulnerability in multiple routers could allow network compromise
UPDATED A 12-year-old authentication bypass vulnerability that could allow attackers to compromise networks and devices has been discovered in at least 20 router models, potentially affecting millions of users.
Discovered by Evan Grant of Tenable, the critical path traversal flaw is tracked as CVE-2021-20090, with a CVSS of 9.8, and is exploitable by unauthenticated, remote attackers.
Grant found the issue, which has been present for at least 12 years, in Buffalo routers, specifically the Arcadyan-based web interface software.
In a blog post, the researcher explained that one of the first things he looks at while analyzing any web application or interface is how it handles authentication.
Grant found that the bypass_check() function compared only as many bytes of the requested path as there are in each bypass_list string, so anything after a matching prefix was never examined.
Grant wrote: “This means that if a user is trying to reach http://router/images/someimage.png, the comparison will match since /images/ is in the bypass list, and the URL we are trying to reach begins with /images/.
“The bypass_check() function doesn’t care about strings which come after, such as ‘someimage.png’.
“So what if we try to reach /images/../<somepagehere>? For example, let’s try /images/..%2finfo.html. The /info.html URL normally contains all of the nice LAN/WAN info when we first login to the device, but returns any unauthenticated users to the login screen.”
Grant was able to exploit this vulnerability to bypass authentication, allowing unauthenticated users to access pages they shouldn’t be able to.
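The prefix-only comparison Grant describes, beside a fail-closed variant, as an added illustration that is not Arcadyan's or Tenable's code. The names bypass_check and bypass_list and the probe URLs come from the article; the bypass list contents (beyond "/images/"), url_decode and the segment walk are this example's own assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed bypass list: "/images/" is the entry quoted in the article, "/js/" is added here. */
static const char *bypass_list[] = { "/images/", "/js/", NULL };

/* Flawed check as Grant describes it: only strlen(entry) bytes of the request are compared,
 * so whatever follows a matching prefix (e.g. "..%2finfo.html") is never examined.
 * Returns 1 when the request may skip authentication. */
int bypass_check_flawed(const char *url) {
    for (const char **e = bypass_list; *e; e++)
        if (strncmp(url, *e, strlen(*e)) == 0) return 1;
    return 0;
}

/* Percent-decode in -> out (out needs strlen(in)+1 bytes); returns 0 on a malformed escape. */
static int url_decode(const char *in, char *out) {
    while (*in) {
        if (*in != '%') { *out++ = *in++; continue; }
        if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2])) return 0;
        char hex[3] = { in[1], in[2], '\0' };
        *out++ = (char)strtol(hex, NULL, 16);
        in += 3;
    }
    *out = '\0';
    return 1;
}

/* Hardened check: decode first, then fail closed on any "." or ".." segment, so a
 * non-canonical path never reaches the prefix comparison. The ".." in the article's
 * probe "/images/..%2finfo.html" becomes visible after decoding and is rejected. */
int bypass_check_fixed(const char *url) {
    char dec[256];
    if (strlen(url) >= sizeof dec || !url_decode(url, dec)) return 0;
    for (const char *s = dec; *s; s++) {          /* s points at a segment start */
        const char *e = s;
        while (*e && *e != '/') e++;
        size_t len = (size_t)(e - s);
        if ((len == 1 && s[0] == '.') || (len == 2 && s[0] == '.' && s[1] == '.')) return 0;
        s = e;                                     /* loop's s++ skips the '/' */
        if (!*s) break;
    }
    for (const char **e = bypass_list; *e; e++)
        if (strncmp(dec, *e, strlen(*e)) == 0) return 1;
    return 0;
}
```

The same decode-then-canonicalize ordering is the check to look for in any allow-list that is matched on raw request paths: if the file handler decodes after the authorization decision, the two see different paths.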
Two other vulnerabilities, CVE-2021-20091 and CVE-2021-20092, were found that currently are only known to affect specific Buffalo routers.
Grant told The Daily Swig: “CVE-2021-20091 would allow an authenticated attacker (or one leveraging the aforementioned authentication bypass) to gain root access to the device by injecting a line into the router’s configuration file, which enables the telnet service upon reboot.
“CVE-2021-20092 allows unauthenticated attackers to read sensitive configuration settings including, for certain models, the admin password to the web interface.”
The issue has since been patched; the affected firmware is Buffalo WSR-2533DHPL2 up to and including version 1.02, and WSR-2533DHP3 up to and including version 1.24.
More vulnerable devices
After confirming the vulnerability was present in the Buffalo router, Grant said that he discovered it also affected at least 20 other models.
“This [vulnerability] appears to be shared by almost every Arcadyan-manufactured router/modem we could find, including devices which were originally sold as far back as 2008,” wrote Grant.
Grant said this latest discovery sparks concern around the risk of supply chain attacks, an ever-increasing and serious threat to organizations and technology users.
“There is a much larger conversation to be had about how this vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors,” Grant wrote.
He told The Daily Swig that the vulnerabilities were “fairly easy to discover” and “trivial to exploit”.
“Consequently, we were surprised they hadn’t been discovered and fixed by the manufacturer or vendors who are selling affected devices over the past decade,” Grant added.
“The authentication bypass vulnerability exists due to a list of folders which fall under a ‘bypass list’ for authentication, and improper validation of the paths being provided, leading to the path traversal.
“For most of the devices listed, that means that the vulnerability can be triggered by multiple paths.
“The severity of the flaw depends on other vulnerabilities within the device, such as CVE-2021-20091 present in the Buffalo router that grants the root access.
“At least two different vendors were found to have other vulnerabilities unique to their own devices that an attacker could potentially daisy-chain for further exploitation.”
The researcher also noted that this latest disclosure is “an important lesson in how one should approach research on consumer electronics”.
He added: “The vendor selling you the device is not necessarily the one who manufactured it, and if you find bugs in a consumer router’s firmware, they could potentially affect many more vendors and devices than just the one you are researching.”