WordPress shopping sites under attack

WordPress-based shopping sites are under attack from a hacker group abusing a vulnerability in a shopping cart plugin to plant backdoors and take over vulnerable sites.

Attacks are currently ongoing, according to Defiant, the company behind Wordfence, a firewall plugin for WordPress sites.

Hackers are targeting WordPress sites that use “Abandoned Cart Lite for WooCommerce,” a plugin installed on over 20,000 WordPress sites, according to the official WordPress Plugins repository.

How the vulnerability works

These attacks are one of those rare cases where a mundane and usually harmless cross-site scripting (XSS) vulnerability can actually lead to serious hacks. XSS flaws are rarely weaponized in such a dangerous manner.

These hacks are occurring because of the plugin and vulnerability’s mode of operation, both of which combine to create the perfect storm.

The plugin, as its name implies, allows site administrators to view abandoned shopping carts, that is, the products users added to their carts before they suddenly left the site. Site owners use this plugin to infer a list of potentially popular products that a store might want to have in stock in the future.

These lists of abandoned carts are only accessible in the WordPress site’s backend, and usually only to admins or other users with high-privileged accounts.

How hackers are exploiting the flaw

According to a report from Defiant security researcher Mikey Veenstra, hackers are automating operations against WordPress WooCommerce-based stores to generate shopping carts that contain products with malformed names.

They add exploit code in one of the shopping cart’s fields, then leave the site, an action that ensures the exploit code gets stored in the shop’s database.

When an admin accesses the shop’s backend to view a list of abandoned carts, the hackers’ exploit code is executed as soon as a particular backend page is loaded on the user’s screen.

Veenstra said that Wordfence has detected several exploitation attempts using this technique in the past few weeks.

The attacks the company spotted used exploit code that loaded a JavaScript file from a bit.ly link. This code tried to plant two different backdoors on sites running the vulnerable plugin.

The first backdoor takes the form of a new admin account that hackers create on the site. This new admin user is named “woouser,” is registered with the “woouser401a@mailinator.com” email address, and uses a password of “K1YPRka7b0av1B”.

The second backdoor is very clever, and is a technique that’s been rarely seen. Veenstra told ZDNet the malicious code lists all the site’s plugins and looks for the first one that’s been disabled by the site admin.

Hackers don’t re-enable it, but instead, they replace the content of its main file with a malicious script that works as a backdoor for future access. The plugin will remain deactivated, but since its files are still on disk and reachable by web requests, the hackers can send malicious instructions to this second backdoor in case site owners remove the “woouser” account.

[Figure: Bit.ly link stats. Image: ZDNet]

The bit.ly link used for this campaign has been accessed more than 5,200 times, suggesting that the number of infected sites is most likely in the thousands.

However, the 5,200+ number isn’t entirely accurate. Veenstra explains.

“The Bit.ly stats can be misleading because one infected site can source that link several times if the XSS payload stays in the abandoned cart dashboard and the admin frequents it,” Veenstra told ZDNet in an interview.

“It’s also hard to tell how many successful XSS injections are sitting around waiting for an admin to open that page for the first time,” the researcher added, suggesting that many sites might have already been attacked, but a backdoor has yet to be deployed on them, and hence the bit.ly link has not yet been loaded.

Right now, Veenstra and the rest of the Defiant staff can’t say for sure what hackers are trying to achieve by hacking into all these WordPress-based shopping carts.

“We don’t have a lot of data about successful exploits because our WAF stopped any of our active users from getting compromised,” Veenstra said.

Hackers could be using these sites for anything from SEO spam to planting card skimmers.

The “Abandoned Cart Lite for WooCommerce” plugin received a fix for the XSS attack vector hackers are exploiting during these recent attacks in version 5.2.0, released on February 18.

Owners of WordPress shopping sites using the plugin are advised to update their sites and review their control panel’s admin account list for suspicious entries. The “woouser” account might not be present, as hackers could have changed it to something else.
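
The account review advised above, together with a check for the second backdoor, as an added example (not code from Defiant, ZDNet or the plugin). The record fields follow the JSON that WP-CLI's `wp user list` and `wp plugin list` print; the admin allowlist, the hash baseline and the sample data are assumptions constructed for illustration.

```python
import hashlib
import json

# IoCs the article reports for the first backdoor.
IOC_LOGIN = "woouser"
IOC_EMAIL = "woouser401a@mailinator.com"

def audit_admins(admins, known_admins):
    """Return (login, reason) for each administrator that needs review."""
    findings = []
    for user in admins:
        login, email = user["user_login"], user["user_email"].lower()
        if login == IOC_LOGIN or email == IOC_EMAIL:
            findings.append((login, "matches reported IoC"))
        elif login not in known_admins:
            # The account may have been renamed, so any admin outside
            # the owner's allowlist gets a manual look.
            findings.append((login, "admin not in allowlist"))
    return findings

def audit_inactive_plugins(plugins, baseline, read_main_file):
    """Return deactivated plugins whose main file differs from the baseline hash."""
    changed = []
    for plugin in plugins:
        if plugin["status"] != "inactive":
            continue
        digest = hashlib.sha256(read_main_file(plugin["name"])).hexdigest()
        if baseline.get(plugin["name"]) != digest:
            changed.append(plugin["name"])
    return changed

# Constructed sample data (not taken from a real site).
SAMPLE_ADMINS = json.loads("""[
  {"user_login": "shopowner", "user_email": "owner@shop.example"},
  {"user_login": "woouser", "user_email": "woouser401a@mailinator.com"},
  {"user_login": "support2", "user_email": "s2@mail.example"}
]""")
SAMPLE_PLUGINS = [
    {"name": "old-gallery", "status": "inactive"},
    {"name": "seo-tool", "status": "inactive"},
    {"name": "cart", "status": "active"},
]
CLEAN = {"old-gallery": b"<?php // gallery", "seo-tool": b"<?php // seo"}
ON_DISK = {**CLEAN, "old-gallery": b"<?php // content replaced"}
BASELINE = {name: hashlib.sha256(data).hexdigest() for name, data in CLEAN.items()}

if __name__ == "__main__":
    print(audit_admins(SAMPLE_ADMINS, {"shopowner"}))
    print(audit_inactive_plugins(SAMPLE_PLUGINS, BASELINE, ON_DISK.__getitem__))
```

On a live site, `read_main_file` would read the plugin's main PHP file from disk, and the baseline would come from a copy of the plugin the owner trusts.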


Managing Vulnerabilities in a Cloud Native World

This free 1-hour webinar from GigaOm Research brings together experts in Cloud Native Vulnerability Management, featuring analyst Iben Rodriguez and special guest from Palo Alto Networks, John Morello. The discussion will focus on optimizing cloud security posture and integration with enterprise tool sets.

We will review platforms delivering Security Posture Management and Workload Protection for Microservice based and Hybrid Cloud Workloads.

Registrants will learn how new customers can benefit from Prisma Cloud to better secure their complex multi-cloud environments. Existing customers will learn about new features they can take advantage of and how to optimize their limited resources.

Register now to join GigaOm and Palo Alto Networks for this free expert webinar.

The post Managing Vulnerabilities in a Cloud Native World appeared first on Gigaom.

Security Tools Help Bring Dev and Security Teams Together

Software development teams are increasingly focused on identifying and mitigating any issues as quickly and completely as possible. This relates not only to software quality but also software security. Different organizations are at different levels when it comes to having their development teams and security teams working in concert, but the simple fact remains that there are far more developers out there than security engineers.

Those factors are leading organizations to consider security tooling and automation to proactively discover and resolve any software security issues throughout the development process. In the recent report, “GigaOm Radar for Developer Security Tools,” Shea Stewart examines a roundup of security tools aimed at software development teams.

Stewart identified three critical criteria to bear in mind when evaluating developer security tools. These include:

  • Vendors providing tools to improve application security can and should also enhance an organization’s overall security posture.
  • The prevailing “shift-left” mindset doesn’t necessarily mean that responsibility for reducing risk should shift to development; rather, focusing on security earlier in the process and continuing to do so throughout development will reduce risk and the need for extensive rework.
  • Security throughout the entire software development lifecycle (SDLC) is critical for any organization focused on reducing risk.

Figure 1. How Cybersecurity Applies Across Each Stage of the Software Development Lifecycle. (*Note: This report focuses only on the Developer Security Tooling area.)

Individual vendors have made varying levels of progress and innovation toward enhancing developer security. Following several acquisitions, Red Hat, Palo Alto Networks, and Rapid7 have all added tooling for developer security to their platforms. Stewart sees a couple of the smaller vendors like JFrog and Sonatype as continuing to innovate to remain ahead of the market.

Vendors delving into this category and moving deeper into “DevSecOps” all seem to be taking different approaches to their enhanced security tooling. While they are involving security in every aspect of the development process, some tend to be moving more quickly to match the pace of the SDLC. Others are trying to shore up existing platforms by adding functionality through acquisition. Both infrastructure and software developers are now sharing toolsets and processes, so these development security tools must account for the requirements of both groups.

While none of the 12 vendors evaluated in this report can provide comprehensive security throughout the entire SDLC, they all have their particular strengths and areas of focus. It is therefore incumbent upon the organization to fully and accurately assess its SDLC, involve the development and security teams, and match the unique requirements with the functionality provided by these tools. Even if it involves using more than one at different points throughout the process, focus on striking a balance between stringent security and simplifying the development process.

Read more: Key Criteria for Evaluating Developer Security Tools, and the Gigaom Radar for Developer Security Tool Companies.

The post Security Tools Help Bring Dev and Security Teams Together appeared first on Gigaom.

Key Criteria for Evaluating User and Entity Behavior Analytics (UEBA)

Cybersecurity is a multidisciplinary practice that not only grows in complexity annually but evolves nearly as quickly. A survey of the security landscape today would reveal concerns ranging from the classic compromised servers to the relatively new DevSecOps practices aimed at securing the rapid deployment of new code and infrastructure. However, some things remain constant no matter how much change is introduced. While technology evolves and complexity varies, there is almost always a human component in risks presented to an organization.

User Behavior Analysis (UBA) was designed to analyze the actions of users in an organization and attempt to identify normal and abnormal behaviors. From this analysis, malicious or risky behaviors can be detected. UBA solutions identify events that are not detectable using other methods because, unlike classic security tools (an IDS or SIEM for example), UBA does not simply pattern match or apply rule sets to data to identify security events. Instead, it looks for any and all deviations from baseline user activity.

As technology advanced and evolved, and the scope of what is connected to the network grew, the need to analyze entities other than users emerged. In response, entity analysis has been added to UBA to create UEBA or User and Entity Behavior Analysis. The strategy remains the same, but the scope of analysis has expanded to include entities involving things like daemons, processes, infrastructure, and so on.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

The post Key Criteria for Evaluating User and Entity Behavior Analytics (UEBA) appeared first on Gigaom.
