RISKS

What happened

Users of the WordPress plugin, BackupBuddy, are being advised to upgrade to the latest version (8.7.5 released 09/02/22) after a zero-day exploit was discovered by the Wordfence Threat Intelligence team.

BackupBuddy was designed to allow users to easily back up their entire WordPress installation from within the dashboard and featured the ability to store backup files in multiple different locations, such as Google Drive and OneDrive. The ability to also store backup downloads locally via the ‘Local Directory Copy’ option, unfortunately, was insecurely implemented, making it possible for unauthenticated users to download any file stored on the server.

According to plugin developer iThemes, “This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd.”

The exploit was discovered on September 2, 2022, but after reviewing historical data, Wordfence determined that attackers started targeting this vulnerability on August 26, 2022, and that they have blocked close to 5 million attacks targeting the vulnerability since that time.

The top 10 attacking IP addresses, according to Wordfence, are as follows (attacks blocked in parentheses):

  • 1) 195.178.120.89 (1,960,065)
  • 2) 51.142.90.255 (482,604)
  • 3) 51.142.185.212 (366,770)
  • 4) 52.229.102.181 (344,604)
  • 5) 20.10.168.93 (341,309)
  • 6) 20.91.192.253 (320,187)
  • 7) 23.100.57.101 (303,844)
  • 8) 20.38.8.68 (302,136)
  • 9) 20.229.10.195 (277,545)
  • 10) 20.108.248.76 (211,924)

A majority of the attacks observed are attempting to read the following files:

  • /etc/passwd
  • /wp-config.php
  • my.cnf
  • .accesshash
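That list of target files is also the defender's detection signal. As an added example (not code from the original briefing, nor from Wordfence or iThemes), the following Python scans combined-format web server access logs for requests that name any of those four files, URL-decoding twice so encoded spellings are not missed, and reports per-IP attempt counts plus any attempt the server answered with HTTP 200. The sample log is constructed, and its "/EXAMPLE-endpoint?file=" request is a placeholder, since the briefing does not describe the vulnerable request itself.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# File names the Wordfence data above says attackers were trying to read.
SENSITIVE_TARGETS = ("/etc/passwd", "wp-config.php", "my.cnf", ".accesshash")
# Combined-format access log line: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" '
                    r'(?P<status>\d{3}) (?:\d+|-)')

def decode(url):
    """URL-decode twice so double-encoded names like %2577p-config.php are caught."""
    return unquote(unquote(url)).lower()

def classify(line):
    """Return (ip, target, status) when the request names a sensitive file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = decode(m.group("url"))
    for target in SENSITIVE_TARGETS:
        if target in url:
            return (m.group("ip"), target, int(m.group("status")))
    return None

def summarize(lines):
    """Attempts per source IP, files each IP went after, and attempts answered with 200."""
    by_ip, targets, served = Counter(), defaultdict(set), []
    for line in lines:
        hit = classify(line)
        if hit:
            ip, target, status = hit
            by_ip[ip] += 1
            targets[ip].add(target)
            if status == 200:  # a 200 here means the file was most likely disclosed
                served.append((ip, target))
    return by_ip, targets, served

# Constructed sample log; "/EXAMPLE-endpoint?file=" is a placeholder, not the real request.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Sep/2022:10:00:01 +0000] "GET /EXAMPLE-endpoint?file=../../../../etc/passwd HTTP/1.1" 200 1842
203.0.113.10 - - [02/Sep/2022:10:00:02 +0000] "GET /EXAMPLE-endpoint?file=%2577p-config.php HTTP/1.1" 200 3011
198.51.100.7 - - [02/Sep/2022:10:00:03 +0000] "GET /?p=123 HTTP/1.1" 200 5120
198.51.100.7 - - [02/Sep/2022:10:00:04 +0000] "GET /EXAMPLE-endpoint?file=..%2F.accesshash HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Any entry in the served list should be treated as a probable disclosure of that file (rotate the credentials in wp-config.php or my.cnf), not merely a blocked attempt.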

This is not the first time a plugin flaw has been disclosed in WordPress environments; in fact, thousands of flaws have been disclosed in recent years, mostly involving plugins.

According to Dark Reading, “A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.”


Why is this important?

Plugins are necessary components of your organization’s website that enhance the capabilities of the site, but each one is yet another piece of software that can be compromised, giving attackers access to your data.


What does this mean to me?

It’s difficult yet important to stay current on all software and technology components and to react quickly to update those components when a vulnerability or a zero-day exploit is identified. Out-of-date software is one of the easiest paths hackers can use to get access to your data.


APPROACHES

Helpful Controls

Application Security Monitoring

Application Security Architecture Review

Patch Management
• Identify sources for patch and vulnerability information
• Monitor for patch release


Commonality of attack

High


Article on story

Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy


HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.
