In This Issue:
In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.
- WordPress 5.0 Patched to Fix Serious Bugs
- Logitech Keystroke Injection Flaw
- Three Questions Quiz Scam
- Beware of Threats By E-Mail
- Phish Tale of the Week
- How can Netizen help?
WordPress 5.0 Patched to Fix Serious Bugs
WordPress recently updated to 5.0.1 after a number of serious bugs were reported in the recently released WordPress 5.0. WordPress is an open-source content management system, built on PHP and MySQL, used to create websites such as blogs, media galleries, forums, and online stores. The update addresses several flaws in the initial 5.0 release.
- Sensitive Data Exposure: The most serious of the bugs allowed the WordPress “user activation screen” to be indexed by Google and other search engines, leading to the possible public exposure of email addresses and in some rare cases, the default generated passwords.
- PHP Object Injection: Contributors could craft attachment metadata in a way that results in PHP object injection. The vulnerability allows an author to assign an arbitrary file path that uses the PHAR stream wrapper to reference a previously uploaded attachment, which leads to the object injection, because PHAR files store serialized objects in their metadata.
- Unauthorized Post Creation: Authors of a site could create posts of unauthorized post types with specially crafted input. The attacker would need at least ‘author’ level privilege to be able to perform the attack.
- Privilege Escalation/Cross-site Scripting: Contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability. This is another vulnerability that requires a higher-level user role, making the likelihood of widespread exploitation quite low. WordPress addressed this issue by removing the <form> tag from their HTML white-list.
- Unauthorized File Deletion: Author-level users could alter metadata to delete files that they weren’t authorized to modify. This issue stems from the two arbitrary file delete vulnerabilities fixed in WordPress 4.9.6.
Sites on WordPress 5.0 should update to version 5.0.1 as soon as possible. Those with automatic updates enabled for WordPress core should have already been updated, but given the nature of the vulnerabilities, we recommend you check your sites manually just in case. Sites running WordPress 4.x versions should update to version 4.9.9 as soon as possible.
Logitech Keystroke Injection Flaw
Logitech’s ‘Options’ application, which allows users to customize the functionality and behavior of their mice, keyboards & trackpads, still has a vulnerability that allows an attacker to perform keystroke injection attacks more than three months after being alerted by a bug report from Google’s Project Zero.
Google security researcher Tavis Ormandy first discovered back in September that the app was opening a WebSocket server on users’ machines. The server in question supported a number of intrusive commands and used a registry key to auto-start on each system boot. Ormandy detailed in the report how the software bug allowed someone to take control of a user’s system:
“The only ‘authentication’ is that you have to provide a PID [process ID] of a process owned by your user but you get unlimited guesses so you can bruteforce it in microseconds. After that, you can send commands and options, configure the ‘crown’ to send arbitrary keystrokes, etc, etc.”
Logitech has released two updates to the application since being informed, but it appears that the issue still persists.
If you are using the Logitech Options application, disable it until a fix has been released.
Three Questions Quiz Scam
An estimated 78 brands have been impersonated over the last year in what can be described as a well-organized online phishing scheme. Users are tricked into handing personal information to the threat actor behind a malicious website, apparently after winning a prize for answering three questions.
The phishing campaign targeted four separate industries: airline travel, retail, food, and entertainment; airline travel was the largest targeted industry at 32.34 percent of malicious domains, targeting 23 companies. A handful of the companies impersonated include Kroger, Dunkin’ Donuts, United Airlines, JetBlue, Target, Outback Steakhouse, and Disneyland.
While each phishing attempt is tailored to a particular organization, the phishes share some similarities. For instance, like many phishing emails, they try to rush the user by employing urgent language (“This offer will expire soon!”). They also try to lend the email legitimacy by including social media profiles of other “winners” of the quiz.
After completing the quiz, the user is told they have won a prize (plane ticket, gift card, etc.) but must first divulge some information about themselves and share the link to the quiz, which helps to propagate the scam across the internet.
The “Quiz” has also evolved to allow for automatic translation capabilities and the creation of new fake social media profiles. It is likely this method of phishing will be used in the future.
Anything unsolicited should always be suspect, but our phishing recommendations at the bottom of this bulletin highlight ways to recognize and verify scams like this one.
Beware of Threats By E-Mail
In a return to some older tactics, a new wave of extortion emails does not threaten your computer data with ransomware; it threatens you. These emails demand payment in bitcoin and claim that a bomb has been planted in your office or facility, supposedly by a “disgruntled employee” or simply at random. Other variations are more personal, threatening an acid attack.
Ensure your employees know what to do in the event of a bomb threat or a personal threat within your facility, and make them aware of this type of email. While such threats cannot be ignored completely, they do warrant a level of review, especially the more personal ones, to ensure the safety of your people.
Phish Tale of the Week
Netizen captures many phishes each month, which we feature here. This week one of our users was sent an email claiming to be from the IRS with an attached voicemail. The “voicemail”, as it turns out, leads to an unknown link. The overall format and sender make this email less than reputable.
A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.
- Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message.
- Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
- Do not give out personal or company information.
- Review both signature and salutation.
- Do not click on attachments.
- Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
- Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.
Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email demanding immediate action or addressing you in a threatening manner should be treated with suspicion. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
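As an added illustration (not part of the bulletin), the following Python screener applies the checklist above to a raw email: it checks the sender’s domain, the salutation, urgent wording, requests for PII, and whether links use HTTPS and point at the company’s own domain. The trusted-domain set, the word lists, and the sample message are constructed assumptions modelled on the IRS “voicemail” phish described above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Wording the checklist warns about: urgency or threats, and requests for PII.
URGENT = re.compile(r"\b(urgent|immediately|act now|within \d+ hours|expires? soon)\b", re.I)
PII = re.compile(r"\b(password|social security|credit card|bank account)\b", re.I)
GENERIC_GREETING = re.compile(r"^(dear|hello|hi)\s+(customer|user|member|sir|madam)\b", re.I | re.M)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_trusted(host: str, trusted: set[str]) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def inspect_email(raw: str, trusted: set[str]) -> list[str]:
    """Return the checklist items a plain-text message trips; an empty list means no red flags."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if not is_trusted(sender_host, trusted):
        flags.append("sender-domain")        # sender is not the company it claims to be
    if GENERIC_GREETING.search(body):
        flags.append("generic-salutation")   # mass-mailed, not addressed to you by name
    if URGENT.search(msg.get("Subject", "") + "\n" + body):
        flags.append("urgent-language")
    if PII.search(body):
        flags.append("pii-request")          # a legitimate company already has this data
    for link in URL.findall(body):
        parsed = urlparse(link)
        if parsed.scheme.lower() != "https":
            flags.append("insecure-link")    # no HTTPS
        if not is_trusted(parsed.hostname or "", trusted):
            flags.append("link-domain")      # link points away from the company's site
    return sorted(set(flags))

# Constructed sample in the style of the IRS "voicemail" phish (not the real message).
PHISH = """From: IRS Notifications <refunds@irs-voicemail-center.example>
To: employee@company.example
Subject: URGENT: New voicemail from IRS agent

Dear Customer,
You have 1 new voicemail. Listen within 24 hours or your refund expires soon:
http://irs-voicemail-center.example/listen?id=1234
Please confirm your social security number to release the message.
"""
```

Running `inspect_email(PHISH, {"irs.gov", "company.example"})` trips every check; an internal reminder from a known domain with an HTTPS link to that domain and no urgency returns an empty list.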
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management) certified company.