Nov 14

Threat Intelligence: Microsoft Zero-day Patched

Researchers have discovered a zero-day vulnerability (CVE-2018-8589) within win32k.sys affecting 32-bit versions of Windows 7. The vulnerability was reported to Microsoft on October 17th and is a privilege escalation vulnerability. It exists due to “improper locking of messages sent synchronously between threads.” If exploited successfully, it could allow an attacker to view or alter data, install programs, or create new user accounts by “running arbitrary code in the context of the local system.” At the time of writing this article, the delivery method remains unknown, however according to researchers, “the exploit was executed by the first stage of a malware installer, in order to gain the necessary privileges for persistence on the victim’s system.” The zero-day is currently being used by at least one APT actor but if an attacker attempts to exploit the zero-day on machines that are up to date with security updates, the system will crash.

read more →
Nov 13

Threat Intelligence: WordPress Zero-day

A zero-day vulnerability has been discovered affecting WP GDPR Compliance. WP GDPR Compliance is a WordPress plugin that aids website owners become GDPR compliant. The plugin is one of the more popular GDRP plugins available with over 100,000 active installations.

First seen roughly three weeks ago, the vulnerability used to gain access to WordPress sites and install backdoors. The plugin was removed earlier last week, however it was reinstated on November 7th after the release of version 1.4.3, which contained a patch for the vulnerability.

Attackers are actively exploiting the vulnerability for anyone running version 1.4.2 and older. According to researchers, “attackers are targeting a WP GDPR Compliance bug that allows them to make a call to one of the plugin's internal functions and change settings for both the plugin, but also for the entire WordPress CMS.” At the time of writing this article, there are two techniques using the vulnerability.

In the first, the attacker uses the vulnerability to open the website’s registration system and will reset the default role for new accounts to administrator. The attacker will then create a new account that has usually been seen as “t2trollherten” and set back default user role for new accounts to subscriber. Public registration is then disabled and the attacker logs into their new account to install a backdoor on the site titled “wp-cache.php.” The backdoor contains a file manager, PHP eval() runner, and a terminal emulator.

The second technique is quieter and involves using the GDPR compliance vulnerability. It’s used to add a new task to WP-Cron, which is the built-in task scheduler. The attacker will download and install the plugin, which is later used to upload another backdoor on the site. This backdoor is also named wp-cahe.php, but is different than the previous one. Even though the second scenario is supposed to be quieter, it actually caused the zero-day to be discovered. This is because on some sites, the attacker’s exploitation routine failed to delete the plugin and site owners saw that a new plugin appeared.

read more →