BF-SIRT Newsletter 2014-12

Welcome to another edition of the newsletter! We have some interesting stories this week, such as how Authorities arrest infamous hacker “Diabl0” in Bangkok and 25,000 UNIX servers hijacked by backdoor Trojan. We also have some posts of our own, one being how Your WordPress installation can be used in Denial of Service attacks, and the other one about the important iOS 7.1 Update.

Top 5 Security links
Authorities arrest infamous hacker “Diabl0” in Bangkok
Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
BAE System Publishes White Paper on “Snake” Cyber Espionage Campaign
Kick us as hard as you like, RIGHT IN THE CYBERS, says Japan
25,000 UNIX servers hijacked by backdoor Trojan

Top 5 Business Intelligence links
Techniques used in high-profile data breaches
Twelve million hit as Korea suffers ANOTHER massive data breach
Fraudulent tax returns net nearly $4 billion for cybercriminals
83% of businesses are not prepared for an online security incident
20% of all malware ever created appeared in 2013

Basefarm Posts
Your WordPress installation can be used in Denial of Service attacks
iOS 7.1 Update

iOS 7.1 Update

Apple released an update to their iOS, 7.1.
This update contains a lot of security updates, so it’s recommended to update your devices as soon as possible.

More information:
http://support.apple.com/kb/HT6162

Your WordPress installation can be used in Denial of Service attacks

One of our employees at Basefarm, Senghan Bright, is the System Manager for WordPress here at Basefarm. Here is some information from him:

Due to a setting that is enabled by default on WordPress, there’s an exploit that can be used to send a request to a target domain using the WordPress site as a proxy.
With enough WordPress installations at your disposal, scripted requests from them collectively are enough to perform a denial of service.

Whilst this is not a new vulnerability, the amount of media attention this exploit has got in recent days brought it to my attention, and the raised awareness means the likelihood of this being used in the wild will have substantially increased:
http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

These two sites go into a little more detail on how the API is used to perform the exploit:
http://blog.spiderlabs.com/2014/03/wordpress-xml-rpc-pingback-vulnerability-analysis.html
http://www.pentestgeek.com/2013/01/03/wordpress-pingback-portscanner-metasploit-module/

I’ve tested some proof-of-concept code on a few test WordPress installations, and observed the API successfully send requests out to a target site, with the source appearing to be the test WordPress installation with its IP.
There are various methods to disable the exploit. Being that the API has a lot of perfectly valid functionality that customers may use on their sites, the least destructive method is to install the following WordPress plugin:

http://wordpress.org/plugins/disable-xml-rpc-pingback/

This disables the specific exploitable function, whilst leaving the rest of the API working as normal.
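Two defender-side checks for the issue Senghan describes, as an added example that is not from the newsletter or Basefarm: whether a site's XML-RPC method list still advertises pingback.ping (the method the linked plugin removes), and access-log indicators of a site being driven as a reflector or being the target. It assumes a constructed system.listMethods reply, constructed combined-format log lines, and that WordPress's outbound HTTP client sends its default User-Agent of the form 'WordPress/<version>; <site url>'.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed reply to a system.listMethods call on xmlrpc.php for a site that
# still advertises the pingback method (this is what the plugin removes).
LIST_METHODS_REPLY = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

def pingback_exposed(reply_xml: str) -> bool:
    """True if the advertised XML-RPC method list still contains pingback.ping."""
    root = ET.fromstring(reply_xml)
    return "pingback.ping" in {v.text for v in root.iter("string")}

# Apache/nginx combined log format: ip ident user [time] "req" status size "ref" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def pingback_indicators(lines):
    """Two counts a hosting admin wants from the access log: POSTs to xmlrpc.php
    per client IP (your site driven as a reflector) and distinct sources sending
    the default 'WordPress/<ver>; <url>' User-Agent (you being the target)."""
    posts = Counter()
    wp_sources = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, agent = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            posts[ip] += 1
        if re.match(r"WordPress/\d[\w.]*; https?://", agent):
            wp_sources.add(ip)
    return posts, len(wp_sources)

# Constructed access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Mar/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Mar/2014:10:00:03 +0000] "GET /?1234 HTTP/1.0" 200 9312 "-" "WordPress/3.8.1; http://wp-a.example"',
    '198.51.100.8 - - [14/Mar/2014:10:00:03 +0000] "GET /?9876 HTTP/1.0" 200 9312 "-" "WordPress/3.8.1; http://wp-b.example"',
    '203.0.113.5 - - [14/Mar/2014:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 9312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("pingback.ping exposed:", pingback_exposed(LIST_METHODS_REPLY))
    print("xmlrpc POSTs per IP, WordPress-agent sources:", *pingback_indicators(SAMPLE_LOG))
```

After installing the plugin, a system.listMethods reply from your own xmlrpc.php should no longer list pingback.ping while the wp.* methods remain.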

BF-SIRT Newsletter 2014-10

The newsletter will take a break next week due to vacations; see you next time in week 12!

Top 5 Security links
Hackers churning out 55,000 malware variants every day
Tor Network Used to Hide 900 Botnets and Darknet Markets, Says Kaspersky Lab
New approach to SQL injection detection
GNUTLS Certificate verification flaw exposes Linux distros, Apps to attack
Pre-installed Malware Turns Up on New Phones

Top 5 Business Intelligence links
Cyber battle apparently under way in Russia-Ukraine conflict
Team Cymru spots 300,000 compromised SOHO gateways
Zeus retrieves attack list hidden in sunset and cat images
Is This Russia’s Stuxnet? Security Firm Spots Suspicious ‘Uroburos’ Rootkit
China Ramps Up Cybersecurity Efforts, Strives to Become “Internet Power”