Cybersecurity Updates For Week 9 of 2022

DORA’s Global Reach and Why Enterprises Need to Prepare

A new cybersecurity regulation is coming to the European financial services sector, and its authority will be felt worldwide.

Read more:

Shadowserver Special Reports – Cyclops Blink

On 2022-03-03 we sent out a second special report with an additional 673 IPs likely infected with Cyclops Blink, observed on 2022-02-24.

Read more:

Free HermeticRansom Ransomware Decryptor Released

A free decryptor is out to unlock a ransomware found piggybacking on the HermeticWiper data wiper malware that ESET and Broadcom’s Symantec discovered targeting machines at financial, defense, aviation and IT services outfits in Ukraine, Lithuania and Latvia last week.

Read more:

Other news worth mentioning:

Conti Ransomware Group Diaries, Part I: Evasion
Conti Ransomware Group Diaries, Part II: The Office
Conti Ransomware Group Diaries, Part III: Weaponry
Russia Releases List of IPs, Domains Attacking Its Infrastructure with DDoS Attacks

Your WordPress installation can be used in Denial of Service attacks

Senghan Bright, the System Manager for WordPress here at Basefarm, has shared the following information:

Due to a setting that is enabled by default on WordPress, there’s an exploit that can be used to send a request to a target domain using the WordPress site as a proxy.
With enough WordPress installations at your disposal, scripted requests from them collectively are enough to perform a denial of service.

Whilst this is not a new vulnerability, the amount of media attention this exploit has got in recent days brought it to my attention, and the raised awareness means the likelihood of this being used in the wild will have substantially increased:

These two sites go into a little more detail on how the API is used to perform the exploit:

I’ve tested some proof-of-concept code on a few test WordPress installations, and observed the API successfully send requests out to a target site, with the source appearing to be the test WordPress installation and its IP.
There are various methods to disable the exploit. Being that the API has a lot of perfectly valid functionality that customers may use on their sites, the least destructive method is to install the following WordPress plugin:

This disables the specific exploitable function, whilst leaving the rest of the API working as normal.
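The text above does not name the API or the plugin. The feature it describes (a default-enabled function that makes a WordPress site issue an HTTP request to an arbitrary target) matches the XML-RPC pingback method, so the following is an added editorial example of the same mitigation the plugin applies, written as a small must-use plugin: it removes only the pingback methods from the XML-RPC method table and stops the site advertising a pingback endpoint, while every other XML-RPC method keeps working. This is not code from the newsletter, from Basefarm, or from the plugin referred to above; the identification of the API as XML-RPC pingback is an assumption, and the plugin header name is made up for the example.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC Pingbacks (example)
 * Description: Removes the pingback methods from XML-RPC while leaving the rest of the API intact.
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Assumption (not stated on the page): the abusable feature is the pingback.ping
 * XML-RPC method, which makes the site fetch a caller-chosen URL.
 */

// 1. Take the pingback methods out of the XML-RPC method table.
//    The 'xmlrpc_methods' filter receives the array of method name => callback
//    that wp_xmlrpc_server exposes; anything not in the array is refused with
//    a standard "server error. requested method ... does not exist" fault.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods; // all other methods (wp.*, mt.*, metaWeblog.*, ...) remain
});

// 2. Stop sending the X-Pingback response header that points clients at the endpoint.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 3. Blank the pingback URL that themes print as <link rel="pingback" ...>.
add_filter('bloginfo_url', function ($output, $show) {
    return $show === 'pingback_url' ? '' : $output;
}, 10, 2);

// 4. Belt and braces: refuse incoming pingbacks on new content as well, so the
//    site neither sends nor accepts them. Existing posts keep their own setting.
add_filter('pre_option_default_ping_status', function () {
    return 'closed';
});
```

After deploying this, a quick check is to POST a `pingback.ping` call to `/xmlrpc.php` from a test client and confirm the response is a method-not-found fault, while an unrelated method such as `system.listMethods` still answers; if you instead want to block the whole API, that is a web-server rule on `xmlrpc.php`, but the plugin approach above is the "least destructive" option the text recommends because it keeps the rest of the API available to customers.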