Sunday, September 25, 2022

Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy



Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to five million attacks since then. The plug-in’s developer, iThemes, issued a patch for the flaw on Sept. 2, about a week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

A Directory Traversal Bug

In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation,” the plug-in maker warned.

iThemes’ alerts provided guidance on how site operators can determine if their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.

Wordfence said it had seen attackers using the flaw to try to retrieve “sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim.”
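
To check access logs for the kind of request Wordfence describes, the following added example (not from the article, iThemes or Wordfence) flags query parameters that resolve to wp-config.php or /etc/passwd, or that contain directory traversal sequences, after undoing repeated URL-encoding. The log lines, the /index.php path and the parameter names `file` and `path` are constructed for illustration; the article does not give the real request format.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Files the article says attackers tried to retrieve.
SENSITIVE = ("wp-config.php", "/etc/passwd")
# Combined log format: client IP ... "METHOD target PROTOCOL" status
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding (e.g. %252e%252e -> ..)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, value) pairs that name a sensitive file or climb directories."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw).replace("\\", "/").lower()
        if any(s in value for s in SENSITIVE) or "../" in value:
            hits.append((name, value))
    return hits

def scan(lines):
    """Return (client_ip, status, param, value) for each flagged request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET/POST access-log line
        ip, target, status = m.groups()
        for name, value in suspicious_params(target):
            findings.append((ip, int(status), name, value))
    return findings

# Constructed sample log lines; "file" and "path" are hypothetical parameter names.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2022:10:01:02 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 1832',
    '203.0.113.7 - - [27/Aug/2022:10:01:05 +0000] "GET /index.php?path=..%252f..%252fwp-config.php HTTP/1.1" 200 3120',
    '198.51.100.4 - - [27/Aug/2022:10:02:00 +0000] "GET /?s=backup+plugins HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, status, name, value in scan(SAMPLE_LOG):
        print(f"{ip} status={status} {name}={value}")
```

A flagged request that returned a success status is the case that calls for the remediation steps iThemes lists: resetting the database password, changing the salts and rotating the secrets in the site-configuration file.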

WordPress Plug-in Security: An Endemic Problem

The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments in recent years, almost all of them involving plug-ins.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021, and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-ins had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins aren’t the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

“As with smartphones, such third-party components extend the capabilities of the core product, but they’re also problematic for security teams because they significantly increase the attack surface of the core product,” he explains, adding that vetting these products is also challenging because of their sheer number and lack of clear provenance.

“Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions,” Yu notes. “Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious [plug-ins, integrations, and third-party apps] don’t create problems for their customers,” he notes.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.

“Installing is easy and removing is an afterthought or never done,” Broomhead tells Dark Reading. “Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress.”

Broomhead adds, “Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins.”
