Attackers exploit flaw in GDPR-themed WordPress plugin to hijack websites
Source: Vistar Communications for ESET Middle East, Author: Tomas Foltyn
Posted: Sat December 8, 2018 12:33 pm

UAE. Attackers have been exploiting a security weakness in a GDPR compliance plugin for WordPress to seize control of vulnerable websites, according to a blog post by Defiant, which makes Wordfence security plugins for the web publishing platform.

Importantly, the developer behind the plugin, which is called WP GDPR Compliance, has issued a patch fixing the critical flaw. Its users are, therefore, strongly advised to upgrade to version 1.4.3. Alternatively, the tool may be disabled or uninstalled.

Used by more than 100,000 websites seeking compliance with the European Union’s General Data Protection Regulation (GDPR), the plugin was pulled from the WordPress plugin repository after news of the flaw broke, but was reinstated quickly with the release of the version that plugs the hole.

Two in one
If left unplugged, the privilege escalation hole enables attackers to take over impacted sites and use them for a range of further villainous actions. This is not merely a hypothetical threat, as attackers were found to have been compromising vulnerable websites for around three weeks.

In fact, the plugin was affected by two distinct bugs. However, “with potential exploits living in the same block of code and executed with the same payload, we’re treating this as a single privilege escalation vulnerability”, reads the blog post. The researchers spotted two kinds of attacks leveraging the security hole: a simpler and a more complex one.

As their follow-up blog post explains, the first – and more common – scenario involves attackers abusing the user registration system on a targeted website in order to create new administrator accounts, which then gives them carte blanche vis-à-vis the site.

As part of the malicious routine, the attackers “close the doors behind themselves” by reversing the changes in settings that let them in and by disabling user registration. This is presumably intended to avoid raising alarms and to lock out competing ne’er-do-wells. A few hours later, the attackers are back – logging in with their admin access and installing backdoors.

In the second – and perhaps more discreet – kind of attack, the malefactors leverage the bug in order to abuse WordPress’s task scheduler, WP-Cron. The long and the short of it is that they inject malicious actions into the task scheduler in order to ultimately establish persistent backdoors.
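Both scenarios above leave traces in the site’s database: the first in the registration settings and the user table, the second in the stored WP-Cron schedule. The following audit queries are an added example for site owners and are not from the article, Defiant or the plugin; they assume the standard WordPress schema with the default `wp_` table prefix (and the matching `wp_capabilities` meta key) and MySQL date arithmetic.

```sql
-- Added defender's audit (not from the article): surface the traces the
-- two attack scenarios leave in a WordPress database.
-- Assumption: standard schema, default "wp_" prefix. If your site uses a
-- different prefix, rename the tables and the 'wp_capabilities' meta key.

-- 1. Settings the first scenario flips and then reverts: whether anyone may
--    register, and which role a new sign-up receives. A site that should not
--    accept registrations, or that hands new users anything but 'subscriber',
--    warrants a closer look.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('users_can_register', 'default_role');

-- 2. Administrator accounts created recently. Widen the window to cover the
--    whole period the vulnerable plugin version was installed, and treat any
--    account nobody on the team recognises as suspect.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%administrator%'
  AND u.user_registered >= NOW() - INTERVAL 30 DAY
ORDER BY u.user_registered DESC;

-- 3. The WP-Cron schedule abused in the second scenario lives as one
--    serialized PHP array in the 'cron' option. Compare every hook name in it
--    against the hooks registered by core and by the plugins you actually run.
SELECT option_value
FROM wp_options
WHERE option_name = 'cron';
```

Run the queries against a copy of the database where possible, and keep the output alongside the web server logs for the same period so that the account creation and the later admin logins the article describes can be correlated.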

It’s unclear at this point how the attackers ultimately aim to take advantage of the hijacked websites. At any rate, the potential harmful actions run the gamut and include hosting phishing sites and spewing out spam.

Photo Caption: Tomas Foltyn, security writer at ESET
