2024 WordPress Vulnerability Report Shows Errors Sites Keep Making via @sejournal, @martinibuster

WordPress security scanner WPScan’s 2024 WordPress vulnerability report calls attention to WordPress vulnerability trends and suggests the kinds of things website publishers (and SEOs) should be looking out for.

Some of the key findings from the report were that just over 20% of vulnerabilities were rated as high or critical level threats, with medium severity threats, at 67% of reported vulnerabilities, making up the majority. Many treat medium-level vulnerabilities as if they were low-level threats, but they are not, and they deserve attention.

The WPScan report advised:

“While severity doesn’t translate directly to the risk of exploitation, it’s an important guideline for website owners to make an educated decision about when to disable or update the extension.”

WordPress Vulnerability Severity Distribution

Critical level vulnerabilities, the highest level of threat, represented only 2.38% of vulnerabilities, which is essentially good news for WordPress publishers. Yet, as mentioned earlier, when combined with the percentage of high level threats (17.68%), the number of concerning vulnerabilities rises to almost 20%.

Here are the percentages by severity ratings:

  • Critical 2.38%
  • Low 12.83%
  • High 17.68%
  • Medium 67.12%

Authenticated Versus Unauthenticated

Authenticated vulnerabilities are those that require an attacker to first obtain user credentials, and the permission level that comes with them, in order to exploit a particular vulnerability. Of the authenticated vulnerabilities, those that require only subscriber-level authentication are the most exploitable, and those that require administrator-level access present the least risk (although not always a low risk, for a variety of reasons).

Unauthenticated attacks are generally the easiest to exploit because anyone can launch an attack without having to first acquire a user credential.

The WPScan vulnerability report found that about 22% of reported vulnerabilities required subscriber-level access or no authentication at all, making them the most exploitable. At the other end of the exploitability scale are vulnerabilities requiring admin-level permissions, which represented 30.71% of reported vulnerabilities.

Permission Levels Required For Exploits

Vulnerabilities requiring administrator-level credentials represented the highest percentage, followed by Cross-Site Request Forgery (CSRF) at 24.74%. This is notable because CSRF is an attack that uses social engineering to get a victim to click a link, after which the victim’s own permission level is used to carry out an action. If an attacker can trick an admin-level user into following such a link, the action runs with that user’s privileges on the WordPress website.

The following are the percentages of vulnerabilities ordered by the role necessary to launch an attack.

Ascending Order Of User Roles For Vulnerabilities

  • Author 2.19%
  • Subscriber 10.4%
  • Unauthenticated 12.35%
  • Contributor 19.62%
  • CSRF 24.74%
  • Admin 30.71%

Most Common Vulnerability Types Requiring Minimal Authentication

Broken Access Control in the context of WordPress refers to a security failure that can allow an attacker without necessary permission credentials to gain access to higher credential permissions.

In the section of the report that looks at the vulnerability types underlying reports exploitable without authentication or with subscriber-level access (Occurrence vs Vulnerability on Unauthenticated or Subscriber+ reports), WPScan breaks down the percentages for each vulnerability type that is most common among the exploits that are easiest to launch, because they require minimal or no user credentials.

The WPScan threat report noted that Broken Access Control represents a whopping 84.99% followed by SQL injection (20.64%).

The Open Worldwide Application Security Project (OWASP) defines Broken Access Control as:

“Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication, and govern what ‘authorized’ users are allowed to do.

Access control sounds like a simple problem but is insidiously difficult to implement correctly. A web application’s access control model is closely tied to the content and functions that the site provides. In addition, the users may fall into a number of groups or roles with different abilities or privileges.”

SQL injection, at 20.64%, is the second most prevalent type, and WPScan described it as both “high severity and risk” in the context of vulnerabilities requiring minimal authentication, because attackers can read and/or tamper with the database, which is the heart of every WordPress website.

These are the percentages:

  • Broken Access Control 84.99%
  • SQL Injection 20.64%
  • Cross-Site Scripting 9.4%
  • Unauthenticated Arbitrary File Upload 5.28%
  • Sensitive Data Disclosure 4.59%
  • Insecure Direct Object Reference (IDOR) 3.67%
  • Remote Code Execution 2.52%
  • Other 14.45%
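The two vulnerability types at the top of that list, Broken Access Control and SQL injection, usually come from the same small omissions in plugin code. The following is an added, constructed example (not code from WPScan, WordPress core or any plugin named on this page) showing a hypothetical admin-ajax handler with both defects next to a hardened version; it assumes a WordPress runtime so that `$wpdb`, `current_user_can()` and the nonce helpers exist, and the action names are invented.

```php
<?php
/**
 * Constructed example: a WordPress admin-ajax handler that deletes a post.
 * The first version has Broken Access Control (no capability or nonce check)
 * and SQL injection (raw concatenation); the second fixes both.
 * Assumes this file is loaded by WordPress. Action names are hypothetical.
 */

// --- Vulnerable: wp_ajax_* only requires *some* logged-in user, so any
// subscriber can delete any post, and $_POST['id'] goes straight into SQL.
function example_delete_post_vulnerable() {
    global $wpdb;
    $id = $_POST['id'];
    $wpdb->query("DELETE FROM {$wpdb->posts} WHERE ID = $id");
    wp_send_json_success();
}
add_action('wp_ajax_example_delete_post', 'example_delete_post_vulnerable');

// --- Hardened: nonce (CSRF), per-post capability (access control), and a
// bound parameter (SQL injection). Registered under a second action name only
// so both versions can coexist in one file.
function example_delete_post_hardened() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce created for this user and action
    //    (issued in the page with wp_create_nonce('example_delete_post')).
    check_ajax_referer('example_delete_post', 'nonce');

    // 2. Input validation: the ID must be a positive integer.
    $id = isset($_POST['id']) ? absint($_POST['id']) : 0;
    if ($id === 0) {
        wp_send_json_error('invalid id', 400);
    }

    // 3. Access control: the meta capability checks this user against this post,
    //    so a contributor cannot delete another author's published post.
    if (!current_user_can('delete_post', $id)) {
        wp_send_json_error('forbidden', 403);
    }

    // 4. Parameterised query: %d binds the value as an integer.
    //    (Real code would call wp_delete_post($id) instead of raw SQL.)
    $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->posts} WHERE ID = %d", $id));
    wp_send_json_success();
}
add_action('wp_ajax_example_delete_post_hardened', 'example_delete_post_hardened');
```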

Vulnerabilities In The WordPress Core Itself

The overwhelming majority of vulnerabilities were reported in third-party plugins and themes. However, in 2023 a total of 13 vulnerabilities were reported in the WordPress core itself. Of those thirteen, only one was rated High severity, the second-highest level under the Common Vulnerability Scoring System (CVSS), whose highest level is Critical.

The WordPress core platform itself is held to the highest standards and benefits from a worldwide community that is vigilant in discovering and patching vulnerabilities.

Website Security Should Be Considered As Technical SEO

Site audits don’t normally cover website security, but in my opinion every responsible audit should at least talk about security headers. As I’ve been saying for years, website security quickly becomes an SEO issue once a website’s rankings start disappearing from the search engine results pages (SERPs) because the site was compromised through a vulnerability. That’s why it’s critical to be proactive about website security.

According to the WPScan report, the main points of entry for hacked websites were leaked credentials and weak passwords. Enforcing strong password standards plus two-factor authentication is an important part of every website’s security posture.

Using security headers is another way to help protect against Cross-Site Scripting and other kinds of vulnerabilities.

Lastly, a WordPress firewall and website hardening are also useful proactive approaches to website security. I once added a forum to a brand new website I created and it was immediately under attack within minutes. Believe it or not, virtually every website worldwide is under attack 24 hours a day by bots scanning for vulnerabilities.

Read the WPScan Report:

WPScan 2024 Website Threat Report

Featured Image by Shutterstock/Ljupco Smokovski

WordPress Discovers XSS Vulnerability – Recommends Updating To 6.5.2 via @sejournal, @martinibuster

WordPress announced the 6.5.2 Maintenance and Security Release, which patches a stored cross-site scripting vulnerability and fixes over a dozen bugs in the core and the block editor.

The same vulnerability affects both the WordPress core and the Gutenberg plugin.

Cross Site Scripting (XSS)

An XSS vulnerability was discovered in WordPress that could allow an attacker to inject scripts into a website that then run against visitors to the affected pages.

There are three kinds of XSS vulnerabilities, but the ones most commonly discovered in WordPress plugins, themes and WordPress itself are reflected XSS and stored XSS.

Reflected XSS requires a victim to click a link, an extra step that makes this kind of attack harder to launch.

A stored XSS is the more worrisome variant because it exploits a flaw that allows the attacker to upload a script into the vulnerable site that can then launch attacks against site visitors. The vulnerability discovered in WordPress is a stored XSS.

The threat is mitigated to a certain degree because this is an authenticated stored XSS, meaning the attacker must first obtain at least contributor-level permissions in order to exploit the flaw.

This vulnerability is rated as a medium level threat, receiving a Common Vulnerability Scoring System (CVSS) score of 6.4 on a scale of 1 – 10.

Wordfence describes the vulnerability:

“WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

WordPress.org Recommends Updating Immediately

The official WordPress announcement recommended that users update their installations, writing:

“Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 6.1 and later.”

Read the Wordfence advisories:

WordPress Core < 6.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Gutenberg 12.9.0 – 18.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Read the official WordPress.org announcement:

WordPress 6.5.2 Maintenance and Security Release

Featured Image by Shutterstock/ivan_kislitsin

XSS Vulnerability Affects Beaver Builder WordPress Page Builder via @sejournal, @martinibuster

The popular Beaver Builder WordPress Page Builder was found to contain an XSS vulnerability that can allow an attacker to inject scripts into the website that will run when a user visits a webpage.

Beaver Builder

Beaver Builder is a popular plugin that allows anyone to create a professional looking website using an easy to use drag and drop interface. Users can start with a predesigned template or create a website from scratch.

Stored Cross Site Scripting (XSS) Vulnerability

Security researchers at Wordfence published an advisory about an XSS vulnerability affecting the page builder plugin. An XSS vulnerability is typically found in a part of a theme or plugin that accepts user input. One cause is insufficient filtering of what can be input (a process called input sanitization). Another is insufficient output escaping, a security measure applied to a plugin’s output that prevents harmful scripts from reaching a visitor’s browser.

This specific vulnerability is a Stored XSS. Stored means that an attacker is able to place a script directly on the web server, where it persists. This differs from a reflected XSS, which requires a victim to click a link to the attacked website in order to execute a malicious script. A stored XSS, like the one affecting Beaver Builder, is generally considered more dangerous than a reflected XSS.

The security flaws that gave rise to an XSS vulnerability in the Beaver Builder were due to insufficient input sanitization and output escaping.

Wordfence described the vulnerability:

“The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Button Widget in all versions up to, and including, 2.8.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The vulnerability is rated 6.4, a medium level threat. Attackers must gain at least contributor-level permission levels in order to be able to launch an attack, which makes this vulnerability a little harder to exploit.
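Both this advisory and the WordPress 6.5.2 Avatar block advisory above name the same two defects: insufficient input sanitization and insufficient output escaping of user-supplied values. The following is an added, constructed example (not code from Beaver Builder, WordPress core or the Gutenberg plugin) of a hypothetical button shortcode that has both defects, beside the hardened form that sanitizes on save and escapes per HTML context; it assumes a WordPress runtime and the shortcode names are invented.

```php
<?php
/**
 * Constructed example: a hypothetical "button" shortcode whose attributes are
 * authored by contributor-level users, shown vulnerable and hardened.
 * Assumes WordPress is loaded (esc_attr(), sanitize_text_field(), ...).
 */

// --- Vulnerable: attributes saved by a contributor are echoed raw into HTML.
// A label or title that breaks out of the quoted attribute becomes markup in
// every page that renders the widget, which is exactly a stored XSS.
function example_button_vulnerable($atts) {
    $atts = shortcode_atts(array('label' => 'Click', 'url' => '#', 'title' => ''), $atts);
    return '<a class="btn" href="' . $atts['url'] . '" title="' . $atts['title'] . '">'
         . $atts['label'] . '</a>';
}
add_shortcode('example_button_vulnerable', 'example_button_vulnerable');

// --- Hardened: sanitize on the way in, escape on the way out, choosing the
// escaping function that matches where the value lands in the HTML.
function example_button_hardened($atts) {
    $atts = shortcode_atts(array('label' => 'Click', 'url' => '#', 'title' => ''), $atts);

    // Input sanitization: strip tags and control characters from plain text,
    // and reject URL schemes WordPress does not allow (e.g. javascript:).
    $label = sanitize_text_field($atts['label']);
    $title = sanitize_text_field($atts['title']);
    $url   = esc_url_raw($atts['url']);

    // Output escaping per context: esc_url() for href, esc_attr() inside a
    // quoted attribute, esc_html() for element text.
    return sprintf(
        '<a class="btn" href="%s" title="%s">%s</a>',
        esc_url($url),
        esc_attr($title),
        esc_html($label)
    );
}
add_shortcode('example_button_hardened', 'example_button_hardened');

// The same rule covers author display names, the context of the 6.5.2 fix:
// a display name is user-controlled text and must be escaped when rendered.
function example_author_name_hardened($user_id) {
    $name = get_the_author_meta('display_name', $user_id);
    return '<span class="author">' . esc_html($name) . '</span>';
}
```

Escaping at output time is the control that holds even when an older, unsanitized value is already stored in the database, which is why advisories call out output escaping separately from sanitization.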

The official Beaver Builder changelog, which documents what’s contained in an update, notes that a patch was issued in version 2.8.0.7.

The changelog notes:

“Fix XSS issue in Button & Button Group Modules when using lightbox”

Recommended action: It’s generally a good practice to update and patch a vulnerability before an attacker is able to exploit it. It’s also a best practice to stage the site first before pushing an update live, in case the updated plugin conflicts with another plugin or theme.

Read the Wordfence advisory:

Beaver Builder – WordPress Page Builder <= 2.8.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Button

Featured Image by Shutterstock/Prostock-studio

WordPress Backup Plugin DoS Vulnerability Affects +200,000 Sites via @sejournal, @martinibuster

A popular WordPress backup plugin installed in over 200,000 websites recently patched a high severity vulnerability that could lead to a denial of service attack. Wordfence assigned a CVSS severity level rating of High, with a score of 7.5/10, indicating that plugin users should take note and update their plugin.

Backuply Plugin

The vulnerability affects the Backuply WordPress backup plugin. Creating backups is a necessary function for every website, not just WordPress sites, because backups let publishers roll back to a previous version should the server fail and lose data.

Website backups are invaluable for site migrations, hacking recovery and failed updates that render a website non-functional.

Backuply is an especially useful plugin because it backs up data to multiple trusted third-party cloud services and supports several ways to download local copies, creating redundant backups so that if a cloud backup is bad the site can be recovered from another copy stored locally.

According to Backuply:

“Backuply comes with Local Backups and Secure Cloud backups with easy integrations with FTP, FTPS, SFTP, WebDAV, Google Drive, Microsoft OneDrive, Dropbox, Amazon S3 and easy One-click restoration.”

Vulnerability Affecting Backuply

The United States Government National Vulnerability Database warns that Backuply up to and including version 1.2.5 contains a flaw that can lead to denial of service attacks.

The warning explains:

“This is due to direct access of the backuply/restore_ins.php file and. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.”

Denial Of Service (DoS) Attack

A denial of service (DoS) attack is one in which a flaw in software allows an attacker to make so many rapid requests that the server runs out of resources and can no longer process further requests, including serving webpages to site visitors.

A feature of DoS attacks is that it is sometimes possible to upload scripts, HTML or other code that can then be executed, allowing the attacker to perform virtually any action.

Vulnerabilities that enable DoS attacks are considered critical, and steps to mitigate them should be taken as soon as possible.
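The NVD description above names two conditions: a plugin file reachable by direct request, and requests that consume resources (per the changelog, by filling up logs). The following is an added, constructed example (not Backuply’s code or its fix) of the standard WordPress hardening for both: a direct-access guard, a hook-based handler gated by capability and nonce, and a bounded log writer. It assumes a WordPress runtime; the hook name, log path and size cap are illustrative.

```php
<?php
/**
 * Constructed example of hardening a plugin file against direct access and
 * unbounded log growth. Not from any real plugin; names are hypothetical.
 */

// 1. Abort if this file is requested by URL instead of being loaded by
//    WordPress: ABSPATH is only defined once wp-load.php has run.
if (!defined('ABSPATH')) {
    http_response_code(403);
    exit;
}

// 2. Sensitive operations are reached only through a hook, and require both
//    a capability and a nonce, so unauthenticated requests stop here before
//    any work (or logging) happens.
function example_restore_handler() {
    if (!current_user_can('manage_options')) {
        wp_die('forbidden', '', array('response' => 403));
    }
    check_admin_referer('example_restore');
    example_log('restore requested by user ' . get_current_user_id());
    // ... restore logic would follow ...
}
add_action('admin_post_example_restore', 'example_restore_handler');

// 3. Bounded logging: stop appending once the file reaches a size cap, so a
//    flood of requests cannot fill the disk. Real code would rotate the file;
//    it would also keep logs outside the web-accessible uploads directory.
function example_log($message, $max_bytes = 1048576) {
    $file = WP_CONTENT_DIR . '/uploads/example-restore.log'; // illustrative path
    if (file_exists($file) && filesize($file) >= $max_bytes) {
        return false; // cap reached; caller may rotate or alert
    }
    $line = gmdate('c') . ' ' . sanitize_text_field($message) . PHP_EOL;
    return (bool) file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}
```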

Backuply Changelog Documentation

The official Backuply changelog, which announces the details of every update, notes that a fix was implemented in version 1.2.6. Backuply’s transparency and rapid response are responsible and a sign of a trustworthy developer.

According to the Changelog:

“1.2.6 (FEBRUARY 08 2024)
[Security-Fix] In some cases it was possible to fill up the logs and has been fixed. Reported by Villu Orav (WordFence)”

Recommendations

In general it is highly recommended that all users of the Backuply plugin update their plugin as soon as possible in order to prevent an unwanted security event.

Read the National Vulnerability Database description of the vulnerability:

CVE-2024-0842

Read the Wordfence Backuply vulnerability report:

Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service

Featured Image by Shutterstock/Doppelganger4

Mozilla VPN Security Risks Discovered via @sejournal, @martinibuster

Mozilla published the results of a recent third-party security audit of its VPN service as part of its commitment to user privacy and security. The audit revealed security issues, which were presented to Mozilla to be addressed with fixes that ensure user privacy and security.

Many search marketers use VPNs in the course of their business, especially when using a Wi-Fi connection, in order to protect sensitive data, so the trustworthiness of a VPN is essential.

Mozilla VPN

A Virtual Private Network (VPN), is a service that hides (encrypts) a user’s Internet traffic so that no third party (like an ISP) can snoop and see what sites a user is visiting.

VPNs also add a layer of security from malicious activities such as session hijacking which can give an attacker full access to the websites a user is visiting.

There is a high expectation from users that the VPN will protect their privacy when they are browsing on the Internet.

Mozilla thus employs the services of a third party to conduct a security audit to make sure their VPN is thoroughly locked down.

Security Risks Discovered

The audit revealed vulnerabilities of medium or higher severity, ranging from Denial of Service (DoS) risks to keychain access leaks (related to encryption) and a lack of access controls.

Cure53, the third-party security firm, discovered and addressed several risks. Among the issues were potential VPN leaks and a vulnerability that allowed a rogue extension to disable the VPN.

The scope of the audit encompassed the following products:

  • Mozilla VPN Qt6 App for macOS
  • Mozilla VPN Qt6 App for Linux
  • Mozilla VPN Qt6 App for Windows
  • Mozilla VPN Qt6 App for iOS
  • Mozilla VPN Qt6 App for Android

These are the risks identified by the security audit:

  • FVP-03-003: DoS via serialized intent
  • FVP-03-008: Keychain access level leaks WG private key to iCloud
  • FVP-03-010: VPN leak via captive portal detection
  • FVP-03-011: Lack of local TCP server access controls
  • FVP-03-012: Rogue extension can disable VPN using mozillavpnnp (High)

The rogue extension issue was rated as high severity. Each risk was subsequently addressed by Mozilla.

Mozilla presented the results of the security audit as part of their commitment to transparency and to maintain the trust and security of their users. Conducting a third party security audit is a best practice for a VPN provider that helps assure that the VPN is trustworthy and reliable.

Read Mozilla’s announcement:
Mozilla VPN Security Audit 2023

Featured Image by Shutterstock/Meilun

Microsoft Mitigates Hacker Access To Government Email Accounts via @sejournal, @kristileilani

Microsoft announced that it recently blocked a group of hackers, which it labeled Storm-0558, that accessed email accounts belonging to around 25 organizations, including government agencies.

How Hackers Gained Access To Email Accounts

In a blog post, Microsoft said it began investigating abnormal activity in some email accounts on June 16 after being notified by customers.

Its investigation revealed that beginning May 15, the hacking group exploited a vulnerability to forge authentication tokens and gain entry into organizations’ Microsoft 365 accounts.

Using a compromised Microsoft consumer account signing key, the hackers could impersonate users and access email accounts through services like Outlook Web Access and Outlook.com.

According to a recent joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, the federal agency observed suspicious activity in its Microsoft 365 logs.

This led to the discovery that advanced persistent threat actors had accessed and exfiltrated data from some Exchange Online Outlook accounts.

What Is Storm-0558?

According to Microsoft’s actor profile of Storm-0558, the description of the group is as follows:

Storm-0558 (DEV-0558) is a nation-state activity group based out of China. They focus on espionage, data theft, and credential access. They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access.

How The Issue Was Resolved

CISA and the FBI advised organizations using Exchange Online to implement enhanced monitoring and logging to detect similar attacks.

Their recommendations include enabling advanced audit logging features and gaining visibility into standard cloud traffic patterns.

Microsoft claims it has fully resolved the issue and blocked the hackers’ access. It is working with impacted customers and has notified them ahead of its public disclosure.

The company said it had found no evidence the hackers remained in any corporate systems.

Mitigating Future Cyberattacks

This latest activity comes as cyberattacks continue to increase against organizations worldwide.

United States Senator Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, expressed concern over reports of the latest cyberattack and what would be needed to prevent future incidents.

“The Senate Intelligence Committee is closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence. It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies. Close coordination between the U.S. government and the private sector will be critical to countering this threat.”

Microsoft plans to keep improving security around account keys and tokens to stay ahead of evolving cyber risks.

It emphasized the need for continued collaboration and transparency to strengthen defenses across the tech industry against sophisticated hacking campaigns.


Featured image: Koshiro K/Shutterstock

Google To Remove Inactive Accounts via @sejournal, @brookeosmundson

Google updated its inactivity policy for personal Google accounts.

It’s important to note how this could affect business protocols when using a Google account.

Read on to understand the new policy and any measures you should take.

The Policy Update Explained

According to the policy, accounts that haven’t been used or signed in for two years will be deemed an “inactive account.”

Why does this matter?

With the updated Inactive Accounts policy, Google can delete the account and any/all of its contents. This may include:

  • Gmail
  • Docs
  • Drive
  • Meet
  • Calendar
  • YouTube
  • Google Photos

It’s important to note that the policy change pertains to personal Google accounts only. Any accounts that are used for businesses or organizations will not be affected.

While the policy takes effect immediately, Google will not delete inactive accounts until December 2023.

Google will start by deleting accounts that were created and never used before moving on to other inactive accounts.

Google also noted that it would send multiple notices via email to both the account email address and the recovery email.

Why The Change?

Online security threats continue to be a big issue. While Google invests in technology to protect from account exposure or phishing scams, nothing is foolproof.

Accounts that haven’t been active for extended periods are more vulnerable to being compromised or hijacked. Per Google, these accounts are more likely to be compromised if:

  • Old or re-used passwords have been used
  • Two-factor authentication hasn’t been set up
  • Fewer security checks by the account owner

With the policy change, Google will start deleting inactive accounts to reduce a user’s risk of account compromise.

Additionally, deleting inactive accounts reduces the amount of personal information Google retains on users, further securing individuals.

So, what is considered an active account?

Google considers an account active if any of the following actions are taken:

  • Reading or sending an email through Gmail
  • Using Google Drive
  • Watching YouTube videos
  • Downloading an app on Google Play Store
  • Using Google Search (while logged into a Google account)
  • Signing into a third-party app via “Sign in with Google.”

What Businesses Need To Know

Many marketers set up Google accounts to tie third-party tools to an account, such as Looker Studio or other reporting tools. These accounts may not be set up as business accounts, which is why this policy update is important.

Here are some helpful tips that marketers can take action on now to ensure a Google account stays active:

  • Take inventory of any shared Google accounts used and document them (especially for agencies)
  • Log into any Google account and set up two-factor authentication
  • Document the dedicated recovery email set up for each account
  • Ensure all account settings are up-to-date

This ensures that all necessary information is in place, especially if there is turnover at a business or agency. The accounts can be used over the long term and reduce the impact of setting up new accounts due to a lack of shared internal information.

Summary

A standard process and documentation for accounts are vital for workplace (and personal) security.

Reduce the risk of dealing with an inactive account, or worse – a compromised account – by taking the actions above to ensure any pertinent Google accounts stay active and secure.


Featured Image: Iana Alter/Shutterstock

Google Strikes Back: A Legal Victory Against CryptBot Malware Distributors via @sejournal, @MattGSouthern

Google is ramping up its efforts to combat cybercrime, as the tech giant recently announced a legal victory against the distributors of the notorious CryptBot malware.

Crackdown On Cybercriminals

In the latest move in its ongoing campaign against cybercriminals, Google has successfully filed a civil action against malware distributors responsible for CryptBot, a type of malicious software designed to steal sensitive information from users’ computers.

Google estimates that CryptBot has infected approximately 670,000 computers in the past year alone, primarily targeting users of Google Chrome.

A Southern District of New York federal judge unsealed the civil action. It represents Google’s continued commitment to disrupting cybercriminal ecosystems that seek to exploit online users.

This follows Google’s success last year in holding operators of the Glupteba botnet accountable.

Understanding CryptBot Malware

CryptBot, classified as an “infostealer,” can identify and extract sensitive data from victims’ computers, including authentication credentials, social media account logins, cryptocurrency wallets, and more.

The stolen data is then harvested and sold to bad actors for use in data breach campaigns.

Cybercriminals distributing CryptBot have been offering maliciously modified versions of popular software packages, such as Google Earth Pro and Google Chrome, to unsuspecting users.

The malware is designed to target users of Google Chrome, prompting Google’s CyberCrimes Investigations Group (CCIG) and Threat Analysis Group (TAG) to take action against the distributors.

Legal Strategy & Disruption

Google’s litigation targeted several major distributors of CryptBot, believed to be based in Pakistan and operating a worldwide criminal enterprise.

The legal complaint includes claims of computer fraud and abuse and trademark infringement.

To hinder the spread of CryptBot, the court granted a temporary restraining order that allows Google to take down current and future domains associated with the malware’s distribution.

This measure is expected to slow new infections and decelerate the growth of CryptBot while establishing legal precedent and placing those profiting from criminal activities under scrutiny.

Protecting Against Malware

As part of its efforts to protect users from cyber threats, the Cybercrime Support Network recommends several steps that individuals can take to safeguard themselves against malware like CryptBot:

  • Download from trusted sources, such as official websites or app stores, and heed Chrome Safe Browsing warnings.
  • Conduct research and read reviews before downloading any software.
  • Consistently update your operating system and any software you use, including installing security patches and fixing bugs.

A Glimpse Into What’s Next

Google’s recent lawsuit against the distributors of CryptBot malware marks a meaningful stride toward bringing cybercriminals to justice.

By taking legal action against both those who operate botnets and those who financially benefit from spreading malware, Google is working to improve the security of internet users.

Google has voiced its dedication to this objective and intends to continue these efforts.


Featured Image: Eviart/Shutterstock

Source: Google

Rackspace Hosted Exchange Outage Due to Security Incident via @sejournal, @martinibuster

Rackspace hosted Exchange suffered a catastrophic outage beginning December 2, 2022 and is still ongoing as of 12:37 AM December 4th. Initially described as connectivity and login issues, the guidance was eventually updated to announce that they were dealing with a security incident.

Rackspace Hosted Exchange Issues

The Rackspace system went down in the early morning hours of December 2, 2022. Initially there was no word from Rackspace about what the problem was, much less an ETA of when it would be resolved.

Customers on Twitter reported that Rackspace was not responding to support emails.

A Rackspace customer privately messaged me over social media on Friday to relate their experience:

“All hosted Exchange clients down over the past 16 hours.

Not sure how many companies that is, but it’s significant.

They’re serving a 554 long delay bounce so people emailing in aren’t aware of the bounce for several hours.”

The official Rackspace status page offered a running update of the outage but the initial posts had no information other than there was an outage and it was being investigated.

The first official update was on December 2nd at 2:49 AM:

“We are investigating an issue that is affecting our Hosted Exchange environments. More details will be posted as they become available.”

Thirteen minutes later Rackspace began calling it a “connectivity issue.”

“We are investigating reports of connectivity issues to our Exchange environments.

Users may experience an error upon accessing the Outlook Web App (Webmail) and syncing their email client(s).”

By 6:36 AM the Rackspace updates described the ongoing problem as “connectivity and login issues.” Later that afternoon, at 1:54 PM, Rackspace announced it was still in the “investigation phase” of the outage, still trying to figure out what went wrong.

And they were still calling it “connectivity and login issues” in their Cloud Office environments at 4:51 PM that afternoon.

Rackspace Recommends Migrating to Microsoft 365

Four hours later Rackspace referred to the situation as a “significant failure” and began offering its customers free Microsoft Exchange Plan 1 licenses on Microsoft 365 as a workaround until it understood the problem and could bring the system back online.

The official guidance stated:

“We experienced a significant failure in our Hosted Exchange environment. We proactively shut down the environment to avoid any further issues while we continue work to restore service. As we continue to work through the root cause of the issue, we have an alternate solution that will re-activate your ability to send and receive emails.

At no cost to you, we will be providing you access to Microsoft Exchange Plan 1 licenses on Microsoft 365 until further notice.”

Rackspace Hosted Exchange Security Incident

It was not until nearly 24 hours later at 1:57 AM on December 3rd that Rackspace officially announced that their hosted Exchange service was suffering from a security incident.

The announcement further revealed that the Rackspace technicians had powered down and disconnected the Exchange environment.

Rackspace posted:

“After further analysis, we have determined that this is a security incident.

The known impact is isolated to a portion of our Hosted Exchange platform. We are taking necessary actions to evaluate and protect our environments.”

Twelve hours later that afternoon they updated the status page with more information that their security team and outside experts were still working on solving the outage.

Was Rackspace Service Affected by a Vulnerability?

Rackspace has not released details of the security event.

A security event generally involves a vulnerability, and there are two severe Exchange vulnerabilities currently being exploited in the wild that were patched in November 2022.

These are the two most current vulnerabilities:

  • CVE-2022-41040
    Microsoft Exchange Server Server-Side Request Forgery (SSRF) Vulnerability
    A Server-Side Request Forgery (SSRF) attack allows an attacker to read and change data on the server.
  • CVE-2022-41082
    Microsoft Exchange Server Remote Code Execution Vulnerability
    A Remote Code Execution Vulnerability is one in which an attacker is able to run malicious code on a server.
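The list above defines SSRF only in one sentence. The following added example, which is not code from the article, from Rackspace or from Microsoft and does not model the Exchange bugs themselves, shows the general shape of an SSRF defect in a web handler that fetches a URL on a user's behalf, beside a hardened version that validates the destination before any outbound request is made. The allowlisted host names and the `fetch_*` functions are constructed for illustration; the real network call is replaced by a string so the code runs offline.

```python
# Added example: a generic SSRF-prone fetch handler and its hardened form.
# Not from the article; host names and function names are constructed.
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist of hosts this service is permitted to contact.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def fetch_vulnerable(url: str) -> str:
    """SSRF-prone: forwards whatever URL the user supplied to the outbound fetcher.

    A caller can point this at loopback, RFC 1918 ranges, cloud metadata
    endpoints or non-HTTP schemes, and the server will make the request.
    """
    return f"GET {url}"  # stands in for the real outbound request


def is_safe_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for https URLs whose host is on the allowlist.

    Literal IP addresses that are not globally routable (loopback, link-local
    such as the 169.254.0.0/16 metadata range, private ranges) are rejected
    even before the allowlist is consulted.
    """
    try:
        parsed = urlparse(url)
        host = parsed.hostname          # may raise on malformed IPv6 brackets
        userinfo = (parsed.username, parsed.password)
    except ValueError:
        return False
    if parsed.scheme != "https":
        return False                    # file://, gopher://, plain http, ...
    if not host:
        return False
    if any(userinfo):
        return False                    # "https://api.example.com@evil.example/"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                     # a host name, not an IP literal
    if addr is not None and not addr.is_global:
        return False
    return host.lower() in allowed_hosts


def fetch_hardened(url: str) -> str:
    """Validate the destination first; refuse anything outside the allowlist."""
    if not is_safe_target(url):
        raise ValueError(f"refusing to fetch {url!r}: destination not allowed")
    return f"GET {url}"  # stands in for the real outbound request
```

The allowlist check is on the host name as written; a production fetcher should additionally resolve the name, apply the same non-global-address test to every resolved address, connect to that pinned address, and not follow redirects, otherwise a DNS answer or a 302 can steer the request to an internal host after validation.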

An advisory published in October 2022 described the impact of the vulnerabilities:

“An authenticated remote attacker can perform SSRF attacks to escalate privileges and execute arbitrary PowerShell code on vulnerable Microsoft Exchange servers.

As the attack is targeted against Microsoft Exchange Mailbox server, the attacker can potentially gain access to other resources via lateral movement into Exchange and Active Directory environments.”

The Rackspace outage updates have not indicated what the specific problem was, only that it was a security incident.

The most current status update as of December 4th stated that the service is still down and customers are encouraged to migrate to the Microsoft 365 service.

Rackspace posted the following on December 4, 2022 at 12:37 AM:

“We continue to make progress in addressing the incident. The availability of your service and security of your data is of high importance.

We have committed extensive internal resources and engaged world-class external expertise in our efforts to minimize negative impacts to customers.”

It’s possible that the above noted vulnerabilities are related to the security incident affecting the Rackspace Hosted Exchange service.

There has been no announcement of whether customer information has been compromised. This event is still ongoing.


Google Shares New Info About Vulnerabilities Found In Chrome via @sejournal, @MattGSouthern

Google security researchers are sharing new information about vulnerabilities detected in Chrome, Firefox, and Windows.

In a blog post, Google and Threat Analysis Group (TAG) detail steps taken since discovering a commercial spyware operation with ties to Variston IT.

Based in Barcelona, Spain, Variston IT claims to provide custom security solutions. However, the company is connected to an exploitation framework called “Heliconia.”

Heliconia works in three ways:

  • It exploits a Chrome renderer bug to run malware on a user’s operating system.
  • It deploys a malicious PDF document containing an exploit for Windows Defender.
  • It utilizes a set of Firefox exploits for Windows and Linux machines.

The Heliconia exploit was used as early as December 2018 with the release of Firefox 64.

New information released by Google reveals Heliconia was likely used in the wild as a zero-day exploit.

Heliconia poses no risk to users today, as Google says it currently detects no active exploitation. Google, Mozilla, and Microsoft fixed the bugs in early 2021 and 2022.

Although Heliconia is patched, commercial spyware is a growing problem, Google says:

“TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe. Commercial spyware puts advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents.”

To protect yourself against Heliconia and other exploits like it, it’s essential to keep your internet browsers and operating system up to date.

TAG’s research into Heliconia is available in Google’s new blog post, which Google is publishing to raise awareness about the threat of commercial spyware.


Source: Google