Important Vulnerability on Advanced Custom Fields Plugin for WordPress

Last week the Imunify360 Operations Team spotted some malware embedded in a WordPress plugin. On Thursday, they reported it to the WordPress Plugin Review Team, who closed that plugin the very next day. 

We’d like to share with you what our Operations Team saw, so you know more about how malicious plugins work, and how you can avoid them. Additionally, read our website hosting security article and learn how to keep your website secure in 2021.

We at Imunify Security are excited to announce that the new version of cPanel & WHM, version 88, bundles ImunifyAV as its default antivirus solution.

ImunifyAV is Linux server antivirus provided free of charge. It features a highly efficient malware detection engine that finds most types of malware without stressing your system. With the ImunifyAV+ premium edition of antivirus for linux server, malware is easy to remove with just one click. 

 

This week, the Imunify360 security team was informed of a new kind of attack, one that our customers told us caused these problems:

• Inoperable firewall
• High CPU resource consumption
• Log entries such as: im360.plugins.client360: Cannot connect the Server (imunify360.cloudlinux.com) [[Errno -2] Name or service not known]

When we investigated, we saw that these issues were caused by a SaltStack authorization bypass vulnerability (CVE References: CVE-2020-11651, CVE-2020-11652). This vulnerability enables remote command execution as root, on both the master and all minions that connect to it. It affects SaltStack Salt before 2019.2.4, and 3000 before 3000.2.

 

If you’re running Imunify360 on your servers, you should enable real-time scanning. Why and how should you do that? Find out below. 

 

WP-VCD is a hacking campaign that’s responsible for the vast majority of WordPress malware infections. It has launched massive campaigns that have been very effective. Conducted on weekends, when many security staff are off the job, its campaigns have infected around two million WordPress sites. 

 

Imunify360 has six core components: Web Application Firewall, Linux Malware Scanner, Proactive Defense, IDS/IPS, WebShield, and Cloud-Based Security. The last component, Cloud-Based Security, runs according to what we call heuristics. 

In Imunify360, heuristics are a set of rules based on information coming in from thousands of Imunify-protected servers all over the world. These servers send threat information to the Imunify cloud server, where it’s automatically processed by dozens of scripts. It’s also manually processed by our Analytics team. 

At 11am EST on Friday 3 April, we’ll be conducting a live webinar on the new features and updates of Imunify360. Sign up and join the conversation on what’s new with our automated server protection suite.

The recording of the webinar is available here.

If you’re using Imunify360 on your servers, you’ve got a powerful system for cleaning up malware that’s also safe. If you use the recommended default settings, the sites you host will stay up and running. 

Your backups will be easy and reliable as well. That’s because Imunify360 is integrated with popular backup services, and makes sure that all of your backup files are malware-free. Let’s examine Imunify360’s linux malware scanner and malware cleanup capabilities in detail. In addition, Imunify360 prepared an article about 360 clean up in Imunify Security Suite covering how to remove malicious code.

 

Some Imunify360 customers don’t use the Auto Cleanup option because they’re afraid that it will break client web sites. They’re afraid that if a WordPress index.php file gets infected, for instance, the file will be blocked by Malware Scanner for Linux servers, and the web site will go down.

These fears are unfounded. Malware Scanner removes malicious code that’s been injected into a file, while leaving the rest of the file intact. It also removes malicious files that have been included into other files. Enabling Auto Cleanup is completely safe and effective.

In version 4.5, Imunify360 introduced a new way to prevent brute-force attacks against mail accounts: a PAM module extension that integrates with cPanel to block attacks that target the Exim and Dovecot bundle.

Let’s explore the problems that this new PAM module extension solves, examine how it works, and learn how to use it.