Important Vulnerability on Advanced Custom Fields Plugin for WordPress

As database infections become an increasingly popular attack vector, ensuring their protection is more critical than ever. We are thrilled to announce the latest update to our Malware Database Scanner (MDS). Our enhanced MDS now features a more user-friendly interface and improved functionality, making it easier and more efficient to detect and eliminate threats in your databases.

These changes will be included in the following packages: aibolit-32.1.11 and av-7.14.0.

On April 1st, Google will implement a new pricing model that will significantly reduce the free tier usage of reCAPTCHA and introduce new prices for the reCAPTCHA Enterprise service. Although reCAPTCHA offers decent bot protection, it is not without its flaws, yet remains quite effective. However, we at Imunify360 have decided to discontinue its use within our protection suite. This decision stems not solely from the new costs associated with its use, but more importantly, because we have developed our own bot protection technology, SplashScreen, which our recent research has shown to be as effective as Google’s reCAPTCHA.

UPD: WebShield 1.25.0 was first released to Beta on March 26 with included updates DEF-27382 PoC for the Get rid of reCaptcha epic/DEF-27508 Test&merge get rid of reCaptcha to master.
Starting from WebShield the 1.25.0 release, the Imunify360 JS challenge is used for the requests from the IPs that were graylisted.

The recent cyber attack found by Patchstack researcher Rafie Muhammad on the "Advanced Custom Fields" plugin for WordPress is a stark reminder of how vulnerable websites can be to hackers. In this case, over two million users were at risk of cyberattacks due to a vulnerability (a flaw, tracked as CVE-2023-30777) that allowed miscreants to inject malicious code into webpages and potentially hijack administrative accounts.

With Apple’s recent release of a security update for the iPhone, iPad, and Mac, it brings attention to the critical importance of regular software updates. We’re going to explore the significance of staying up-to-date with the latest security patches and highlight the efforts of Imunify360 in enhancing their update process to deliver faster and safer protection for servers.

In December 2022, hackers broke into the FBI’s 80,000-member Infragard database posing as the CEO of a financial institution. InfraGard is an outreach program that keeps public officials and private sector actors informed of national security and cybersecurity threats that could impact critical US infrastructure. 

Once inside the database, the hacker communicated directly with members in an attempt to gain personal information. Although the FBI hasn’t offered specifics on how the hacker was able to manipulate the system, we do know they had some key pieces of personal information for the person they were impersonating.

The recent news about the security incident at GoDaddy is not limited to GoDaddy. The attack is multi-year and affects hundreds of thousands, or even millions, of accounts across multiple hosting providers. The criminals are deploying redirects and other malicious payloads. We at Imunify have observed and combated this widespread issue and have been addressing it through our Imunify360 security solution.

Despite the fact that the festive season already starts in December, this month was busy for the Imunify Security team. Keep on reading to find out more about the latest package updates and some tips on how to stay secure. Stay safe and hopefully 2021 will bring you a lot of joy and pleasant moments!

 

This week, the Imunify360 security team was informed of a new kind of attack, one that our customers told us caused these problems:

• Inoperable firewall
• High CPU resource consumption
• Log entries such as: im360.plugins.client360: Cannot connect the Server (imunify360.cloudlinux.com) [[Errno -2] Name or service not known]

When we investigated, we saw that these issues were caused by a SaltStack authorization bypass vulnerability (CVE References: CVE-2020-11651, CVE-2020-11652). This vulnerability enables remote command execution as root, on both the master and all minions that connect to it. It affects SaltStack Salt before 2019.2.4, and 3000 before 3000.2.

When it comes to building and managing professional-quality web sites, content management systems have become the default way to do that. WordPress is by far the most popular CMS: it’s used to build and manage around six out of every 10 sites.

The popularity of WordPress makes it a prime target for hackers. In one of our regular investigations, we recently encountered a particular strain of malware that targeted it. Here’s an analysis of that malware that we’d like to pass on to sysadmins.