Episode 113: An Unprecedented FBI Operation Removes Webshells from Infected Exchange Servers

An FBI initiative began remotely removing webshells from infected Microsoft Exchange servers. WordPress 5.7.1 was released with a few security patches. Over 15 Elementor add-on plugins were found to have vulnerabilities similar to those found in the main Elementor plugin; these additional plugin vulnerabilities affected over 3.5 million sites across more than 100 vulnerable endpoints. Google Chrome was found to have two 0-day vulnerabilities. The US and UK blame Russian intelligence service hackers for the ongoing attack campaign against SolarWinds.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:18 WordPress 5.7.1 Released
3:02 Recent Patches Rock the Elementor Ecosystem
7:07 FBI launches operation to remove backdoors from hacked Microsoft Exchange servers
14:30 Second Google Chrome zero-day exploit dropped on Twitter this week
17:14 SolarWinds: US and UK blame Russian intelligence service hackers for major cyber attack

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 113 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing Kathy Zant. Let’s get started. What’s up first, Kathy?

Kathy:
Well, I think what’s up first is, first of all I need to ask how caffeinated are you? How’s the Moccamaster going?

Ram:
It is amazing. I absolutely needed it this morning, because I was looking at the WordPress core release pretty late last night, since that happened in the evening my time. And-

Kathy:
It was late night my time, so I was just vegging and watching you guys pick apart this WordPress Core 5.7.1 release. It was pretty late on the night of April 14th that they released this. What did you find?

Ram:
Actually, Chloe and Matt Rusnake, our Lead QA Engineer, found a couple of issues. It did include a couple of security patches. One of them, the one that they back-ported all the way to version 4.7, was an issue where anyone with access to the post editor could read other people’s protected posts if they were password-protected.

Kathy:
So even a contributor?

Ram:
Yeah. Like if you have a website and you’ve written a password-protected post that you don’t want anyone to read, unless they have the password, then a contributor on that site could read that post.

Kathy:
Okay. So not real dangerous, but still-

Ram:
Yeah couldn’t be used for like site takeover or anything.

Kathy:
Okay. But still a security issue that needed to be handled and they did?

Ram:
Yep. And there was another patch which was a little more worrying. Basically, WordPress 5.6 and 5.7 reintroduced a really old vulnerability from like 2012. And this only happened for sites running PHP 8, and it could only happen for people that were allowed to upload files or import media files. Basically the identifier tags, the ID3 tags that you use to see who the author and the album is on a song or something, those could be used to load external XML entities. And basically what happened is that WordPress… PHP 8 supposedly made the function that loads that safe, except the way that WordPress loads those tags specifically was in an unsafe way, even in PHP 8. So they actually had to turn back on the function that they’re not supposed to use in PHP 8 anymore to make it safe again. Anyways, this isn’t going to hit a lot of people. Again, you have to be on PHP 8 and WordPress 5.6 or 5.7 to be vulnerable to this. And it would have to be someone who could already upload files.

Kathy:
Most sites are still on PHP 7.

Ram:
7.3, 7.4, yeah. I suspect that anyone who’s running PHP 8 is probably also auto-updating core just because they’d like to be at the bleeding edge. We do have mitigations in place for this type of issue.

Kathy:
Okay. Good to know. All right. So WordPress 5.7.1 is available; if your site is set to auto-update, it probably already has it. Nothing major in terms of security patches, but there are a couple. What’s our next story? It looks like you… I know the story, because you have been so busy over, what, like the last month, going over so many plugins in the Elementor ecosystem. Tell us more.

Ram:
Yeah. More than 15 plugins, I say more than 15 because we actually reported 17 in the article, but there’s some that are still patching, installed on like three and a half million sites. We found more than 100 vulnerable endpoints. Basically any plugin that added on additional widgets to Elementor allowed contributors, anyone able to access the Elementor editor, to add cross-site scripting or malicious JavaScript to a post.

Kathy:
And this was within Elementor. Elementor has all of these like little widget elements that you can add, and within there it was a contributor could have added a malicious script that could have caused anyone else who looked at that post in the editor to be vulnerable, right?

Ram:
Yeah. And since contributor posts have to be reviewed by higher-privileged users, it’d be pretty easy for a contributor to add JavaScript to a post or page and then when an administrator reviewed that it would run on their browser, do stuff as them. Could be used to add a webshell or add a new malicious administrator. I mean like this isn’t the kind of thing that you’d expect to see exploited in bulk because it would require a somewhat privileged user. But it is the kind of thing that would be very useful for like a targeted attack. And realistically, the main thing that was interesting about this is that we found it in just so many plugins. Now I think part of that is that Elementor has some pretty good developer documentation with a lot of examples. And unfortunately some of those examples use the insecure coding styles, so.

Kathy:
Okay. And then, because things were being validated on the browser side of things rather than on the server, is that right?

Ram:
Yeah. So it didn’t actually check that. If you add like a title element or something, it lets you choose if you want a heading, an h5 tag, or like a larger heading, an h2 or h1 tag. But it turns out you get to intercept that request and put in a script tag instead, and it wouldn’t get caught.

Kathy:
Wow. This might seem somewhat of an edge case, but these are the types of things that hackers, when they know that one of these vulnerabilities exists and they get into a site, it’s something that they can really use to sort of escalate their privileges in a very targeted type of attack, right?

Ram:
Yeah. And I guess you could also say that like the PHP 8 thing is kind of in a similar boat. It’s just that the types of long-established sites that are going to have a lot of users on them aren’t as likely to be using PHP 8. But it is still sort of in the same boat as in this. This is still something to be aware of, not necessarily to actively worry about, but definitely to get patched.

Kathy:
Definitely. And this is one of the reasons why I like WordPress so much, is that not only does the core team take contributor-level vulnerabilities very seriously and ensure those get patched. But everyone in the WordPress space… Wordfence, we take these types of vulnerabilities very seriously as well. And it just makes the entire WordPress space much safer because these things are caught, patched, and we go on to the next vulnerability that we discover. But this open source system where everybody is kind of contributing their knowledge about, well, what can happen with this? Just makes the entire WordPress space safer as a whole. So I’m happy you do the work you do.

Ram:
Thank you.

Kathy:
So if you are curious about any of the specific plugins that were affected by this, head over to the blog post that Ram posted this week; links will be in the show notes, and you can see the 15+ plugins that were affected by this very similar vulnerability and ensure that you update. Now, it looks like somebody else wants to update things, but this-

Ram:
I’m kind of glad that they didn’t do any more than removing the webshells.

Kathy:
So what’s the story? Who’s doing updates, and what are they doing that’s very unusual?

Ram:
Well first, attackers were doing unauthorized updates on Exchange servers by adding webshells, taking advantage of a few vulnerabilities we discussed in our previous podcast. And now, the FBI is also… Basically the FBI is going around and using the webshells to delete the webshells.

Kathy:
Interesting. Okay. So these Exchange servers had a vulnerability that we reported on, hackers are getting into Exchange servers. They’re putting webshells, ASP webshells, on these Exchange servers, and so now the FBI is coming in and using the webshell to go in and delete that webshell. But the webshell is just sort of like a backdoor; it’s not necessarily doing anything malicious by being there. It’s just kind of like an open door, right?

Ram:
Yeah. It’s basically like having a vulnerability that takes a lot less technical know-how to exploit, at least if it’s not password-protected, which if the FBI was able to access it, seems like it probably wasn’t.

Kathy:
Okay. And it looks like Hafnium is the state-sponsored hacking group from China that’s targeting Exchange servers using this particular backdoor?

Ram:
Yes. That’s the other thing. It looks like a number of other groups were also using the webshells they left behind on those Exchange servers. So…

Kathy:
Okay. So this was starting to get out of control it looked like, and it looks like the FBI has come in and started using the webshell to clean up the webshell. And this is a little unprecedented, isn’t it?

Ram:
Yeah. It makes me a little bit nervous. There’s a number of other things that various governing bodies have done in the past, taking control of botnet C2 infrastructure to shut down botnets or seizing infected systems because they’re evidence of a crime. But this is kind of I want to say the first time they’ve done something like this en masse, remotely and taken control of someone else’s system remotely in order to do this. Or it’s someone who’s not-a-criminal’s system remotely in order to do this, at least. It’s a little worrying.

Kathy:
Yeah. It is a little worrying, especially when it’s the government doing something like this, because when the government shows up and says, “Hey, we’re here to help. And we’re just going to, like, come into your private server and do this thing on your server.” It’s kind of like the cops coming to your house and saying, a criminal has left a key under the mat and we’re going to take that key. It’s just a little unnerving, I suppose. But I mean, if somebody is running an Exchange server, I expect… I have this expectation of a company running an Exchange server to have some kind of security protocols in place so that that server gets updated and checked for malware.

Ram:
Yeah. Like, an Exchange server, it’s not like a cat blog. It’s not like not having a security system on your house. It’s more like if you have, like, a storefront and not having a locked safe in that storefront.

Kathy:
Yeah. It’s much more of a commercial type of enterprise and there’s various expectations of what happens there. But the government doing this for the first… This is like the first time they’ve done it, and what do you think about having the FBI do this kind of thing?

Ram:
Pretty much the only thing I can really say is that it’s better that the FBI is doing it in the open than the NSA doing it in the shadows. Because you wouldn’t actually know if the NSA did it. In this way, at least this kind of thing can be like challenged. It does set a precedent and that runs the risk of normalizing this kind of thing but at the same time, the fact that we know that it happened means that it can be challenged. That’s the only really positive takeaway I have from it. I’m not going to say that someone didn’t need to clean those webshells up, but it would have been ideal if it had been the people that own the servers to actually do the cleanup.

Kathy:
Yeah. And that kind of brings me to, there’s a number of security solutions in the WordPress space. And some of those solutions actually just go in and remove the malware. We do not. We basically give you a tool that lets you know the malware is there and then helps you make good decisions about what’s happening on your site, whether it’s a plugin update or an infected file. You make the decision to clean that up because it’s your website. We don’t have automatic malware removal. Also, I mean, you could have your wp-config file, which is very important for the operation of your site, have malware within it; would you rather have that cleaned by knowing what’s happening with it, or automatically deleted by some service that comes through and automatically deletes anything that looks like malware? I mean, obviously some very specific decisions need to be made in those types of cases. But our sort of take on things is like, if your site is infected, one, yes, it needs to be cleaned, but also an investigation needs to happen of like, how did this happen and what kind of evidence has been left behind. And if all of that is just wiped out, it doesn’t empower. What the FBI is doing here does not empower the owners of these Exchange servers to get better at security, in my opinion, and that needs to happen. That needs to be sort of like the primary thing that happens in this case.

Ram:
I completely agree. Like, I have seen so many instances with tools that automatically clean up malware where they’ll just keep on cleaning the same malware day after day after day, because the place where it’s getting in never gets fixed. The site just keeps on getting reinfected. Yeah. There’s not a meaningful difference in a lot of cases, and realistically cleanup is the kind of task that in a lot of cases does need human intelligence. Just because it’s so easy to either clean the wrong parts of the thing or clean the wrong thing entirely and damage a site component. So it is definitely the kind of task that needs human intelligence to be done right.

Kathy:
Yeah, it does, in my opinion. And that goes for Exchange servers and WordPress and your computer. Any system that gets any kind of malware on it should have some kind of human intervention, in my opinion.

Ram:
I feel like it’s especially the case for something like WordPress, which is written in a language like PHP, where you can add malicious content to an existing file instead of having to, like, actually tamper with a binary, which is a bit trickier, or having a standalone malicious binary. You know, attackers can actually inject malicious code right in the middle of benign code on a WordPress site. And that’s the kind of thing where you want to be careful and use a scalpel to clean it up rather than just trashing the whole thing in a lot of cases, or replacing it if you can.

Kathy:
Yeah. Scalpel rather than a sledgehammer.

Ram:
Yeah.

Kathy:
Yeah. All right. So we’ll keep watching that story because I’m sure that we’ll learn more about that as it evolves, just like this Google Chrome zero-day that… It looks like 2021 is what? The year of Chrome zero-days.

Ram:
It is the year of Chrome zero-days. It looks like this is the second one this week. There’s not a ton of info on this one other than the traditional proof-of-concept video, which in this case they use to open Windows’ Notepad, which, either Notepad or the Calculator, is like the traditional “here, I can do remote code execution via your browser.” So it looks like it wasn’t capable of escaping the Chromium sandbox feature. But honestly, if that’s the case, I’m not sure how they got Notepad open. Anyways, update Chrome, please update Chrome, like, ASAP.

Kathy:
And Microsoft Edge or any other Chromium-based browser that you’re using. We know one browser that is not affected, which one is that that uses…

Ram:
That one would be Firefox. And honestly, I’m a die-hard Firefox fanboy, but I know that their market share is tiny. And that’s probably most of why we’re not seeing all these in Firefox. But part of me wants to speculate that the fact that Firefox tries to do as many things with Rust, which is a memory-safe programming language, for this kind of thing is much harder to pull off. I kind of feel like the fact that Firefox tries to do as many things with Rust as possible is maybe part of why we’re not seeing as many of these in Firefox. But that’s just speculation. You can’t prove a negative.

Kathy:
Everybody always wants to go after the biggest kid on the block, and that seems to be Chrome these days; everybody’s using Chrome. Just like WordPress. And which is why you need to, if you’re using Chrome, Chrome hygiene is really important. It’s important to always… Every few days, like once a week, check and make sure that it is updated; it will have a little update in the upper right-hand corner. But you can also go into settings and just do a security check. Also, good to check your extensions there, like plugins in your browser, and if the plugin-

Ram:
There have been malicious ones.

Kathy:
There have been malicious ones.

Ram:
There’s a market for malicious ones. People have bought malicious Chrome extensions and added malware to them just like they did for WordPress plugins.

Kathy:
Oh, fun. Yeah. So always check your extensions, make sure that anything that’s in there is something that you’re actively using. And if anything looks like it’s something you’re not sure what it is, make sure you delete those. Browser extensions are like plugins and you just… It’s really important to be aware of what’s happening because that’s sort of like your digital life in your browser. We all live in our browser so much.

Ram:
We do. The final item on our list has nothing to do with browsers, though it does have to do with the NSA and the FBI.

Kathy:
It does.

Ram:
Yeah. Anyway, you know the SolarWinds thing that was the only security thing that anyone could talk about for like two months?

Kathy:
Yeah. It was pretty huge.

Ram:
And it’s still being attacked. Anyways, it looks like Cozy Bear has been officially blamed.

Kathy:
Yes. And not just by the U.S. Government; apparently the UK NCSC is accusing Cozy Bear of these campaigns against SolarWinds. The Russian foreign intelligence service, or the SVR, is apparently exploiting, according to the FBI, NSA, yada, yada… They are actively exploiting five publicly known vulnerabilities. There are these actors known as APT29, Cozy Bear and The Dukes; that was new to me. So it looks like SolarWinds has now become what we knew it was kind of going to become: political. Yeah. Which means we have nothing more to say about it, but we’ll keep watching these attacks and see what’s happening, because it’s scary to me that these vulnerabilities are still being exploited, that there are still unpatched systems that can be exploited. It’s like the biggest story.

Ram:
There are always unpatched systems that can be exploited.

Kathy:
That’s the thing with security is like you can inform people day in, day out and it could be the number one story on the news. It could be… You put up billboards, you can knock on people’s doors and say, “SolarWinds! Are you patched?!” But there’s still going to be people who don’t patch and do not secure their system.

Ram:
Which is understandable if it’s a cat blog but you know, SolarWinds is kind of in the category of Exchange servers, but more. It’s not like having a storefront without a safe, it’s like having like a chain of franchises where you have a policy to not have a safe. That’s a pretty bad analogy, but like, yeah.

Kathy:
Well, it kind of drives it home, but it just seems like… This is the world we now live in; security touches each and every one of us. We try to help you stay safe, not only with what you’re doing with your browsers, but also what you’re doing with your WordPress site. We’ll report on any story that we think is relevant to you so that you stay safe. You just have to be aware. You have to patch your systems, whether it’s your computer or your WordPress site, and just be aware, and we’re so grateful that you listen in to Think Like a Hacker and visit us on Wordfence Live so that we can share all of these scary stories with you. And-

Ram:
Scary stories. And we would like you to help us help you by-

Kathy:
And the world…

Ram:
And the world, by joining us and coming to work with us. We are hiring for a SecOps role, a PHP Developer role, and we also have a new QA role if you would like to test our products and possibly break them, which is how I started here. We have a website performance researcher role, and we have an instructional designer role if you or anyone you know has created, like, educational content or coursework; send us some samples, let us see what you got.

Kathy:
Yeah. Especially if you’re interested in security, if you have done coursework for security even more interesting, we’d love to talk to you. We have a number of things in the hopper that we’re cooking up. Because we see how important it is that education and security, they kind of go hand in hand and we want to make sure that everybody has the tools and knowledge that they need in order to live in this digital world. And with that, I think that’s our episode this week.

Ram:
I think that’s a wrap. Thank you and I’ll see you next week.

Kathy:
See you next week. Thanks for listening, bye.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 113: An Unprecedented FBI Operation Removes Webshells from Infected Exchange Servers appeared first on Wordfence.
