Application Security Weekly Review, Week 5 2019
Eavesdropping bug in Apple’s FaceTime, a zero-day vulnerability in an abandoned WordPress plugin, the Manic Menagerie attack on Australian web hosting, and more.
It’s the end of the week and here we are with our weekly roundup of the most interesting news from the cybersecurity industry, including an eavesdropping bug in Apple’s FaceTime, a zero-day vulnerability in an abandoned WordPress plugin, the Manic Menagerie attack on Australian web hosting, and more.
Apple FaceTime bug lets callers silently spy on others
Probably the most significant news item of this week concerns a glitch in Apple’s FaceTime video calling platform that let callers watch and listen in on other users during unanswered calls. To exploit the bug, a caller only needs to add their own phone number to an already initiated FaceTime call and voilà – the caller can hear the audio coming from the recipient’s iPhone.
Furthermore, it was also found that if the person presses the Power button from the Lock screen, their video is also sent to the caller. The bug affects iPhones and iPads running on iOS 12.1 or later, and Macs with an OS that supports Group FaceTime.
Apple has acknowledged the problem and said that the bug will be fixed in the next iOS software release. For the moment, the vendor has temporarily addressed the issue by turning off Group FaceTime calls on the server side.
Zero-day vulnerability in Total Donations WordPress plugin actively exploited in cyberattacks
The commercial plugin Total Donations for WordPress contains design flaws in its code that allow attackers to gain unauthorized access to websites that use it. Over the past week, security experts from Defiant detected several attacks leveraging this vulnerability. The flaw in question is an AJAX endpoint in one of the plugin’s files, which can be queried by any remote unauthenticated user. As a result, a malicious actor can perform various actions: for example, modify the settings of any WordPress site, change plugin-related settings, retrieve Mailchimp mailing lists, etc.
The most worrisome fact is that disabling the plugin won't help, as an attacker could simply call the file directly; to eliminate the threat to their sites, site owners need to remove the plugin completely. The researchers tried to contact the creator of Total Donations, CodeCanyon, but all of their attempts were unsuccessful. It seems that the developer abandoned the plugin in May 2018, leaving many WordPress websites open to takeover.
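To make the two points of this item concrete (an AJAX endpoint reachable without authentication, and a plugin file that still does work when requested directly after the plugin is disabled), here is an added illustration written for this roundup. It is not the Total Donations plugin's code; the plugin name, hook names and option keys (`hypo_*`) are hypothetical, while the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `update_option`) are the standard API. The weak handler shows the pattern a site owner should look for when auditing a plugin; the hardened handler shows the same feature done safely.

```php
<?php
// Added illustration, not the Total Donations plugin's code.
// Plugin, hook and option names below are hypothetical.

// Direct-access guard: when this file is requested directly (outside WordPress),
// ABSPATH is undefined and nothing below runs. This is what prevents a file from
// being reachable after the plugin has been deactivated, which is the failure
// mode the roundup describes.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/* --- Weak pattern ---------------------------------------------------------- */
// Registering the handler on wp_ajax_nopriv_* exposes it to logged-out visitors,
// and with no nonce or capability check any remote client can rewrite the option.
function hypo_donations_update_settings_weak() {
    update_option( 'hypo_donations_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_update_settings_weak',        'hypo_donations_update_settings_weak' );
add_action( 'wp_ajax_nopriv_hypo_update_settings_weak', 'hypo_donations_update_settings_weak' );

/* --- Hardened pattern ------------------------------------------------------ */
function hypo_donations_update_settings() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer terminates the request on a bad or missing nonce).
    check_ajax_referer( 'hypo_update_settings', 'nonce' );

    // 2. Authorization: only users permitted to manage options may change settings
    //    (wp_send_json_error sends the response and exits).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: accept only the keys we expect, each sanitized.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array(
        'currency' => sanitize_text_field( $raw['currency'] ?? 'USD' ),
        'goal'     => absint( $raw['goal'] ?? 0 ),
    );

    update_option( 'hypo_donations_settings', $settings );
    wp_send_json_success( $settings );
}
// Registered for authenticated users only: there is deliberately no
// wp_ajax_nopriv_ hook for this action.
add_action( 'wp_ajax_hypo_update_settings', 'hypo_donations_update_settings' );
```

When reviewing a third-party plugin, the quick checks that follow from this are: every `wp_ajax_nopriv_*` hook should be justified by a genuinely public feature, every state-changing handler should call `check_ajax_referer` and a `current_user_can` check, and every PHP file in the plugin should start with the `ABSPATH` guard so that deactivating the plugin actually removes the attack surface.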
Australian web hosting providers compromised in a Manic Menagerie attack
At least eight Australian web hosting providers were compromised in an extensive malicious campaign that security researchers dubbed Operation Manic Menagerie. According to the report of the Australian Cyber Security Centre, cybercriminals were using the hacked servers for cryptocurrency mining (namely Monero), to place ads on the hosted websites, and to support SEO optimisation for other sites.
The campaign had been active since at least November 2017. Attackers exploited vulnerabilities in web applications to gain initial access to web servers and then installed different types of malware, including infostealers and Gh0st RAT. It is worth noting that the criminals used publicly available proof-of-concept code for privilege escalation on the targeted systems and quickly added new PoC exploits to their arsenal.
LocalBitcoins got hacked via third-party software
The popular peer-to-peer cryptocurrency exchange service LocalBitcoins had to temporarily disable its forum and ongoing transactions due to a security breach. The attack lasted for nearly five hours, and during that period users were redirected to a page mimicking the official LocalBitcoins login form, letting the criminals collect users’ credentials. Attackers then used that data to gain access to users’ accounts and steal money. It appears that the hackers managed to steal around 8 bitcoins from five victims.
According to LocalBitcoins, attackers compromised one of the forum widgets and implanted malicious code, which redirected users to the phishing page.
The majority of Fortune 100 companies are still using the vulnerable app that led to the 2017 Equifax breach
The majority of Fortune 100 companies are still using the flawed version of Apache Struts, which is believed to be the main culprit in Equifax’s massive data breach that affected more than 145 million consumers. As recent research by Sonatype shows, in the last six months of 2018 more than 60% of Fortune 100 companies downloaded a vulnerable version of Apache Struts, even though the development team has released several Apache Struts patches since the Equifax incident (the most recent one was delivered earlier this year). Sonatype didn’t reveal the names of the companies that had downloaded the vulnerable version of the framework, but said that the list included firms in the financial, energy, healthcare and technology sectors.