Shearwater Security Report | September 2019

Current Threats and Exploits

· WordPress Plugin Vulnerabilities

Vulnerable plugins are one of the top methods used by attackers to gain access to WordPress sites. 

Once again we’ve seen evidence of a malicious WordPress plugin that encrypts user blog posts with AES (Advanced Encryption Standard). AES is a symmetric encryption algorithm, standardised and used by the US Government to protect classified information, and it is implemented in both software and hardware throughout the world to render sensitive data unreadable to anyone without the key.

This latest malicious plugin, known as “WP Security”, uses AES to encrypt the contents of blog posts. Only the body of the post is encrypted, with all other attributes left unaltered.

As we go to press, there is no evidence of ransom demands being made to decrypt the content. However, the attackers could potentially demand ransoms in the future.
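Because the plugin described above leaves titles and other attributes untouched and replaces only the post body, the encrypted posts stand out in the database as bodies that are a single opaque blob instead of HTML. The following script is an added example (not code from the report or from the plugin) that flags such posts; it assumes the ciphertext is stored base64-encoded, which is a guess rather than something the report states, and the sample rows are constructed.

```python
import base64
import math
import random
import re

# Constructed sample rows in the shape of wp_posts (ID, post_title, post_content).
# Post 3's body is base64 of 96 pseudo-random bytes, standing in for an AES
# ciphertext: the title is untouched, only the body is opaque.
_rng = random.Random(1)
_opaque_body = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(96))).decode()

SAMPLE_POSTS = [
    (1, "Welcome", "<p>Welcome to the new site. We will post updates here every week.</p>"),
    (2, "Maintenance window", "<p>The shop will be offline on Sunday from 02:00 to 04:00.</p>"),
    (3, "Quarterly results", _opaque_body),
    (4, "Empty draft", ""),
]

# One unbroken base64 token (assumed ciphertext encoding), optional '=' padding.
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(text):
    """Bits per character: base64 ciphertext approaches 6, HTML prose sits near 4 to 4.5."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(body, min_len=64, min_entropy=4.5):
    """Heuristic: a long, high-entropy body that is nothing but one base64 token.
    Real posts contain whitespace and tags, so they fail the regex immediately."""
    body = body.strip()
    return (len(body) >= min_len
            and BASE64_BODY.match(body) is not None
            and shannon_entropy(body) >= min_entropy)


def find_encrypted_posts(posts):
    """Return (ID, title) for every post whose body looks like ciphertext."""
    return [(post_id, title) for post_id, title, body in posts if looks_encrypted(body)]


if __name__ == "__main__":
    for post_id, title in find_encrypted_posts(SAMPLE_POSTS):
        print(f"post {post_id} ({title!r}): body looks encrypted, restore from backup")
```

Run it against rows exported from wp_posts (for example via `wp db query` or a SQL client); the thresholds are starting points and should be checked against a sample of known-good posts, since a legitimate post that consists only of an embedded base64 image would also be flagged.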

Shearwater recommends improving your WordPress plugin security by following these best-practice steps:

  1. Use Plugins Sparingly – The fewer Plugins you have, the less chance one of them could have vulnerabilities that pose a risk to your site.
  2. Download Plugins from Reputable Sites – Try to restrict the Plugins you use to those available from the official directory. These Plugins have been widely used, so it is more likely that any vulnerabilities have already been identified and patched.
  3. Remove any Unused Plugins – When you make updates to your site and no longer require certain Plugins, make sure you delete them.
  4. Update Plugins Regularly – In our experience, many attackers target sites that are not updated with the latest versions of a Plugin. In fact, it is often the case that attackers seek to exploit old vulnerabilities that have been known for some time. Ensuring you update your Plugins on a regular basis to protect yourself with the latest security fixes is one of the easiest ways to stop attackers.
  5. Consider a WordPress Firewall – A Web Application Firewall or WAF can help protect you from zero-day exploits in which an attacker has discovered a new vulnerability that doesn’t yet have a patch available. A WAF can examine traffic to your site, helping you identify and filter out malicious requests.
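Steps 3 and 4 of the checklist can be checked mechanically from the plugin inventory that WP-CLI prints. The script below is an added example, not part of the report; it parses the JSON shape of `wp plugin list --format=json` (the `name`, `status`, `update` and `version` fields are WP-CLI's documented ones, the plugin entries in the sample are constructed) and reports what to delete and what to update.

```python
import json
import subprocess

# Constructed sample of the JSON that `wp plugin list --format=json` prints.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.2"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.1.3"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "1.0.9"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
])


def audit_plugins(plugin_list_json):
    """Apply the report's checklist to a plugin inventory.

    Returns a dict with:
      - "installed": how many plugins are present (step 1: fewer is better)
      - "remove": inactive plugins (step 3: delete what you no longer use)
      - "update": active plugins with an update available (step 4: update regularly)
    An inactive plugin's code is still on disk and still reachable by web requests,
    so it is listed for removal rather than for updating.
    """
    plugins = json.loads(plugin_list_json)
    remove = sorted(p["name"] for p in plugins if p["status"] == "inactive")
    update = sorted(p["name"] for p in plugins
                    if p["status"] != "inactive" and p["update"] == "available")
    return {"installed": len(plugins), "remove": remove, "update": update}


def live_plugin_list(wp_path):
    """Fetch the real inventory from a site with WP-CLI installed (not used by the tests)."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    result = audit_plugins(SAMPLE_PLUGIN_LIST)
    print(f"{result['installed']} plugins installed")
    for name in result["remove"]:
        print(f"REMOVE  {name}: inactive plugin still installed")
    for name in result["update"]:
        print(f"UPDATE  {name}: newer version available")
```

Replace `SAMPLE_PLUGIN_LIST` with `live_plugin_list("/var/www/html")` (path assumed) to audit a real site; the removal step is left manual on purpose, since deleting a plugin can also delete its settings.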


· Beware of Worms 


A “wormable” exploit not only breaks into, and infects, one computer. It subsequently spreads itself onwards to infect other vulnerable computers as well. That’s why they have the potential to be so pernicious.

Wormable exploits, such as WannaCry (2017) and BlueKeep (2019), have the potential to inflict devastating damage because once introduced, they can propagate and spread without any further human interaction.

So, when Microsoft recently identified two potentially wormable vulnerabilities in its software, alarm bells began ringing loudly.

Remote Desktop Services (RDS) is the Microsoft software that enables a user, such as a network administrator, to take control of a remote computer (i.e. a computer they don’t have physical access to) via a network connection. This is made possible through Remote Desktop Protocol (RDP) messaging.

It was while hardening RDS software last month that Microsoft discovered the two vulnerabilities.

These could be exploited without any user interaction, simply by sending specially crafted RDP messages to computers running RDS software.

Once in, an attacker could install programs, change or delete data, create new accounts with full user rights, and more.

Microsoft identified the vulnerabilities as CVE-2019-1181 and CVE-2019-1182 and warned that they affect more Windows versions than BlueKeep, including:

· Windows 7 SP1
· Windows 8.1
· Windows 10
· Windows Server 2008 R2 SP1
· Windows Server 2012
· Windows Server 2012 R2
· Windows Server 2016
· Windows 2019

According to Microsoft, these vulnerabilities haven’t yet been exploited in the wild, but the company urged customers to get ahead of the game by patching quickly.

CVE-2019-1181 Patch can be found here

CVE-2019-1182 Patch can be found here


· Password Security 


For many people, keeping up to date with dozens of passwords, across multiple devices, can be a real headache. Passwords need updating on a regular basis, and we’re told using the same password for all our logins is a major security risk.

That’s why password management software has become increasingly popular in recent years.

Products like Trend Micro’s “Password Manager” offer users the ability to sync passwords across Windows, macOS, iOS, and Android devices. It captures and replays login credentials, identifies weak and duplicate passwords, and auto-completes web forms.

But, what happens when the password management software is found to be vulnerable? The risk of significant data breach is enormous.

Two serious security flaws were recently discovered in the 2019 version of Trend Micro’s “Password Manager” product, as well as its anti-malware products “Maximum Security” and “Premium Security” for Windows devices.

These vulnerabilities would allow an attacker to load an arbitrary file with malicious code into the software and have it executed on the host.

As Trend Micro products operate with the highest available privileges on a device, once the software has been exploited, a low privileged user could run malicious code as a system administrator, giving them complete control over the host.

If you use Trend Micro products, it’s essential to ensure your systems are updated with the latest patches. Users who have signed up for automatic updates will already be patched. For others, the patch can be accessed manually by clicking here.


· Google Calendar Phishing

Where would we be without the G-Suite? Gmail, Google Docs and Google Calendar have become almost ubiquitous. They offer tremendous convenience. But with such widespread usage comes increased risk. If a vulnerability can be detected in these popular apps, attackers could cause widespread havoc.

Recently, just such a vulnerability was discovered in Google Calendar. The intuitive app scans a user’s Gmail account for upcoming events, such as booked flights, restaurant reservations or movie tickets. It then automatically adds these to the user’s Google Calendar.

A vulnerability was uncovered when one person forwarded an email to a colleague containing details of an upcoming flight they’d booked for themselves. Google Calendar erroneously thought the booking was for the colleague and added the flights to the colleague’s schedule. The colleague did not have to do anything to approve the addition of these flights to their Calendar.

This opens all kinds of potential phishing vulnerabilities. If ways can be found to automatically add events to users’ Google Calendars, these events could conceivably contain malicious links to further details about the supposed event.

Busy people will be more likely to click on such a link to obtain further information. Once the link is clicked, dangerous malware could easily be installed.

Furthermore, with the G-Suite products all linked, an attacker could easily gain access to sensitive documents stored in Google Docs, along with full access to the user’s Gmail account.

While many people have become accustomed to identifying phishing emails, they are unlikely to have observed phishing within their Google Calendar before. They are therefore more likely to be successfully phished.

When training people in your organisation regarding the risks of phishing, it is important to raise awareness that phishing attacks can come in a variety of formats. Certainly, email phishing is a major concern, but malware can also be delivered via SMS and now even through Google Calendar events.


Recent Breaches

· Web Hosting Breach 


Hostinger is a web hosting company that is owned by its employees. Founded in 2004, it now boasts more than 25 million users worldwide, located in more than 178 countries. The company offers shared web hosting in which multiple websites live on a shared server. This results in cheaper web hosting solutions.

During August, millions of Hostinger customers started receiving emails bearing bad news: their passwords required resetting following a major data breach.

According to Hostinger, 14 million customers were affected by the reset. This follows attackers gaining access to an API server on 23 August 2019. The database contained details of customer accounts, including usernames, email addresses, first names, IP addresses, and hashed passwords. 

While Hostinger is adamant that account passwords were hashed, they did not specify how this was done. It was subsequently discovered that Hostinger hashed the passwords using “Secure Hash Algorithm 1” (SHA-1). This is a cryptographic hash function which takes an input (in this case a password) and produces a 160-bit hash value known as a message digest, conventionally written as a 40-character hexadecimal string.

The problem with SHA-1 is that it has been subject to many collision attacks in recent years. A collision attack is an attempt to find two different inputs to a hash function that produce the same hash value. When two separate inputs produce the same hash output, it is called a collision, and any application that compares two hashes to decide whether their inputs match can be misled by one. As computational power increases, SHA-1 will become even more vulnerable to cracking.

This is why big internet companies have readied SHA-1 for the scrapheap.

Belatedly, Hostinger announced plans to investigate the origins of the latest incident with a view to improving security. The lesson for users is to check that service providers use stronger hashing methods, such as SHA-256, which offer far more security.
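The digest sizes above, and what a stronger scheme looks like in practice, are shown in this added example (it is not code from the report or from Hostinger). It goes one step beyond the report's SHA-256 recommendation: a bare SHA-256 is still a fast, unsalted hash, so the example also stores passwords with a per-user salt and an iterated SHA-256 (PBKDF2-HMAC, from Python's standard library). The sample password and the 600,000-round work factor are assumptions.

```python
import hashlib
import hmac
import os

PASSWORD = "correct horse battery staple"   # constructed sample password
PBKDF2_ROUNDS = 600_000                      # assumed work factor; tune to your hardware


def sha1_hex(password):
    """Unsalted SHA-1, as the report says Hostinger stored passwords.
    160-bit digest, conventionally written as 40 hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha256_hex(password):
    """Unsalted SHA-256: 256-bit digest, 64 hex characters. Larger, but still a fast hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def digest_bits(hex_digest):
    """Each hex character encodes 4 bits."""
    return len(hex_digest) * 4


def make_password_record(password, rounds=PBKDF2_ROUNDS, salt=None):
    """Salted, iterated SHA-256 (PBKDF2-HMAC) as a service should store it.
    The per-user salt means two users with the same password get different records,
    so one cracked hash does not reveal every account using that password, and the
    iteration count makes every guess cost the attacker `rounds` hash computations."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("SHA-1   :", sha1_hex(PASSWORD), f"({digest_bits(sha1_hex(PASSWORD))} bits)")
    print("SHA-256 :", sha256_hex(PASSWORD), f"({digest_bits(sha256_hex(PASSWORD))} bits)")
    record = make_password_record(PASSWORD)
    print("stored  :", record)
    print("verify  :", verify_password(PASSWORD, record), verify_password("guess", record))
```

Note that `sha1_hex` gives the same 40-character value for every user who chose the same password, which is what lets an attacker check a leaked table against a wordlist one hash at a time; the salted record differs per user even for identical passwords.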


Other News

· Cryptomining Worm 


Cryptocurrency mining, or cryptomining, is the legitimate way cryptocurrencies are generated. It involves the use of computational processing power to solve complex mathematical problems. Those who successfully resolve the complex problems are rewarded with a small amount of the cryptocurrency.

It is an essential step in ensuring the validity of the currency, with no one able to use the same money twice.

However, cryptomining is a long process, requiring large amounts of computational processing power, for relatively little reward. Unscrupulous individuals try to find ways to turn cryptomining into a much more profitable enterprise by hacking into other people’s computers, infecting them with malware and using their computers’ processing power without their knowledge. This is when cryptomining becomes illegal.

Retadup was one such malware. First seen in 2017, it is believed to have infected over 850,000 computers, mostly in Latin America. The cryptomining worm could self-propagate without the need for human involvement. Apart from being able to collect data from infected computers, Retadup was also running the Monero cryptocurrency miner.

An investigation by antivirus maker Avast discovered a vulnerability in Retadup’s communications protocol that allowed them to instruct the malware to delete itself. This paved the way for French law enforcement to take down the backend infrastructure of the Retadup malware gang. It also enabled them to disinfect over 850,000 Windows systems without users having to do anything.

Remember, to protect yourself from malware, including worms such as Retadup, you need to be vigilant with file-sharing networks and avoid clicking on any suspicious attachments or links. You should also maintain up-to-date antivirus protection, preferably with a firewall.


To stay secure, you need to be proactive.

Cybercriminals are constantly looking for ways to exploit vulnerabilities and will use any opportunity to circumvent your security systems.

Keep on top of the latest advances in cybersecurity and ensure your organisation stays ahead of the threats with Shearwater’s team of expert consultants.

Together, we’ll develop a comprehensive security roadmap for your organisation that takes into account your specific needs and circumstances.

Take the first step towards enhancing your security and speak with us today.



This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.