Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Active Exploitation of WordPress Plugin

Specialist WordPress security firm Wordfence has reported on active exploitation of an unpatched privilege escalation vulnerability in Ultimate Member, a plugin installed on over 200,000 WordPress sites. The vulnerability has not been properly patched in version 2.6.6, the latest version of the plugin, and Wordfence recommend uninstalling the plugin until a complete patch becomes available.

The Ultimate Member plugin is intended to add easy registration and account management on WordPress sites. Unfortunately, the registration form component performs inadequate sanitization of form keys, making it possible for users to register and set arbitrary metadata on their account - including the wp_capabilities meta value which, if set to 'administrator', blesses an attacker with full capabilities on the site. Although a series of updates have attempted to block this by including a predefined list of banned metadata keys, attackers have found a number of simple ways to bypass this, such as varying the case, including slashes, and URL-encoding the keys.

The result is CVE-2023-3460, which garners a CVSS score of 9.8 (Critical). Wordfence's advisory provides indicators of compromise, and the company has released a firewall rule for their products which will protect customers against exploitation.

Chamberland, Chloe, PSA: Unpatched Critical Privilege Escalation Vulnerability in Ultimate Member Plugin Being Actively Exploited, blog post, 29 June 2023. Available online at https://www.wordfence.com/blog/2023/06/psa-unpatched-critical-privilege-escalation-vulnerability-in-ultimate-member-plugin-being-actively-exploited/.

Avast Releases Akira Decryptor

Anti-malware firm Avast has released a decryptor for the Akira ransomware which appeared in March 2023 and has gone on to attack a variety of industries including education, finance and real estate. Akira's approach to file encryption is interesting - its authors favouring a lightweight, fast approach (using Dan Bernstein's Chacha 2008 stream cipher) that only partially encrypts files in order to render them unusable, rather than performing full encryption. In most respects, it is similar to the earlier Conti ransomware, suggesting a link of some kind between the authors.

For files of 2,000,000 bytes and smaller, the ransomware encrypts the first half of the file, while for larger files, it encrypts four blocks interspersed within the file. In both cases, the encryption uses a random key, and Akira appends a structure which contains the original file size, the malware version number, the type of encryption performed and the random key, encrypted using RSA public-key crypto with a 4096-bit modulus. The extension .akira is then appended to the filename, and an akira_readme.txt ransom note is dropped into each folder.

In order to use Avast's decryptor, a victim must find a matched pair of files - one encrypted, one the pre-ransom unencrypted version - that are as large as possible. The decryption tool will examine these and attempt to extract the decryption key. Once this is found, the decryptor tool can proceed to decrypt all the files on drive, optionally saving backups as it goes (highly recommended).

The Avast researchers do not describe how their key-cracking process works, but I have my suspicions (and my former cryptography students should be able to guess, too 😉).

Of course, the decryptor tool cannot provide any protection against any consequences of information exfiltration threatened in the Akira ransom note - it can only recover lost files.

Avast Threat Research Team, Decrypted: Akira Ransomware, blog post, 29 June 2023. Available online at https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.