BLOG

Cloudflare[.]Solutions WordPress Keylogger Malware Is Back With A Vengeance

Towards the end of last year, thousands of WordPress sites were discovered to be infected with a nasty bit of malware that included a keylogger and cryptocurrency miner. The malware relied on a server located at the fake cloudflare.solutions domain, which was quickly taken down, stopping it from sending data to the people behind the attack.

But it appears the same malware is back, infecting WordPress sites and loading its scripts from, and sending data to, several new domains. To be clear, none of the domains the malware uses has anything to do with the real Cloudflare. Since the proliferation of new top-level domains over the last few years, it’s straightforward for an attacker to register a domain that resembles a prominent company’s real one, and at a cursory glance an inexperienced site owner is likely to wave through code that references a name they associate with a legitimate business whose services they may well use.

At the time of writing, it appears that several thousand WordPress sites have been infected, so, if you use our Virtual Private Server or Dedicated Server hosting platform to host a WordPress site, it’s worth taking a moment to make sure that it isn’t infected.

The malware has two roles: firstly, it logs keystrokes entered into form fields on a WordPress site and, secondly, it loads cryptomining code in the browsers of site visitors.

The keylogger is dangerous, particularly on WordPress sites that ask users to enter identifying or otherwise sensitive data. On an HTTPS site, that data is encrypted in transit so that a network eavesdropper can’t read it. But transport encryption doesn’t help here: the malicious JavaScript is part of the page itself, runs in the visitor’s browser and reads the form fields before anything is sent, so it sees the data in the clear and can forward it wherever the attacker likes.

The cryptomining scripts are a problem for site visitors. Proof-of-work cryptocurrencies such as Monero are created by mining: computers race to solve a computationally expensive hashing puzzle, and whoever finds a valid solution first is rewarded with newly minted coins.

Because a great deal of computing power is needed to earn even a small number of coins, one solution is to distribute the work among lots of low-power computers, which is exactly what in-browser cryptomining malware does: every visitor’s browser mines for as long as the page is open. The attacker gains cryptocurrency without having to invest in expensive hardware to do the work. Cryptomining malware consumes resources, including CPU time and battery power, which is not something any site owner should inflict on their users, especially those on mobile devices.

It’s not clear how the malware infects WordPress sites in the first place, but the usual suspects are probably to blame: outdated WordPress core, plugins and themes with known vulnerabilities that haven’t been patched. Keep your WordPress sites up-to-date, folks!

To find out if your site is infected with this or other common WordPress malware, you can use a free online scanning tool like Sucuri Sitecheck or WordFence’s Gravity Scan.
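A check you can also run yourself, added here as an example and not part of the original post or of either scanner: pull every third-party script host out of a page’s HTML (or a theme file, or a database dump of wp_options and wp_posts), flag anything that isn’t on your allowlist, and single out hosts that borrow a trusted brand’s name the way cloudflare.solutions borrows Cloudflare’s. The allowlist, the brand list and the sample footer below are assumptions constructed for the example, not indicators taken from the campaign.

```javascript
// Added example (not code from the original post): list third-party script
// hosts in a page and flag the ones that are not allowlisted, calling out
// lookalike domains that borrow a trusted brand name. Assumptions: the
// injected loader is an ordinary <script src="..."> tag, and Node.js >= 12.

// Hosts you have deliberately chosen to load code from (assumed for the example).
const ALLOWED_HOSTS = ['cloudflare.com', 'ajax.googleapis.com'];
// Brand names whose appearance in an unknown host is suspicious (assumed).
const BRANDS = ['cloudflare', 'google', 'wordpress', 'jquery'];

// Pull the src attribute out of every <script ...> tag.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1].trim());
  return srcs;
}

// Hostname for a src; relative paths resolve to the sentinel base so they
// are recognised as same-site, and //host/path is treated as https.
const SAME_SITE = 'example.invalid';
function hostOf(src) {
  try {
    const abs = src.startsWith('//') ? 'https:' + src : src;
    return new URL(abs, 'https://' + SAME_SITE + '/').hostname;
  } catch (e) {
    return null;
  }
}

// Exact match or subdomain of an allowlisted host.
function isAllowed(host) {
  return ALLOWED_HOSTS.some(a => host === a || host.endsWith('.' + a));
}

// Audit: one finding per script host that is neither same-site nor allowlisted.
function auditScripts(html) {
  const findings = [];
  for (const src of extractScriptSrcs(html)) {
    const host = hostOf(src);
    if (host === null) {
      findings.push({ src, host: null, verdict: 'unparseable src' });
    } else if (host === SAME_SITE || isAllowed(host)) {
      continue;
    } else {
      const brand = BRANDS.find(b => host.includes(b));
      findings.push({ src, host, verdict: brand ? 'lookalike of ' + brand : 'unknown third party' });
    }
  }
  return findings;
}

// Constructed sample of a theme footer, including a loader pointing at the
// lookalike domain named in the post. Not a capture from a real site.
const SAMPLE_FOOTER = `
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script type='text/javascript' src='https://cloudflare.solutions/ajax/libs/example.js'></script>
<script src="//stats.example-tracker.test/t.js"></script>
`;

console.log(auditScripts(SAMPLE_FOOTER));
```

To use it on a real site, feed it the HTML the browser actually receives (the output of curl against the home page and any page with a form) rather than the sample, because a loader injected into a theme’s functions.php or into a post body only becomes visible in the served page. Anything that comes back as a lookalike deserves a look at the registrar record before you decide it is harmless.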

If your site is infected, the most certain and effective way to remove malware is to reinstall WordPress and restore files and the database from a recent backup you’re sure is uninfected. If that’s not an option for you, Sucuri has an excellent guide to removing malware from a hacked WordPress site.

Supply-Chain Attack Infects Thousands Of Government Sites With Cryptominer Malware

A few months ago, I wrote about a report that claimed 77% of web applications use at least one JavaScript library with a known vulnerability. In most cases, those sites are pulling in a JavaScript file from the project’s repositories, but there is another vector that site owners should be aware of.

Earlier this month, it was reported that over 4,200 government and commercial sites in the US and UK were infected with cryptomining malware. The sites hadn’t been compromised by attacks on their servers or content management systems. Instead, Browsealoud, a utility used by all of the affected sites, was targeted. Browsealoud is an accessibility tool that gives websites the ability to read content out loud.

At the time of writing, it isn’t clear how the malicious code found its way into Browsealoud, but once it was injected, every visitor to sites that used Browsealoud — it is to be found on many government and corporate sites — downloaded and executed the code.

In this case, the malicious code loaded Coinhive’s Monero miner, which uses the resources of site visitors’ machines to mine for the Monero cryptocurrency. Mining cryptocurrency at scale usually requires a large investment in high-power hardware. An alternative to buying expensive mining machines is to distribute the work among thousands of lower-powered machines, which is exactly what the Browsealoud attackers hoped to achieve.

Having your computer’s resources wasted to fill an attacker’s Monero wallet isn’t good, but the malware payload could have been much worse. The same technique can be used to inject malvertising, keyloggers, spyware, botnet software, and anything else the attackers deem useful.

Today’s web wouldn’t function without code from third parties. The vast majority of the sites you visit pull in code from content delivery networks, analytics platforms, and a multitude of other sources. Popular projects like Browsealoud are prime targets for online criminals: compromise one project and you gain access to thousands or millions of users.

Unfortunately, it’s next to impossible for site owners to thoroughly vet every line of code their sites rely on. However, there are security precautions that will reduce the chance of a successful supply-chain attack. Subresource Integrity (SRI) is a feature built into modern browsers that lets a site verify that code fetched from a third party is byte-for-byte the file the site owner reviewed and expected.

To use SRI, the site owner publishes a cryptographic hash of the file in the script tag’s integrity attribute. When the browser fetches the file it hashes what it received and compares the result with the published value; if they differ, the browser refuses to execute the file, so a script that has been altered at the source or in transit never runs. For a script hosted on another origin the tag also needs a crossorigin attribute, and the third party must serve the file with CORS headers, otherwise the browser cannot check it at all. None of the sites affected by the Browsealoud attack used SRI.

As site owners become more security conscious, we can expect to see more attacks focused on open source and commercial projects that are integrated into popular sites. That includes operating systems, software packages, libraries, JavaScript tools, and anything else that allows an attacker to run their malicious code on as many machines as possible.

January 2018’s Best Open Source, Cybersecurity, and Web Development Content

We’re officially well into 2018! All of our resolutions and strategies are set in action and it’s time to check in to see how you’re doing so far. From Burger King explaining Net Neutrality to the Linux, Meltdown and Spectre battle, this month has been interesting thus far. If you’re looking for some inspiration or just good content, check out our first 2018 round up! If you enjoy this collection of the web’s top articles, feel free to follow us over on Facebook, Twitter, and Google+ for the same great content the rest of the year.

Open Source and Linux

The Linux vs Meltdown and Spectre Battle Continues

The Linux developers have made a lot of progress in dealing with Meltdown and Spectre, but there’s a lot of work left to do.

What Happens When You Want to Create a Special File with All Special Characters in Linux?

Learn how to handle creation of a special file filled with special characters.

Does DevOps Plus Open Source Equal Security?

Many IT organizations are now moving to DevOps simply because they’re being instructed to do so by the business or because this is the answer they get from their peers and the market.

Free Linux Tool Monitors Systems for Meltdown Attacks

Check out a free Linux tool that can detect Meltdown exploitation attempts.

A Look Inside Facebook’s Open Source Program

Find out how open source helps Facebook to share insights and boost innovation.

Rethinking Your Open Source Use Policy

Open source is an amazing asset that is putting everyone on an even playing field and is allowing all companies to become flourishing tech companies.


Design & Development

The (Obvious and Overlooked) Importance of User Testing

Find out why user testing is important.

The Top JavaScript Trends to Watch in 2018

Grow as a developer this year, here’s your guide to your master plan.

12 Design Trends To Integrate Into Your Web Development And Marketing

Take a look at these popular design trends and how you can integrate those trends into your branding.

Will Machine Learning and AI Change Responsive Web Design?

Web developers have streamlined and added features in web design to customize websites for users, but AI and machine learning will further the user experience in web design.

A Reading List for WordPress Web Designers in 2018

If one of your resolutions this year is to read more, you’re in luck! Check out this reading list for WordPress web designers.

Cybersecurity

Doh!!! The 10 Most Overlooked Security Tasks

Here’s a list of mistakes that often slip past overburdened security pros, don’t let it pass you by!

6 Tips for Building a Data Privacy Culture

Experts say it’s not enough to just post data classification guidelines and revisit the topic once a year. Companies have to build in privacy by design.

The Moving Target of IoT Security

As the explosive growth of IoT continues, businesses, vendors and consumers all have to confront the issue that the world is more connected than ever before, with potentially gigantic consequences.

Will 2018 Be The Year We Say Goodbye To Passwords?

Users choose passwords poorly. Explore the alternatives to relying on a bad password.

Wi-Fi security overhaul coming with WPA3

Under WPA3, security will be baked deeper into wireless configuration, making it harder to misconfigure or to avoid.

Interesting Technology Posts

Keylogger Campaign Returns, Infecting 2,000 WordPress Sites

Over 2,000 WordPress sites are infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive.

Burger King Deviously Explains Net Neutrality by Making People Wait Longer for Whoppers

Net neutrality is a complicated topic to explain, which is where Burger King came in with a meaty metaphor.

Smut site fingered as ‘source’ of a million US net neutrality comments

An analysis of comments submitted to the U.S. FCC’s consultation on the future of the nation’s net neutrality rules has shown the whole process of public comments was fatally flawed.

Senate Democrats Push for a Net Neutrality Vote. Do They Have a Chance?

Senate Democrats announced that they were one supporter away from winning a vote to restore the so-called net neutrality rules, but they have a long way to go before they are able to reinstate rules.

WebAssembly Is Now Supported In All Major Browsers

In the summer of 2016, I published an article called Will Anyone Be Writing Javascript In A Couple Of Years? My answer was this: yes, we’ll still be writing Javascript, but over time it may be superseded by other languages that compile to Javascript. Today, of course, Javascript is still everywhere, but, apart from an unfortunate focus on CoffeeScript, I wasn’t completely off in my prediction: many developers write TypeScript rather than plain old Javascript, and Elm, ClojureScript, PureScript, and other languages that compile to Javascript are coming along nicely.

Popular WordPress Captcha Plugin Contains Backdoor

The Captcha plugin, which is owned by the developer “simplywordpress”, contains a backdoor that gives the plugin’s current owner administrator access to any site running it. Over 300,000 WordPress sites have installed the Captcha plugin, which can no longer be installed from the WordPress Plugin Repository. We recommend that WordPress site owners who have installed this plugin remove it immediately.

Which PHP Framework Is Best For Web Development?

If you’re planning to get into PHP web development, you can save yourself a lot of time (not to mention more than a few headaches) by working with a development framework. Designed to reduce development overhead and dial down complexity in the development process, a framework includes a series of tools, pre-built components, and code samples that you can use to eliminate a lot of the redundant legwork when it comes to web development.

Protecting Yourself Against The Wild West of Cybercrime – Three Things You’ll Need

“Today, a single person can perpetrate a multi-million dollar cybercrime with impunity. Activists, hacktivists, nation states, organized crime and rogue individuals are making careers as cyber thieves.”  

The above quote is from cybersecurity expert Lynn Mattice, who in 2012 referred to cybercrime – and the digital realm by association – as the new Wild West. The similarities are pretty striking if you sit down to look at it. And I’d go so far as to argue that her analogy still holds true today.

A New Year Server Security Checklist


I’m not a big fan of New Year’s Resolutions, especially when server security is involved. Security should be a constant concern for anyone doing business on the web. But, as a new year begins, it is a good time for server hosting clients to review the security policies and the systems they have in place. It’s empowering to start the new year confident that everything is working as it should.

December 2017’s Best Open Source, Cybersecurity, and Web Development Content

It’s time to say goodbye to 2017 and hello to 2018. As we wrap up the end of this year, we take a look at AI finding its way into cybersecurity, the FCC killing net neutrality, and someone getting an internet connection to work over wet string. Whatever 2018 has to throw at us, stay ahead of the curve, check out this roundup and enjoy the rest of December’s best content! If you enjoy this collection of the web’s top articles, feel free to follow us over on Facebook, Twitter, and Google+ for the same great content the rest of the year.