Security researchers at F5 Networks constantly monitor web traffic at various locations throughout the world. This allows us to detect current “in the wild” malware, and to get an insight into a threat actor’s attack pattern. So, what did we see in March 2019?
Over the course of the month, we detected 11 new attack campaigns:
- Two campaigns targeting WordPress installations with the vulnerable SiteGround SG Optimizer plugin were detected. The vulnerability was published recently, and according to the article, around 300,000 websites are vulnerable.
- Three new campaigns targeting ThinkPHP servers with a Remote Code Execution (RCE) vulnerability were detected. The exploit was first published in December 2018 and is still a common attack vector.
- Other notable campaigns included:
  - Exploitation of Apache Struts2 Jakarta Multipart Parser vulnerability (CVE-2017-5638)
  - Oracle WebLogic WLS Security Component RCE vulnerability (CVE-2017-10271)
  - ElasticSearch Remote Code Execution vulnerability (CVE-2015-1427)
  - SiteGround SG Optimizer insecure plugin vulnerability
WordPress Easy WP SMTP Plugin Authentication Bypass
WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. Used by more than 60 million websites, including 30.6% [1][2] of the top 10 million websites as of April 2018, WordPress is the most popular website management system in use.
WordPress’ plugin architecture allows users to extend the features and functionality of a website or blog. Easy WP SMTP is a popular WordPress plugin which allows the site administrator to configure and send all outgoing emails via an SMTP server. This prevents emails from going into recipients’ junk/spam folders. According to WordPress, Easy WP SMTP has over 300,000 active installations. Figure 1 shows some download statistics:
A zero-day vulnerability was published [3] in version 1.3.9 of the Easy WP SMTP plugin a couple of weeks ago.
The vulnerability exists in the administration page—specifically, the admin_init function for the plugin. The administration page allows a user to specify data necessary for SMTP configuration. Using the administration page, a user can also import and export configuration data.
Based on the changeset for version 1.3.9.1 (shown in Figure 2), we can see that the added code contains a check for the current user’s capabilities. This indicates that in version 1.3.9, the capabilities of the current user were not checked, and any unauthenticated user could import/export configuration data.
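To make the missing-check pattern concrete, the following is an added, simplified example and not the plugin's own code: a hypothetical admin_init handler in its unchecked form beside a hardened form that gates import/export on the current user's capability (option name, handler names, request parameters and the nonce check are assumptions).

```php
<?php
// Added example (hypothetical, simplified): NOT Easy WP SMTP's code.
// Option name, handler names and request parameters are assumptions.

// UNCHECKED PATTERN: admin_init also fires for admin-ajax.php requests,
// which are reachable without logging in, so an import/export handled
// here without a capability check is reachable by any visitor.
function hypo_smtp_admin_init_unchecked() {
    if ( isset( $_POST['hypo_smtp_import'] ) && isset( $_FILES['hypo_smtp_file'] ) ) {
        $data = json_decode( file_get_contents( $_FILES['hypo_smtp_file']['tmp_name'] ), true );
        if ( is_array( $data ) ) {
            update_option( 'hypo_smtp_settings', $data ); // settings taken straight from the request
        }
    }
    if ( isset( $_GET['hypo_smtp_export'] ) ) {
        header( 'Content-Type: application/json' );
        echo wp_json_encode( get_option( 'hypo_smtp_settings' ) ); // would expose stored SMTP settings
        exit;
    }
}

// HARDENED PATTERN: require an administrator capability before touching the
// settings, and verify a nonce so a logged-in admin cannot be made to trigger
// the action from another site (CSRF). The nonce check is an added assumption.
function hypo_smtp_admin_init_hardened() {
    if ( ! isset( $_POST['hypo_smtp_import'] ) && ! isset( $_GET['hypo_smtp_export'] ) ) {
        return; // nothing to do on ordinary admin requests
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hypo_smtp_settings_action', 'hypo_smtp_nonce' );
    if ( isset( $_POST['hypo_smtp_import'] ) && isset( $_FILES['hypo_smtp_file'] ) ) {
        $data = json_decode( file_get_contents( $_FILES['hypo_smtp_file']['tmp_name'] ), true );
        if ( is_array( $data ) ) {
            update_option( 'hypo_smtp_settings', $data );
        }
    }
    if ( isset( $_GET['hypo_smtp_export'] ) ) {
        header( 'Content-Type: application/json' );
        echo wp_json_encode( get_option( 'hypo_smtp_settings' ) );
        exit;
    }
}
add_action( 'admin_init', 'hypo_smtp_admin_init_hardened' );
```

When reviewing a plugin for this class of bug, look for any admin_init, admin-ajax or admin_post handler that reads request data or writes options before a current_user_can() call.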