Social Warfare 3.5.0 Exploit


Martez Fields

Aug 3, 2024, 1:32:31 PM
to nibopona

On 21 March, researchers disclosed two vulnerabilities in Social Warfare, a very popular plugin in WordPress which adds social share buttons to a website or blog. One vulnerability is a Stored Cross-site Scripting (XSS) vulnerability and the other is a remote code execution (RCE) vulnerability; both are tracked by CVE-2019-9978. Both vulnerabilities are present in versions 3.5.0-3.5.2 of Social Warfare: a fix was released on 21 March and is in version 3.5.3. Approximately 60,000 active installations were found at the time of writing which are potentially vulnerable until they update to 3.5.3. An attacker can use these vulnerabilities to run arbitrary PHP code and control the website and the server without authentication. The attackers may use the compromised sites to perform digital coin mining or host malicious exploit code. Unit 42 researchers found five compromised sites actively used for hosting malicious exploit code, which allows the attackers to control more websites.

In this blog post we provide new details on the root cause of the vulnerabilities, proof of concept code (PoC) to demonstrate the vulnerability, and information on attacks we observed in the wild as well as the scope of vulnerable sites.

We found about 40,000 sites that have installed this plugin, most of which are running a vulnerable version, including education sites, finance sites, and news sites. Many of these sites receive high traffic which we can see with Alexa global traffic rank in the left column in Figure 7:

There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously. Since over 75 million websites are using WordPress and many of the high traffic WordPress websites are using the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners. Website administrators should update the Social Warfare plugin to 3.5.3 or a newer version.

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.

These measures were strategies to influence world events through covert, clandestine actions. Soviet intelligence agencies and operatives were recruited to wage political warfare on the United States through media manipulation, assassinations of dissidents, and even counterfeiting official documents.

In another study, the Institute determined that Sweden was flooded with false news reports in the run up to its election. Researchers found that 22 percent of shared URLs linked to junk sites, but only 1 percent of them could be traced to Russia.

The Internet Research Agency operatives posed as Americans and tapped into longstanding divides on topics like immigration, race and the second amendment on Twitter. They deployed bots to promote rancorous debate. This tactic extended to closed networks on Facebook.

According to a report released by Democrats on the House Intelligence Committee, Russian operatives produced more than 3,000 targeted Facebook ads. In November 2017, Facebook identified as many as 150 million Americans who were exposed to Russian propaganda in the previous two years.

As a result, deep misunderstandings of political matters emerged, says Clint Watts, a Senior Fellow at the Center for Cyber and Homeland Security at George Washington University. Watts, who is the author of Messing with the Enemy: Surviving in a Social Media World of Hackers, Terrorists, Russians, and Fake News, notes that Russians were indiscriminate in their disinformation campaigns, targeting both users who leaned politically to the left and to the right.

In the United States, the First Amendment bars the government from regulating most speech. Russian operatives have also taken advantage of this freedom to post incendiary comments with relative impunity. In recent months, Congress and the White House have warned of the possibility of regulating social media, but experts say education is the key.


In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which can take advantage of the public's misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, this trait is not beneficial when communicating directly with a malicious actor.

Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.

To thwart such efforts, states have postured for defense by joining multilateral security alliances, preparing domestic resistance units, and creating new cyber and intelligence capabilities within their national security bureaucracies. But such initiatives remain predominantly confined to the security realm. This leaves states largely defenseless against Kremlin hybrid tactics that target civilian (non-military) institutions with the aim of disrupting social cohesion. Indeed, if the modus operandi of hybrid warfare is to avoid outright military conflict, at least initially, and instead conduct a whole-of-society war on the political, economic, and social fabric of states, then resistance and defense should, too, be pursued in a whole-of-society manner.

Current frameworks and tools for assessing and responding to hybrid threats beyond the security domain are insufficient. Despite the numerous documented successes of Russian-backed election meddling, cyber attacks on public and private institutions, media manipulation, and disruption of financial sectors, there is a dearth of research and proven, scalable analytical frameworks and tools that can help states to identify the societal targets of hybrid warfare and counter these hybrid threats at the societal level. There is a particular need for tools that can effectively identify social cleavages and institutions that render states vulnerable and are thus among the most likely targets of Kremlin-backed hybrid tactics.

We believe our findings have important implications for the Estonian government, the European Union, NATO, and international actors deeply invested in countering Russian aggression in the Baltics (including the U.S. government), as well as for civil society and private sector institutions in Estonia. Our research enabled us to identify specific policy and pragmatic opportunities for these states, organizations, and institutions to mitigate hybrid threats, prevent the deepening of exploitable societal divisions, and bolster resilience to Kremlin-backed attacks on Estonian society. At the time of publication, some institutions have already acted on our research findings, demonstrating the benefits of applying a whole-of-society analytical framework and tool such as the SCAT.
