Zero-day Duplicator Plugin Vulnerability – Patch it with BitNinja WAF
Eniko Toth

Zero-day Duplicator Plugin Vulnerability – Patch it with BitNinja WAF

On 19 February 2020, Wordfence reported a highly critical vulnerability found in the popular Duplicator plugin for WordPress. This plugin is useful when users want to migrate and copy WordPress sites. With Duplicator, sysadmins can create a new copy of the site and the generated file can be downloaded from the WP dashboard. WordPress Duplicator Plugin Zero-day Vulnerability Exploiting the newly discovered zero-day vulnerability allows hackers to download arbitrary files from the target sites. More than 1 million WordPress websites are affected by this security flaw. When users crea...
Read more
Satori IoT Botnet Stopped by BitNinja
Eniko Toth

Satori IoT Botnet Stopped by BitNinja

Our Port Honeypot module proactively catches botnets very quickly, as botnets usually start to scan open ports, which is the first step of the attack cycle. We found an old IoT botnet that became active again. It strangely happened just 2 months after 21-year-old Kenneth Schuchman pleaded guilty to developing and deploying the Satori botnet. The Satori botnet The Satori malware family was discovered in December 2017 . It is a derivative of the famous Mirai botnet, however, the technique of leveraging default or weak passwords doesn’t seem as effective for hackers anymore. As users...
Read more
Joomla & vBulletin RCE vulnerabilities patched by BitNinja WAF 2.0
Eniko Toth

Joomla & vBulletin RCE vulnerabilities patched by BitNinja WAF 2.0

RCE attacks are one of the most dangerous types of attacks as hackers could take complete control of the victim’s host, meaning that they can run commands, install malware, etc. In this article, I’d like to introduce 2 new vulnerabilities, which have been patched by BitNinja WAF: vBulletin RCE Rusty Joomla RCE New botnet utilizes the vBulletin RCE vulnerability In September, a new zero-day vulnerability was found in vBulletin . Nowadays, vBulletin is the most popular internet forum software, so this threat could affect many people. The vulnerability (CVE-2019-16759...
Read more
BitNinja WAF protects against the latest Drupal vulnerability (CVE-2019-6340)
Eniko Toth

BitNinja WAF protects against the latest Drupal vulnerability (CVE-2019-6340)

The social media and the cybersecurity sites were blowing up when Drupal published their latest vulnerability (SA-CORE-2019-003). It’s not a surprise that this remote code execution vulnerability got a highly critical label, as hackers could easily hack your Drupal 8 websites. But BitNinja users shouldn’t have to worry for any minute, as they were protected by our WAF from the very beginning of this RCE flaw. We have already seen some attempts caught by the rule 933170, so hackers didn’t wait a lot to exploit the CVE-2019-6340. How are hackers trying to exploit the latest Drupal vulnerab...
Read more
Old IoT Botnet has been Revived
Eniko Toth

Old IoT Botnet has been Revived

The “Hello, Peppa!” botnet and the /ept/out.php vulnerability were newly discovered attacks by our Attack Vector Miner. But now, it has recognized the reactivation of a forgotten IoT botnet. This botnet exploits the D-Link router DSL-2750B  remote command execution. What does the attack look like?  The discovered pattern is the /login.cgi?cli= as you can see below:  In the case of the D-Link router DSL-2750B firmware 1.01 to 1.03, there’s an option for remote command execut...
Read more
New Zero-Day Vulnerability on the Horizon Again
Eniko Toth

New Zero-Day Vulnerability on the Horizon Again

After the “Hello, Peppa!”  zero-day botnet, our Attack Vector Miner detected another zero-day vulnerability.  Some vulnerable websites contain an /ept/out.php file, which can work as an open proxy. That’s why the attacker scans the /ept/out.php file. Let’s see an example:  The number of these attacks started to increase on July 11th, and as we can see in the diagram below, the botnet’s activity is slowing down now.  During the peak time, we experienced 15.000 attacks per day and most of them tar...
Read more
New Botnet Has Been Discovered – “Hello, Peppa!”
Eniko Toth

New Botnet Has Been Discovered – “Hello, Peppa!”

Our Attack Vector Miner (based on AI) is a very effective tool to identify 0. day attacks. Here comes the first catch! Discovery of a New Botnet At the beginning of July, our Attack Vector Miner created a new cluster, filled with logs about a new type of botnet. We perceived the first incident on 16th June from an Indian IP address (106.51.152.115). The first incident of the "Hello Peppa!" botnet Since then, we have detected more than 120.000 attacks of this botnet! The Behaviour of the “Hello, Peppa!” Botnet The specialty of this botnet is that the die ("Hello,...
Read more
Critical zero-day vulnerability in MODX Revolution patched by BitNinja WAF
Eniko Toth

Critical zero-day vulnerability in MODX Revolution patched by BitNinja WAF

Content Management Systems (CMS) are highly vulnerable to zero-day attacks recently. Lately, the Drupal was picked on by the hackers. Now the ModX CMS is in the target. CVE-2018-1000207: The new MODX vulnerability Two critical vulnerabilities have been found in MODX Revolution <= 2.6.4 in the past few days. Exploiting it  , the hackers can remote code execution so they can compromise the website and modify (spoil/delete) the files and directories. This vulnerability has already got a CVE number: CVE-2018- 1000207. With a single web request, the attacker can create a custom file...
Read more
Zero Day phpMyAdmin Vulnerablity Patched by BitNinja
Lazlo Takacs

Zero Day phpMyAdmin Vulnerablity Patched by BitNinja

A new flaw on the horizon! A new flaw has been discovered in phpMyAdmin, in which an attacker has the possibility to include files on the server. This vulnerability is caused because of a portion of a code where the pages are redirected and loaded in phpMyAdmin. Here are the steps, how it can be achieved:  1) First, the intruder has to be authenticated, after this procedure the sql query will create a session. 2) Invoking the  ../../../../../..../var/lib/sessionId the attack can be performed. There are some exceptions though:   - $cfg['AllowArbitrary...
Read more
GPON routers – new elements of your botnet attacks?
Lazlo Takacs

GPON routers – new elements of your botnet attacks?

People can never rest. We thought that after the last serious Drupal vulnerablity finally we can rest, but a new threat came up which is including GPON routers made by Dasan. GPON is a type of Passive Optical Network (PON) used to provide fiber connections. It is being used to provide short haul fiber connections for cellulas base stations, home access points, DAS. Primary regions with GPON devices include Vietnam, Mexico, Kazakhstan. Top countries Number of Devices Mexico 492,080 Kazak...
Read more