A critical vulnerability in VMware’s vCenter Server threatens some of the largest data centers in the world. An actively exploited 0-day in macOS was used to take screenshots of infected computers. Codecov claims another victim as Japanese e-commerce unicorn Mercari reports a massive data breach. Domino’s India and Air India suffer from large-scale data breaches. And last, but not least, it’s time to update Chrome again, thanks to some high-severity vulnerabilities that were just patched.
Here are timestamps and informational links in case you’d like to jump around, and a transcript is below.
0:21 Wordfence Live – Happy 18th Birthday WordPress
0:53 VMware vCenter
3:37 macOS Security Update
6:36 Codecov Supply Chain attack – Mercari
7:58 Domino’s India and Air India data breaches
10:47 Google Chrome security update
11:45 Use Wordfence 2FA
12:18 K-12 Site Cleaning Service Worldwide
12:58 Wordfence is Hiring!
15:05 Join us on Wordfence Live!
And Defiant is hiring for a number of positions. We offer exceptional benefits, and we’ll always be remote.
Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.
Episode 119 Transcript
Ram Gall:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is support engineer, Scott Miller. How’s it going, Scott?
Scott Miller:
Going pretty well. It’s been a while since I’ve been on the podcast. I believe episode 90 or so, but happy to be back with you, Ram.
Ram Gall:
It’s always a pleasure to have you on here. And we talked last Tuesday as well on Wordfence Live, we discussed some legacy vulnerabilities in WordPress and sort of the history, since it was WordPress’s 18th birthday this week.
Scott Miller:
Happy 18th birthday to WordPress. And if anybody missed that, as Ram said, we talked about the evolution that WordPress has seen, including security, over the years. So that was definitely a fun stream there, so if anybody missed it, go back and check that out. But we’ve got some other vulnerabilities to talk about today, right?
Ram Gall:
Yes, we do. The big one, I think, this week is the critical remote code execution vulnerability. It had a 9.8 CVSS score. This was in VMware vCenter, more specifically in the vSAN plugin for the vCenter server.
Scott Miller:
Yeah. And VMware stated that this needs your immediate attention if you’re using vCenter’s server. And they said update vCenter server version 6.5, 6.7, and 7.0 immediately.
Ram Gall:
Yeah, really the big thing is that it was in a plugin that was installed and activated by default, even on systems where it wasn’t in use. And it allowed attackers to take control of any vCenter host accessible to the internet on port 443, which is the SSL port.
Ram Gall:
And also, even if your vCenter host isn’t accessible to the internet, if the attacker has even a low privilege account inside your network, which is the case for a lot of networks these days, they’d still be able to take it over.
Ram Gall:
This is one of the few vulnerabilities we’ve covered recently that aren’t WordPress specific that could still impact some WordPress users. And that’s because the top users with vCenter servers exposed on the internet are Amazon, Hetzner Online, OVH, and Google, so hosting companies. Amazon, Google, maybe OVH and Hetzner, those are fairly big companies. They probably already updated.
Ram Gall:
But this is virtualization technology, a lot of hosting providers are going to use it. And maybe some of the smaller ones might not update quite as on time, so I don’t think anyone’s going to target your individual site by this. But if someone decides to ransom terabytes of data, which just happens to include your site and a few thousand other of your closest friends, then you might have collateral damage. So make sure your host updates this.
Scott Miller:
Yeah. And like you said, this has potential WordPress ramifications. And the issue here is due to the fact that even if users are not using vSAN, like you said, they can still be affected due to the vSAN plugin being enabled by default.
Ram Gall:
That sounds a lot like the WordPress plugin issue where a lot of people just have plugins running that they don’t need anymore, and those add to the attack surface.
Scott Miller:
Yeah, and we talk about that on Live all the time. If you’re not using something, if it just sits around, why not deactivate it and get rid of it until you need it?
Ram Gall:
Indeed. Well, it turns out that this is one of those things that’s almost universal when it comes to security. Reduce your attack surface whenever possible.
Scott Miller:
Yep. Hopefully everybody gets that updated as quickly as possible. And again, that was version 6.5, 6.7, and 7.0.
Ram Gall:
Yeah. And speaking of updates, I hear there was a big macOS security update.
Scott Miller:
Yeah. It looks like version 11.4, which is patching a zero-day. And that was an exploit that was bypassing the TCC framework.
Ram Gall:
I’m still on Mojave, but I also had a security update, which I installed yesterday, as well. So this was a flaw in its privacy preferences, and Apple says it may have been actively exploited, and it was totally a zero-day. And security firm Jamf has posted a report on the bug where they found it being actively exploited. So yeah, there’s no “may have,” whatever.
Ram Gall:
Specifically, they found the bypass being used when analyzing the XCSSET malware, which was targeting developers with malicious versions of Xcode. But this was one of those things where the main use case for it was attackers could take a screenshot of whatever was on your screen, which doesn’t seem like it was that bad, but think about the stuff you’re typing on your screen, secret documents, emails. If you’re a developer, like the malware’s targets, you’d have API keys visible in your code editor sometimes.
Scott Miller:
Yeah. For developers and authors, that could have some major issues there. And a little bit more in depth on this, it looked like it needed an app with the right permissions in order to use this, and then they used that app to move forward with the exploitation. So it did require a little bit there, but unfortunately, if it goes through, depending on what’s on your screen, that could have been compromised.
Ram Gall:
Yeah. And I mean, as with a lot of stuff like this, you would have to download and install an app at first. We discussed this before, actually, even last week, but Macs are actually reasonably secure. It’s just that they’re not quite as secure as public opinion perceives them to be. They’re certainly not the hotbed of malware that their own executives are trying to claim they are in order to score points in their current battle with Epic Games. But if you download and run a malicious app, you’re going to have malware on your Mac. That’s just kind of something that happens.
Scott Miller:
It’s unfortunate that’s how it goes. But like you said, I’m a little further behind as well with my version, but if you’re on the newest version right now, up until this, definitely go ahead and check to see if there’s a new update because you don’t want to see any of this happening.
Ram Gall:
Yeah. And again, security updates are available even for older versions of OS X to cover this, so it is a genuine security patch. Stay up to date. Speaking of which, iOS also has some security fixes in their latest release, though. None of those are being actively attacked, so should be in the clear, one hopes. Knock on wood.
Scott Miller:
Yeah. It looked like there were quite a few updates across the board. So depending on which devices you’re using, go over and take a look. But what about Codecov, Ram? This is just continuing, right?
Ram Gall:
Oh, man. The Codecov thing, it just goes on and on. So Mercari is an e-commerce platform that is big in Japan, and they’ve just sort of started coming stateside and expanded to the UK as well. Anyways, they’ve disclosed a major data breach incident that occurred due to the Codecov supply chain attack.
Ram Gall:
Honestly, I think we’re probably going to see stuff like this for months or even years going forward. For a reminder, Codecov was basically a code coverage tool where attackers compromised one of its scripts, and that let the attackers steal code, including stuff like API tokens and secrets from the people that were using it. So yeah.
Scott Miller:
Yeah, I mean, I listen to the podcast every week, and I hear you and Kathy give these updates. And whenever you say that Mercari is big, their app a few years ago just hit over 100 million downloads.
Ram Gall:
So yeah, that’s pretty big.
Scott Miller:
Yeah. And this, unfortunately, impacted tens of thousands of customers’ data, including financial data, including bank codes, account numbers, transfer amounts. So definitely unfortunate here.
Ram Gall:
Definitely. And speaking of data breaches, companies based in the US or Japan for that matter, aren’t the only companies being targeted by data breaches. Looks like Domino’s India and Air India have both recently disclosed really large data breaches.
Scott Miller:
Yeah. There was some customer data being sold on a hacking forum, right?
Ram Gall:
I mean, that is usually where one buys the customer data, I suppose, if one is a malicious hacker. So they wanted like 10 Bitcoins for it. That’s a lot.
Scott Miller:
Yeah. I was going to say, 13 terabytes of data, and they wanted 10 Bitcoins. So I believe, at about the time of this podcast, that’s probably about 390,000 give or take.
Ram Gall:
Yeah. Though at the time that they actually wanted the Bitcoins, I think it was more like half-a-million or more.
Scott Miller:
Okay, yeah.
Ram Gall:
Yeah. April, I think that was when it peaked. But yeah, apparently this was details with like 180 million orders and a million credit cards.
Scott Miller:
Yeah, I saw that any user who ordered from Domino’s India from a phone call using their phone number or email ID could potentially have been affected by the leak. And there was a tool that was initially available via Tor. I believe it became publicly accessible after, that you could check your phone number or email, though, I’m not sure if I would be rushing to put my phone number or email address into that, right?
Ram Gall:
At this point, that information’s already out there. But generally speaking, OpSec-wise, yeah, maybe don’t give your phone number or email to everyone.
Scott Miller:
Yeah. And you mentioned Air India, that breach impacted passengers that registered between August 2011 and February 2021. So that’s quite a long range there.
Ram Gall:
That’s 10 years, right?
Scott Miller:
Yeah, a big impact. Of course, they’re advising passengers to change their credentials to block any attempts on their account.
Ram Gall:
Make sure you change your date of birth, okay?
Scott Miller:
There you go. You got to get that account secure. But that’s unfortunate because of such a long range. Although they did say that the CVV codes, of course, were maintained elsewhere in a different database. And they also said credit card data was not obtained from what they could tell.
Ram Gall:
I was a little confused by the statement because the official statement does say that it included some credit card data. So one assumes that it might’ve been numbers, but without CVV codes, a lot of the time you can’t actually use those.
Scott Miller:
Yeah, definitely good to see that those were being held elsewhere. I believe by the processor. So even if the credit card data was obtained, hopefully, that doesn’t result in anything there.
Ram Gall:
Yeah, and this was, again, four-and-a-half million customers. So not the largest data breach we’ve seen, but still nothing to sneeze at.
Scott Miller:
Yeah. And as you said, with that long of a range, back to August 2011, even if you have not flown there for a while, if you’re a registered user, you’re going to want to go in and change your credentials there, just be safe.
Ram Gall:
Definitely. Speaking of being safe, guess what? It’s time to update Chrome again.
Scott Miller:
Yes. This is a weekly thing on the podcast, right?
Ram Gall:
Well, it’s actually been, I want to say it’s been like three weeks since our last one. And these ones aren’t actually zero-days. So there are some high severity buffer overflows and use-after-free vulnerabilities, the kind of things that could be exploited for all sorts of nastiness. But these were reported in March and April, and as far as we know, no one’s been actively exploiting them yet. But now that the word’s out, it’s only a matter of time, so update Chrome.
Scott Miller:
Yep. It looks like Chrome version 91 released yesterday, I believe. And correct me if I’m wrong, but it looks like there were 32 security vulnerabilities patched there, and eight of which were high severities. So yeah, definitely take a look. And I’m sure by now, if you’re a regular listener, you’re always checking to see if you have an update ready for Chrome.
Ram Gall:
I know. Basically the entire message of this podcast is update all the things and use two-factor authentication. And I keep on hammering those things, but those are the big secrets of cyber security.
Scott Miller:
Yeah. You can’t stress it enough. We do it every week on Wordfence Live. You can’t put a value on two-factor authentication. It’s just that important, but yeah.
Ram Gall:
And that’s why we give it away for free because it’s priceless.
Scott Miller:
Absolutely. If you’re not using it, and you’re using Wordfence, then that’s the next thing you got to go check out. Go get that set up.
Ram Gall:
Cool. Speaking of keeping secure, we do still offer free site cleans for any sort of government-sponsored or government-funded schools anywhere in the world serving grades K through 12, which is kindergarten through 12th grade, basically pre-secondary education.
Scott Miller:
Yeah. This was a service that we opened up initially for the US-based K through 12 schools. And then, when we saw the support that we were getting, we opened it up outside of the United States. So if you’re part of a K through 12 school or you know somebody who is, we have a blog post with all the information. You can send that over to them, and we can help out with a site cleaning or a site audit and get your site secure.
Ram Gall:
Indeed. And we do want some help making sure that everyone’s sites are secure, and we are hiring.
Scott Miller:
We got awesome benefits too. There’s lots of things that you can expense to help yourself out with work, whether it’s just something on your desk to help you work, whether it’s something to keep you healthy, keep you fit. We got a bunch of stuff here at Defiant, right?
Ram Gall:
Yeah. In addition to really good medical, dental, and vision, we also get to expense awesome coffee machines.
Scott Miller:
Yeah, you can’t forget the great medical. We help out with school and certifications. I mean, Ram, you just went through that yourself, and I’m sure that’s a huge help.
Ram Gall:
Yep. I literally got a four-year degree in 10 months. The pandemic gave me a lot of time, okay?
Scott Miller:
You and the rest of us. So what kind of positions do we have available right now?
Ram Gall:
We’ve got PHP developer positions, so if you really like PHP. And experience working on WordPress plugins is not necessary because we have different kinds of projects using different frameworks. We also have a SecOps position. If you are good at AWS and you love security, we would like to hear from you.
Ram Gall:
We’ve got a website performance researcher. So if you know what cumulative layout shift is or Largest Contentful Paint, then we would also like to hear from you. Basically, you’d be writing articles about research, about what factors contribute most to site performance.
Ram Gall:
And finally, we’ve got a QA engineer spot, which is how I started out here. And I still do that sort of thing on a semi-regular basis.
Scott Miller:
Yeah, if you want to work alongside Ram, and you’re qualified there, you could check out that QA engineer position. But if you’re not feeling qualified for any of these, I mean, keep an eye out, defiant.com/employment, because, Ram, we’re a growing company, right?
Ram Gall:
We’re a pretty good place to work. We’re a great place to work.
Scott Miller:
Yeah, we always got positions opening up. We’re growing. We’re doing more things here. We offer a lot with security and these site cleanings. So really fun place. And if you want to catch us, you can also catch Ram and I usually every Tuesday on Live, right?
Ram Gall:
Exactly. We will generally discuss whatever we think is interesting or whatever we think our users would like to learn more about. And in the past, we’d cover topics about how to do responsible disclosure, our process when researching security vulnerabilities, the importance of two-factor authentication, how encryption works, all sorts of cool stuff. So yeah, come watch Wordfence Live and watch our backlog of Wordfence live episodes because we’ve got some good ones.
Scott Miller:
Oh, yeah, absolutely. No matter what your experience level is with WordPress, you can find something for you on our YouTube channel or on Live. Sometimes we’re going over the basics. Sometimes Ram and the team’s getting pretty in-depth. We’re talking about how to clean your own site, how to go over your site with a site audit. So there’s always something cool on Tuesdays on Live. And that’s typically every Tuesday at noon Eastern Time, right?
Ram Gall:
Exactly. Tune in, same bat time, same bat channel. I think I can say that now.
Scott Miller:
That’s right.
Ram Gall:
Anyways.
Scott Miller:
Well, it’s been a pleasure, Ram.
Ram Gall:
It has. And you beat me to saying it, but I will see you on Tuesday.
Scott Miller:
We’ll see you next Tuesday. And, of course, thanks everybody for tuning in and listening. Ram, you’ll be back next week with Kathy, I assume?
Ram Gall:
Yes, I will. Thanks for listening to everyone. Bye.
You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
The post Episode 119: Critical VMWare Vulnerability Threatens Data Centers appeared first on Wordfence.