Apr 22, 2019
SpecterOps (red Team operations) and Tim Tomes (PWAPT)
“We take security seriously and other trite statements“
Wordpress infrastructure (supply chain failure)
WordPress plugin called Woocommerce was at fault.
“According to new research by Simon Scannell, a researcher for PHP Security firm RIPS Tech, when WooCommerce is installed it will create a Shop Manager role that has the "edit_users" WordPress capability/permission. This capability allows users to edit ANY WordPress user, including the Administrator account.”
You (Kevin) discovered the admin accounts, but could not remove them. Was that when you considered this an ‘incident’?
“[2019-03-22 09:03 EST] Kevin assigns members of the Secure Ideas team with reconnaissance and mapping of the AoM system. Kevin reminds these members that Secure Ideas doesn’t have permission to test AoM. They are advised not to do anything that could harm the AoM’s production environment.”
What is the line they should not cross in this case?
You did not have access to logs, you asked that an audit plugin be installed to be able to view logs. Is that permanent, and why did they not allow access to logs prior to?
[2019-03-22 13:11 EST] AoM Support fixes the audit log plugin access. AoM Support has found that a purchase of a course through a Woocommerce plugin resulted in users being granted admin access. AoM Support provides specific order numbers. They have also done an analysis of the database backups from the last 60 days and believe that the attackers did not do anything after they got access. AoM Support announces that the Secure Ideas training site will be set up on a separate server and Secure Ideas will be granted a new level of access.
Seems like working with AoM wasn’t difficult. Was giving you access to your own instance, and allowing you to administer it a big deal for them?
Lessons Learned? Anything you’d do differently next time?
Update IR plan?
Did they reach out for additional testing?
Did the people who got admin get removed?
Consult with AoM on better security implementation? Your env wasn’t damaged, but did they suffer issues with other customers? *answered*
Gas Station skimmer video - https://www.facebook.com/michellepedraza.journalist/videos/2135141863465247/
Upcoming SI events
IANS forum (Wash DC)
ISC2 security Congress (Wash DC)
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email firstname.lastname@example.org
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
Comments, Questions, Feedback: email@example.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec