Workload and Application Security Blog

Analysis of the WordPress ImageMagick Plugin Vulnerability

Written by Satya Gupta | Nov 17, 2023 11:14:09 PM

The National Vulnerability Database (NVD) disclosed an RCE vulnerability, CVE-2022-2441 (High Impact), in the WordPress ImageMagick Engine plugin. The vulnerability can lead to remote code execution, data exfiltration, credential theft, ransomware, denial of service, crypto mining, and botnet activities. This blog analyzes the advanced techniques threat actors leverage to find enterprises that host vulnerable workloads, target the WordPress Admin in a phishing campaign, and establish a reverse channel for control. VSP identifies any code executed by the attacker as being malicious and safeguards the victim server by taking protective measures to stop it in milliseconds.

Background: On October 10th, 2023, the US-CERT’s National Vulnerability Database (NVD) disclosed a remote code execution vulnerability, CVE-2022-2441 (High Impact), in versions up to and including 1.7.5 of the ImageMagick Engine plugin. This plugin preserves an embedded color profile when resizing images, which makes it highly desirable. Over 60,000 servers worldwide use the WordPress ImageMagick Engine plugin. Even though this vulnerability dates from 2022, NVD’s detailed analysis of it still appears to be incomplete. The fact that exploiting this vulnerability requires tricking the admin may have played a role in NVD not publishing it until October 10th, 2023. What prompted NVD’s premature disclosure may have been a significant uptick in exploitation activity.

Exploitation Risk: The ImageMagick Engine plugin fails to perform CSRF checks in several parts of its code. This allows a Threat Actor to trick a logged-in admin into performing unwanted actions, including executing OS commands, which leads to remote code execution of malware that furthers the Threat Actor’s agenda. Having penetrated the targeted workload, a Threat Actor can go on to perform lateral movement and initiate various actions, including data exfiltration, credential theft, ransomware, denial of service, crypto mining, and botnet activities.
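To make the weakness class concrete, here is an added illustration of what a missing CSRF check looks like in a WordPress admin handler, placed beside the hardened form. This is constructed example code, not the ImageMagick Engine plugin’s source; the option name (`example_cli_path`), the action names, the nonce name and the allowlisted paths are all invented for the example.

```php
<?php
/*
 * Constructed illustration of the CSRF weakness class discussed above.
 * This is NOT the ImageMagick Engine plugin's code; the option name,
 * action names, nonce name and allowlisted paths are invented.
 */

// --- Vulnerable pattern: any POST that reaches this handler is trusted. ---
// A logged-in admin who is lured to an attacker-controlled page can be made to
// submit such a request unknowingly, because nothing ties the request to a
// form the admin actually rendered: the browser's session cookie alone
// authorizes the change.
add_action('admin_post_example_save_vuln', 'example_save_settings_vuln');
function example_save_settings_vuln() {
    // No nonce check, no capability check, no validation of the value.
    update_option('example_cli_path', $_POST['cli_path']);
    wp_safe_redirect(admin_url('options-general.php'));
    exit;
}

// --- Hardened pattern: nonce + capability check + allowlisted value. ---
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="example_save_hardened">';
    // Emits a hidden, per-user, time-limited token bound to the action name.
    wp_nonce_field('example_save_settings', 'example_nonce');
    echo '<input type="text" name="cli_path">';
    submit_button('Save');
    echo '</form>';
}

add_action('admin_post_example_save_hardened', 'example_save_settings_hardened');
function example_save_settings_hardened() {
    // 1. Reject requests that did not originate from the form we rendered.
    //    check_admin_referer() calls wp_die() if the nonce is missing or invalid.
    check_admin_referer('example_save_settings', 'example_nonce');

    // 2. Reject users who are logged in but not permitted to change settings.
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have permission to change these settings.'), 403);
    }

    // 3. Only accept a value from a fixed allowlist instead of an arbitrary path
    //    (invented paths; a real plugin would derive its own list).
    $allowed  = array('/usr/bin/convert', '/usr/local/bin/convert');
    $cli_path = isset($_POST['cli_path'])
        ? sanitize_text_field(wp_unslash($_POST['cli_path']))
        : '';
    if (!in_array($cli_path, $allowed, true)) {
        wp_die(__('Unsupported binary path.'), 400);
    }

    update_option('example_cli_path', $cli_path);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php')));
    exit;
}
```

The nonce check alone closes the CSRF hole, because an attacker’s page cannot read the admin’s nonce value; the capability check and allowlist are defence in depth so that even a forged or mis-routed request cannot steer the plugin at an attacker-chosen binary.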

In-Depth Analysis: On September 1st, 2022, a researcher who goes by the handle ABDO10 published an exploit for the ImageMagick Engine, version 1.7.4. While this exploit does not work out of the box, it showed enough promise to more sophisticated attackers. This is why, even today, a working exploit commands a small premium, according to VulnDB. On October 18, 2022, the developers of this plugin released a patch that fixed the underlying CSRF vulnerability.

Advanced Threat Techniques: Given the inherent weakness in typical EDRs’ ability to deal with LOLBin (Living off the Land Binaries) malware, threat actors prefer LOLBin malware over precompiled malware that can be examined in sandboxes. LOLBin malware leverages OS runtime utilities like bash and awk to execute commands, manipulate permissions, gather process information, extract credentials, access SSH private keys and known_hosts files, encode and encrypt data, inspect bash history, and even remove itself.

Kill Chain: We can divide the attacker’s activities into five stages: reconnaissance, persistence, weaponization, exploitation, and exfiltration.

During the reconnaissance stage, Threat Actors leverage tools like Shodan to find enterprises that host vulnerable workloads. Next, the attacker targets the WordPress Admin in a phishing campaign. If the admin takes the bait, the attacker establishes a reverse channel for control, as shown in the persistence stage. In the weaponization stage, the attacker deploys second-stage malware (such as LOLBin scripts) for further reconnaissance, lateral movement, data exfiltration, etc. In the exploitation stage, the attacker performs malicious actions like lateral movement and data theft. Finally, in the exfiltration stage, critical data is sent back to the Threat Actor’s command and control center.

How VSP Protects: The Virsec Security Platform (VSP) plays a crucial role in this scenario. Within milliseconds, and as early as the reconnaissance stage, it identifies any code executed by the attacker as attacker-influenced and therefore malicious.

Even before the malicious code runs at Step 4, VSP’s Application Control Engine recognizes that no legitimate application is authorized to perform such actions. As a result, VSP safeguards the victim server by taking protective measures, such as terminating the user’s session, restarting the WordPress server, or closing the network socket used for communication with the attacker’s control center.

Demonstration: Watch this video showing how the Virsec Security Platform (VSP) thwarted Threat Actors that targeted these vulnerabilities at https://youtu.be/GnRzoL50WYE.

Key Takeaways:

  • Enterprises must have a strategy for dealing with unknown vulnerabilities that pave the way for known or unknown cyber-attacks. One way forward is to respond promptly the moment a Remote Code Execution vulnerability is published. The alternative is to deploy compensating controls rather than live in constant fear. Threat actors are a constant presence, and the question isn’t if they will take advantage but when.
  • The Virsec Security Platform (VSP) is a proactive compensating control that cuts the threat actor’s dwell time to milliseconds. This means that the enterprise is protected even when it cannot apply software patches promptly.

For more information about the Virsec Security Platform (VSP) and how we protect vulnerable legacy workloads, visit www.virsec.com.
