More stories

  • in

    PHP Everywhere code execution bugs impact thousands of WordPress websites

    Critical remote code execution (RCE) vulnerabilities in a popular WordPress plugin have been made public. 

    The RCE bugs impact PHP Everywhere, a utility that lets web developers use PHP code in pages, posts, the sidebar, or anywhere a Gutenberg block (the WordPress editor's content blocks) can be placed on sites running the content management system (CMS). The plugin is used on over 30,000 websites.

    According to the Wordfence Threat Intelligence team, the three vulnerabilities in PHP Everywhere all lead to remote code execution in versions of the software up to and including 2.0.3, that is, every release before 3.0.0.

    The first vulnerability is tracked as CVE-2022-24663 and has been issued a CVSS severity score of 9.9. WordPress allows authenticated users to execute shortcodes via the parse-media-shortcode AJAX action. In this case, any logged-in user, even one with almost no permissions such as a subscriber, could send a crafted request parameter to execute arbitrary PHP, leading to full website takeover.

    CVE-2022-24664, also issued a severity score of 9.9, is the second RCE vulnerability disclosed by the security researchers. This vulnerability was found in how PHP Everywhere manages metaboxes (draggable edit boxes) and in the fact that the software permits any user with the edit_posts capability to use these functions.

    “Untrusted contributor-level users could use the PHP Everywhere metabox to achieve code execution on a site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post,” Wordfence says. “While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe, since it requires contributor-level permissions.”

    The third vulnerability is tracked as CVE-2022-24665 and has also been issued 9.9 on the severity scale. All users with the edit_posts capability can use PHP Everywhere Gutenberg blocks, and attackers could tamper with a website’s functionality by executing arbitrary PHP code through these functions. The plugin offered a setting to restrict the block to administrators only, but in versions up to 2.0.3 that restriction was not the default.

    Wordfence disclosed the vulnerabilities to the developer on January 4, who rapidly developed a set of fixes. On January 10, a patched version of the plugin, v3.0.0, was rolled out.

    The developer, Alexander Fuchs, says that the update is a “breaking change” because some Block editor functionality had to be removed, so users who run into problems (for example, those relying on the Classic Editor) will need to either upgrade old code to Gutenberg blocks or find another way to run PHP.

    At the time of writing, just over 30% of users have upgraded, so many websites are still running vulnerable versions of the plugin.
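The practical check that follows from the advisory is an inventory: does any site you operate still carry PHP Everywhere at a version before 3.0.0? The Python below is an added example, not code from the article, from Wordfence, or from the plugin. It reads the standard plugin header (“Plugin Name:” and “Version:”) out of each plugin’s main PHP file under a wp-content/plugins directory and flags PHP Everywhere installs older than the 3.0.0 fix. The sample plugin directory it builds, including the “php-everywhere-updated” slug and the “Hello Dolly” entry, is constructed for the demonstration.

```python
"""Added example (not from the article or the plugin): inventory a WordPress
plugins directory and flag PHP Everywhere installs still below the 3.0.0 fix."""
import pathlib
import re
import tempfile

# Per the advisory, 3.0.0 is the first release without the three RCE bugs.
PHP_EVERYWHERE_FIXED = (3, 0, 0)

# WordPress reads plugin metadata from a comment header in the plugin's main
# PHP file, one "Field: value" pair per line, e.g. " * Version: 2.0.3".
HEADER_RE = re.compile(r"^[\s*/#]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} for the fields present."""
    return {key: value for key, value in HEADER_RE.findall(text)}


def parse_version(version: str) -> tuple:
    """'2.0.3' -> (2, 0, 3). Strips a pre-release suffix such as '-beta' and
    pads to three components so '3.0' compares equal to '3.0.0', not below it."""
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_php_everywhere(version: str) -> bool:
    """True for any PHP Everywhere release before the 3.0.0 fix."""
    return parse_version(version) < PHP_EVERYWHERE_FIXED


def find_main_file(plugin_dir: pathlib.Path):
    """The main file is whichever top-level .php file carries a 'Plugin Name:' header."""
    for php_file in sorted(plugin_dir.glob("*.php")):
        header = parse_plugin_header(php_file.read_text(errors="replace"))
        if "Plugin Name" in header:
            return php_file, header
    return None, {}


def audit_plugins(plugins_root) -> list:
    """One record per installed plugin; 'vulnerable' is True only for
    PHP Everywhere below 3.0.0 (other plugins are listed but not judged)."""
    findings = []
    for plugin_dir in sorted(pathlib.Path(plugins_root).iterdir()):
        if not plugin_dir.is_dir():
            continue
        main_file, header = find_main_file(plugin_dir)
        if main_file is None:
            continue  # no plugin header: not a loadable plugin
        name = header.get("Plugin Name", plugin_dir.name)
        version = header.get("Version", "0")
        vulnerable = (name.strip().lower() == "php everywhere"
                      and is_vulnerable_php_everywhere(version))
        findings.append({"slug": plugin_dir.name, "name": name,
                         "version": version, "vulnerable": vulnerable})
    return findings


def build_sample_plugins_dir() -> str:
    """Constructed sample data (hypothetical slugs/versions): a vulnerable
    PHP Everywhere, a patched copy, and an unrelated plugin."""
    root = pathlib.Path(tempfile.mkdtemp())
    samples = {
        "php-everywhere": ("PHP Everywhere", "2.0.3"),
        "php-everywhere-updated": ("PHP Everywhere", "3.0.0"),
        "hello-dolly": ("Hello Dolly", "1.7.2"),
    }
    for slug, (name, version) in samples.items():
        (root / slug).mkdir()
        (root / slug / f"{slug}.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n"
        )
    return str(root)


if __name__ == "__main__":
    for f in audit_plugins(build_sample_plugins_dir()):
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{f['slug']:<24} {f['name']:<16} {f['version']:<8} {flag}")
```

Point it at a real install with audit_plugins('/var/www/html/wp-content/plugins'). Versions are compared numerically rather than as strings, so “2.10” sorts above “2.9”, and a header of “3.0” is treated as 3.0.0 rather than as older than it.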

  • in

    NTT, ServiceNow partner for enterprise private 5G deployments

    Telecom provider NTT has connected with cloud-based workflow automation platform ServiceNow to speed up the adoption of private 5G (P5G) in the enterprise. The combined NTT/ServiceNow solution is designed to give organizations a personalized, verticalized, automated approach to P5G deployments. 

    The solution builds upon NTT’s P5G network-as-a-service (NaaS) platform, launched in August 2021 and built on technology from Celona Networks. NTT’s P5G technology can be deployed in the cloud, on-premises, or at the edge as a subscription-based service, which allows organizations to build highly agile enterprise networks. P5G also gives organizations more control, because they can manage their own security and network functions rather than relying on a carrier-based 5G solution.

    ServiceNow brings vertical workflows to private 5G

    This is a natural fit. ServiceNow has pre-built workflows designed for the needs of specific industries, which have been integrated with NTT’s P5G network capabilities to create a single bundled service. Having workflows integrated into the private network itself lets organizations deploy much faster, whereas deploying networks without integrated business processes typically doesn’t give organizations the outcome they want. Historically, operational teams have often deployed networks without any thought to the business processes they support. This limits the value to connectivity and doesn’t always solve real business problems. Organizations now rely on network-centric technologies such as cloud, IoT, and mobility, and the network can no longer be an afterthought. When the workflow is integrated into the network, it yields better business outcomes.

    Companies are now tasked with digitizing new and existing business processes to bridge the gap between their workflows and P5G networks. However, automating operational service workflows can be challenging. That’s why ServiceNow developed artificial intelligence-enabled workflow orchestration capabilities to bring people, processes, and systems together.

    AI automates problem resolution

    Now network teams don’t have to spend time and resources coming up with ways to integrate networks with back-office systems. Once the ServiceNow AI engine identifies a problem, it can be translated into a workflow and automated. For example, manufacturing organizations need to export massive amounts of data off the factory floor, which isn’t a trivial task given the number of systems deployed. NTT and ServiceNow have done much of the heavy lifting with clients to understand the challenges and used AI to build the logic to drive better outcomes. Its machine efficiency index measures the quality of parts being produced, rate of production, hours spent, and other metrics that can impact overall production. Once the AI engine has identified the problem, a workflow can be created to assign the job to a technician, auditor, or another individual. This means IT no longer has to manually integrate network data with the back-office systems.

    Cost allocation simplified

    Another challenge being addressed is billing for deployed networks, where the cost of 5G and Wi-Fi has to be settled by different departments within organizations. NTT and ServiceNow are enabling basic features such as cost allocation to help organizations move beyond the pilot stage toward fully operational P5G networks. Approximately half of organizations worldwide plan to deploy a P5G network within the next six to 24 months. Nearly a quarter are piloting private 5G networks, while a few have at least one operational P5G network, according to a study recently published by Economist Impact and NTT. Most IT decision-makers view private 5G as a substitute for Wi-Fi because security and data protection can be customized. In particular, industries that rely on warehouses, factories, and distribution centers believe P5G is more economical than Wi-Fi, since it requires deploying only a few access points versus hundreds of Wi-Fi access points. The fact that ServiceNow has various modules for industries, billing, and operations is a key differentiator. Specific industries can have plugins for modules that incorporate 5G into their manufacturing workflow, for instance. ServiceNow and NTT bring these capabilities together in a ready-to-use kit. This is not something telcos or equipment-only vendors can offer at the moment.

  • in

    Australian inquiry backs Taiwan CPTPP accession but doesn't do the same for China

    Australia’s parliamentary body tasked with analysing the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) has come out in full support of extending the pact’s membership to Taiwan. In a report about expanding CPTPP membership, the Joint Standing Committee on Foreign Affairs, Defence and Trade said the Australian government, along with other pact members, should facilitate Taiwan’s accession to the pact. The committee explained it supported Taiwan’s accession, in spite of China’s disapproval, as Taiwan is one of the “very few major markets” with which Australia has not entered a free trade agreement. Given the lack of a free trade agreement between Australia and Taiwan, the committee said Australia should also consider concurrently negotiating a bilateral agreement with the Taiwanese government. The committee made this recommendation because Australia has seen benefits from adopting a similar approach with the UK previously. The committee also said that such agreements would allow the Australian government to learn from Taiwan about both countering disinformation campaigns and building better cyber capacity to counter illegitimate or unsolicited attacks.

    When it came to China’s potential accession to the CPTPP, the committee did not give the same glowing review. It said that any support for China to enter the pact would require the country to re-establish full trading relations with Australia, including “ending its coercive trade measures and reengaging in ministerial dialogue, and to demonstrate an ability and willingness to commit to the CPTPP’s high standards”.

    “The ball is in their court,” said Ted O’Brien, Liberal MP and committee member. “It’s up to China if it wishes to re-engage with Australia and I hope it does because that would enable the discussions that are necessary to determine whether an accession process should commence.”

    Currently, Beijing has measures in place that limit Australia’s export of goods such as barley, coal, copper ores and concentrates, cotton, hay, logs, rock lobsters, sugar, and wine to China. Tensions between Australia and China have grown steadily over the past two years, with Australia, alongside the UK and US, in September announcing a trilateral security pact, AUKUS, aimed at addressing the defence and security concerns posed by China within the Indo-Pacific region. At the time, although China was not mentioned when announcing AUKUS, Australian Prime Minister Scott Morrison said the Indo-Pacific region was becoming “more complex”.

    In the inquiry’s report, much like Morrison’s AUKUS announcement, the committee stressed the federal government should prioritise supporting an “open, transparent and stable trading environment in the Indo-Pacific” when considering whether to allow states such as China to accede to the pact. Current members of the CPTPP are Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam. Apart from China and Taiwan, the United Kingdom has also submitted a formal request to join the CPTPP, and a working group for that accession application has been established. South Korea is also considering joining the trade pact.

  • in

    Australia's anti-trolling Bill enters Parliament retaining defamation focus

    The federal government has officially introduced the highly publicised anti-trolling Bill into Parliament. The Bill, the Social Media (Anti-Trolling) Bill 2022, was first announced by Australian Prime Minister Scott Morrison in November as a mechanism that would “unmask anonymous online trolls” and address toxic content on social media platforms.

    The anti-trolling Bill has since been touted by Liberal Senator and Attorney-General Michaelia Cash as one of her party’s primary items to push through before the federal election. Introduced by Communications Minister Paul Fletcher on Thursday morning, the Bill remains largely unchanged from the exposure draft released in December.

    Despite being called an anti-trolling Bill, the proposed laws do not contain any sections addressing trolling or harmful content. At its core, the Bill is focused on empowering people to bring lawsuits for online defamation rather than explicitly preventing cyberbullying and online abuse. Last week, Australia’s eSafety Commissioner Julie Inman Grant outlined her concern about this, specifically how the Bill may be misused because it lacks provisions addressing trolling and harmful content. “I think [the anti-trolling Bill] can lend itself to a lot of retaliation, a lot of vigilante-style justice,” said Inman Grant.

    The other focus of the Bill, according to its explanatory memorandum, is to overturn a recent Australian legal precedent set in the Voller case, which made individuals and organisations liable for defamatory material posted on their social media pages. The Bill, if passed, would mean administrators of social media pages are no longer liable in defamation for third-party material posted on those pages. That liability would shift to social media service providers instead.

    Looking at the Bill’s details, much like its exposure draft, it still seeks to formally classify social media service providers as publishers of any comments made on their platforms in Australia. To avoid defamation liability under the Bill, social media service providers would need a complaints scheme in place that allows victims of defamatory comments both to make complaints and to request the personal information of the maker of those comments.

    A complaints scheme that satisfies the Bill’s requirements would also have to ensure that an accused commenter is notified that they are the subject of a complaint within 72 hours of it being made. If the accused commenter consents to their personal information being provided, social media platforms must then disclose that information to complainants and assist them in relation to potentially bringing a defamation lawsuit. This personal information would include contact details such as name, email address, and phone number, as well as country location data to determine whether the user is in Australia. Geolocation data provided under the Bill would be limited to whether or not the material was “posted in Australia” by reference to geolocation technology deployed by the social media provider. The disclosure mechanism can also only be enlivened where there is reason to believe the complainant may have a right to obtain relief against the poster in a defamation proceeding.

    As parliamentarians deliberate over the Bill, Australia’s federal inquiry into the practices of major technology companies is set to provide its findings later this month. The social media probe was approved by the federal government with the intention of building on the anti-trolling Bill’s initial goal of unmasking trolls.

  • in

    Rapid7 reports 2021 revenue of $535 million

    Security automation technology firm Rapid7 beat Wall Street estimates on Wednesday, reporting strong growth throughout 2021. Rapid7 delivered fourth quarter revenue of $151.6 million, up 34% from a year ago. For the fourth quarter, Rapid7’s non-GAAP loss of $0.16 a share was better than expected.

    Wall Street was expecting Rapid7 to report a fourth quarter loss of $0.17 a share on revenue of $145.88 million. For 2021, Rapid7 reported total revenue of $535.3 million, of which product revenue was more than $500 million. The company grew its customer base last year from 8,718 to 10,283.

    “We ended 2021 on a high note, delivering strong fourth quarter results across our security transformation and vulnerability management solutions,” said Corey Thomas, chairman and CEO of Rapid7. “We grew ARR by 38% during the year while eclipsing 10,000 customers globally, highlighting our team’s strong execution and the growing need for customers to manage increasingly complex security environments.”

    Product revenue in Q4 2021 was $141.2 million, up 35% compared to Q4 2020. Professional services revenue was $10.3 million for the fourth quarter, an increase of 18% compared to the same quarter of 2020.

    The company is predicting Q1 revenue in the range of $153 million to $155 million and a non-GAAP net loss per share between $0.15 and $0.18. For the full year, the company expects revenue between $682 million and $690 million and EPS between $0.05 and $0.16. In July 2021, Rapid7 announced it was spending $335 million in cash and stock to buy New York-based, privately held cybersecurity company IntSights to add “outside the wire” capabilities.

  • in

    Telstra aims up at government cybers with new specialist arm

    Telstra is going after the government’s cyber dollars with the launch of specialist compliance, detection, and response capabilities, along with a team aimed specifically at the sector. One of the reasons the telco is moving in this direction is the recent federal government announcement that all services would be digital by 2025.

    “As we recover from the pandemic, reliance on digital services will remain critical, so it’s important that we secure and protect our digital environment, as disruptions due to cyber attacks could significantly impact the economy and its recovery,” Telstra Enterprise group owner for government Nicole McMahon said. “Telstra’s capability to protect, detect and respond to cyber threats, coupled with the unparalleled visibility of threats we have from operating the largest and most complex network in Australia, uniquely positions us to be able to act on cyber issues in real time.”

    The telco is offering detection and response out of its existing security operations centres, which it said integrate with government systems to monitor threats with the help of analytics from its managed security service platform. Under compliance, which Telstra is dubbing Sovereign SecureEdge, it is using a cloud-based solution to “reduce latency and limitations that often come with more complex perimeter-based security solutions”. The telco said governments will be able to purchase its solutions in the coming months.

    Earlier in the week, Telstra was crowing over topping Ookla’s Speedtest rankings for the latter half of 2021. Telstra recorded median download speeds of 78Mbps, against 70Mbps for Optus and 60Mbps for Vodafone. On the median upload front, Telstra led the way with 11.7Mbps, followed by Vodafone with 10.3Mbps and Optus on 9Mbps. For median latency, Telstra lagged on 24 milliseconds, with both Optus and Vodafone on 21 milliseconds.

    In further good news for the telco, the Telecommunications Industry Ombudsman (TIO) said on Wednesday that complaints about Telstra halved year-on-year. For the quarter to the end of 2021, Telstra had 9,660 complaints recorded against it by the TIO, with Optus having 3,800, Vodafone 1,155, and stablemates TPG and iiNet a further 685 and 490 complaints respectively. Over the past year, complaints involving mobile have become the clear leading category for Telstra, making up 3,800 complaints, while the number of complaints involving multiple internet, landline, or mobile categories has shifted from north of 5,200 complaints to just over 1,930. Overall, total industry complaints have continued to trend downwards, with 18,386 complaints filed, compared to almost 30,500 a year ago.

    Last week it was announced that Cynthia Gebert had been appointed as the Telecommunications Industry Ombudsman for a period of five years, due to begin on May 2. Current TIO Judy Jones is set to leave the post next month.

  • in

    Decryptor released for Maze, Egregor, and Sekhmet ransomware strains

    A decryptor has been released for the Maze, Sekhmet, and Egregor ransomware after someone published the master decryption keys in a BleepingComputer forum post. 

    Around 6:30 yesterday evening, someone identifying themselves as “Topleak” said, “It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families.”

    “Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config. In the “OLD” folder of maze leak is keys for its old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version,” the user wrote. “Since it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and have no any connections to recent arrests and takedowns. M0yv source is a bonus, because there was no any major source code of resident software for years now, so here we go. Neither of our team member will never return to this kind of activity, it was pleasant to work with you. All source code of tools ever made is wiped out.”

    Cybersecurity company Emsisoft created a decryptor using the keys, but victims need the ransom note they received in order to use it. The decryptor already has more than 200 downloads. BleepingComputer administrators removed the link because it included the source code for the ‘M0yv’ malware.

    Emsisoft threat analyst Brett Callow said that while Maze, Sekhmet, and Egregor are no longer active, companies typically archive any encrypted data they were unable to recover in the hope that a decryptor will eventually become available, which it now has.

    “The release of the keys is another sign that ransomware gangs are rattled. While the gang claims their decision had nothing to do with the recent arrests of REvil — yeah, right. The reality is that gangs’ costs and risks are both increasing. Ransomware became such an enormous problem because threat actors were able to operate with almost complete impunity,” Callow told ZDNet.

    He went on to explain that there is a “stunning” enforcement gap when it comes to cybercrime, noting that the chances of being successfully investigated and prosecuted for a cyber attack in the US are now estimated at 0.05%.

    “That’s no longer the case. The ransomware problem is far from solved, but there’s now far more ‘risk’ in the risk/reward ratio. The Biden administration’s policy measures, multi-million dollar rewards, international cooperation, offensive actions and disruptions are all combining to make it harder and riskier for ransomware gangs to operate while insurers are simultaneously pushing their customers to become resilient,” Callow said.

    In February 2021, members of the Egregor ransomware cartel were arrested in Ukraine after a joint investigation by French and Ukrainian police. According to France Inter, French authorities got involved in the investigation after game studio Ubisoft, logistics firm Gefco, and several other major French companies were attacked by Egregor members.

    It was long suspected that Egregor, Maze, and Sekhmet were developed by the same group. Allan Liska, a ransomware expert with threat intelligence firm Recorded Future, told ZDNet in 2020 that they had tracked 206 victims published to the Egregor extortion site and, before the switchover, 263 victims published to the Maze site. At the time, Liska said the two variants accounted for 34.3% of victims published to all ransomware extortion sites. On Wednesday, Liska told ZDNet that Maze, Egregor, and Sekhmet were always tied together, each seen as a successor to the other. He said they were notable for a number of reasons. Maze codified the idea of the ransomware extortion site, which most ransomware groups now have, Liska explained.

    “The arrests of Maze affiliates in February of 2021 really kicked off the year of ransomware arrests,” Liska said. “Sadly, by now any decryptors are likely useless. Though, you never know, some victim may have a server in storage hoping for this day.”

  • in

    10-Gigabit internet: Coming to your home and office within the decade

    When I started using the internet, I was glad to have a 300-baud modem hook-up. A serious business connection was a T-1, which could reach an amazing 1.544 megabits per second (Mbps) of throughput. Things have changed. Now, I have a 1 gigabit per second (Gbps) internet link to my home office, and someday soon, CableLabs, the cable industry’s research and development lab, promises that we’ll have 10 Gbps (10G) access for homes and offices.

    The first steps have already been taken. In 2021, Comcast and Broadcom showed that with full-duplex (FDX) DOCSIS 4 system-on-chip (SoC) devices, the partners could hit 4Gbps. This was done using DOCSIS 4’s echo cancellation and overlapping spectrum techniques. Comcast also completed a successful test of a complete 10G connection using a DOCSIS 4-based virtualized cable modem termination system (vCMTS).

    DOCSIS 4, the next generation of cable internet, delivers broadband over cable’s existing hybrid fiber coax (HFC) plant. This new technology supports speeds of up to 10 Gbps downstream and up to 6 Gbps upstream. We’re already achieving that speed in labs. Charter Communications, aka Spectrum, recently demonstrated greater than 8.5 Gbps downstream and 6 Gbps upstream on an HFC plant. This was done without laying any cable or fiber, by using pre-existing HFC infrastructure. CableLabs member Armstrong took it one step further: the company launched a 10-gigabit fiber-optic network for customers in Medina, Ohio, delivering 10G access to more than 3,000 businesses and residences in the area.

    CableLabs president and CEO Phil McKinney proclaimed, “With faster symmetrical speeds, lower latency, enhanced reliability, and improved security, the emerging 10G network will truly power the next generation of innovation.” Here’s how.

    Improved capacity

    It sounds simple-minded, but we can reach 10G by simply increasing the number of bits per second delivered to subscribers. Of course, that’s easier said than done.

    To help operators meet that demand, CableLabs published specifications for a new device, called the Coherent Termination Device. It uses the ISP’s existing fiber assets more efficiently by teaming coherent optics technologies with wavelength-division multiplexing (WDM) in the optical access network. This enables Internet Service Providers (ISPs) to pack more bits into their existing fiber network. The technologies are already known to work: coherent optics is already used in long-haul internet backbone, metro, and undersea networks.

    Advancing 10G innovation

    To keep up the momentum, CableLabs has launched the 10G Challenge to accelerate the work of innovators, startups, students, and entrepreneurs in developing 10G applications. With total prizes of over $300,000, the 10G Challenge is designed to inspire innovators to leverage the emerging 10G network. Six winners will be chosen, and the Grand Prize winner and category winners will have the opportunity to present their technologies at the SCTE Cable-Tec Expo 2022 trade show.

    McKinney concluded, “While we don’t know what the future holds, we do know that the internet will play a vital role in shaping it.” And, the 10G platform and its applications “create a better future for humanity.”