21 Sep

Threatpost Fails to Properly Vet Sources, Leading to Spreading Inaccurate Information about Vulnerability Created by Duplicator

On Monday we discussed how the security company Sucuri showed that they lack even a basic understanding of security through a post they had written about a vulnerability created by the WordPress plugin Duplicator, a vulnerability they clearly didn’t understand. What we also noted is that while their lack of security knowledge isn’t some new development, it is something that doesn’t appear to be well known. Part of the reason for that is that security journalists don’t seem to be interested in doing actual journalism and instead often act as stenographers for terrible security companies, so instead of shedding light on the bad practices of Sucuri and other similar companies (there are lots of them), they often end up promoting them. Shortly after we posted that, a Google alert notified us of an article by Threatpost discussing the vulnerability, which was sourced to none other than Sucuri. That article is titled “Old WordPress Plugin Being Exploited in RCE Attacks”.

What seems to be most problematic with Threatpost’s article is this claim, which is repeated from Sucuri:

Sucuri researchers note that the group of impacted users might further be winnowed down by the fact that vulnerable users would have to meet the following conditions:

  • The installer.php file must have been generated by Duplicator plugin
  • The installer.php file must be left on the site’s root folder
  • The installer version must be older than 1.2.42

As we noted back on September 6th, there is still very much an issue as of that version:

Making things worse here, the Wordfence post is titled “Duplicator Update Patches Remote Code Execution Flaw”, but that isn’t all that accurate since by default the new set of files generated during duplication still allows changing the database details (it does attempt to limit code execution, though we haven’t tested that out to see if it is totally effective), and then using the website to take a variety of malicious actions.

The Threatpost article actually cites Wordfence as claiming that what we mentioned as still being an exploitation route is in fact happening:

“We’ve also seen attackers supplying remote database credentials to connect the WordPress site to a database under the attacker’s control. From there, the attacker can login using their own admin user accounts, and upload a malicious plugin or theme in order to fully compromise the site,” wrote Matt Barry, Wordfence engineer in an email interview with Threatpost.

Considering that Wordfence (aka Defiant) has a long history of making false claims, it is possible that isn’t true (they shouldn’t be used as a source either), but if it is true it indicates the issue certainly continues to be a problem, which seems like what Threatpost should actually have been covering.
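Since the exploitation route described above only needs a leftover installer.php reachable in the site root, one defensive check is to look for requests to that file in the web server access log. The following is an added example, not code from the original post or from any of the companies discussed; it parses combined-format access log lines (the sample lines are constructed) and summarizes, per client, whether the installer was reachable (a 200 response) and whether a form submission (POST) was made to it.

```python
import re

# Constructed sample log lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Sep/2018:10:01:02 +0000] "GET /installer.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Sep/2018:10:01:09 +0000] "POST /installer.php?action=ajax HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Sep/2018:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Sep/2018:10:03:00 +0000] "GET /installer-old.php HTTP/1.1" 404 210 "-" "curl/7.58"
203.0.113.5 - - [21/Sep/2018:10:03:30 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The file Duplicator generates and that the post says must not be left in the site root.
INSTALLER_PATH = "/installer.php"


def parse_line(line):
    """Return a dict of the relevant fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before comparing
    rec["status"] = int(rec["status"])
    return rec


def find_installer_hits(log_text):
    """All requests whose path is exactly the installer file in the site root."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == INSTALLER_PATH:
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-client summary: 'reachable' means a 200 was served (the file still exists);
    'submitted' means a POST was made, i.e. the installer form (where the database
    details are entered) was actually submitted."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"requests": 0, "reachable": False, "submitted": False})
        s["requests"] += 1
        s["reachable"] = s["reachable"] or h["status"] == 200
        s["submitted"] = s["submitted"] or h["method"] == "POST"
    return summary
```

A client that shows up with both flags set, on a site where the installer was never meant to stay behind, is worth investigating, and any 200 at all means the file should be removed from the site root.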

That article was written by someone that Threatpost markets as an “industry-leading journalist”, which if true, doesn’t say good things about the rest of the industry.

Making the situation worse, we left a comment on the article that clarified the situation, but that comment was not approved to be shown. Other comments written since then were, so it seems like someone saw that they had gotten things wrong and were not willing to share that with the public or correct the article.

Kaspersky Lab’s Connection

Threatpost currently markets itself as “an independent news site” that “is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.” The reality is that in the past they were clearly part of the security company Kaspersky Lab. Up until October of last year, the footer of the website stated that they were “The Kaspersky Lab Security News Service”. It isn’t clear what the ownership situation is now, but the current name servers for the website are Kaspersky Lab’s:

Name Server: ns3.kasperskylabs.net
Name Server: ns2.kasperskylabs.net
Name Server: ns1.kasperskylabs.net

Threatpost also shares an address with Kaspersky Lab Americas.

It seems like their continued connection (if not outright ownership) should be disclosed by them, considering that not only is Kaspersky Lab a major player in the security industry, but the company itself is very much in the news these days over its claimed connections to the Russian government.

Security companies running journalism outlets creates a large conflict of interest for their journalists, since they would have a pretty obvious concern about criticizing security companies that could be their next employer. WordPress has the same sort of issue when you consider who owns a major outlet, WordPress Tavern.
