Published April 22, 2019
84 min
    Show notes



        SpecterOps (Red Team Operations) and Tim Tomes (PWAPT)


    BSides Nashville




    “We take security seriously” and other trite statements


    WordPress infrastructure (supply chain failure)

        The WordPress plugin WooCommerce was at fault.

        Vulnerability disclosed late last year: https://www.bleepingcomputer.com/news/security/wordpress-design-flaw-woocommerce-vulnerability-leads-to-site-takeover/

        “According to new research by Simon Scannell, a researcher for PHP Security firm RIPS Tech, when WooCommerce is installed it will create a Shop Manager role that has the "edit_users" WordPress capability/permission. This capability allows users to edit ANY WordPress user, including the Administrator account.”
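The quoted design flaw is a capability-scoping problem: a role that carries the broad `edit_users` capability can edit any account, including administrators, unless something narrows it. The following must-use plugin is an added example, not code from the podcast, Secure Ideas, AoM or WooCommerce. It hooks WordPress's own `map_meta_cap` filter to deny non-administrators the `edit_user`, `promote_user` and `delete_user` meta capabilities when the target is an administrator, and adds a second, independent check that reverts and logs any role change to `administrator` not performed by an administrator. It assumes the stock `administrator` role name; the `paa_` function names and the `PAA_PROTECTED_ROLE` constant are hypothetical.

```php
<?php
/**
 * Plugin Name: Protect Administrator Accounts (added example, hypothetical)
 * Description: Deny non-administrators the ability to edit, promote or delete
 * administrator accounts, even if their role carries a broad capability such
 * as edit_users. Drop this file in wp-content/mu-plugins/ so it loads before
 * ordinary plugins and cannot be deactivated from the dashboard.
 */

// Assumption: the site uses the stock 'administrator' role name.
const PAA_PROTECTED_ROLE = 'administrator';

/** True if the given user currently holds the protected role. */
function paa_is_protected_user( $user_id ) {
	$user = get_userdata( (int) $user_id );
	if ( ! $user ) {
		return false; // unknown user, or no logged-in user (id 0)
	}
	return in_array( PAA_PROTECTED_ROLE, (array) $user->roles, true );
}

/**
 * map_meta_cap runs whenever WordPress resolves a meta capability such as
 * edit_user into primitive capabilities. Returning 'do_not_allow' makes the
 * check fail no matter what primitives the caller's role grants.
 *
 * $user_id is the user being checked, $args[0] the target user's id.
 */
function paa_guard_admin_accounts( $caps, $cap, $user_id, $args ) {
	$guarded = array( 'edit_user', 'promote_user', 'delete_user' );
	if ( ! in_array( $cap, $guarded, true ) ) {
		return $caps;
	}
	$target_id = isset( $args[0] ) ? (int) $args[0] : 0;
	if ( 0 === $target_id || $target_id === (int) $user_id ) {
		return $caps; // no target, or a user editing their own profile
	}
	if ( paa_is_protected_user( $target_id ) && ! paa_is_protected_user( $user_id ) ) {
		return array( 'do_not_allow' );
	}
	return $caps;
}
add_filter( 'map_meta_cap', 'paa_guard_admin_accounts', 10, 4 );

/**
 * Defence in depth: the capability filter above does nothing for code that
 * assigns roles directly (WP_User::set_role / add_role). If a role change to
 * administrator is not performed by an administrator, log it and revert it.
 * set_user_role fires after the change has been written, hence the revert.
 */
function paa_revert_escalation( $user_id, $role, $old_roles ) {
	if ( PAA_PROTECTED_ROLE !== $role ) {
		return;
	}
	$old_roles = (array) $old_roles;
	if ( in_array( PAA_PROTECTED_ROLE, $old_roles, true ) ) {
		return; // was already an administrator; not an escalation
	}
	$actor_id = get_current_user_id();
	if ( $actor_id && paa_is_protected_user( $actor_id ) ) {
		return; // an administrator made the change
	}
	// Actor 0 means no logged-in user: cron, WP-CLI without --user, or a
	// plugin hook running during checkout. Legitimate WP-CLI promotions
	// should therefore be run with --user=<an administrator>.
	error_log( sprintf(
		'paa: user %d escalated to %s by actor %d (old roles: %s); reverting',
		$user_id, $role, $actor_id, implode( ',', $old_roles )
	) );
	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}
	// remove_role fires remove_user_role, not set_user_role, so no recursion.
	$user->remove_role( PAA_PROTECTED_ROLE );
	if ( empty( $user->roles ) ) {
		// set_user_role fires again here, but with a non-admin role it returns early.
		$user->set_role( $old_roles ? reset( $old_roles ) : 'subscriber' );
	}
}
add_action( 'set_user_role', 'paa_revert_escalation', 10, 3 );
add_action( 'add_user_role', function ( $user_id, $role ) {
	paa_revert_escalation( $user_id, $role, array() );
}, 10, 2 );
```

Two caveats a practitioner would want: the `map_meta_cap` filter only protects paths that go through `current_user_can()`, which is why the second hook exists, and neither hook sees a change written straight to the `wp_usermeta` table, so database-level role grants still need the audit-log review discussed further down.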




    You (Kevin) discovered the admin accounts, but could not remove them. Was that when you considered this an ‘incident’?


    [2019-03-22 09:03 EST] Kevin tasks members of the Secure Ideas team with reconnaissance and mapping of the AoM system. Kevin reminds these members that Secure Ideas doesn’t have permission to test AoM. They are advised not to do anything that could harm AoM’s production environment.

        What is the line they should not cross in this case?


    You did not have access to logs, so you asked that an audit plugin be installed in order to view them. Is that access permanent, and why was log access not allowed before?


    [2019-03-22 13:11 EST] AoM Support fixes the audit log plugin access. AoM Support has found that a purchase of a course through a WooCommerce plugin resulted in users being granted admin access. AoM Support provides specific order numbers. They have also done an analysis of the database backups from the last 60 days and believe that the attackers did not do anything after they got access. AoM Support announces that the Secure Ideas training site will be set up on a separate server and Secure Ideas will be granted a new level of access.
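The two findings in that timeline entry (which orders granted admin access, and whether the promoted accounts did anything afterwards) are the kind of question an audit log answers quickly once you have one. The script below is an added example, not code from the podcast or from AoM's investigation: it reads newline-delimited JSON audit events, flags every role change to `administrator`, links each one to a completed WooCommerce order by the same user within a short window, and lists what the promoted account did afterwards. The log format, the event names and every sample line are constructed for this example; the field names of a real audit plugin will differ. Requires PHP 7.4 or later.

```php
<?php
/**
 * Added example (hypothetical log format, constructed sample data): correlate
 * role escalations to 'administrator' with WooCommerce order completions and
 * list post-escalation activity by the affected accounts.
 */

const AUDIT_ROLE  = 'administrator';
const ORDER_EVENT = 'woocommerce_order_status_completed'; // assumed event name
const ROLE_EVENT  = 'set_user_role';                      // assumed event name

// Constructed sample log: one JSON object per line. actor_id 0 means the
// change happened with no logged-in user (cron, CLI, or a checkout hook).
$sample_log = <<<'LOG'
{"ts":"2019-03-20T14:02:11Z","event":"woocommerce_order_status_completed","order_id":5523,"user_id":201,"actor_id":0}
{"ts":"2019-03-20T14:02:12Z","event":"set_user_role","user_id":201,"old_roles":["customer"],"new_role":"administrator","actor_id":0}
{"ts":"2019-03-20T16:40:05Z","event":"set_user_role","user_id":7,"old_roles":["editor"],"new_role":"administrator","actor_id":1}
{"ts":"2019-03-21T09:15:33Z","event":"woocommerce_order_status_completed","order_id":5531,"user_id":233,"actor_id":0}
{"ts":"2019-03-21T09:15:34Z","event":"set_user_role","user_id":233,"old_roles":["customer"],"new_role":"administrator","actor_id":0}
{"ts":"2019-03-21T11:00:00Z","event":"wp_login","user_id":233,"actor_id":233}
LOG;

/** Parse newline-delimited JSON into an array of events sorted by time. */
function parse_audit_log(string $raw): array
{
    $events = [];
    foreach (preg_split('/\R/', trim($raw)) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $e = json_decode($line, true);
        if (!is_array($e) || !isset($e['ts'], $e['event'], $e['user_id'])) {
            fwrite(STDERR, "skipping malformed line: $line\n");
            continue;
        }
        $e['epoch'] = strtotime($e['ts']);
        $events[] = $e;
    }
    usort($events, fn($a, $b) => $a['epoch'] <=> $b['epoch']);
    return $events;
}

/**
 * For every promotion to administrator, look back $window seconds for a
 * completed order by the same user. One finding per promotion.
 */
function classify_promotions(array $events, int $window = 300): array
{
    $findings = [];
    foreach ($events as $i => $e) {
        if ($e['event'] !== ROLE_EVENT || ($e['new_role'] ?? '') !== AUDIT_ROLE) {
            continue;
        }
        $finding = [
            'user_id'  => $e['user_id'],
            'ts'       => $e['ts'],
            'epoch'    => $e['epoch'],
            'actor_id' => $e['actor_id'] ?? null,
            'order_id' => null,
            'verdict'  => 'manual review', // a logged-in actor, no order nearby
        ];
        for ($j = $i - 1; $j >= 0 && $e['epoch'] - $events[$j]['epoch'] <= $window; $j--) {
            $prev = $events[$j];
            if ($prev['event'] === ORDER_EVENT && $prev['user_id'] === $e['user_id']) {
                $finding['order_id'] = $prev['order_id'];
                $finding['verdict']  = 'admin granted by checkout';
                break;
            }
        }
        if ($finding['order_id'] === null && empty($e['actor_id'])) {
            $finding['verdict'] = 'admin granted with no logged-in actor';
        }
        $findings[] = $finding;
    }
    return $findings;
}

/** Everything a user did, as actor, after the moment they became an administrator. */
function post_promotion_activity(array $events, int $user_id, int $since_epoch): array
{
    return array_values(array_filter(
        $events,
        fn($e) => ($e['actor_id'] ?? null) === $user_id
            && $e['epoch'] > $since_epoch
            && $e['event'] !== ROLE_EVENT
    ));
}

$events = parse_audit_log($sample_log);
foreach (classify_promotions($events) as $f) {
    printf("%s user %d -> %s: %s%s\n", $f['ts'], $f['user_id'], AUDIT_ROLE, $f['verdict'],
        $f['order_id'] !== null ? " (order #{$f['order_id']})" : '');
    $later = post_promotion_activity($events, $f['user_id'], $f['epoch']);
    if (!$later) {
        echo "    no later activity by this account in the log\n";
    }
    foreach ($later as $a) {
        printf("    later activity: %s %s\n", $a['ts'], $a['event']);
    }
}
```

On the constructed data this links users 201 and 233 to orders 5523 and 5531, leaves the promotion of user 7 by user 1 for manual review, and shows the login by user 233 after the grant. The absence of later activity only means the audit log saw none; it does not replace the database-backup comparison AoM Support did, because the audit plugin was installed after the escalations happened.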


    Seems like working with AoM wasn’t difficult. Was giving you access to your own instance and allowing you to administer it a big deal for them?


    Lessons Learned? Anything you’d do differently next time?

        Update IR plan?

        Did they reach out for additional testing?

        Did the people who got admin get removed?

        Consult with AoM on better security implementation? Your environment wasn’t damaged, but did they suffer issues with other customers? *answered*






    Gas Station skimmer video - https://www.facebook.com/michellepedraza.journalist/videos/2135141863465247/







    Upcoming SI events

    IANS Forum (Washington, DC)



    ISC2 Security Congress (Washington, DC)




    Twitter handles




    Check out our Store on Teepub! https://brakesec.com/store

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store!:https://www.teepublic.com/user/bdspodcast



    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec


    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypal https://brakesec.com/PaypalBDS OR our #Patreon


    #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

