mbensimon
Staff
Description

This article describes how to use FortiDeceptor decoys to detect activity related to the critical privilege escalation flaw CVE-2022-3180, which enables unauthenticated attackers to add a rogue user with admin privileges and completely take over sites running the vulnerable WordPress plugin.

 

WordPress is a content management system (CMS) that allows users to host and build websites. WordPress contains plugin architecture and a template system, so one can customize any website to fit the business, blog, portfolio, or online store.

 

A zero-day flaw in the latest version of a WordPress premium plugin, WPGateway, is being actively exploited in the wild, potentially allowing malicious actors to take over affected sites completely.

Cyber deception against attacks that try to leverage CVE-2022-3180:

FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and assets. Network decoys include Linux/Windows endpoints and servers, web, DB and Git applications, IoT/OT, and many more.

 

1) The FortiDeceptor customization module generates a real instance of WordPress that will be deployed in the customer data center. Deploying a decoy that runs real WordPress software expands the attack surface presented to any malware or threat actor trying to leverage the CVE-2022-3180 vulnerability. In addition, this decoy will generate accurate threat intelligence and IOCs against the attack.

2) To exploit this vulnerability, an attacker would need to be able to access the WordPress decoy. Even if an organization has not exposed a WordPress server externally, attackers can still exploit this flaw once inside a network.

Scope

The Deception Decoys against the WordPress CVE-2022-3180 vulnerability attacks can be used in FortiDeceptor V.3.3 and above.

Solution

Cyber Deception Against WordPress CVE-2022-3180 attacks:

 

1) Configure the network segments under the 'Deployment Network' section that FortiDeceptor will use to deploy network decoys. Due to the nature of the attack, verify that the data center, DMZ and cloud segments where a WordPress server can be located are covered.

 

2) Use the 'Customization' feature to deploy a Windows 2016/2019 decoy that can run a WordPress instance. For technical instructions on using the customization module, see this video: https://video.fortinet.com/products/fortideceptor/3.0/fortideceptor-windows-customization

 

3) Install WordPress inside the Windows Server decoy by following this guide: https://www.microhost.com/docs/tutorial/how-to-install-wordpress-on-iis-in-windows-server-2019/

 

4) Deploy network decoys (template and custom) across the VLAN segments configured under the 'Deployment Network' section.

 

5) Once a threat actor or malware penetrates the network and infects an endpoint, any interaction with a deception decoy will trigger a real-time alert.

 

6) FortiDeceptor will leverage the Fortinet Fabric to execute a threat mitigation response to isolate the threat.
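
Step 5 rests on the fact that a decoy has no legitimate users, so every request it receives is a detection. The sketch below is an added example, not FortiDeceptor functionality or Fortinet code: it triages the IIS W3C access log of a WordPress decoy installed as in step 3, treating every non-allowlisted client as an alert and raising severity when well-known WordPress login, admin or plugin paths are touched. The log lines, addresses, plugin path and the allowlisted management host are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Well-known WordPress areas where account or plugin activity happens.
SENSITIVE_PREFIXES = ("/wp-admin/", "/wp-login.php", "/wp-content/plugins/")

# Constructed sample log (RFC 5737 documentation addresses), IIS W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-20 10:01:02 192.0.2.10 GET /index.php - 80 - 192.0.2.5 HealthCheck/1.0 200
2022-09-20 10:05:44 192.0.2.10 GET /wp-login.php - 80 - 198.51.100.23 Mozilla/5.0 200
2022-09-20 10:05:51 192.0.2.10 POST /wp-content/plugins/example-plugin/endpoint.php - 80 - 198.51.100.23 Mozilla/5.0 200
2022-09-20 10:06:03 192.0.2.10 GET /wp-admin/users.php - 80 - 198.51.100.23 Mozilla/5.0 302
2022-09-20 11:15:00 192.0.2.10 GET / - 80 - 203.0.113.77 curl/8.0 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage(text, allowlist=()):
    """Group decoy requests by client IP; every non-allowlisted source is an alert."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    alerts = defaultdict(lambda: {"hits": 0, "sensitive": [], "severity": "medium"})
    for row in parse_w3c(text):
        src = ipaddress.ip_address(row["c-ip"])
        if any(src in net for net in nets):
            continue  # hypothetical management or health-check host
        entry = alerts[row["c-ip"]]
        entry["hits"] += 1
        path = row["cs-uri-stem"].lower()
        if path.startswith(SENSITIVE_PREFIXES):
            entry["sensitive"].append((row["cs-method"], path))
            entry["severity"] = "high"
    return dict(alerts)

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG, allowlist=["192.0.2.5/32"]).items():
        print(ip, info["severity"], info["hits"], info["sensitive"])
```

Source addresses rated high are the natural candidates for the isolation response described in step 6.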

 

FortiDeceptor is part of the Fortinet Security Fabric.

FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiEDR, FortiSIEM, FortiSOAR, FortiAnalyzer, and other third-party security solutions to automate the mitigation response based on attack detection.

For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected machine targeted by ransomware.

https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s

Another example shows FortiDeceptor leveraging FortiGate to automatically isolate an infected machine that has been compromised by a threat actor or malware.
