Security Resources

Software Updates

Trustwave Web Application Firewall 4.58

Trustwave SpiderLabs is pleased to announce the release of CorSigs version 4.58 for Trustwave Web Application Firewall (WAF) versions 8.5 and 9.0. These rules are written to detect attacks, or classes of attacks, on web applications and their components.

Release Summary

This release includes the following new signatures:

  • (2180137) WordPress Plugin Support Board 1.2.3 XSS The Support Board 1.2.3 plugin for WordPress allows a remote user to execute arbitrary SQL commands via the vulnerable parameter.
  • (2180138) Joomla! Component Jimtawl 2.2.7 SQLi The Jimtawl 2.2.7 component for Joomla! allows a remote user to execute arbitrary SQL commands via the vulnerable parameter.
  • (2180139) PHP-Proxy 3.0.3 LFI PHP-Proxy 3.0.3 allows a remote user to execute Local File Inclusion via the vulnerable parameter.
  • (2180140) Magento unauthenticated arbitrary unserialize CVE-2016-4010 Magento eCommerce platform allows an unauthenticated attacker to execute PHP code on the web server via the vulnerable parameter.
  • (2500000) WordPress Plugin Ninja Forms 3.3.17 XSS CVE-2018-19287 The Ninja Forms 3.3.17 plugin for WordPress allows a remote user to inject arbitrary script via the vulnerable parameter.
  • (2500001) WordPress Plugin Media File Manager 1.4.2 LFI + CSRF CVE-2018-19040 CVE-2018-19042 CVE-2018-19043
    The Media File Manager 1.4.2 plugin for WordPress allows an unauthenticated attacker with network access via HTTP to compromise the vulnerable component, resulting in server data corruption or leakage.
  • (2500002) WordPress Plugin Media File Manager 1.4.2 XSS CVE-2018-19041 The Media File Manager 1.4.2 plugin for WordPress allows a remote user to inject arbitrary script via the vulnerable parameter.
  • (2500003) WordPress Plugin Custom Frontend Login Registration 1.01 XSS The Custom Frontend Login Registration 1.01 plugin for WordPress allows a remote user to inject arbitrary script via the vulnerable parameter.

Trustwave SpiderLabs also released 14 new rules to detect suspicious Crypto-Mining Activity:

  • (2500004) DeepMiner Crypto-Mining Activity
  • (2500006) WebCoin Crypto-Mining Activity
  • (2500007) CryptoNoter Crypto-Mining Activity
  • (2500008) xmrhut Crypto-Mining Activity
  • (2500009) CoinRail Crypto-Mining Activity
  • (2500010) CoinImp Crypto-Mining Activity
  • (2500011) CoinNebula Crypto-Mining Activity
  • (2500012) CoinBlind Crypto-Mining Activity
  • (2500013) Coinerra Crypto-Mining Activity
  • (2500014) ProjectPoi Crypto-Mining Activity
  • (2500015) CoinHave Crypto-Mining Activity
  • (2500016) CryptoLoot Crypto-Mining Activity

Although crypto-mining can be legitimate, as when website owners deploy mining software as an alternative to advertisements, injected mining code is more often planted by attackers as malware to hijack the CPU power of website visitors for their own benefit.

In these cases, the presence of a crypto-mining script is clear evidence that the website has been compromised.

Please note that the default action for the Crypto-Mining Activity rules is LOG only, so further action needs to be taken if your website has already been compromised:

  • Inspect the compromised web page and remove the malicious script
  • Validate all input received from clients and instruct developers to perform input validation wherever user input is provided
  • Make sure that you are using the latest, non-vulnerable software and versions, and check that all security patches have been applied

For more information regarding crypto-mining, please refer to the Trustwave blog.

How to Update

No action is required by customers running versions 8.5 or 9.0 of Trustwave Web Application Firewall who subscribe to the online update feature. Their deployments will update automatically.

Please note that even if blocking actions are defined for a protected site, Simulation Mode for these rules is ON by default in order to allow site managers to inspect the impact of new rules before blocking relevant traffic. If you want to activate blocking actions for these rules, you must update the Actions for these signatures in the Policy Manager.