Search This Blog

Showing posts with label CMS. Show all posts

Data Breach Targets Fast Company News

Fast Company's Apple News website currently displays a statement from the business confirming that it was hacked on Sunday afternoon, followed by another intrusion on Tuesday night that let threat actors to send bigoted notifications to smartphones via Apple News.

In a press release issued last night, the company claimed that "the statements are repulsive and are not by the contents and culture of Fast Company.  We have suspended while we look into the matter and will not reopen it until it is resolved."

As soon as individuals on Twitter noticed the offensive Apple News notifications, the company disabled the Fast Company channel on the news network.

Data breach tactics

The website's webpage started to load up with articles headlined "Hacked by Vinny  Troia. [redacted] tongue my [redacted]. Thrax was here. " on Sunday afternoon, which was the first indication that Fast Company had been compromised.

In their ongoing dispute with security analyst Vinny Troia, members of the breached hacking group and the now-defunct RaidForums regularly deface websites and carry out attacks that they attribute to the researcher. Fast Company took the website offline for a while to address the defacement, but on Tuesday at around 8 PM EST, another attack occurred.

Hackers claim that after discovering that Fast Company was using WordPress for their website, they were able to compromise the company. The HTTP basic authentication which was supposed to have protected this WordPress installation was disregarded. The threat actor goes on to claim that they were able to enter the WordPress content management system by utilizing a relatively simple default password used on dozens of users.

Fast Company, according to the post, had a 'ridiculously easy' default password that was used on numerous accounts, including an admin account. The compromised account would have then been utilized by the threat actors to gain access to, among other things, authentication tokens and Apple News API credentials.

They assert that by using these tokens, they were able to set up administrator accounts on the CMS platforms, which were then used to send notifications to Apple News.

Threat actors gained access to an undefined number of customer names, birthdates, contact numbers, email, physical addresses, and personal documents, including license and passport numbers, through this same forum, which was at the center of the previous Optus breach. The hacker in question claims to have made 10,200 records available thus far. It's uncertain whether or when Apple News would reactivate the Fast Company channel.

Sophos Firewall Zero-Day Flaw Exploited by Hackers


Chinese hackers leveraged a zero-day exploit for a vital vulnerability in Sophos Firewall to infiltrate a corporation and gain access to the victim's cloud-hosted web servers. Although the security flaw has been patched, many threat actors have continued to use it to escape authentication and execute arbitrary code remotely on businesses. 

Sophos Firewall's User Portal and Webadmin parts were found to have an authentication bypass vulnerability, which was tagged as CVE-2022-1040 on March 25. 

Researchers from Volexity revealed that Chinese threat actors used the zero-day vulnerability in Sophos Firewall (CVE-2022-1040) to hack a corporation and its cloud-hosted web servers. The threat actor was still operational when Volexity started the study, and the researchers were able to track the attacker's movements, showing a clever adversary who tried to go undiscovered.

According to the researchers, "the attacker was using access to the firewall to conduct man-in-the-middle (MitM) assaults." "Data obtained from these MitM assaults was used by the attacker to target further systems outside of the network where the firewall was located." Following the firewall breach, the infection sequence included backdooring a legitimate component of the security software with the Behinder web shell, which could be accessed remotely from any URL chosen by the threat actor.

Securing web server access 

Apart from the web shell, Volexity discovered further malicious behavior that maintained the threat actor's survival and allowed them to carry on the attack: 
  • The initial phase in the assault is gaining access to the Sophos Firewall, which permits a Man-in-the-Middle (MitM) attack by altering DNS replies for specified websites of the victim companies. 
  • Using stolen session cookies, the attacker gains access to the CMS admin page and then installs a File Manager plugin to manipulate files on the website. 
For a simpler investigation of intrusions, the firm advises using the auditd framework on Unix-based servers. Vendors' devices should also include tools for analyzing potential security flaws. Volexity also made a set of YARA rules accessible that may be used to detect unusual behavior from this form of threat.

Experts Find Malware Controlling Thousands of Websites in Parrot TDS Network

The Parrot traffic direction system (TDS) that surfaced recently had a huge impact than what was thought earlier, research suggests. The malware affected more than 61,000 websites and was one of the top infections. Parrot TDS was first identified in April 2022 by cybersecurity company Avast, the PHP script had affected web servers that hosted more than 16,500 websites, acting as a gateway for future malware campaigns. It includes appending a part of infected code to all JavaScript files on affected web servers that host content management systems (CMS) like WordPress, these are attacked because of their weak login credentials and flawed plugins. 

"In 2021 alone, Sucuri said it removed Parrot TDS from nearly 20 million JavaScript files found on infected sites. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files have been observed containing the malware," reports The Hacker News. Alongside the use of sneaky techniques to hide the code, the "injected JavaScript may also be found well indented so that it looks less suspicious to a casual observer," said Denis Sinegubko, expert at Sucuri says. 

The aim of the JavaScript code is to jump-start the second phase of the attack, to deploy a PHP script that has been already injected on the server and is built to obtain information about website visitor, (for ex- IPs, browser, referrer, etc.) and send the details to a remote server. The third phase of the attack surfaces as a Javascript code, it works as a traffic direction system to find out the specific payload to send for a particular user based on the data which was shared in the second stage. 

When the TDS has confirmed the eligibility of a particular site visitor, the NDSX script deploys the final payload through a third-party website. The mostly used third-stage malware is a JavaScript downloader called FakeUpdates. 

"The NDSW malware campaign is extremely successful because it uses a versatile exploitation toolkit that constantly adds new disclosed and 0-day vulnerabilities. Once the bad actor has gained unauthorized access to the environment, they add various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability is closed," said Sinegubko.

 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites


Parrot is a novel TDS system for online traffic redirection that runs on a few servers hosting over 16,500 sites from government agencies, universities, adult platforms, and personal blogs. The service was apparently also utilized in the context of various cyber-attacks aiming at diverting victims to phishing or sites which result in malware being installed on the systems. Reportedly, all of this is dependent on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors undertaking malicious campaigns to filter incoming traffic and route it to a final destination which serves harmful material. Advertisers and marketers utilize TDS legitimately. Most TDS services are used regularly by professionals in the marketing industry, which is why there are credible reports demonstrating how similar campaigns were executed in the recent past. 

Security analysts working with Avast have revealed that the Parrot has been identified as they recently made assertions about how the campaign was used for FakeUpdate, which delivered update warnings regarding remote access trojans, sometimes known as RATs, using fake browsers. 

Avast threat experts found Parrot TDS, which is presently being utilized for a campaign called FakeUpdate, which distributes remote access trojans (RATs) via phony browser update alerts. The effort appears to have begun in February 2022, however, there have been traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

They have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.  

Those landing sites seem just like a genuine Microsoft login page, prompting visitors to input there login credentials. The best strategy to deal with malicious redirections for web users is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps: 

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  • Use some of the security plugins for WordPress and Joomla which are available.

Microweber Creators Patched XSS Flaw in CMS Software


Microweber, an open-source website builder and content management system, has a stored cross-site scripting (XSS) vulnerability, according to security researchers. 

The security flaw, identified as CVE-2022-0930 by researchers James Yeung and Bozhidar Slaveykov, was patched in Microweber version 1.2.12. The issue developed as a result of flaws in older versions of Microweber's content filtering protections. 

Because of these flaws, attackers could upload an XSS payload as long as it contained a file ending in 'html' — a category that encompasses far more than simply plain.html files. Once this payload is uploaded, a URL with malicious HTML can be viewed and malicious JavaScript performed. 

An attacker could steal cookies before impersonating a victim, potentially the administrator of a compromised system, by controlling a script that runs in the victim's browser. A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept exploit, gives additional detail about the assault. Microweber was asked to comment on the researchers' findings via a message sent through a webform on The Daily Swig's website. Microweber responded by confirming that the "issue is already fixed." 

When asked how they found Microweber as a target, Yeung told The Daily Swig, “I came across and found other researchers had found vulnerabilities on Microweber and that's why I joined that mania!” 

The vulnerabilities discovered in Microweber are similar to those found in other comparable enterprise software packages. The researcher explained, “I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client).” 

To avoid issues in this area, Yeung determined that developers should gradually shift toward allow-lists and away from utilising block-lists.

Zero-day Exploit Detected in Adobe Experience Manager


A zero-day vulnerability in a prominent content management solution used by high-profile firms such as Deloitte, Dell, and Microsoft has been found. 

The flaw in Adobe Experience Manager (AEM) was detected by two members of Detectify's ethical hacking community.

Adobe Experience Manager (AEM) is a popular content management system for developing digital customer experiences like websites, mobile apps, and forms. AEM has become the primary Content Management System (CMS) for many high-profile businesses due to its comprehensiveness and ease of use. 

The flaw allows hackers to bypass authentication and obtain access to CRX Package Manager, making applications vulnerable to Remote code execution attacks. It affects CR package endpoints and can be fixed by denying public access to the CRX consoles. 

Detectify spokesperson stated, "With access to the CRX Package Manager, an attacker could upload a malicious package in Adobe Experience Manager to leverage it to an RCE and gain full control of the application." 

Ai Ho and Bao Bui, members of Detectify Crowdsource, initially detected the vulnerability in an instance of AEM used by Sony Interactive Entertainment's PlayStation subsidiary in December 2020. Three months later, the AEM CRX bypass was discovered within various Mastercard subdomains. The issues were reported to Sony and Mastercard at the time. 

Mastercard, LinkedIn, PlayStation, and McAfee were among the prominent companies affected by the flaw, according to the members of Detectify. 

A Detectify spokesperson explained: "The CRX Package Manager is accessed by bypassing authentication in Dispatcher, Adobe Experience Manager’s caching and/or load balancing tool. Dispatcher checks user’s access permissions for a page before delivering the cached page and is an essential part of most – if not all – AEM installations. It can be bypassed by adding a lot of special characters in combination in the request." 

Bao Bui, a security researcher and former CTF player of the Meepwn CTF Team, began hunting bug bounties around a year ago. Ai Ho, a security engineer, and developer, has been involved in the bug bounty industry for two years, developing and releasing his own bug-catching tools on GitHub. 

Adobe was notified of the zero-day problem and quickly issued a patch. 

On Detectify's platform, the AEM CRX Bypass zero-day was then implemented as a security test module. "Since it went live in May 2021, around 30 instances of the AEM CRX Bypass vulnerability have been in customers’ web applications," added a Detectify spokesperson. 

So far, Detectify's scans for over 80 specific AEM vulnerabilities have produced over 160,000 hits.

SQL Triggers Used by Hackers to Compromise User Database


Over the past year, a broader pattern of WordPress malware with SQL triggers has occurred within infected databases to mask intrusive SQL queries. Whenever the trigger condition is fulfilled, these queries insert an admin-level user into a contaminated database. Users can use a MySQL database to store essential data, including CMS settings and a common CMS is used on their website (such as WordPress). Something that might change the MySQL database is whether injecting harmful code or removing the content of your Website, could also do severe harm to the website. 

Potential for protection is one factor why the MySQL database has its own unique username and password, which will deter someone from checking the MySQL database manually without the required login details. Unfortunately, if attackers have unauthenticated access, they can also read a wp-config.php file to understand the website's database authentication credentials — which can then be used to connect to the database using code from the attacker and malicious adjustments. 

An intruder with unwanted access to a website, who would like to create a permanent loophole if the files of the Website are washed, is indeed an example from real life.

An intruder's approach is to set an admin user in the CMS database of the website. Usually, these can be conveniently found in the administrative dashboard or SQL client. The unauthorized admin account is a loophole outside of the website and in the directory of the webserver. This knowledge is critical since owners of a compromised website will also forget the index. However, the exclusion of suspected users from the database of the website does not entail the removal of any potential backdoors. 

A SQL trigger is an automatically stored process that runs when certain database modifications are introduced. While there have been several useful implementations, that bad actors use SQL triggers to retain unwanted access after a compromise. To achieve this, attackers are placing a SQL trigger in a compromised website database and malicious activity is performed if specific conditions have been reached or an incident happens.

If attackers breach a site, they will bet on any database passwords that are stored in wp-config or other CMS configuration files — and once the hacker has obtained the data at any post-infection period, it can be extremely hard to identify if the hacker has harvested any valuable information. Users must change passwords, including the databases if a breach occurs. Failure to pursue this post-hack phase will allow an attacker to enter and change the website even after the user has assumed the infection was removed.