Search This Blog

Showing posts with label IP addresses. Show all posts

Defective WordPress Plugin Permits Full Invasion

 

According to security researchers, a campaign scanning almost 1.6 million websites was made to take advantage of an arbitrary file upload vulnerability in a previously disclosed vulnerable WordPress plugin.

Identified as CVE-2021-24284, the vulnerability that affects Kaswara Modern WPBakery Page Builder Addons, when exploited, gives an unauthorized attacker access to sites using any version of the plugin and enables them to upload and delete files or instead gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider claims to have halted 443,868 attacks on client websites per day and strives to do the same till date. Daily, on average, 443,868 tries are made.

Malicious code injection  

The hacker attempts to upload a spam ZIP payload that contains a PHP file using the plugin's 'uploadFontIcon' AJAX function by sending a POST request to 'wp-admin/admin-ajax/php'.

Afterward, this file pulls the NDSW trojan, which inserts code into the target sites' legitimate Javascript files to reroute users to dangerous websites including phishing and malware-dropping sites. You've likely been infected if any of your JavaScript files contain the string "; if(ndsw==" or if these files themselves contain the "; if(ndsw==" string.

All versions of the software are vulnerable to an attack because the bug was never patched by the software creators, and the plugin is currently closed. The bug hunters stated that although 1,599,852 different sites were hit, a bulk of them wasn't hosting the plugin, and they believed that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not utilizing the plugin. Visit Wordfence's blog for additional information on the indicators and the sources of requests that are the most common.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

Analysis of Cryptocurrency Fundraising

 

A cryptocurrency is a form of digital currency meant to make internet transactions extremely safe. Investors and authorities are paying attention to the unexpected increase in the value of cryptocurrencies. The digital era has surely aided in the advancement of our understanding and use of money. We are also on the verge of a new financial revolution, which is linked to the fourth industrial revolution. There are currently 9,271 distinct cryptocurrencies available, with Bitcoin, Ethereum, Tether, BNB, and USD being the most renowned ones.  

Cryptocurrencies, despite being older than the iPad, have just entered the public sphere, with their impact being predominantly felt in the last three or four years. The aspect of digital currencies has spread to numerous banks, including JP Morgan and Wells Fargo, which are developing their own cryptos. Blockchain, AI, IoT, and a slew of other technologies are making inroads into our daily lives as more traditional concepts and technologies are scrambling to stay up or risk becoming obsolete. 

Bitcoin, one of the most popular cryptocurrencies, was launched in 2009 and employs peer-to-peer technology to enable rapid transactions without the involvement of institutional bodies such as banks or governments. A password or a private key is required to access the received cryptocurrency in the wallet. Furthermore, the transaction is safeguarded by blockchain technology when it is sent from one wallet to another.

Physical currency serves as a universal measure of worth as well as a quick means of transmitting it. The switch to such a system would very certainly be tough, as cash may become incompatible in the blink of an eye if the crypto world advance at the current pace. Established banking institutions would almost certainly have to hustle to adapt. Governments across the world are now accepting blockchain and cryptocurrency. According to the Gartner report, 83 nations are currently experimenting with or deploying as such Central Bank Digital Currencies, or CBDCs, which account for 90 percent of global GDP. While many businesses initially offered to accept Bitcoin during its first boom, this list has progressively reduced, reinforcing doubt about the cryptocurrency's potential as a medium of trade. 

In India, cryptocurrency boomed relatively late when it already cost millions of rupees, as a result, Indians have few Satoshis (small units of a bitcoin) but this isn't the case in every situation. People are dealing in smaller units such as milli or micro bitcoins as the worth of cryptocurrency. 

Furthermore, the price of a cryptocurrency varies between exchanges, which is a clear breach of the legislation of one price.

While bitcoin performs admirably as a wealth vault, its volatility makes it riskier and exposes it to increased danger of loss. Several variables influence the price of a single bitcoin, like supply and demand, competition, and regulation. Investor perceptions of cryptocurrency are also influenced by recent news events.

The lack of other traits for crypto in India is typically associated with modern physical currencies; they cannot be deposited in a bank and must be held in digital wallets, which are costly and risky due to the possibility of hacking, staff corruption, public IP addresses, and ransomware. In many aspects, government supervision over central currency is essential for regulation, and cryptocurrencies would function with far less government oversight. Bitcoin's supply is set; there is an absolute limit of 21 million units.

In order to maintain steady price levels, the money supply must be able to rise in lockstep with macroeconomic activity, otherwise, the problem can only be solved by raising the velocity of money or by a substantial drop in prices. This might put the economy in jeopardy. 

For investors, bitcoin's artificial scarcity is a benefit: increased demand combined with inelastic supply leads to a greater price. The lack of a central regulator renders investor protection untenable and raises the likelihood of greater instability. People engage in these markets expecting the cryptocurrencies would grow in the future; this presumption fuels speculative behaviours, and a quick shift in the presumption may cause the market to crash, injuring many naive investors. 

The magnitude of economic harm is influenced by the connectivity between crypto-assets and the traditional banking industry. According to economists, direct exposure from cryptocurrencies to the financial system might be transmitted, and indirect repercussions could expand to other asset classes. Crypto assets, according to the RBI financial stability report (2021), offer long-term risks for capital control management, financial and macroeconomic stability, and monetary policy transmission.

China has taken the toughest stance on cryptocurrencies, going from allowing crypto mining to outright prohibiting it as of June 2021. Regulations are divided between the federal and state governments in the United States and India. Most EU draught Markets in Crypto-Assets Regulation (MiCA) legislation was announced by the European Commission in September 2020. The UK  is currently supervised by the Financial Conduct Authority (FCA). It's worth noting that the South American nation was the first to declare Bitcoin to be legal cash.

If we look at the evolution of crypto as a currency, it has virtually achieved its goal of decentralisation, and is now one of the main firms such as Tesla, Microsoft, and Meta are investing in it. On the other hand, the emerging cryptocurrency has the issue of being hackable. In the long run, if cryptocurrency continues to develop at its current rate, it may eventually replace fiat currency, resolving the issues of hacking and extreme volatility.

DirtyMoe Worming Malware is Targeting Hundreds of Thousands Devices Per Day

 

Avast researchers have observed DirtyMoe malware acquiring new worm-like propagation capabilities, which allows it to extend its reach without requiring any user interaction.

According to Avast researcher Martin Chlumecky, DirtyMoe’s worming module targets older well-known susceptibilities, such as EternalBlue and Hot Potato Windows privilege escalation. One worm module can generate and target hundreds of thousands of private and public IP addresses per day. Many machines still use unpatched systems or weak passwords, leaving many victims at risk. 

Cybersecurity researchers are currently observing three main techniques that spread the malware: PurpleFox EK, PurpleFox Worm, and injected installers of Telegram Messenger which serve as mediums to spread and install DirtyMoe. However, it is highly likely that the malware uses other distribution techniques as well. 

The malware also has a service that leads to the launch of two additional processes for loading modules for Monero mining and spreading malware in a worm-like manner. The worming modules target victim devices by employing multiple bugs to install the malware, with each module targeting a specific vulnerability based on information gathered post exploration – 

• CVE-2019-9082: ThinkPHP – Multiple PHP Injection RCEs 
• CVE-2019-2725: Oracle Weblogic Server – 'AsyncResponseService' Deserialization RCE 
• CVE-2019-1458: WizardOpium Local Privilege Escalation 
• CVE-2018-0147: Deserialization Vulnerability 
• CVE-2017-0144: EternalBlue SMB Remote Code Execution (MS17-010) 
• MS15-076: RCE Allow Elevation of Privilege (Hot Potato Windows Privilege Escalation) 
• Dictionary attacks aimed at MS SQL Servers, SMB, and Windows Management Instrumentation (WMI) services with weak passwords

"The main goal of the worming module is to achieve RCE under administrator privileges and install a new DirtyMoe instance," Chlumecký explained, adding one of the component's primary functions is to generate a list of IP addresses to attack based on the geological location of the module.

In addition, another in-development worming module was unearthed to incorporate exploits targeting PHP, Java Deserialization, and Oracle Weblogic Servers, implying that the malicious actors are looking to widen the scope of the infections.

"Worming target IPs are generated utilizing the cleverly designed algorithm that evenly generates IP addresses across the world and in relation to the geological location of the worming module," Chlumecký concluded. "Moreover, the module targets local/home networks. Because of this, public IPs and even private networks behind firewalls are at risk."

Malware Abcbot Related to the Xanthe Cryptomining Bug Developer's

 

Abcbot, the newly discovered botnet has a longer history than what was originally believed. The Xanthe-based cryptojacking campaign found by Cisco's Talos security research team in late 2020 has a clear link, according to the ongoing examination of this malware family. When Talos was notified of an intrusion on one of their Docker honeypots, they discovered malware that looked like a bitcoin mining bot. 

The virus is known as Xanthe, and its main goal is to mine cryptocurrency using the resources of a compromised system. Based on the findings, the same threat actor is behind both Xanthe and Abcbot, and its goal has shifted from mining cryptocurrency on compromised hosts to more classic botnet activity like DDoS attacks.

Abcbot attacks, first reported by Qihoo 360's Netlab security team in November 2021, are triggered by a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine to a botnet but not before terminating processes from competing threat actors and establishing persistence. The shell script in question is an updated version of one found by Trend Micro in October 2021, which targeted Huawei Cloud's vulnerable ECS instances. 

Further investigation of the botnet, which included mapping all known Indicators of Compromise (IoCs) such as IP addresses, URLs, and samples, revealed Abcbot's code and feature-level similarities to that of a cryptocurrency mining operation known as Xanthe, which spread the infection using incorrectly configured Docker implementations. 

The semantic similarities between the two malware families range from the way the source code is formatted to the names given to the routines, with some functions having not only identical names and implementations (e.g., "nameservercheck"), but also have the word "go" appended to the end of the function names (e.g., "filerungo"). According to experts, Abcbot also contains spyware that allows four malicious users to be added to the hacked machine: 
  • Logger 
  • Ssysall 
  • Ssystem 
  • sautoupdater 
Researchers believe that there are substantial links between the Xanthe and Abcbot malware families, implying that the same threat actor is involved. The majority of these would be difficult and inefficient to recreate identically, including string reuse, mentions of shared infrastructure, stylistic choices, and functionality that can be seen in both instances. If the same threat actor is behind both campaigns, it signals a shift away from cryptocurrency mining on compromised devices and toward botnet-related operations like DDoS attacks.

VPN Services Reportedly Leaked Around 1.2TB User Data Containing Sensitive Information


A recent discovery by a tech service company has taken the world by storm. The VPN services may not be as protected and secure as they guarantee to be, the company reveals that around 894GB of client information and data from UFO VPN has been exposed on the web.

This was proved true for eight quite well-known VPN services that have purportedly released a mammoth 1.2TB of client information. These VPN applications are as yet accessible on the Google Play Store with just one removed until now.

The leaked info contains subtleties like accounts passwords, VPN session secrets/tokens, IP addresses of both client devices and servers, and even the operating system of the devices.

As per by Comparitech, the tech service company responsible for the discovery,  more than 20 million client entries are included in the logs every day.

The VPN specialist co-op was likewise informed regarding the information spill yet denied any such claims. UFO VPN said that the client logs are saved for traffic monitoring and that every last bit of it is 'anonymized'.

It was later found that there are seven more Hong Kong-based VPN administrations that have around 1.2TB of client information out in the open online.

The list incorporates FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN, and UFO VPN as well. Found by VPNmentor, it was discovered that all these VPN services share a typical Elasticsearch server and also the same recipient for payments, Dreamfii HK Limited.

The information uncovered from these VPN administrations contain sensitive data like home addresses, Bitcoin and PayPal payment details, email addresses and passwords, user names, and more. Dreamfii HK is expected to be the parent company for all these VPN services.

As of now, these VPN applications are as yet accessible on the Play Store, and only Rabbit VPN has been removed.

Tor Browser Bug Executes Uncalled for JavaScript Codes!


The well-known Tor is allegedly experiencing some kind of bug in its mechanism. It has hence warned the users to stay vigilant as regards to the “Tor Browser Bug”, which runs JavaScript codes on various unexpected sites.

Tor (originally Team Onion Router) is a free and open-source software which chiefly works on allowing anonymous communication to users.

Reportedly, the team has been working on a solution and would roll it out as soon as it is done, but there isn’t a particular time to expect it.

One of the most critical features for the security of the Tor Browser Bundle (TBB) happens to be the ability to block the code execution of the JavaScript, mention sources.

TBB is a browser that has a set of superior privacy features majorly for concealing real IP addresses to maintain the anonymity of online users and their devices’ locations.

Owing to these features, the browser has become a go-to for the working people, especially the journalists, citizens of repressive countries and people with political agendas because after all, it is a great instrument to dodge online censorship and firewalls.

People who are against the anonymity of the users and just can’t let things be, have in the past tried several times to expose Tor Browser users’ actual IP addresses via exploits that functioned on JavaScript code.

Sources cite that while few attempts of the better nature have been successfully employed to track down criminals, others were pretty strangely executed.

And then recently, a bug was discovered in the much appreciated TBB’s security mechanism. When the browser was set to allow the use of the most supreme security level and still permitted the execution of the JavaScript code when instead it should have barred it.

It is a relief that the team of Tor is well aware of the bug and is, with dedication working towards developing a patch for it. Per sources, they also mentioned that if a user requires to “Block JavaScript” they could always disable it entirely.

As per reports, the procedure for doing the above-mentioned is to open the “about config” and search for “javascript.enabled”. If here the “Value” column mentions “false” it means that the JavaScript is disabled and if it mentions “true” then right-click to select “Toggle” or double click on the row to disable it.