Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Supply Chain Attack. Show all posts
WordPress
Cyber Attacks gravity forms Plugin Supply Chain Attack WordPress

WordPress Plugin Breach: Hackers Gain Control Through Manual Downloads

 



A serious cyberattack recently targeted Gravity Forms, a widely used plugin for WordPress websites. This incident, believed to be part of a supply chain compromise, resulted in infected versions of the plugin being distributed through manual installation methods.

What is Gravity Forms and Who Uses It?

Gravity Forms is a paid plugin that helps website owners create online forms for tasks like registrations, contact submissions, and payments. According to the developer, it powers around a million websites, including those of well-known global companies and organizations.

What Went Wrong?

Cybersecurity researchers from a security firm reported suspicious activity tied to the plugin’s installation files downloaded from the developer’s website. Upon inspection, they discovered that the file named common.php had been tampered with. Instead of functioning as expected, the file secretly sent a request to an unfamiliar domain, gravityapi.org/sites.

Further investigation showed that the altered plugin version quietly collected sensitive data from the infected websites. This included website URLs, admin login paths, installed plugins, themes, and details about the PHP and WordPress versions in use. All this information was then sent to the attackers’ server.

The attack didn’t stop there. The malicious file also downloaded more harmful code disguised as a legitimate WordPress file, storing it in a folder used by the platform’s core features. This hidden code allowed hackers to run commands on the server without needing to log in, essentially giving them full access to the website.

How Did This Affect Site Owners?

The threat mainly impacted those who manually downloaded Gravity Forms versions 2.9.11.1 and 2.9.12 between July 10 and July 11. Developers confirmed that websites which installed the plugin using automated updates from within WordPress were not affected.

In the infected versions, the malware not only blocked future update attempts but also communicated with a remote server to bring in more malicious code. In some cases, the attack even created a secret admin account giving the hackers complete control over the website.

What Should Website Admins Do Now?

The plugin's developer has released a statement acknowledging the issue and has provided instructions to help website owners detect and remove any signs of infection. Users who downloaded the plugin manually during the affected timeframe are strongly advised to reinstall a clean version and scan their websites thoroughly.

Cybersecurity experts also recommend checking for suspicious files and unknown administrator accounts. The domains used in this attack were registered on July 8, suggesting that this breach was carefully planned.

This incident highlights the growing risk of supply chain attacks in the digital world. It serves as a reminder for website administrators to rely on trusted update channels and monitor their sites regularly for any unusual activity.
Read more »
VPN breach
cyber espionage Data Breach IPany VPN malware infection PlushDaemon hackers SlowStepper malware Supply Chain Attack VPN breach

IPany VPN Compromised in Supply Chain Attack Deploying Custom Malware

 

South Korean VPN provider IPany fell victim to a supply chain attack orchestrated by the China-aligned hacking group "PlushDaemon." The attackers compromised IPany's VPN installer, embedding a custom malware named 'SlowStepper' into the installer file, affecting customers upon installation.

ESET researchers discovered that the attackers infiltrated IPany's development platform and modified the installer file ('IPanyVPNsetup.exe') to include the SlowStepper backdoor. Customers downloading the VPN's ZIP installer ('IPanyVPNsetup.zip') from the company's official website between November 2023 and May 2024 were impacted. Victims include a South Korean semiconductor firm and a software development company, with the first signs of infections reported in Japan.

When executed, the installer deploys the legitimate VPN alongside malicious files like 'svcghost.exe,' which ensures persistence by creating a Registry Run key. The SlowStepper payload is concealed within an image file ('winlogin.gif') and loaded through a malicious DLL ('lregdll.dll') into the 'PerfWatson.exe' process. The executable monitors this process to keep it operational.

ESET reports that the Lite version 0.2.10 of SlowStepper was used in this attack, designed for stealth with a smaller footprint while maintaining powerful spyware capabilities. The malware, developed in Python and Go, supports a range of espionage commands:

  • System Details Collection: Gathers system data like CPU information, HDD serials, public IP, webcam/microphone status, and more.
  • Payload Deployment: Fetches and executes files from a command-and-control server.
  • File Enumeration: Lists files and directories on compromised systems.
  • Spyware Execution: Runs Python-based tools for browser data theft, keylogging, and credential harvesting.
  • Interactive Control: Enables shell-mode for system commands.
  • Trace Removal: Deletes files or directories to erase evidence.
  • Spyware Modules: Loads specific Python modules to steal browser data, chat logs, and capture screens or webcam footage.
ESET explained, "Both the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for extensive collection of data, and spying through recording of audio and videos."

They promptly notified IPany, leading to the removal of the compromised installer from its website. However, previously infected users must clean their systems to eliminate the malware. 

Notably, the download page lacked geo-fencing, leaving users across the globe potentially vulnerable.The complete list of the indicators of compromise (IoCs) associated with this campaign can be found here
Read more »
Wi-Fi router security
ASU security flaw hash collision issue Imagebuilder vulnerability OpenWrt One hardware OpenWrt update right-to-repair device secure firmware upgrade Supply Chain Attack Wi-Fi router security

OpenWrt Urges Users to Update Images to Avoid Potential Supply Chain Attacks

OpenWrt, the open-source Wi-Fi router project, has urged users to upgrade their images to the same version to mitigate a potential supply chain attack. The issue, discovered last week, stems from vulnerabilities in the project’s attended sysupgrade server (ASU). 

Details of the Vulnerability 

Paul Spooren, an OpenWrt developer, alerted users via email about a security flaw in the ASU service. The issue was first reported by Ry0taK, a security researcher from Flatt Security, two days prior. Spooren explained: "Due to the combination of the command injection in the 'openwrt/imagebuilder' image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision."

Key Vulnerabilities
  • Command Injection: A flaw in Imagebuilder caused by improper sanitization of user-supplied package names allows attackers to create malicious firmware signed with legitimate keys.
  • Weak Hash Vulnerability (CWE-328): Tracked as CVE-2024-54143 with a 9.3 CVSS severity rating, the truncation of the SHA-256 hash to 12 characters enables attackers to generate hash collisions.
Spooren warned, "By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to 'poison' the artifact cache and deliver compromised images to unsuspecting users."

Impact and Mitigation 

The vulnerabilities compromise the ASU service, which helps users upgrade firmware while preserving settings and packages. However, sensitive resources like SSH keys and signing certificates remained secure, as ASU instances operate separately from Buildbot. OpenWrt assured users that:
  • Official images and custom images from version 24.10.0-rc2 onward were unaffected.
  • Build logs for older custom images were reviewed, though logs older than seven days were excluded due to cleanup policies.
To address the issue, Spooren recommended: "Although the possibility of compromised images is near 0, it is suggested to the user to make an in-place upgrade to the same version to eliminate any possibility of being affected. If you run a public, self-hosted instance of ASU, please update it immediately."

Alternatively, users can apply two specific commits listed in OpenWrt’s advisory. Coinciding with the announcement, OpenWrt unveiled its first hardware platform, OpenWrt One, developed with the Software Freedom Conservancy (SFC). The device is described as "unbrickable," featuring a switch that separates NOR and NAND flashing. This milestone supports the right-to-repair movement, emphasizing user control and sustainability.
Read more »
WordDrone
DLL malware Microsoft Word Supply Chain Attack Taiwan WordDrone

New Malware 'WordDrone' Targets Taiwan's Drone Industry

 



Reported by: Acronis (TRU) just published a comprehensive investigation that reveals a highly sophisticated malware operation targeting Taiwan's growing drone industry. Dubbed "WordDrone," the malware deploys a version of Microsoft Word from the 1990s to install a persistent backdoor-the kind of threat that puts the security of companies in Taiwan's growing drone industry in real jeopardy. At this stage, one suspects that strategic military and technological positions of Taiwan provide the rationale behind this breach designed to extract critical information. It is during times when investments by the government in drone technology are accelerating.


How WordDrone Operates

A new malware uses the side-loading technique by which it involves a vulnerable version of Microsoft Word 2010. Using a compromised version of Word, attackers loaded three files on the target system: a legitimate copy of the Microsoft Word application, known as winword, a malicious DLL file named wwlib.dll, and an encrypted additional file with a random name.

Then, an unconscious download of the malicious DLL by running the benign Microsoft Word file becomes a delivery method to decrypt and run the real payload of malware. This technique is the exploitation of the weakness within how older versions of Microsoft Word treat DLL files: the malicious DLL can actually masquerade as part of Microsoft Office. Such an approach will make WordDrone virtually impossible for any traditional security tool to detect and block since the files that are infected look legitimate to most detection systems.


Detection Evasion Advanced Tactics

Moreover, many of the malicious DLL files are digitally signed using highly recently expired certificates. This kind of approach, a disguise for legitimacy, many security systems employ to verify software, makes detection much more difficult. This strategy gives WordDrone an advantage bypassing defences based on trusting signed binaries, which makes it rather difficult to detect.

After running it, the threat performs a stage of well-crafted operations. The payload begins with a shellcode stub that unpacks and injects an "install.dll" component creating persistence on the affected system. The install.dll file allows malware to be present even after reboots by various techniques: it can install malware as a background service, schedule it as a recurring task, or inject the next phase of malware execution, and does not need permanent installation.


Persistence and Defense Evasion Techniques

It applies advanced techniques in a way that it stays non-observable and keeps running. Its techniques begin with NTDLL unhooking, which disables the setting of security hooks by monitoring software and re-loads a fresh instance of the NTDLL library so that security tools cannot intervene with that. In addition to that, it keeps the EDR quiet. This scan for active security processes sets up blocking rules within Windows Firewall to dampen the functions of identified security tools, effectively disabling detection capabilities that may raise defences against its presence.


Command-and-Control (C2) Communication for Remote Control

Another advanced feature about WordDrone is the ability to communicate with a C2 server, meaning the attackers can control the malware even after it is installed. The communication schedule is hardcoded within the malware by implementing a bit array that states some active hours in a week. The malware requests from the C2 server additional details or more malicious files during active hours based on such a routine.

WordDrone can function over several communication protocols including TCP, TLS, HTTP, HTTPS, and WebSocket, which all make identification and analysis much more difficult of the malware's network activities. Its use of a custom binary format for its communication makes it even more challenging to intercept or to interpret its network traffic for cybersecurity teams.


Possible Supply Chain Attack and Initial Infection Vector

The entry point of the WordDrone malware is not clear. Initial analysis, however, showed malicious files under a well-known Taiwanese ERP software's folder. That makes it likely that the attackers have also compromised the ERP software as part of a supply chain attack, possibly exposing other organisations that make use of the software in different marketplaces.

The attack by WordDrone on the Taiwanese drone industry is an example of vulnerabilities that sectors of strategic importance have to face. Ongoing vigilance from cybersecurity experts gives caution, as defence and technology-related organisations try to win the technological battle with such persistent threats.


Read more »
WordPress Plugins
Backdoor CyberCrime CyberNAttacks Cybersecurity CyberThreat Supply Chain Attack WordPress Plugins

Hackers Slip Backdoor into WordPress Plugins in Latest Supply-Chain Attack

 


Security researchers announced on Monday that there had been a supply chain attack on up to 36,000 WordPress plugins running on a wide range of websites that had been backdoored by unknown hackers. Currently, researchers from security firm Wordfence report that the campaign has affected five plugins as of Monday morning. It has been active since last week. It has been reported that unknown threat actors have recently added malicious functionality to plugin updates on WordPress.org, which is the official site for the free open-source WordPress CMS. This update creates an attacker-controlled administrative account that can be used to control the compromised site, as well as add content designed to boost search results. 

The updates can be installed automatically when the updates are installed. There has been a significant amount of backdooring in WordPress plugins to allow malicious code to be injected which can lead to the creation of rogue administrator accounts which can be used for arbitrary purposes. As Wordfence security researcher Chloe Chamberland pointed out in an alert on Monday, the malware injects itself into the system, attempting to create an administrator user account and sending back that account's details to the attacker's server. 

Further, it appears that the threat actor may also have injected malicious JavaScript into the footers of websites, which appears to be causing SEO spam to be displayed throughout the website. According to Wordfence security researchers, a company that monitors the security of the biggest website builder platforms in the world, five plugins have been poisoned with a poisonous patching function so far. Whenever users patch these WordPress plugins, they are presented with a piece of code that creates a new admin account, which is then used by the attackers to establish the account login credentials. 

The perpetrators of this threat (whose identity has not been revealed yet) thus gain full and unrestricted access to the website in this way. The plugins that have been made available are called Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, and Contract Form 7 Multi-Step Add-on as well as Just Show Hooks. Combined, these five plugins have been installed 36,000 times. Of these, Social Warfare has the most number of installations at 30,000, far and away the most popular one. As of the time of publication, it was not yet clear how the attackers were able to compromise the patching process for these five plugins, and thus compromise their security.

It was reported that reporters at Ars Technica attempted to get in touch with the plugin developers (some did not even provide contact information on their plugin websites, meaning it was impossible to get in touch with them) but did not receive any response. There has been a sharp rise in the number of supply-chain attacks over the past decade, which has become one of the most effective ways to install malware within a supply chain. The threat actors have been able to achieve significant gains by poisoning the software source code so that by simply running a trusted update or installation file, they can infect large numbers of devices. 

This year, an almost disastrous event occurred when a backdoor was discovered, largely through chance, in the widespread open-source XZ Utils code library a week or so ahead of its general release date, narrowly averting disaster. In addition, there have been many other recent supply-chain attacks that can be found in the media. Researchers are currently working on investigating how and why the malware was uploaded to the plugin channel for downloading on the WordPress site to increase their knowledge about it. Several emailed questions were sent to representatives of WordPress, BLAZE, and Social Warfare, none of whom responded. 

Because there is no contact information on the websites of the developers of the remaining three plugins, it was impossible to connect with the representatives of those developers. As mentioned by the Wordfence researchers, they were first made aware of the attack on Saturday when they received an email from a member of the WordPress plugin review team that mentioned the attack. Based on their analysis of the malicious file, the researchers were able to identify four other plugins that had similar codes that were exposed to the same threat. 

There is generally a perception that WordPress is a secure platform for designing and building websites. However, it is a platform with a vast number of third-party themes and plugins, many of which suffer from poor protection, and/or don't enjoy the same level of maintenance as the platform itself. Consequently, they are considered to be a great entry point for threat actors, due to their unique nature. Moreover, the themes and plugins available for WordPress can be both free-to-use and commercially produced, but the latter are often abandoned or maintained by a single developer or hobbyist. 

There is therefore a strong need for WordPress administrators to use extreme caution when installing third-party additions to their websites. They need to ensure that only the files they intend to use are installed. It is imperative for users to ensure their WordPress plugins are always updated and to remain vigilant for any news regarding vulnerabilities. Individuals who have installed any of the compromised plugins should uninstall them immediately and thoroughly inspect their sites for any newly created admin accounts or unauthorized content. Users who utilize the Wordfence Vulnerability Scanner will be alerted if their site is running any of the affected plugins. 

Furthermore, the Wordfence post advises users to monitor their sites for connections originating from the IP address 94.156.79.8, as well as to check for admin accounts with the usernames "Options" or "PluginAuth."
Read more »
TeamCity
Authentication Bypass Cyber Security JetBrains Server Exploit Supply Chain Attack TeamCity

TeamCity Software Vulnerability Exploited Globally

 


Over the past few days a security breach has transpired, hackers are taking advantage of a significant flaw in TeamCity On-Premises software, allowing them to create unauthorised admin accounts. This flaw, known as CVE-2024-27198, has prompted urgent action from software developer JetBrains, who released an update on March 4 to address the issue.

The gravity of this situation is evident as hackers exploit the vulnerability on an extensive scale, creating hundreds of unauthorised users on instances of TeamCity that have not yet received the essential update. According to LeakIX, a platform specialising in identifying exposed device vulnerabilities, over 1,700 TeamCity servers remain unprotected. Most notably, vulnerable hosts are predominantly found in Germany, the United States, and Russia, with an alarming 1,440 instances already compromised.

On March 5, GreyNoise, a company analysing internet scanning traffic, detected a notable surge in attempts to exploit CVE-2024-27198. The majority of these attempts originated from systems in the United States, particularly those utilising the DigitalOcean hosting infrastructure.

These compromised TeamCity servers are not mere inconveniences; they serve as vital production machines used for building and deploying software. This presents a significant risk of supply-chain attacks, as the compromised servers may contain sensitive information, including crucial credentials for environments where code is deployed, published, or stored.

Rapid7, a prominent cybersecurity company, brought attention to the severity of the situation. The vulnerability, with a critical severity score of 9.8 out of 10, affects all releases up to TeamCity version 2023.11.4. Its nature allows remote, unauthenticated attackers to gain control of a vulnerable server with administrative privileges.

JetBrains responded swiftly to the report by releasing TeamCity version 2023.11.4 on March 4, featuring a fix for CVE-2024-27198. They are urging all TeamCity users to update their instances to the latest version immediately to mitigate the risks associated with this critical vulnerability.

Considering the observed widespread exploitation, administrators of on-premise TeamCity instances are strongly advised to take immediate action in installing the newest release. Failing to do so could leave systems vulnerable to unauthorised access and potential supply-chain attacks, amplifying the urgency of this situation.

The recent discovery of a critical flaw in TeamCity software has far-reaching implications for the global security landscape. Users are urged to act promptly by updating their TeamCity instances to ensure protection against unauthorised access and the looming threat of potential supply-chain attacks. The urgency of this matter cannot be overstated, accentuating the imperative need for immediate action.



Read more »
Vulnerability
ConnectWise ScreenConnect Cyber Security Cybersecurity Mass Exploitation Ransomware remote desktop management Supply Chain Attack Vulnerability

Ransomware Distributed Through Mass Exploitation of ConnectWise ScreenConnect

 

Shortly after reports emerged regarding a significant security flaw in the ConnectWise ScreenConnect remote desktop management service, researchers are sounding the alarm about a potential large-scale supply chain attack.

Kyle Hanslovan, CEO of Huntress, expressed concerns about the exploitation of these vulnerabilities, warning that hackers could potentially infiltrate thousands of servers controlling numerous endpoints. He cautioned that this could lead to what might become the most significant cybersecurity incident of 2024. ScreenConnect's functionality, often used by tech support and others for remote authentication, poses a risk of unauthorized access to critical endpoints.

Compounding the issue is the widespread adoption of ScreenConnect by managed service providers (MSPs) to connect with customer environments. This mirrors previous incidents like the Kaseya attacks in 2021, where MSPs were exploited for broader access to downstream systems.

ConnectWise addressed the vulnerabilities without assigning CVEs initially, but subsequent proof-of-concept exploits emerged swiftly. By Tuesday, ConnectWise acknowledged active cyberattacks exploiting these bugs, and by Wednesday, multiple researchers reported increasing cyber activity.

The vulnerabilities now have designated CVEs, including a severe authentication bypass flaw (CVE-2024-1709) and a path traversal issue (CVE-2024-1708) enabling unauthorized file access.

The Shadowserver Foundation reported thousands of vulnerable instances exposed online, primarily in the US, with significant exploitation observed in the wild.

According to Huntress researchers, initial access brokers (IABs) are leveraging these bugs to gain access to various endpoints, intending to sell this access to ransomware groups. There have been instances of ransomware attacks targeting local governments, including endpoints potentially linked to critical systems like 911 services.

Bitdefender researchers corroborated these findings, noting the use of malicious extensions to deploy downloaders capable of installing additional malware.

The US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities catalog.

Mitigation measures include applying patches released with ScreenConnect version 23.9.8 and monitoring for indicators of compromise (IoCs) as advised by ConnectWise. Additionally, organizations should vigilantly observe their systems for suspicious files and activities.

ConnectWise's actions to revoke licenses for unpatched servers offer some hope, although the severity of the situation remains a concern for anyone running vulnerable versions or failing to patch promptly.
Read more »
Xfinity
comcast Data Breach Supply Chain Attack Telecommunication Xfinity

Comcast-Owned Telcom Business 'Xfinity' Suffers Data Breach


Comcast-owned Xfinity has suffered a major data breach, affecting more than 25 million of its customers. 

This intrusion not only demonstrates a risky and expanding practice among hackers, but it has also greatly increased the vulnerability of millions of US-based individuals. In certain cases, the situation is actually a lot worse than one may believe.

According to editor of Scamicide.com, Attorney Steven Weisman, this data breach is significantly dreadful for customers since threat actors were able to access the last four digits of social security numbers of the affected individuals. The first five numbers could easily be figured out by the hackers, as they are based on the owner’s residential address and the location where the card was issued.

“So if a criminal has the last four digits, the first three they can figure out easily, the second set they can get relatively easily, so it puts a lot of people in danger of identity theft,” explained Weisman.

Due to this particular issue of rather uncomplicated identification of social security numbers, the government had started randomizing the numbers in 2011.

Furthermore, these hackers are rather harmful. They introduced their malware in the software that Xfinity bought, rather than really hacking into Xfinity. According to Weisman, they are known as "supply chain" hacks, and their prevalence is significantly on the rise. 

“They put their malware into the legitimate software. A company like Comcast gets some accounting software that they have no reason to think is anyway tainted and bam – the malware is in there and the personal information is stolen,” said Weisman.

In the recent times, these types of data breach are becoming more common. Customers are being asked by Xfinity to check their credit, change their passwords, and sign up for a multi-step verification process after the company announced the incident on its website. Additionally, people ought to routinely check their credit scores and freeze their credit.

About Xfinity

Xfinity is a US-based telecommunications business segment, owned by Comcast Corporation, used in marketing consumer cable television, internet, telephone, and wireless services provided by the company. Xfinty, before being established in 2010 was operating under the common-label of Comcast, where the aforementioned services were marketed.  

Read more »
Subscribe to: Posts (Atom)