
LayerSlider Plugin Imperils 1 Million WordPress Sites, Urgent Fixes Mandated!

 


The LayerSlider WordPress slider plugin has been installed by more than one million people and offers a full package of features for editing web content, creating digital visual effects, and designing graphic content in a single application. 

Because WordPress is the most popular website builder in the world and powers roughly half of all websites, it is an ideal target for cybercriminals. Since the core platform is widely considered relatively secure, attackers have instead turned their attention to third-party themes and plugins, which are seldom as well secured as the platform itself.

Defiant's Wordfence team stated that unauthenticated attackers can append SQL queries to existing queries and extract information such as password hashes, because the user-supplied parameter is not sufficiently escaped and the existing SQL query is not prepared.

A vulnerability in the premium LayerSlider plugin exposes more than 1 million WordPress sites, and administrators should prioritize applying the plugin's security update. Beyond being a visual web content editor, LayerSlider also offers graphic design tools and digital visual effects that let users create animations and rich content for their websites. Its website notes that millions of people use it globally.

During the week of March 25, 2024, a researcher named AmrAwad reported a critical vulnerability (CVSS score: 9.8) to the WordPress security firm Wordfence through its bug bounty program, and received $5,500 for his responsible reporting.

The flaw, present in versions 7.9.11 through 7.10.0 of the plugin, lets an attacker access sensitive data from the site's database, such as password hashes, which could put the website at risk of a complete takeover or data breach. The SQL injection lies in LayerSlider's “ls_get_popup_markup” function, which queries slider popup markup.

If the “id” parameter of this function is not a number, it is not sanitized before it is passed to “find”. Moreover, although the plugin escapes the $args values with the “esc_sql” function, the “where” key is not covered by that escaping, so attacker-controlled input within “where” reaches the query and can be used to query the victim's database.

By manipulating “id” and “where”, an attacker can craft a request that extracts sensitive data from the database, such as password hashes. Because the structure of the possible queries limits the attack to a time-based blind SQL injection, attackers must observe the database's response times to infer the data. Vulnerable plugins are one of several ways threat actors get into WordPress sites to steal data or compromise a website.

In January, more than 6,700 WordPress sites were infected with Balada Injector malware through a cross-site scripting flaw in the Popup Builder plugin, tracked as CVE-2023-6000. In October, Balada Injector was installed on over 9,000 sites through the TagDiv Composer plugin flaw tracked as CVE-2023-3169.

According to Sucuri, the Balada Injector campaign has compromised more than a million WordPress sites over the past six years. Despite the time-based blind limitation, CVE-2024-2879 still allows malicious actors to access sensitive user information and password hashes from a compromised website's database, and they can do so without any authentication on the website.

A further complication is that the queries are not prepared using WordPress' '$wpdb->prepare()' function, which ensures that user-supplied values are safely escaped before a query is sent to the database and thereby prevents SQL injection. The Kreatura Team, the plugin's creators, quickly acknowledged the flaw and addressed it immediately.
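To make the escaping gap concrete, here is an added Python illustration (not LayerSlider's code; the slider table, its rows and the reconstructed find() logic are assumptions) that contrasts a query builder which escapes every argument except a raw “where” key with a hardened builder that allowlists columns and binds parameters, the same protection $wpdb->prepare() provides in WordPress.

```python
import sqlite3

# Constructed sample rows standing in for a slider table; not real plugin data.
SAMPLE_SLIDERS = [
    (1, "Hero banner", 0),        # not a popup: a popup lookup must never return it
    (2, "Newsletter popup", 1),
    (3, "Promo popup", 1),
]


def make_db():
    """In-memory SQLite stand-in for the site database (real WordPress uses MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ls_sliders (id INTEGER, name TEXT, flag_popup INTEGER)")
    conn.executemany("INSERT INTO ls_sliders VALUES (?, ?, ?)", SAMPLE_SLIDERS)
    return conn


def esc_sql(value):
    """Minimal stand-in for WordPress esc_sql(): escapes a value for use inside a quoted literal."""
    return str(value).replace("\\", "\\\\").replace("'", "''")


def find_vulnerable(conn, args):
    """Hypothetical reconstruction of the defect described above: every argument value is
    escaped with esc_sql(), but the 'where' key is concatenated into the statement verbatim."""
    clauses = []
    for key, value in args.items():
        if key == "where":
            clauses.append(value)  # the gap: caller-controlled SQL reaches the query
        else:
            clauses.append(f"{key} = '{esc_sql(value)}'")
    sql = "SELECT id, name FROM ls_sliders WHERE " + " AND ".join(clauses) + " ORDER BY id"
    return conn.execute(sql).fetchall()


# Hardened form: the only filters accepted are known columns with a fixed type.
ALLOWED_COLUMNS = {"id": int, "flag_popup": int, "name": str}


def find_safe(conn, args):
    """Allowlist the column names, coerce each value to its column type and bind it as a
    parameter, so input is always treated as data. A free-form 'where' key is rejected."""
    clauses, params = [], []
    for key, value in args.items():
        if key not in ALLOWED_COLUMNS:
            raise ValueError(f"unsupported filter: {key!r}")
        clauses.append(f"{key} = ?")
        params.append(ALLOWED_COLUMNS[key](value))  # int("3 OR 1=1") raises ValueError
    if not clauses:
        raise ValueError("at least one filter is required")
    sql = "SELECT id, name FROM ls_sliders WHERE " + " AND ".join(clauses) + " ORDER BY id"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_vulnerable(db, {"flag_popup": 1}))                                   # popups only
    print(find_vulnerable(db, {"flag_popup": 1, "where": "1=1 OR flag_popup = 0"}))  # leaks row 1
    print(find_safe(db, {"flag_popup": 1}))                                          # popups only
```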

A security update was released less than 48 hours after the developers were contacted. The critical vulnerability in LayerSlider is addressed in version 7.10.1, and all users are strongly recommended to upgrade to it. In general, a WordPress site admin should make sure that all plugins are up to date, remove any plugins that are not required, use strong passwords for all accounts, and deactivate any dormant accounts that could be hijacked.

In the WordPress world, thousands of themes and plugins are available, each building on the WordPress experience and improving it for the user. Some are free, while commercial ones tend to have a dedicated team that works on improving them and maintaining their security. Partly for this reason, hackers tend to target free-to-use themes and plugins.

Many of these are still used by millions of people today, but their developers have abandoned them, leaving vulnerabilities that are never (or rarely) addressed. A safe installation practice is for administrators to install only the themes and plugins they intend to use, and to keep them updated to the most recent version.

Evasive Sign1 Malware Hits 39,000 WordPress Sites in Widespread Cyber Assault

 


In the past six months, a major malware campaign known as Sign1 has compromised over 39,000 WordPress sites, using malicious JavaScript injections to direct people to scams. In a report published this week by Sucuri, it is estimated that no less than 2,500 sites have been infected by this latest malware variant over the past two months. 

As part of the attack, rogue JavaScript is injected into legitimate HTML widgets or plugins that allow arbitrary JavaScript and other code to be inserted, which gives attackers a place to plant their malicious code. The campaign came to light shortly after Check Point Software Technologies Ltd. revealed that a separate malware campaign, FakeUpdates, was targeting WordPress websites.

Sign1 has a perilous reputation because of its stealthy tactics. It generates dynamic URLs through time-based randomization, which makes it extremely difficult for security software to detect and block, and its code is obfuscated, which makes detection harder still. Sign1 can also target visitors arriving from certain websites, including popular search engines and social media platforms, which may be the most concerning aspect of the malware.

Sucuri's report estimates that over 39,000 WordPress websites have been infected with Sign1 so far, and indicates that this level of sophistication lets the attackers focus on users who are more likely to fall for scams. Sucuri's client was breached through a brute force attack, so website owners should take immediate measures to protect their websites and visitors.

Although the specific details of how the attackers compromised other sites remain unclear, they are believed to have used brute force attacks and plugin vulnerabilities to get into WordPress sites. Once inside, they usually inject their malicious JavaScript through custom HTML widgets or through the legitimate Simple Custom CSS and JS plugin.

Sign1 bypasses conventional blocking measures by dynamically altering its URLs every 10 minutes using time-based randomization. Because the domains are registered just before they are used in attacks, their fleeting nature keeps them off blocklists.

The attackers, initially hosted by Namecheap, have since moved their operations to HETZNER for web hosting, and Cloudflare provides an additional layer of anonymity by obscuring the IP addresses. The injected code, which features XOR encoding and arbitrary variable names, poses a significant challenge for security tools that attempt to detect it.

Sucuri's findings show that Sign1 has evolved into an increasingly sophisticated and stealthy threat that is more resilient to blocking. Infections have increased dramatically over the past six months, with new versions of the malware released each week, and the campaign has grown steadily more sophisticated and adaptive since it began in January 2024.

As a result, website administrators must immediately take extra precautions and implement robust protective measures to keep their websites secure. The domains are hosted on HETZNER behind Cloudflare, which obscures both the hosting and the IP addresses of the domains.

Moreover, because the injected code uses XOR encoding and random variable names, even once it is detected it remains hard to analyse. The researchers concluded that the campaign started approximately six months ago and has been actively developed since then.

The campaign is still ongoing, with spikes in infections whenever the developers release new versions. The latest wave, which began in early January 2024, has hit about 2,500 websites so far.

To keep a website secure, the researchers recommend that website owners use strong username and password combinations so that the site cannot be breached by brute-force attacks. They also recommend uninstalling every unused or unnecessary plugin and theme, since these can give attackers a way in.

WordPress: Stripe Payment Plugin Flaw Exposes Customers' Order Details


A critical vulnerability has recently been discovered in the WooCommerce Stripe Gateway plugin for WordPress that exposes sensitive customer order information to unauthorized users. The plugin provides payment processing for over 900,000 active installations on WordPress e-commerce sites, and it was susceptible to CVE-2023-34000, an unauthenticated insecure direct object reference (IDOR) bug.

WooCommerce Stripe Payment

WooCommerce Stripe Payment Gateway is a payment gateway for WordPress e-commerce sites, with 900,000 active installs. Through Stripe's payment processing API, it enables websites to accept payment methods like Visa, MasterCard, American Express, Apple Pay, and Google Pay.

About the Vulnerability

Origin of the Flaw

The vulnerability originated from unsafe handling of order objects and improper access control in the plugin's ‘javascript_params’ and ‘payment_fields’ functions.

Due to these coding errors, it is possible to display order data for any WooCommerce store without first confirming the request's permissions or the order's ownership (user matching).

Consequences of the Flaw

The payment gateway vulnerability could give unauthorized users access to checkout page data that includes PII (personally identifiable information): email addresses, shipping addresses, and the user's full name.

Since the data listed above is classified as ‘critical,’ it could lead to further cyberattacks in which the threat actor attempts account hijacks and credential theft through phishing emails that specifically target the victim.

How to Patch the Vulnerability?

Users of the WooCommerce Stripe Gateway plugin should update to version 7.4.1 to reduce the risks associated with this vulnerability. Researchers notified the plugin vendor of the vulnerability, CVE-2023-34000, on April 17, 2023. On May 30, 2023, a patch that addressed the problem and improved security was made available.

Despite the patch's availability, WordPress.org statistics point to continued risk: more than half of the active installations are still running unsafe plugin versions. This greatly increases the attack surface and attracts cybercriminals looking to take advantage of the security flaw.

Site owners should therefore act swiftly: update to version 7.4.1, keep all plugins constantly updated, and watch for any indications of malicious activity. By making security a first priority, website administrators can preserve sensitive user data and defend their online businesses from potential cyber threats.

WordPress Security: 1 Million WordPress Sites Hacked via Zero-Day Plug-in Bugs


A campaign that exploits several WordPress plug-in and theme vulnerabilities, including a sizable number of zero-days, to inject malicious code into websites has infected at least 1 million WordPress-powered websites.

According to a study conducted by Sucuri, the campaign, which it named "Balada Injector," is prolific and Methuselah-like in its endurance, infecting victim sites with malware at least since 2017. After being injected into the page, the malicious code leads users to a variety of scam websites, such as those offering fake tech support, bogus lottery wins, and push notifications requesting Captcha solutions. 

However, behind the scenes, injected scripts look for numerous files, including access logs, error logs, debug information files, database management tools, administrator credentials, and more, that might include any sensitive or potentially helpful information. In addition, backdoors are loaded into the websites for enduring access and, occasionally, site takeover. 

While the 1 million statistic represents the total number of sites that have been infected over the past five years, researchers only recently linked all the activities into a single operation. The campaign is still going strong and does not appear to be slowing down. 

A Focus on WordPress Plug-in & Theme Vulnerabilities 

Sucuri researchers were able to link all of the observed activity to the Balada Injector campaign since it has a few easily distinguishable attributes. These include using a rotating roster of domain names where malicious scripts are placed on haphazard subdomains, uploading and leaving numerous backdoors all across the hacked environment, and spammy redirects. 

Moreover, the developers of Balada Injector also exploit security flaws in WordPress plug-ins and themes, which is likely most noteworthy. These modular WordPress add-ons enable site administrators to integrate a variety of features, such as polling support, message board assistance, or click-to-call integration for e-commerce businesses. 

"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible[…]This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes disclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures," Sucuri analysis explains. 

Sucuri has been tracking new waves of activity happening every couple of weeks, with lulls in between that are "probably utilised for gathering and testing newly reported and zero-day vulnerabilities." 

Moreover, older vulnerabilities are also included in the mix, with some still in use by the campaign for months or years after being patched. 

Targeting the WordPress Ecosystem 

Because the WordPress ecosystem is extremely buggy, it has become a popular target for cybercriminals of all stripes.

"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today[…]The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs," says Casey Ellis, founder, and CTO at the Bugcrowd bug bounty platform. 

Protecting Against WordPress Plug-in Insecurity 

To safeguard against Balada Injector and other WordPress threats, companies must first ensure that all of their website software is updated, delete unused plug-ins and themes, and deploy a Web application firewall.

According to Mike Parkin, senior technical engineer at Vulcan Cyber, the ease with which plug-ins can be added to WordPress from authorized download stores (much like the ecosystem for mobile apps) adds to the security issue. As a result, education for the Web team regarding the risks of installing unapproved modules is also necessary. 

"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says. 

Even large organizations are not immune to WordPress security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team[…]Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work," he adds.

WordPress: New Linux Malware Exploits Over Two Dozen CMS Vulnerabilities


WordPress websites have recently been attacked by a previously unidentified Linux malware strain that compromises vulnerable systems by exploiting vulnerabilities in more than twenty plugins and themes.

In the attacks, a list of 19 different plugins and themes with known security flaws is weaponized to deploy an implant that can target a specific website in order to extend the network's reach.

"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts […] As a result, when users click on any area of an attacked page, they are redirected to other sites," says Russian security vendor Doctor Web, in a report published last week. 

Additionally, Doctor Web says it has identified a new version of the backdoor that apparently uses a new command-and-control (C2) domain, along with an updated list of vulnerabilities covering 11 additional plugins, bringing the total to 30.

While it is still unclear whether this is a remnant from the earlier version or functionality that is yet to be enabled, both variants include an unimplemented method for brute-forcing WordPress administrator accounts.

"If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities," the company said. 

WordPress users are advised to keep all components of the platform updated, along with third-party add-ons and themes, and to use strong, unique logins and passwords to protect their accounts.

Data Breach Targets Fast Company News

Fast Company's Apple News website currently displays a statement from the company confirming that it was hacked on Sunday afternoon, followed by another intrusion on Tuesday night that let threat actors send bigoted notifications to smartphones via Apple News.

In a press release issued last night, the company stated that "the statements are repulsive and are not by the contents and culture of Fast Company. We have suspended FastCompany.com while we look into the matter and will not reopen it until it is resolved."

As soon as individuals on Twitter noticed the offensive Apple News notifications, the company disabled the Fast Company channel on the news network.

Data breach tactics

The first indication that Fast Company had been compromised came on Sunday afternoon, when the website started loading articles headlined "Hacked by Vinny Troia. [redacted] tongue my [redacted]. Thrax was here."

In their ongoing dispute with security analyst Vinny Troia, members of the Breached hacking forum and the now-defunct RaidForums regularly deface websites and carry out attacks that they attribute to the researcher. Fast Company took the website offline for a while to address the defacement, but on Tuesday at around 8 PM EST, another attack occurred.

The hackers claim that after discovering that Fast Company was using WordPress for its website, they were able to compromise the company. The HTTP basic authentication that was supposed to protect the WordPress installation was disregarded. The threat actor goes on to claim that they were able to enter the WordPress content management system by using a relatively simple default password shared by dozens of user accounts.

Fast Company, according to the post, had a 'ridiculously easy' default password that was used on numerous accounts, including an admin account. The compromised account would have then been utilized by the threat actors to gain access to, among other things, authentication tokens and Apple News API credentials.

They assert that by using these tokens, they were able to set up administrator accounts on the CMS platforms, which were then used to send notifications to Apple News.

Through this same forum, which was at the center of the earlier Optus breach, threat actors gained access to an unspecified number of customer names, birthdates, contact numbers, email and physical addresses, and personal documents, including license and passport numbers. The hacker in question claims to have made 10,200 records available so far. It is uncertain whether or when Apple News will reactivate the Fast Company channel.



New Zero-day Flaw in BackupBuddy Plugin Leaves WordPress Users at Risk

 

Wordfence, a WordPress security company, has disclosed that a zero-day vulnerability in the BackupBuddy plugin is being actively exploited. 

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it stated.

Users can back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, users, and media files, among other things. The flaw (CVE-2022-31474, CVSS score: 7.5) affects versions 8.5.8.0 to 8.7.4.1 of the plugin, which has an estimated 140,000 active installations. It was fixed in version 8.7.5, which was released on September 2, 2022. 

The problem stems from the "Local Directory Copy" function, which is intended to keep a local copy of the backups. The vulnerability, according to Wordfence, is the consequence of an insecure implementation that allows an unauthenticated threat actor to download any arbitrary file on the server. Additional information about the vulnerability has been withheld due to active in-the-wild abuse and the ease with which it can be exploited.

The plugin's developer, iThemes, said, "This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence reported that the targeting of CVE-2022-31474 began on August 26, 2022, and that it has blocked nearly five million attacks since then. The majority of the intrusions attempted to read the files listed below -
  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash
Users of the BackupBuddy plugin are encouraged to update to the most recent version. If they determine that they may have been compromised, it is recommended to reset the database password, change the WordPress salts, and rotate any API keys stored in wp-config.php.

5 Million Attacks Targeting 0-Day in BackupBuddy Plugin Blocked: Wordfence Report


Vulnerability exploited in the wild 

Late in the evening on September 6, the Wordfence Threat Intelligence team discovered a vulnerability being actively exploited in BackupBuddy, a WordPress plugin that has around 140,000 active installations.

The vulnerability allows unauthorised users to download arbitrary files from the affected site, which may contain sensitive data. It impacts versions 8.5.8.0 to 8.7.4.1 and was fully fixed on September 2, 2022, in version 8.7.5.

Because the vulnerability is actively exploited, experts recommend that users make sure their site is updated to the latest fixed version, 8.7.5, which iThemes has made available to all site owners running a vulnerable version regardless of licence status.

About the vulnerability

The BackupBuddy plugin for WordPress is designed to make backup management easy for WordPress site owners. One of its features is storing backup files in various locations, such as AWS, Google Drive, and OneDrive.

There is also an option to store backup downloads locally through the "Local Directory Copy" option. Sadly, the process to download these locally stored files was not executed safely, which can allow unauthorised users to download any file that is stored on the server.

How is the vulnerability exploited?

Notably, the plugin registers an admin_init hook for the function that downloads local backup files, and that function lacks any nonce validation or capability checks.

This means the function can be triggered from any administrative page, including those that can be called without any verification, so unauthorised users can invoke it.

The backup path is not validated either, so an arbitrary file can be supplied and downloaded.

Because the vulnerability is being exploited in the wild and is easy to exploit, Wordfence has shared some details about it.

How to stay safe?

Wordfence suggests looking for the 'local-download' or 'local-destination-id' parameter when checking requests in your access logs. "Presence of these parameters along with a full path to a file or the presence of ../../ to a file indicates the site may have been targeted for exploitation by this vulnerability," it says.

If such requests are present and the site has been breached, BackupBuddy may have been the entry point.
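The access-log check Wordfence describes, as an added Python example that is not part of Wordfence's report or the plugin: it parses Apache-style request lines, looks for the two parameters, and flags values that are an absolute path or contain a traversal sequence, decoding percent-encoding repeatedly so doubly encoded traversals are not missed. The log lines, IP addresses and the admin.php page slug are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two request parameters Wordfence says to look for.
SUSPECT_PARAMS = ("local-download", "local-destination-id")
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (Apache combined format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Sep/2022:21:14:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?local-download=/etc/passwd HTTP/1.1" 200 1320 "-" "curl/7.79"',
    '203.0.113.5 - - [06/Sep/2022:21:14:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?local-destination-id=1&local-download=../../../wp-config.php HTTP/1.1" 200 2910 "-" "curl/7.79"',
    # doubly percent-encoded traversal (%252e = %2e = '.')
    '203.0.113.5 - - [06/Sep/2022:21:14:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?local-download=%252e%252e%252f%252e%252e%252f.my.cnf HTTP/1.1" 200 180 "-" "curl/7.79"',
    # benign: an admin downloading a plugin-managed backup by name (page slug is constructed)
    '198.51.100.7 - - [06/Sep/2022:21:20:41 +0000] "GET /wp-admin/admin.php'
    '?page=backupbuddy&local-download=backup-20220906.zip HTTP/1.1" 200 5120000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Sep/2022:21:22:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so %252e%252e%252f still ends up as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_path(value):
    """Absolute paths and traversal sequences are what the advisory tells us to look for."""
    v = decode_fully(value)
    return v.startswith("/") or "../" in v or "..\\" in v


def inspect_line(line):
    """Return (param, decoded_value) if the request carries a suspect parameter whose
    value is an absolute path or contains a traversal sequence, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    query = urlsplit(match.group("target")).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in SUSPECT_PARAMS:
            for value in values:
                if is_suspicious_path(value):
                    return name, decode_fully(value)
    return None


def scan_log(lines):
    """Return [(line_number, (param, value)), ...] for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = inspect_line(line)
        if hit:
            hits.append((number, hit))
    return hits


if __name__ == "__main__":
    for number, (param, value) in scan_log(SAMPLE_LOG):
        print(f"line {number}: {param}={value}")
```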

In its report, Wordfence concludes:

"we detailed a zero-day vulnerability being actively exploited in the BackupBuddy plugin that makes it possible for unauthenticated attackers to steal sensitive files from an affected site and use the information obtained in those files to further infect a victim. This vulnerability was patched yesterday and we strongly recommend updating to the latest version of the plugin, currently version 8.7.5."





Bogus DDoS Protection Alerts Distribute RATs

Researchers from Sucuri cautioned that malware distributors are luring users into downloading and running malware on their computers by taking advantage of their expertise and innate trust in DDoS protection pages.

DDoS protection alerts are web pages that a user's browser displays while checks are made to ensure that the visitor is actually a human and not a bot or a participant in a DDoS assault.

Tactics of the scam 

These pages may seem an inconvenience, but their purpose is to serve as a preliminary check before the user reaches the intended web page, and they are important for ensuring that malicious traffic is blocked before it reaches its objective.

The attacks start with a malicious JavaScript injection intended to target WordPress sites, which causes a bogus Cloudflare DDoS protection pop-up, according to Sucuri's experts.

When the user clicks on the bogus popup, an ISO file containing a remote access trojan (RAT) is downloaded onto their machine. In addition, the victim is told to open the file to get a verification code needed to access the target website.

The NetSupport RAT, RaccoonStealer information stealer, and two more payloads were seen being dropped by the ISO file.

The RAT is frequently used to screen victims before the distribution of ransomware and has been related to FakeUpdates/SocGholish. According to Malwarebytes researcher Jerome Segura, the ISO file contains a shortcut that pretends to be executable and executes PowerShell from another text file.

NetSupport RAT, which was at first a genuine program called NetSupport Manager, gives hackers remote access to the victim's computer, allowing them to install more malware, steal sensitive data, or even entangle the system in a botnet.

As website owners struggle to distinguish genuine visitors from voluminous bot traffic, such protection pages have grown in popularity in recent years.

"Remote access trojans (RATs) are among the most harmful infections a computer can contract as they offer the attackers total control of the system. The victim is now entirely at their mercy. Both site owners and visitors can take all necessary safety procedures", as per Sucuri.

Users are advised to avoid downloading and opening odd files, update their operating system and applications frequently and consider installing a script-blocking browser extension.




Alert WordPress Admins! Uninstall the Modern WPBakery Plugin Immediately

 

WordPress administrators have been cautioned to uninstall a problematic plugin or risk a total site takeover. The threat concerns a plugin that is no longer maintained: Modern WPBakery page builder extensions. CVE-2021-24284 is a vulnerability in the plugin that allows "unauthenticated arbitrary file upload through the 'uploadFontIcon' AJAX action."

As a result, attackers might upload malicious PHP scripts to the WordPress site, resulting in remote code execution and site takeover. There has been a significant surge in attacks due to this defunct WordPress relic. 

Researchers detected "many vulnerable endpoints" in Modern WPBakery in 2021, which could lead to the injection of malicious JavaScript or even the deletion of arbitrary data. This time, the goal is to upload rogue PHP files and then inject malicious JavaScript into the site.

Malicious actors have probed approximately 1.6 million sites for the presence of the plugin, and current estimates suggest that 4,000 to 8,000 websites still host it. Check and delete it immediately.

The current recommendation is to search for the plugin and uninstall it as quickly as possible. It has been entirely abandoned, and no security updates will be issued. If it is installed, it is only a matter of time until attackers find the site and begin collecting information. Remove this out-of-date invitation to site-wide compromise as soon as possible.

Defective WordPress Plugin Permits Full Invasion

 

According to security researchers, a campaign scanning almost 1.6 million websites is attempting to exploit an arbitrary file upload vulnerability in a previously disclosed vulnerable WordPress plugin.

Identified as CVE-2021-24284, the vulnerability affects Kaswara Modern WPBakery Page Builder Addons. When exploited, it allows an unauthenticated attacker to upload and delete files on sites running any version of the plugin, or to gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider says it has blocked an average of 443,868 attack attempts per day against customer websites.

Malicious code injection  

The attacker attempts to upload a ZIP payload containing a PHP file through the plugin's 'uploadFontIcon' AJAX action by sending a POST request to 'wp-admin/admin-ajax.php'.

Afterward, this file pulls the NDSW trojan, which inserts code into the target site's legitimate JavaScript files to reroute users to dangerous websites, including phishing and malware-dropping sites. The site has likely been infected if any of its JavaScript files contain the string "; if(ndsw==".

All versions of the plugin are vulnerable because the bug was never patched by its creators, and the plugin is currently closed. The researchers stated that although 1,599,852 different sites were hit, most of them were not hosting the plugin, and they believe that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not using the plugin. Visit Wordfence's blog for additional information on the indicators and the most common sources of requests.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.
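Two checks follow from the indicators given in the two posts above: requests that hit the 'uploadFontIcon' action of admin-ajax.php, and JavaScript files carrying the "; if(ndsw==" string. The script below is an added example written for this page, not Wordfence's tooling. The access log format, the sample log lines and the sample site tree are all constructed; the action parameter is often sent in the POST body, which ordinary access logs do not record, so the log check only catches the query-string form and a WAF or request log that captures bodies is needed for the rest.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Injection marker quoted in the post.
NDSW_MARKER = "; if(ndsw=="

# Request part of a combined-format access log line (constructed for this example;
# adjust the pattern to the log format actually in use).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two uploadFontIcon POSTs from one address, plus noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jul/2022:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jul/2022:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88',
    '203.0.113.5 - - [04/Jul/2022:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 500 0',
    '192.0.2.9 - - [04/Jul/2022:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 3021',
]


def is_uploadfonticon_request(line):
    """Return (ip, status) for a POST to admin-ajax.php with action=uploadFontIcon, else None."""
    m = REQUEST_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    if "uploadFontIcon" not in parse_qs(parts.query).get("action", []):
        return None
    return m.group("ip"), int(m.group("status"))


def suspicious_sources(lines):
    """Count uploadFontIcon POSTs per source IP. On a site that never had the
    plugin, any non-zero count is an attempt worth blocking at the edge."""
    counts = {}
    for line in lines:
        hit = is_uploadfonticon_request(line)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts


def find_ndsw_injections(root):
    """Walk the document root and return the .js files that contain the NDSW marker."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    if NDSW_MARKER in fh.read():
                        hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
            except OSError:
                continue  # unreadable file: report separately in a real run
    return sorted(hits)


def demo_scan():
    """Build a constructed site tree with one injected script and scan it."""
    with tempfile.TemporaryDirectory() as root:
        js_dir = os.path.join(root, "wp-includes", "js")
        os.makedirs(js_dir)
        with open(os.path.join(js_dir, "jquery.js"), "w") as fh:
            fh.write("/* clean */ var a = 1;\n")
        with open(os.path.join(js_dir, "wp-embed.min.js"), "w") as fh:
            # constructed injection tail appended after legitimate code
            fh.write("var x = 1;" + NDSW_MARKER + "undefined){var ndsw=true;}\n")
        return find_ndsw_injections(root)


if __name__ == "__main__":
    print("uploadFontIcon POSTs by source:", suspicious_sources(SAMPLE_LOG))
    print("scripts carrying the NDSW marker:", demo_scan())
```

Run the file scan against the real document root instead of the temporary tree; any hit means the site needs a full clean-up rather than just the plugin removed, since the injected scripts persist independently of the plugin.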

 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

 

Parrot is a novel traffic direction system (TDS) that runs on a few servers hosting over 16,500 sites belonging to government agencies, universities, adult platforms, and personal blogs. The service has apparently also been used in various cyber-attacks that divert victims to phishing sites or to sites that install malware on their systems. Reportedly, the redirection depends on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors running malicious campaigns to filter incoming traffic and route it to a final destination that serves harmful material. Advertisers and marketers use TDS legitimately, and most TDS services are used routinely by marketing professionals, which is why credible reports exist of how similar campaigns were executed in the recent past. 

Avast threat analysts identified Parrot TDS while investigating a campaign called FakeUpdate, which distributes remote access trojans (RATs) through phony browser update alerts. The campaign appears to have begun in February 2022; however, there are traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

The operators accomplish this by redirecting the victim to crafted URLs, backed by extensive profiling of the visitor and carefully built tooling. While the TDS may be primarily focused on the RAT campaign, security experts believe some of the impacted servers also host various phishing sites.  

Those landing sites look just like a genuine Microsoft login page, prompting visitors to input their login credentials. For web users, the best strategy against malicious redirections is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps: 

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  •  Use some of the security plugins available for WordPress and Joomla.

Cyber Attacks Target Websites Using WordPress

Thirty Ukrainian universities were hacked in a targeted cyberattack supporting Russia's attack on Ukraine. In its latest report, Wordfence says the attack, carried out by a hacking group known as Monday Group, had massive repercussions for Ukrainian education organizations. The threat actor has openly supported Russia's invasion of Ukraine. Members of the group, who identify themselves as 'the Mxonday', have attacked WordPress-hosted websites over the two weeks since the start of the Russian invasion of Ukraine. 


As per the Wordfence blog, the firm protects more than 8,000 Ukrainian websites, around 300 of which belong to educational institutions. Wordfence also protects government, police, and military websites. The security firm recorded a rise to 144,000 cyber attacks on February 25, the second day of the kinetic attack, three times the number of attacks seen at the start of the month across the Ukrainian websites that Wordfence protects. According to founder and CEO Mark Maunder, a threat actor was continuously attacking Ukrainian websites immediately after the invasion began. 

An inquiry into the issue found four IP addresses associated with the campaign, all routed through a VPN service in Sweden. The hacking group also has ties to Brazil, from where Wordfence believes it operates, but the identity of the threat actors behind the cyber attack is not yet known. The report follows new research from ESET describing various malware families used in targeted cyber attacks against organizations in Ukraine. An ESET blog reported a destructive campaign that used HermeticWiper against several organizations. 

The cyberattacks comprised three elements: HermeticWiper, which corrupts a system and renders it inoperable; HermeticWizard, which spreads HermeticWiper across the local network via WMI and SMB; and lastly HermeticRansom. According to the blog, the cyberattack preceded the start of the Russian invasion of Ukraine by a few hours, and the malware used suggests that the campaign was planned months in advance. HermeticWiper has been found on hundreds of systems in at least five Ukrainian organizations, says ESET, which also noted that no tangible connection to a known threat actor has been found yet.

FBI Issued a Warning to U.S Firms Concerning Iranian Hackers

 

The FBI has issued a warning that Iranian hackers who posed as the far-right organization Proud Boys during the 2020 presidential election have now broadened their operations, launching cyberattacks against a variety of industry sectors and spreading propaganda hostile to Saudi Arabia. 

"Over time, as Iranian operators have evolved both the strategic priorities and tradecraft, the hackers have matured into more proficient malicious attackers being capable of performing a whole spectrum of operations," read a Microsoft report.

Ransomware works by encrypting a device's data and making it inaccessible until the hacker receives a ransom payment. 

In a recent alert, the FBI stated that, in addition to its election-related operation, the Emennet threat actor has been engaged in "conventional cyber exploitation activity," targeting industries such as news, transportation, tourism, oil and petrochemicals, telecoms, and financial services. It has been using VPNs to launch attacks against websites running certain software, such as WordPress, that cybercriminals can exploit, in the United States, Europe, the Middle East and other countries. 

The hackers employed multiple open-source and commercial tools in their activities, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan, and took steps to mask their location. During the discovery phase, the threat actor picked possible victims by browsing the web for prominent corporations across various sectors. For initial access, the hackers would look for flaws in the software running on the target. 

"In certain cases, the goal may have been to target a large assortment of networks/websites inside a specific sector rather than a specific target company. Emennet would also attempt to discover hosting/shared hosting services in other scenarios," according to the FBI. 

Users must keep personal anti-virus and anti-malware products up to date, patch obsolete software, and make use of reliable web hosting companies, according to the authorities. In any case, Iran's state-sponsored hacker organizations aren't the only ones who have exploited the BIG-IP flaw.

20K WordPress Sites Exposed by Insecure Plugin REST-API

 

The WordPress WP HTML Mail plugin is affected by a high-severity issue that can lead to code injection and the distribution of persuasive phishing emails. It is used by over 20,000 sites. 

'WP HTML Mail' is a plugin that allows creating customized emails, contact form notifications, and other messages that online platforms deliver to their users. 

WooCommerce, Ninja Forms, BuddyPress, and other plugins are all functional with the plugin. While the volume of sites that utilise it isn't big, many of them have a large audience, causing the vulnerability to impact a large number of people. 

According to research by Wordfence's Threat Intelligence team, an unauthenticated actor could use the vulnerability, tracked as CVE-2022-0218, to change the email template to include arbitrary content. 

Cybercriminals can also utilise the same flaw to send phishing emails to anyone who has registered on the hacked sites. The problem is with how the plugin registers two REST-API routes for retrieving and updating email template settings. 

Unauthorized users can call and execute the functions since these API endpoints aren't appropriately protected from unauthorised access. 

In its report, Wordfence explains in detail: “The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.” 

Aside from phishing assaults, an adversary might inject harmful JavaScript into the email template, which would run whenever the site administrator accessed the HTML mail editor. This might lead to the creation of new admin accounts, the redirection of site visitors to phishing sites, the injection of backdoors into theme files, and even the entire takeover of the site. 

On December 23, 2021, Wordfence detected and reported the vulnerability to the plugin's creator, but they didn't hear back until January 10, 2022. With the release of version 3.1 on January 13, 2022, a security fix addressed the vulnerability. 

As a result, all WordPress site owners and administrators should make sure they have the newest version of the 'WP HTML Mail' plugin installed.

All In One SEO Plugin Affects Millions of WordPress Websites

 

All in One SEO, a popular WordPress SEO-optimization plugin, contains a combination of security flaws that, when coupled into an exploit chain, might expose website owners to website takeover. 

As per Sucuri researchers, an attacker with an account on the site, such as a subscriber, shopping account holder, or member, can exploit the weaknesses, which are a privilege-escalation bug and a SQL-injection problem. 

“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as a subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.” 

Furthermore, the pair is ideal for straightforward exploitation, so users must upgrade to the patched version, v. 4.1.5.3. The issues in the plugin, which is used by more than 3 million websites, were discovered by Marc Montpas, an Automattic security researcher. 

The more serious of the two issues is the privilege-escalation problem, which affects All in One SEO versions 4.0.0 through 4.1.5.2. It has a critical rating of 9.9 out of 10 on the CVSS vulnerability-severity scale, owing to its simplicity of exploitation and the possibility of installing a backdoor on the webserver. 

Sucuri researchers indicated that the vulnerability "can be exploited by simply changing a single character of a request to upper-case." 

Fundamentally, the plugin exposes a number of REST API endpoints and performs a permissions check to ensure that no one does anything they are not authorized to do. According to the post, the plugin's check on REST API routes is case-sensitive, so an attacker only needs to change the case of one character to circumvent the authentication checks. 
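The failure described above is a general one: a permission layer and a dispatch layer that disagree on how a path is normalised. The model below is an added example written for this page, not All in One SEO's code. It assumes a router that matches paths case-insensitively (as a regex with the i flag would) and a separate gate with its own list of protected routes; /aioseo/v1/objects comes from the post, the second route name is hypothetical.

```python
import re

# Constructed model of the two layers the Sucuri write-up describes.
# /aioseo/v1/objects is named in the post; the second route is hypothetical.
PROTECTED_ROUTES = {
    "/aioseo/v1/objects",
    "/aioseo/v1/example-admin",
}


def dispatcher_matches(route, request_path):
    """Model assumption: the router matches case-insensitively, so
    '/aioseo/v1/Objects' still reaches the handler for '/aioseo/v1/objects'."""
    return re.fullmatch(re.escape(route), request_path, re.IGNORECASE) is not None


def needs_admin_vulnerable(request_path):
    """Case-sensitive membership test: one upper-case letter and the path is
    no longer 'protected', although the dispatcher will still serve it."""
    return request_path in PROTECTED_ROUTES


def needs_admin_fixed(request_path):
    """Normalise the path the same way the dispatcher effectively does before
    consulting the list, so both layers agree on what is protected."""
    return request_path.lower() in PROTECTED_ROUTES


def handle(request_path, user_is_admin, needs_admin):
    """Return 'served', 'forbidden' or 'no route' for a request under the given gate."""
    for route in PROTECTED_ROUTES:
        if dispatcher_matches(route, request_path):
            if needs_admin(request_path) and not user_is_admin:
                return "forbidden"
            return "served"
    return "no route"


# The sturdier design: the permission decision is attached to the route entry
# itself, so there is a single matching step and nothing to desynchronise.
ROUTE_TABLE = {route: {"admin_only": True} for route in PROTECTED_ROUTES}


def handle_per_route(request_path, user_is_admin):
    for route, spec in ROUTE_TABLE.items():
        if dispatcher_matches(route, request_path):
            if spec["admin_only"] and not user_is_admin:
                return "forbidden"
            return "served"
    return "no route"


if __name__ == "__main__":
    for gate in (needs_admin_vulnerable, needs_admin_fixed):
        print(gate.__name__, "->", handle("/aioseo/v1/Objects", False, gate))
    print("per-route ->", handle_per_route("/aioseo/v1/Objects", False))
```

The per-route variant is the shape to aim for: when each endpoint carries its own authorisation check, a request that reaches the handler has by construction passed the check for that exact handler, and no second list of route strings can drift out of sync with the router.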

“When exploited, this vulnerability can overwrite certain files within the WordPress file structure, effectively giving backdoor access to any attacker,” Sucuri researchers said. “This would allow a takeover of the website, and could elevate the privileges of subscriber accounts into admins.” 

The second bug has a CVSS severity of 7.7 and affects All in One SEO versions 4.1.3.1 through 4.1.5.2. The problem lies in an API endpoint called "/wp-json/aioseo/v1/objects." As per Sucuri, if attackers abused the prior vulnerability to gain admin capabilities, they would gain access to the endpoint and be able to send malicious SQL instructions to the back-end database to collect user passwords, admin information, and other sensitive data. 

In order to safeguard themselves, All in One SEO customers should update to the patched version, researchers advised.

1.6 Million Vulnerable Websites hit by Cyber Attack

 

Wordfence researchers indicate that in the last few days, they have spotted a significant series of attacks emerging from 16,000 IP addresses and targeting over 1.6 million WordPress websites. 

Four WordPress plugins and fifteen Epsilon Framework themes are being targeted by the attackers, one of which has no patch available. Some of the vulnerable plugins were fixed as recently as this week, while others were last updated in 2018. 

The affected plugins are: 
  • PublishPress Capabilities 
  • Kiwi Social Plugin 
  • Pinterest Automatic 
  • WordPress Automatic 
The targeted Epsilon Framework themes are: 
  • Shapely 
  • NewsMag 
  • Activello 
  • Illdy 
  • Allegiant 
  • Newspaper X 
  • Pixova Lite 
  • Brilliance 
  • MedZone Lite 
  • Regina Lite 
  • Transcend 
  • Affluent 
  • Bonkers 
  • Antreas 
  • NatureMag Lite – No patch available 

"In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to administrator," Wordfence explains. "This makes it possible for attackers to register on any site as an administrator effectively taking over the site." 

To see if one's site has already been infiltrated, one should go through all user accounts and search for any unauthorized modifications that need to be removed right away. 

Next, go to "http://examplesite[.]com/wp-admin/options-general.php" and review the Membership setting as well as the new user default role. Even if your plugins and themes aren't on the list, it's a good idea to upgrade them as soon as possible. Anyone using NatureMag Lite, which has no fix, should uninstall it right away. 

It is critical to note that upgrading the plugins will not remove the threat if the site has already been hacked. In that scenario, it is recommended to first follow the steps in a detailed clean-up guide. In general, keep the number of plugins on a WordPress site to a bare minimum, as this significantly reduces the possibility of being attacked and hacked in the first place.

PHP Re-Infectors: The Malware that Never Goes Away

 

Threat actors typically infect sites for monetary gain, to improve their SEO rankings for malware or spam campaigns, and for a variety of other objectives. If the malware is readily and swiftly removed, the attack's objective is defeated. Researchers discovered a modified index.php in the majority of cases of this form of infection. According to the researchers, it makes little difference if your site is not using WordPress; attackers will normally replace the index.php with an infected copy of the WordPress index.php file. 

The index.php file serves as the entry point for a website or application. In WordPress it is a template file containing PHP code that runs on every request, and because even a simple HTML site has one, the attackers replace it with an infected copy regardless of the platform in use. 

It has also been observed that hundreds, if not thousands, of infected .htaccess files are dispersed throughout the website directories. These are intended to block custom PHP files or tools from executing on the site, or to enable dangerous files to run if some mitigation is already in place. In rare cases, the attackers leave a copy of the original index.php file named old-index.php or 1index.php on the server. In most situations, the infected files have 444 permissions, and attempting to remove or clean those files directly is futile because the malware immediately creates a new infected duplicate. 
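The three filesystem signs named above (read-only PHP files, a spray of .htaccess files, and leftover copies of index.php) can be enumerated in one pass before any clean-up is attempted. This is an added example for this page, not the researchers' tooling; the site tree it scans is constructed in a temporary directory, and the permission test looks only for exactly 0444 as the post describes.

```python
import os
import stat
import tempfile

# Names of original-index copies mentioned in the post.
INDEX_COPIES = {"old-index.php", "1index.php"}


def scan_for_reinfector(root):
    """Return relative paths of read-only (0444) PHP files, all .htaccess files,
    and leftover index.php copies under root. Paths use '/' regardless of OS."""
    findings = {"readonly_php": [], "htaccess": [], "index_copies": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == ".htaccess":
                findings["htaccess"].append(rel)
            if name in INDEX_COPIES:
                findings["index_copies"].append(rel)
            if name.endswith(".php"):
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                if mode == 0o444:  # the permission set the post associates with infected files
                    findings["readonly_php"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def summarize(findings):
    """Turn raw findings into the numbers an operator compares against a known-good site."""
    return {
        "readonly_php": len(findings["readonly_php"]),
        "htaccess": len(findings["htaccess"]),
        "index_copies": len(findings["index_copies"]),
    }


def demo():
    """Build a constructed site tree showing all three signs and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for rel in ("index.php", "old-index.php", ".htaccess",
                    "wp-content/.htaccess", "wp-content/uploads/.htaccess"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("<?php // constructed placeholder\n")
        target = os.path.join(root, "index.php")
        os.chmod(target, 0o444)
        result = scan_for_reinfector(root)
        os.chmod(target, 0o644)  # restore so the temporary tree can be removed everywhere
        return result


if __name__ == "__main__":
    print(summarize(demo()))
```

A real WordPress tree legitimately contains a handful of .htaccess files (typically the document root and sometimes wp-content/uploads), so compare the count against a clean install of the same version rather than treating every hit as malicious; the read-only PHP files and any index copies, by contrast, warrant direct inspection.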

In rare situations, the malware will be found in the memory of php-fpm. If index.php keeps being recreated, run top to see whether php-fpm is present. According to the researchers, you can try to clear OPcache, although this normally does not solve the problem. 

OPcache boosts PHP performance by keeping pre-compiled script bytecode in shared memory, eliminating the need for PHP to load and parse scripts on every request. As a result, malware can remain in OPcache after being removed from the site files or database. 

Though attackers are constantly seeking new ways to infect websites, there are several standard measures that site owners can take to reduce the number of infections: put the website behind a firewall; change all admin passwords on a regular basis, including the admin dashboard, cPanel/FTP, SSH, and email; always keep all plugins, themes, and the CMS up to date; and delete any unnecessary plugins or themes.

WordPress Sites Hacked in Fake Ransomware Attacks

 

A new wave of cyberattacks began late last week, hacking over 300 WordPress sites and displaying fraudulent encryption notifications in an attempt to mislead site owners into paying 0.1 bitcoin for recovery. 

These ransom requests include a countdown timer in order to create a feeling of urgency and perhaps frighten a web administrator into paying the ransom. While the 0.1 bitcoin ($6,069.23) demand is small compared to what is seen in high-profile ransomware operations, it may still be a significant sum for many website owners. 

Sucuri, a cybersecurity firm hired by one of the victims to conduct incident response, identified these attacks. The researchers revealed that the websites had not been encrypted, but rather that the threat actors had altered an installed WordPress plugin to show a ransom message and countdown when the page was accessed. 

In addition to presenting a ransom note, the plugin would change the 'post status' of all WordPress blog entries to 'null,' leading them to become unpublished. As a result, the cyber actors developed a simple but strong illusion that gave the impression that the site had been encrypted. 

The site was restored to its usual state after deleting the plugin and running a command to republish the posts and pages. Sucuri found that the first place the actor's IP address appeared in the network traffic logs was the wp-admin panel. This suggests that the intruders gained access to the site as administrators, either by brute-forcing the password or by obtaining stolen credentials from dark web markets. 
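Both this post and the Wordfence post above about the users_can_register and default_role options describe damage that is visible in the WordPress database rather than in the files. The audit below is an added example for this page, not Sucuri's or Wordfence's tooling. It uses an in-memory SQLite stand-in for the MySQL schema with the standard wp_ table prefix (a constructed sample; the queries are the same on MySQL), and it treats a post_status of NULL or the string 'null' as the plugin's doing, which is an assumption about how the 'null' value in the post was stored.

```python
import sqlite3


def build_sample_db():
    """Constructed stand-in for a WordPress database with the signs of both attacks."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT, post_type TEXT);
        INSERT INTO wp_options VALUES ('users_can_register', '1'), ('default_role', 'administrator');
        INSERT INTO wp_users VALUES (1, 'owner', '2019-03-01 10:00:00'),
                                    (2, 'qwerty123', '2021-12-09 03:14:00');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
                                       (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_posts VALUES (10, 'Hello world', NULL, 'post'),
                                    (11, 'About', 'publish', 'page'),
                                    (12, 'Draft', 'draft', 'post');
    """)
    return db


def audit_registration_settings(db):
    """Flag the two option values the Wordfence post says the attackers change."""
    rows = dict(db.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('users_can_register', 'default_role')"))
    issues = []
    if rows.get("users_can_register") == "1":
        issues.append("users_can_register is enabled")
    if rows.get("default_role") == "administrator":
        issues.append("default_role is administrator")
    return issues


def list_administrators(db, since):
    """Administrator accounts registered on or after `since`, to review against the known staff list.
    Assumes the default wp_ prefix, so the capability key is wp_capabilities."""
    sql = """SELECT u.user_login FROM wp_users u
             JOIN wp_usermeta m ON m.user_id = u.ID
             WHERE m.meta_key = 'wp_capabilities'
               AND m.meta_value LIKE '%"administrator"%'
               AND u.user_registered >= ?
             ORDER BY u.user_login"""
    return [r[0] for r in db.execute(sql, (since,))]


def unpublished_by_plugin(db):
    """IDs of posts and pages whose status was blanked, as the fake-ransomware plugin did."""
    return [r[0] for r in db.execute(
        "SELECT ID FROM wp_posts WHERE post_status IS NULL OR post_status = 'null' ORDER BY ID")]


def restore_null_status(db, new_status="publish"):
    """Republish the blanked entries; review unpublished_by_plugin() first, since anything
    that was a draft before the attack cannot be told apart here."""
    cur = db.execute(
        "UPDATE wp_posts SET post_status = ? WHERE post_status IS NULL OR post_status = 'null'",
        (new_status,))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print(audit_registration_settings(db))
    print("admins registered since 2021-12-01:", list_administrators(db, "2021-12-01"))
    print("blanked posts:", unpublished_by_plugin(db))
    print("restored:", restore_null_status(db))
```

On a live site the option check and the administrator listing belong in a scheduled job: the attacks in the Wordfence post leave exactly these two values changed, and a newly registered administrator that nobody recognises is the earliest sign the change has already been used.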

This was not an isolated attack but part of a larger campaign, which lends weight to the second scenario. Sucuri identified the modified plugin as Directorist, a tool for creating online business directory listings on websites. 

Sucuri has identified around 291 websites hit by this attack, with a Google search revealing a mix of cleaned-up sites and sites still displaying the ransom note. All of the sites BleepingComputer found in search results use the same Bitcoin address, 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc, which has not received any ransom payments. 

Safeguarding against website encryptions

Sucuri recommends the following security procedures to keep WordPress sites safe from hackers: 
  •  Review the site's admin users, delete any fraudulent accounts, and update/change any wp-admin passwords. 
  • Protect the wp-admin administrator page. 
  • Modify the passwords for all other access points (database, FTP, cPanel, etc). 
  • Protect your website using a firewall. 
  • Adhere to dependable backup techniques that will make restoration simple in the event of a genuine encryption incident. 
Because WordPress is frequently targeted by threat actors, it is also critical to ensure that all of your installed plugins are up to date. 

BleepingComputer was notified of a recent fix for the Directorist plugin that addressed an issue allowing low-privilege users to run arbitrary code. While Sucuri's analysis does not identify the plugin as the point of entry, the presence of this vulnerability makes sense in the context of this particular attack. 

This also implies that removing the malicious modification and restoring the site will not prevent the attackers from striking again as long as the Directorist plugin remains at an older, vulnerable version.

1.2 Million users Affected by GoDaddy Data Breach

 

GoDaddy, the web hosting provider, has announced a data breach as well as warned that data on 1.2 million clients might be compromised. 

GoDaddy Inc. is a publicly listed American Internet domain registration and web hosting firm based in Tempe, Arizona, and incorporated in Delaware. GoDaddy has over 20 million clients and over 7,000 employees globally as of June 2020. 

Demetrius Comes, GoDaddy's chief information security officer, said in a filing with the Securities and Exchange Commission that the business discovered unauthorized access to the systems in which it hosts and administers its customers' WordPress servers. 

WordPress is a web-based content management system that millions of people use to create blogs and web pages. Users can host their WordPress installations on GoDaddy's servers. 

According to GoDaddy, an unauthorized user gained access to GoDaddy's systems around September 6th. GoDaddy stated that the breach was detected last week, on November 17. It is unclear whether the hacked password was secured using two-factor authentication. 

According to the filing, the breach affects 1.2 million current and inactive WordPress users, whose email addresses and customer numbers were exposed. GoDaddy said this exposure may put users at increased risk of phishing attacks. As per the web host, the initial WordPress admin password generated when WordPress was installed, which could be used to manage a customer's WordPress server, was also exposed. 

Active users' FTP credentials (for file transfers) as well as the login information for the WordPress databases that store all of their content were compromised in the incident, according to the business. In certain cases, the user's SSL (HTTPS) private key was exposed, which could allow an attacker to impersonate the customer's website or services. 

According to GoDaddy, it has reset client WordPress passwords and private keys and is now in the process of issuing new SSL certificates. Meanwhile, GoDaddy spokesperson Dan Race declined to comment further, citing the company's ongoing investigation.