Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Joomla vulnerability. Show all posts

 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

 

Parrot is a novel TDS system for online traffic redirection that runs on a few servers hosting over 16,500 sites from government agencies, universities, adult platforms, and personal blogs. The service was apparently also utilized in the context of various cyber-attacks aiming at diverting victims to phishing or sites which result in malware being installed on the systems. Reportedly, all of this is dependent on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors undertaking malicious campaigns to filter incoming traffic and route it to a final destination which serves harmful material. Advertisers and marketers utilize TDS legitimately. Most TDS services are used regularly by professionals in the marketing industry, which is why there are credible reports demonstrating how similar campaigns were executed in the recent past. 

Security analysts working with Avast have revealed that the Parrot has been identified as they recently made assertions about how the campaign was used for FakeUpdate, which delivered update warnings regarding remote access trojans, sometimes known as RATs, using fake browsers. 

Avast threat experts found Parrot TDS, which is presently being utilized for a campaign called FakeUpdate, which distributes remote access trojans (RATs) via phony browser update alerts. The effort appears to have begun in February 2022, however, there have been traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

They have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.  

Those landing sites seem just like a genuine Microsoft login page, prompting visitors to input there login credentials. The best strategy to deal with malicious redirections for web users is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps: 

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  • Use some of the security plugins for WordPress and Joomla which are available.

Bug in Joomla! Extension VirtueMart allows hacker to gain Super Admin access

Security researchers at Sucuri found a critical security vulnerability in  VirtueMart, a popular e-commerce extension for the Joomla which has been downloaded more than 3.5 million times.

The vulnerability allows a malicious user to easily gain super admin privilege. With the Super Admin access, the hacker has full control of the website.

Sucuri removed the technical details about the bug after receiving a request from the developer of VirtueMart.

"VirtueMart uses Joomla’s JUser class “bind” and “save” methods to handle user accounts information. That’s not a problem in it of itself, but this class is very tricky and easy to make mistakes with." Researcher wrote in Sucuri's blog post.

VirtueMart has claimed the bug is in Joomla. Researchers at Sucuri also believe the problem is on the Joomla class itself. However, few Joomla experts disagree with the VirtueMart and Sucuri.

"The vulnerability is in VirtueMart's amateurish use of JUser, not the JUser class itself. JUser is a low level API in Joomla! which expects filtered input." Nicholas Dionysopoulos, a contributer to Joomla Project, posted in a Facebook post.

"The modus operandi of programmatic user account creation in Joomla! is to first filter the input using JInput (typically through JFactory::getApplication()->input, not a new object instance), construct an array with only the keys you need and the pass this to JUser. "


The bug was discovered last week and have been fixed in the latest version of VirtueMart(v2.6.10).

Joomla 3.2.2 is vulnerable to SQL Injection and XSS


If your website is running Joomla 3.2.2, you should upgrade your CMS to the latest version.

A new version of Joomla v3.2.3 has been released to address more than 40 bugs and four security vulnerabilities.

One of the patched security flaws is SQL Injection, caused by Inadequate escaping, rated as High severity bug.  It affects versions 3.1.0 through 3.2.2.

Other two security bugs are Cross site scripting vulnerabilities, which have been rated as Medium severity bugs. 

The last one allows unauthorized logins via GMail authentication, caused by inadequate checking. It affects versions 2.5.8 and earlier 2.5.x and 3.2.2 and earlier 3.x.

It doesn't matter whether you do care about the 40 bugs but you always should consider the security fixes.  So, better update your cms immediately before attackers informing you by hacking your site.

Thousands of Joomla websites using JomSocial vulnerable to Remote Code Execution

Thousands of Joomla websites using JomSocial are vulnerable to Remote Code Execution vulnerability.  JomSocial is a social networking extension for Joomla CMS.

The extension is currently listed on the Joomla's Vulnerable Extension list.  The vulnerability is being exploited in the wild, several users have reported that someone had hacked into their website.

According to JomSocial, hackers breached JomSocial website by exploiting this vulnerability.  The security experts at JomSocial have spotted the attack and released a patch for this vulnerability.  While analyzing the vulnerability which is being exploited, they also discovered another critical vulnerability.

The vulnerability was discovered by a security researcher Matias Fontanini.  He notified JomSocial about the vulnerability.  At first, the team said that they have fixed the issue in the 3.1.0.1. However, researcher found 3.1.0.1 is also vulnerable.

Vulnerability Details:
The vulnerability is located in the 'photos' controller, 'ajaxUploadAvatar' task. The parameters parsed by the 'Azrul' plugin are not properly sanitized before being used in a call to the 'call_user_func_array' PHP function.

"This allows an attacker to execute arbitrary static class functions, using any amount of user-provided parameters."  An attacker can exploit this vulnerability by calling CStringHelper::escape function and execute arbitrary PHP code.

HTTP Request exploiting the vulnerability

More technical details about the vulnerability and exploit code is available here.

As you can see that exploit code is already publicly available, all JomScoial Admins are advised to upgrade to latest version of the extension (v3.1.0.4) as soon as possible.

Bangladesh National Commission for UNESCO and MoCHTA websites hacked

 

Sil3nt hack3r , a member of hacking crew called as Muslim Cyber Sh3ll'z, has breached multiple Bangladesh government websites and left those sites defaced.

The list of affected websites includes Ministry of Chittagong Hill Tracts Affairs, Bangladesh National Commission for UNESCO, BPSC Departmental Examination(portal.bpsc.gov.bd) and Cabinet Division(cabinet.gov.bd) .

The security breach was done few days ago but still few sites are not recovered by the admin and displays the defacement page.

We can still able to see the defacement page at 'www.bncu.gov.bd' and 'www.mochta.gov.bd/ck.htm'.

Apart from Bangladeshi government websites, the crew also defaced Indian government website(pcmcindia.gov.in) , Vietnam govt. (cti.gov.vn).

This is not the first time the Bangladesh National Commission for UNESCO being attacked.  It was defaced multiple times in the past ,  last month it was defaced by Rahm Anonymous.

*Outdated Joomla:
 At EHN, we have found those affected government websites are using outdated Joomla version 1.5 that has multiple critical vulnerabilities.