
PrestaShop Sites Hit by Severe Security Flaw

Hackers are using a blend of known and undiscovered security flaws to insert malicious software into e-commerce websites running the PrestaShop platform, according to an urgent advisory from PrestaShop. There are currently 300,000 stores using PrestaShop, which is available in 60 different languages.

Operation objective:

Hackers target stores running out-of-date software or modules, vulnerable third-party modules, or a vulnerability that has not yet been identified. For the attack to succeed, the store must be vulnerable to SQL injection. PrestaShop versions 1.6.0.10 and later are affected, as are versions 1.7.8.2 and later when they run modules susceptible to SQL injection.

The PrestaShop security bulletin describes the recurring pattern as follows:
  • The attacker sends a POST request to an endpoint vulnerable to SQL injection.
  • About a second later, the attacker sends a GET request to the homepage with no parameters.
  • This triggers the creation of a PHP file named blm.php at the root of the shop's directory.
  • The attacker then sends a GET request to the newly created blm.php, which lets them execute arbitrary commands.
The attackers likely used this web shell to insert a fake payment form on the store's checkout page and steal customers' payment card details. To keep the site owner from learning of the compromise, the remote threat actors erased their traces after the attack.

Security measures 

Ensure that the site and all of its modules are updated to the most recent version. If the attackers were not careful to clean up evidence, site managers may find entries in the web server's access logs showing that they were compromised.
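The bulletin's four-step chain leaves a recognisable footprint in the access log. The following is an added example, not PrestaShop's code, that scans combined-format log lines for a POST followed within a few seconds by GET / and then GET /blm.php from the same client; the log lines and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of combined-format access log lines (not from a real shop).
# The first three lines mirror the POST -> GET / -> GET /blm.php chain from the bulletin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2022:14:01:05 +0000] "POST /modules/somemodule/ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:14:01:06 +0000] "GET / HTTP/1.1" 200 34567 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:14:01:07 +0000] "GET /blm.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Jul/2022:14:02:00 +0000] "GET /index.php?id_product=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Jul/2022:14:02:30 +0000] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WEBSHELL_NAME = "blm.php"  # file name given in the PrestaShop bulletin


def parse_log(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop the query string
            "status": int(m["status"]),
        })
    return events


def _hits_webshell(ev):
    return ev["path"].endswith("/" + WEBSHELL_NAME)


def find_prestashop_chain(log_text, window=timedelta(seconds=5)):
    """Return one finding per client IP.

    kind == "chain": a POST, then GET / and then GET /blm.php all within `window`
    (the bulletin says the homepage request follows about a second after the POST;
    the 5-second window is an assumption chosen to tolerate slow servers).
    kind == "webshell_request": any request for blm.php, a file that should not
    exist on a clean shop, even when the full chain is not visible in the log.
    """
    by_ip = {}
    for ev in parse_log(log_text):
        by_ip.setdefault(ev["ip"], []).append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        chain = None
        for i, post in enumerate(evs):
            if post["method"] != "POST":
                continue
            later = [e for e in evs[i + 1:] if e["ts"] - post["ts"] <= window]
            home = next((e for e in later if e["method"] == "GET" and e["path"] == "/"), None)
            if home is None:
                continue
            shell = next((e for e in later if _hits_webshell(e) and e["ts"] >= home["ts"]), None)
            if shell is not None:
                chain = {"ip": ip, "kind": "chain", "post_path": post["path"],
                         "shell_ts": shell["ts"].isoformat()}
                break
        if chain:
            findings.append(chain)
        elif any(_hits_webshell(e) for e in evs):
            findings.append({"ip": ip, "kind": "webshell_request"})
    return findings


if __name__ == "__main__":
    for finding in find_prestashop_chain(SAMPLE_LOG):
        print(finding)
```

The POST path of a "chain" finding points at the endpoint that should be audited for the SQL injection the bulletin warns about.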

The addition of malicious software to files through file modifications and the activation of the MySQL Smarty cache storage, which is a component of the attack chain, are additional indications of compromise.

Because of the exploit's intricacy, there are various techniques to use it, and hackers might also try to cover their traces. To ensure that no file has been edited or malicious software has been installed, think about hiring a professional to conduct a thorough audit of the website.



Defective WordPress Plugin Permits Full Invasion

According to security researchers, a campaign has scanned almost 1.6 million websites in an attempt to exploit an arbitrary file upload vulnerability in a WordPress plugin that was previously disclosed as vulnerable.

The vulnerability, tracked as CVE-2021-24284, affects Kaswara Modern WPBakery Page Builder Addons. When exploited, it gives an unauthorized attacker access to sites running any version of the plugin and lets them upload and delete files or take complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider says it has been blocking an average of 443,868 attempts per day against customer websites.

Malicious code injection  

The attacker attempts to upload a malicious ZIP payload containing a PHP file through the plugin's 'uploadFontIcon' AJAX function, by sending a POST request to 'wp-admin/admin-ajax.php'.

This file then pulls in the NDSW trojan, which injects code into the target sites' legitimate JavaScript files to redirect visitors to dangerous websites, including phishing and malware-dropping sites. Your site has likely been infected if any of your JavaScript files contain the string "; if(ndsw==".

All versions of the plugin are vulnerable because the bug was never patched by its developers, and the plugin is now closed. The researchers stated that although 1,599,852 different sites were hit, most of them were not hosting the plugin, and they believe that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not using the plugin. Visit Wordfence's blog for additional information on the indicators and the most common sources of the requests.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

PYSA Ransomware Group: Experts Share In-Depth Details

According to an 18-month examination of the PYSA ransomware operation, the cybercrime group has followed a five-stage system development cycle since August 2020, with the malware developers prioritizing enhancements that boost the efficiency of its activities. The GSOC examines the PYSA ransomware in this Threat Analysis Report. The ransomware became widely known as PYSA after the Federal Bureau of Investigation (FBI) warned of its increased activity and significant harmful impact early this year.

This includes a user-friendly tool, such as a full-text search engine, to make metadata extraction easier and allow threat actors to easily locate and access victim information. "The group is notorious for thoroughly researching high-value targets before unleashing its operations, compromising business systems, and forcing researchers to pay significant ransoms to retrieve sensitive data," stated PRODAFT, a Swiss cybersecurity firm, in a comprehensive report released last week. 

PYSA, which stands for "Protect Your System, Amigo" and is a descendant of the Mespinoza ransomware, was initially discovered in December 2019 and has since risen to become the third most common ransomware strain reported in the fourth quarter of 2021. The cybercriminal cell is thought to have exfiltrated confidential info linked to as many as 747 individuals since September 2020, until its databases were taken down earlier this January. 

The majority of its victims are in the United States and Europe, and the gang primarily targets the government, medical, and educational sectors. "The United States was the most-affected country, contributing for 59.2 percent of all PYSA occurrences documented," Intel 471 stated in a review of ransomware assaults observed from October to December 2021. PYSA, like other ransomware operations, is known for the "big game hunting" approach and for double extortion, which involves publishing the stolen data if the victim refuses to comply with the group's demands.

Every targeted file is encrypted and given the ".pysa" extension; the files can only be decrypted with the RSA private key provided after paying the fee. PYSA victims are claimed to have paid about 58 percent in digital payments to regain access to the encrypted data. PRODAFT was able to find a publicly accessible .git folder owned by PYSA operators and identified one of the project's authors as "dodo@mail.pcc," a threat actor who, based on the commit history, is thought to be located in a country that observes daylight saving time.

According to the study, at least 11 accounts control the whole operation, most of which were created on January 8, 2021. However, four of these accounts, t1, t3, t4, and t5, account for approximately 90% of the activity on the group's management panel. Other operational security failures by the group's members allowed a hidden service running on the TOR anonymity network to be identified, hosted by a server provider (Snel.com B.V.) based in the Netherlands, providing insight into the actor's techniques. PYSA's infrastructure also includes dockerized containers for public leak servers, database servers, and administrative servers, as well as Amazon S3 cloud storage for the stolen files, which total 31.47TB.

The panel is written in PHP 7.3.12 using the Laravel framework and uses Git for version control of its development. The admin panel also exposes several API endpoints that let the system list files, auto-generate GIFs, and scan data, which is used to group stolen victim data into broad categories for easy retrieval. Separately, research from cybersecurity firm Sophos found that several potential threat groups spent nearly five months inside the systems of an undisclosed regional US government agency before deploying the LockBit ransomware at the start of the year.

Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

Parrot is a new traffic direction system (TDS) for redirecting web traffic that runs on a number of compromised servers hosting over 16,500 sites belonging to government agencies, universities, adult platforms, and personal blogs. The service has reportedly also been used in various cyber-attacks aimed at diverting victims to phishing sites or to sites that install malware on their systems. The redirection reportedly depends on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors running malicious campaigns to filter incoming traffic and route it to a final destination that serves harmful content. Advertisers and marketers use TDS legitimately; most TDS services are used routinely by marketing professionals, which is why there are credible reports showing how similar campaigns were carried out in the recent past.

Avast threat researchers found Parrot TDS, which is presently being used for a campaign called FakeUpdate that distributes remote access trojans (RATs) via fake browser update alerts. The campaign appears to have begun in February 2022, although there are traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

They have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.  

Those landing pages look just like a genuine Microsoft login page and prompt visitors to enter their login credentials. For web users, the best defense against malicious redirections is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps:

  • Use an antivirus to scan all files on the web server.
  • Replace all original JavaScript and PHP files on the web server.
  • Use the most recent CMS and plugin versions.
  • Look for cron jobs or other automatically executing processes on the web server.
  • Always use unique and strong credentials for all services and accounts, and use two-factor authentication whenever possible.
  • Use some of the security plugins available for WordPress and Joomla.

PHP Re-Infectors: The Malware that Never Goes Away

Threat actors typically infect sites for monetary gain, to improve SEO rankings for malware or spam campaigns, and for a variety of other objectives. If the malware is easily and swiftly removed, the attack's objective is defeated. In most cases of this form of infection, researchers discovered a modified index.php. According to the researchers, it makes little difference if your site does not use WordPress; attackers will normally replace index.php with an infected copy of the WordPress index.php file.

The index.php file is the entry point for a website or application: a template file whose contents are executed as PHP code. Because this file is also present on sites that are otherwise simple HTML websites, it too is modified before the page is delivered.

Researchers have also observed hundreds, if not thousands, of infected .htaccess files dispersed throughout the website directories. These are intended to block custom PHP files or tools from executing on the site, or to allow dangerous files to run if some mitigation is already in place. In rare cases, the attackers leave a copy of the original index.php file named old-index.php or 1index.php on the server. In most cases, the infected files have 444 permissions, and attempting to remove or clean those files directly is futile because the malware immediately creates a new infected copy.

In rare cases, the malware is found in the memory of php-fpm. If index.php keeps being recreated, run top to check whether php-fpm is running. According to the researchers, you can try clearing OPcache, although this normally does not solve the problem.
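The indicators listed above (a modified index.php, leftover old-index.php or 1index.php copies, files forced to mode 444, and .htaccess files scattered across directories) can be checked mechanically. This is an added example, not the researchers' tool; the throwaway web root it scans is constructed, and the .htaccess threshold is an assumption.

```python
import hashlib
import os
import stat
import tempfile

# Indicators taken from the write-up above: backup names left behind, 444 permissions,
# a modified index.php and .htaccess files scattered across directories.
BACKUP_NAMES = {"old-index.php", "1index.php"}


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_webroot(root, known_good_index_sha256=None, htaccess_threshold=20):
    """Walk a web root and return sorted (kind, detail) findings for the indicators.

    htaccess_threshold is an assumption: the write-up speaks of hundreds or thousands
    of infected .htaccess files, so anything far above a handful is worth a look.
    """
    findings = []
    htaccess_count = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if name == ".htaccess":
                htaccess_count += 1
            if name in BACKUP_NAMES:
                findings.append(("backup_of_original_index", rel))
            if mode == 0o444 and (name.endswith(".php") or name == ".htaccess"):
                findings.append(("read_only_444", rel))
            if rel == "index.php" and known_good_index_sha256:
                if sha256_file(full) != known_good_index_sha256:
                    findings.append(("index_php_modified", rel))
    if htaccess_count >= htaccess_threshold:
        findings.append(("many_htaccess", str(htaccess_count)))
    return sorted(findings)


# Constructed "known good" index.php; in practice take the hash from a clean backup.
CLEAN_INDEX = b"<?php\n// constructed clean index.php\nrequire __DIR__ . '/wp-blog-header.php';\n"
CLEAN_INDEX_SHA256 = hashlib.sha256(CLEAN_INDEX).hexdigest()


def build_constructed_webroot():
    """Create a throwaway directory that shows every indicator; returns its path."""
    root = tempfile.mkdtemp(prefix="reinfector-demo-")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php\n/* constructed 'infected' prefix */\n" + CLEAN_INDEX)
    os.chmod(os.path.join(root, "index.php"), 0o444)  # the 444 mode the write-up mentions
    with open(os.path.join(root, "old-index.php"), "wb") as fh:
        fh.write(CLEAN_INDEX)  # backup copy of the original left behind
    for i in range(25):  # scattered .htaccess files, one per sub-directory
        sub = os.path.join(root, "wp-content", f"dir{i}")
        os.makedirs(sub, exist_ok=True)
        with open(os.path.join(sub, ".htaccess"), "w") as fh:
            fh.write("# constructed\n")
    return root


if __name__ == "__main__":
    demo_root = build_constructed_webroot()
    for kind, detail in scan_webroot(demo_root, CLEAN_INDEX_SHA256):
        print(kind, detail)
```

Findings from a real web root should be compared against a clean backup before anything is deleted, since the write-up notes that removing files without stopping the re-infector process is futile.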

OPcache boosts PHP performance by keeping pre-compiled script bytecode in shared memory, eliminating the need for PHP to load and parse scripts on every request. As a result, malware can remain in OPcache after being removed from the site files or database. 

Although attackers are constantly seeking new ways to infect websites, there are several standard steps site owners can take to reduce the number of infections: put the website behind a firewall; change all admin passwords on a regular basis, including those for the admin dashboard, cPanel/FTP, SSH, and email; always keep all plugins, themes, and the CMS up to date; and delete any unnecessary plugins or themes.

Symfony PHP Framework has a Cache Poisoning Bug

Websites built on the Symfony framework were vulnerable to web cache poisoning attacks due to mishandling of HTTP headers. Symfony is a popular PHP framework for web applications that has received over 200 million downloads. The platform was found to be vulnerable to web cache poisoning, potentially exposing sensitive information such as users' IP addresses.

Web cache poisoning is a sophisticated technique in which an attacker takes advantage of a web server's and cache's behavior to provide a malicious HTTP response to other users. Web cache poisoning is divided into two stages. To begin, the attacker must figure out how to get a response from the back-end server that has a harmful payload. They must ensure that their response is stored and then served to the intended victims once they have succeeded. 

A poisoned web cache has the potential to be a catastrophic means of disseminating a variety of attacks, including XSS, JavaScript injection, open redirection, and so on. 

Manipulation of unkeyed inputs, such as headers, is at the heart of any web cache poisoning attack. When evaluating whether or not to serve a cached response to a user, web caches disregard unkeyed inputs. Because of this behavior, threat actors can use them to inject their payload and elicit a "poisoned" response, which, if cached, will be served to all users with the corresponding cache key. 

The bug arose when a Symfony-based website was running behind a proxy or load balancer; it has since been fixed. In these setups, developers can tell Symfony to look for X-Forwarded-* headers, which carry further information about the client such as the original IP address, protocol, and port. Symfony uses a trusted_headers allow list to limit which of these headers are honored and to prevent web cache poisoning attacks. In version 5.2, Symfony's developers added support for the X-Forwarded-Prefix header, which carries information about the request's original path base.

According to a GitHub advisory, the flaw was in the sub-request feature, which allows developers to render and serve a small section of a page instead of the entire page. Sub-requests processed the X-Forwarded-Prefix header even though it was not on the trusted headers list. By forging malicious sub-requests carrying the X-Forwarded-Prefix header and getting the responses cached by cache servers, malicious actors could carry out web cache poisoning attacks.
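The mechanism described above (an unkeyed header honored despite the allow list, then cached for everyone) can be modelled in a few lines. The following is an added simulation, not Symfony's code: the fragment renderer, the cache, the allow list and the header value are simplified stand-ins for the behaviour the advisory describes.

```python
# Allow list modelled on Symfony's trusted_headers idea. X-Forwarded-Prefix is
# deliberately NOT in it, so a correct app must ignore that header.
TRUSTED_FORWARDED = {"x-forwarded-for", "x-forwarded-proto",
                     "x-forwarded-host", "x-forwarded-port"}


def render_fragment(headers, buggy_subrequest):
    """Back-end rendering of a page fragment that links to /login.

    headers: lower-cased request headers. buggy_subrequest=True models the flawed
    sub-request path that honoured X-Forwarded-Prefix regardless of the allow list.
    """
    prefix = headers.get("x-forwarded-prefix", "")
    honoured = "x-forwarded-prefix" in TRUSTED_FORWARDED or buggy_subrequest
    path_base = prefix if (prefix and honoured) else ""
    return f'<a href="{path_base}/login">Login</a>'


def strip_untrusted_forwarded(headers):
    """Edge-proxy mitigation: drop every X-Forwarded-* header the app is not meant
    to trust, so a client cannot smuggle one through even if the app mishandles it."""
    return {k: v for k, v in headers.items()
            if not k.startswith("x-forwarded-") or k in TRUSTED_FORWARDED}


class FragmentCache:
    """A cache keyed on (host, path) only; every request header is an unkeyed input."""

    def __init__(self, buggy_subrequest, proxy_strips_headers=False):
        self.store = {}
        self.buggy_subrequest = buggy_subrequest
        self.proxy_strips_headers = proxy_strips_headers

    def get(self, host, path, headers):
        key = (host, path)
        if key not in self.store:  # miss: ask the back end and remember the answer
            lowered = {k.lower(): v for k, v in headers.items()}
            if self.proxy_strips_headers:
                lowered = strip_untrusted_forwarded(lowered)
            self.store[key] = render_fragment(lowered, self.buggy_subrequest)
        return self.store[key]


def poisoning_demo(buggy_subrequest, proxy_strips_headers=False):
    """An attacker primes the cache with a forged prefix; a victim then requests the
    same key with no special headers. Returns (attacker_view, victim_view)."""
    cache = FragmentCache(buggy_subrequest, proxy_strips_headers)
    attacker_view = cache.get("shop.example", "/_fragment/nav",
                              {"X-Forwarded-Prefix": "/attacker-chosen"})
    victim_view = cache.get("shop.example", "/_fragment/nav", {})
    return attacker_view, victim_view


if __name__ == "__main__":
    print("vulnerable:", poisoning_demo(buggy_subrequest=True)[1])
    print("fixed app: ", poisoning_demo(buggy_subrequest=False)[1])
    print("proxy fix: ", poisoning_demo(True, proxy_strips_headers=True)[1])
```

The victim's view in the vulnerable case contains the attacker's prefix although the victim never sent the header, which is exactly why unkeyed inputs must be either part of the cache key or ignored by the application.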

PHP Git Server Hacked to Plant Malware in Code Base

In the latest software supply chain attack, the official PHP Git repository was compromised and its code base altered. On Sunday, two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The threat actors signed off on these commits as though they had been made by known PHP developers and maintainers Rasmus Lerdorf and Nikita Popov.

The incident is disturbing considering that PHP remains the server-side programming language behind more than 79% of the sites on the Internet. In the malicious commits [1, 2] seen by BleepingComputer, the attackers pushed a strange change upstream labeled "fix typo" under the pretense that it was a minor typographical amendment.

According to BleepingComputer, the code appears intended to plant a backdoor and create a situation in which remote code execution (RCE) might be possible. Popov said the development team is not sure precisely how the attack occurred, but the evidence suggests that the official git.php.net server was compromised, rather than individual Git accounts. A comment, "REMOVETHIS: sold to zerodium, mid-2017," was included in the script. There is no sign, however, that the exploit broker was involved in the cyberattack.

Zerodium's chief executive Chaouki Bekrar called the culprit a "troll," remarking that "likely, the researcher who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun." The commits were detected and reverted before they made it downstream or affected users. An investigation into the security incident is in progress and the team is scouring the repository for any other signs of malicious activity. Meanwhile, the development team has concluded that now is the right time to move permanently to GitHub.

"We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server," Popov said. "Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net." Developers who previously had write access to the project's repositories will now have to join the PHP group on GitHub.

Indian Copyright Office Asks for Executable File for Website Code?


The Indian copyright office grants a series of rights to the developer of a computer program, legally protecting the original creation. Under the Copyright Act, computer program code can be registered as a 'literary work'. As the program is safeguarded by copyright, each subsequent modification or addition to the code containing sufficient originality is also protected under the law. Generally, a computer program is protected not by a single copyright but by a set of copyrights, starting from the first source code written through to the last addition by the creator.

Although source code and object code differ from each other, the copyright office views both forms as equivalent for registration purposes, maintaining the notion that source code and object code are just two distinct forms of the same copyrighted program.

Copyright ownership refers to a collection of rights that gives the creator the exclusive right to use an original creation such as a song, literary work, movie, or software. It means that the original authors of works, and the people or companies they have authorized, are the only ones with the exclusive right to reproduce the creation.

Recently, a company director applied for copyright for his PHP and Python program. To his surprise, the Indian copyright office asked for an executable file. It is well known that PHP code used in websites does not produce an executable file, so there was no way the director could provide one for his PHP program. The question remains why officials at the Indian copyright office are unaware that there is no executable file for website code, and why they require one in the first place.

In India, the Copyright Act, 1957 grants protection to the Intellectual Property Rights (IPR) of computer software. As per the definition in the Indian Copyright Act, Computer programs are classified as ‘literary works’. Accordingly, the rights of computer software are protected under the provisions of the Act.

Attackers Exploiting Bugs in PHP7 to Hijack Web Servers


Last week, Russia-based security researcher Emil 'Neex' Lerner disclosed, via the PHP bug tracker, a remote code execution vulnerability classified as CVE-2019-11043. The vulnerability allows attackers to gain control of servers running PHP7 with NGINX and the PHP-FPM extension simply by adding "?a=" to the URL of the website. Evidence shows that this critical PHP issue is being actively exploited by threat actors.

Reportedly, the vulnerability does not affect all PHP-capable servers; only NGINX servers with PHP-FPM enabled are exposed. PHP-FPM is the FastCGI Process Manager module used to improve performance, and the vulnerability, which lets a remote party execute arbitrary code simply by accessing a specially crafted URL, resides in env_path_info in the file fpm_main.c of the FPM component.

PHP (Hypertext Preprocessor) is a widely used open-source general-purpose scripting language employed in the development of static websites, dynamic websites, and web applications. It is one of the most common programming languages used to build websites and is focused on server-side scripting. It forms the basis for content management systems such as WordPress and also (in a way) for more sophisticated applications like Facebook. A security vulnerability in it is therefore a big deal for security researchers.

Experts believe this vulnerability ticks all the boxes for the start of a storm in the cybersecurity world: it not only puts multiple environments at risk but also makes it extremely convenient for attackers to exploit. Although patches are available as a safeguard, not everyone is equally up to date with the fixes.

According to ZDNet, this vulnerability has radically lowered the barrier to hacking a website, so much so that even people from a nontechnical background could potentially abuse it.

Satnam Narang, Senior Security Response Manager at Tenable, explains that "The PoC script included in the GitHub repository can query a target webserver to identify whether or not it is vulnerable by sending specially crafted requests,"

"Once a vulnerable target has been identified, attackers can send specially crafted requests by appending '?a=' in the URL to a vulnerable web server," adds Narang.

Malware Alert: Mirai Alias Miori Is Being Dispensed Via RCE Exploits


To add to the latest list of raging malware, the cybercriminals decided to rename some older ones. The Mirai malware is now being distributed under the name Miori, by way of malicious remote code execution exploits.

The Mirai malware has a long history of wreaking havoc by executing DDoS (Distributed Denial of Service) attacks on various platforms using IoT devices. The botnet in question has previously carried out some truly damaging DDoS attacks and has been the culprit in computer fraud and abuse. The malware needs to function equally well on different architectures in order to run across platforms. Miori can easily exploit internet-connected devices by abusing their vulnerabilities; smart devices are always on this malware's radar.

The malware is being distributed through a remote code execution vulnerability in the ThinkPHP PHP framework. The exploit specifically targets versions prior to 5.0.23 and 5.1.31. The security researchers tracking the malware report that the rate of infection of smart devices via the ThinkPHP RCE is increasing, and that numerous other Mirai variants exploiting the ThinkPHP RCE vulnerability are also being distributed.

Researchers also confirmed that a Linux device was made to perform a DDoS attack after being infected via other connected devices, as its default credentials were reset through Telnet. Reportedly, Miori is merely one offshoot that the cybercriminals use to infect vulnerable devices via the ThinkPHP RCE.

The malware variant could be downloaded from the following command and control server: Hxxp://144[.]202[.]49[.]126/php

Once the malware is executed, a console is spawned that switches Telnet on to brute-force other IP addresses. The C&C server listens on port 42352 (TCP/UDP) to receive further commands.

Researchers decrypted the Miori malware's configuration table, which is embedded in its binary strings. The usernames, passwords, and other credentials used by the malware were also recovered by the researchers, as they were fairly easy to guess.

A closer look revealed two URLs used by two other Mirai variants, APEP and IZIH9. Both employ the same string deobfuscation procedure as Mirai and Miori. APEP also spreads by exploiting CVE-2017-17215, another RCE vulnerability that can seriously affect router devices.