
Hackers Exploit WordPress Sites to Attack Mac and Windows Users


According to security experts, threat actors are abusing out-of-date versions of WordPress and plug-ins to modify thousands of sites to trap visitors into downloading and installing malware.

In a conversation with cybersecurity news portal TechCrunch, Simon Wijckmans, founder and CEO of the web security company c/side, said the hacking campaign is still “very much live”.

Spray and pray campaign

The hackers aim to distribute malware to loot passwords and sensitive data from Mac and Windows users. According to c/side, a few hacked websites rank among the most popular ones on the internet. Reporting on the company’s findings, Himanshu Anand believes it is a “widespread and very commercialized attack” and told TechCrunch the campaign is a “spray and pray” cyber attack targeting website visitors instead of a specific group or a person.

Once a hacked WordPress site loads in a visitor's browser, researchers say, its content is immediately replaced with a fake Chrome browser update page telling the visitor to download and install an update before they can access the site.

Users tricked via fake sites

When a visitor agrees to the update, the compromised website serves a malicious file disguised as the update, choosing a Mac or Windows payload depending on the visitor's operating system. Researchers have informed Automattic, the company that makes and distributes WordPress.com, about the attack campaign and sent it a list of the malicious domains.

According to TechCrunch, Megan Fox, a spokesperson for Automattic, had not commented at press time. Automattic later clarified that the security of third-party plugins is the responsibility of the WordPress developers who write them.

“There are specific guidelines that plugin authors must consult and adhere to ensure the overall quality of their plugins and the safety of their users,” Ms Fox told TechCrunch. “Authors have access to a Plugin Handbook which covers numerous security topics, including best practices and managing plugin security,” she added. 

c/side has traced more than 10,000 sites that may have been targeted by this campaign. The company found the malicious scripts by crawling the internet and using reverse DNS lookups to find domains and sites sharing a small number of IP addresses, which exposed a wider set of domains hosting the scripts. TechCrunch has not independently verified c/side's data, but it did find a WordPress site serving the malicious content earlier this week.

Critical Vulnerabilities in CleanTalk WordPress Plugin Put 200,000 Websites at Risk

Defiant has raised alarms about two significant vulnerabilities affecting CleanTalk’s anti-spam WordPress plugin, which could enable attackers to execute arbitrary code remotely without requiring authentication. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, are classified with a high severity score of 9.8 on the CVSS scale. They impact the “Spam protection, Anti-Spam, FireWall by CleanTalk” plugin, which boasts over 200,000 active installations on WordPress sites globally. 

The flaws pose a significant risk by allowing remote attackers to install and activate arbitrary plugins, including potentially vulnerable ones that can then be exploited for remote code execution (RCE). According to Defiant, the first vulnerability, CVE-2024-10542, involves an authorization bypass issue. This weakness exists in a function responsible for handling remote calls and plugin installations, where token-based authorization is used to secure these actions. 

However, two related functions intended to verify the originating IP address and domain name are vulnerable to exploitation. Attackers can manipulate these checks through IP and DNS spoofing, enabling them to specify an IP address or subdomain under their control. This bypasses the plugin’s authorization process, allowing the attacker to carry out actions such as installing, activating, deactivating, or uninstalling plugins without proper permissions. The vulnerability was discovered in late October and was addressed with the release of version 6.44 of the plugin on November 1. 

However, this update inadvertently introduced another vulnerability, CVE-2024-10781, which provided attackers with an alternative method of bypassing token authorization. CVE-2024-10781 arises from a flaw in how the plugin processes tokens for authorization. Specifically, if a website has not configured an API key in the plugin, attackers can use a token that matches an empty hash value to authenticate themselves. This effectively nullifies the intended security measures and allows attackers to install and activate arbitrary plugins, which can then be exploited for malicious purposes, such as executing remote code. 
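To make the empty-hash problem concrete, here is an added Python model of the two token-check patterns described above. It is not CleanTalk's code: the hash function (SHA-256), the parameter names and the fixed behaviour are assumptions chosen to illustrate the defect, namely that deriving the expected token from an unset key turns hash("") into a publicly computable credential.

```python
import hashlib
import hmac


def token_for(api_key: str) -> str:
    """Token derived from the configured key. SHA-256 is an assumption; the real
    plugin's derivation is not described on this page."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def vulnerable_is_authorized(request_token: str, api_key: str) -> bool:
    """Flawed pattern: the expected token is derived from the configured key even
    when that key is empty, so the hash of "" becomes a valid token that anyone can
    compute without knowing any secret."""
    return request_token == token_for(api_key)


def hardened_is_authorized(request_token: str, api_key: str) -> bool:
    """Fixed pattern: refuse outright when no key is configured, and compare in
    constant time so the check does not leak timing information."""
    if not api_key:
        return False
    return hmac.compare_digest(request_token, token_for(api_key))


# Constructed demonstration value: the token derivable from an unset key.
EMPTY_KEY_TOKEN = token_for("")

if __name__ == "__main__":
    print("vulnerable, no key configured:", vulnerable_is_authorized(EMPTY_KEY_TOKEN, ""))
    print("hardened,   no key configured:", hardened_is_authorized(EMPTY_KEY_TOKEN, ""))
    print("hardened,   correct key      :", hardened_is_authorized(token_for("s3cret"), "s3cret"))
```

The design point is that "no key configured" must be treated as "feature disabled", never as "key is the empty string"; a site that has not completed setup should fail closed.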

The CleanTalk development team addressed this second vulnerability with the release of version 6.45 on November 14, which contains fixes for both CVE-2024-10542 and CVE-2024-10781. Despite the availability of this updated version, data from WordPress indicates that as of November 26, approximately half of the plugin’s active installations are still running outdated and vulnerable versions. This exposes a significant number of websites to potential exploitation. The risks associated with these vulnerabilities are considerable, as attackers could gain complete control over affected websites by leveraging these flaws. This includes the ability to install additional plugins, some of which may themselves contain vulnerabilities that could be exploited for further malicious activities. 

Website administrators using the CleanTalk anti-spam plugin are strongly urged to update to version 6.45 or later as soon as possible. Keeping plugins up to date is a critical step in maintaining the security of WordPress websites. By applying the latest updates, administrators can protect their sites against known vulnerabilities and reduce the risk of being targeted by cyberattacks. In addition to updating plugins, security experts recommend implementing additional security measures, such as monitoring for unauthorized changes, using a robust firewall, and conducting regular security audits. 

These practices can help ensure that websites remain secure against evolving threats. By addressing these vulnerabilities and staying proactive about updates, WordPress site owners can safeguard their online presence and protect the sensitive data entrusted to their platforms.

Infostealer-Injecting Plugins infect Thousands of WordPress Sites

Hackers are compromising WordPress sites and installing malicious plugins that spread information-stealing malware by displaying fake update prompts and error messages.

Infostealing malware has become a global nuisance for security defenders in recent years, as compromised credentials are used to infiltrate networks and steal data. 

Since 2023, a malicious campaign known as ClearFake has been used to display bogus web browser update banners on compromised sites that spread data-stealing malware. 

A new campaign named ClickFix was launched in 2024; it is quite similar to ClearFake, but it poses as software error warnings with fixes included. These "fixes" are actually PowerShell scripts that, when executed, will download and install malware that steals data. 

This year has seen a rise in ClickFix attacks, in which threat actors hack websites to show banners displaying fake issues for Facebook, Google Meet conferences, Google Chrome, and even captcha pages. 

Malicious WordPress plugins

Last week, GoDaddy disclosed that the ClearFake/ClickFix threat actors had infiltrated over 6,000 WordPress sites, installing malicious plugins that displayed the fake alerts associated with these operations. 

"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," notes GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users.” 

Sucuri, a website security firm, has also identified a fraudulent plugin called "Universal Popup Plugin" as part of this operation. Once installed, the malicious plugin hooks into various WordPress actions (which ones depends on the plugin variant) and injects a malicious JavaScript script into the site's HTML.

Sinegubko's analysis of web server access logs indicates that the threat actors are using stolen admin credentials to log in to the WordPress site and install the plugin in an automated fashion. They log in with a single POST HTTP request rather than first loading the site's login page, which shows that the process is automated once the credentials have been obtained.
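The login pattern described above is easy to look for in access logs. The following Python detector is an added example (not GoDaddy's or Sucuri's tooling) that flags any POST to wp-login.php from a client that never fetched the login page with a GET earlier in the log. The log lines are constructed for the demonstration; the combined-log regex and the note about status codes are my assumptions about a typical Apache/nginx setup.

```python
import re

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_direct_logins(lines):
    """Return (ip, timestamp, status) for every POST to wp-login.php sent by a client
    that never loaded the login page with GET earlier in the log.

    Interactive users fetch the form first; scripted logins with stolen credentials
    skip it. A 302 on the POST is what WordPress returns after a successful login
    (a 200 usually means the attempt failed), so 302 entries are the ones to check first."""
    fetched_login_page = set()
    flagged = []
    for rec in parse_log(lines):
        path = rec["path"].split("?", 1)[0]
        if not path.endswith("/wp-login.php"):
            continue
        if rec["method"] == "GET":
            fetched_login_page.add(rec["ip"])
        elif rec["method"] == "POST" and rec["ip"] not in fetched_login_page:
            flagged.append((rec["ip"], rec["ts"], int(rec["status"])))
    return flagged


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2024:08:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2024:08:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2024:08:02:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Nov/2024:08:02:03 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Nov/2024:08:05:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    for ip, ts, status in find_direct_logins(SAMPLE_LOG.splitlines()):
        print(f"{ip} posted credentials at {ts} without loading the login page (status {status})")
```

In the sample, 203.0.113.7 behaves like a person (GET, then POST), 198.51.100.9 logs in directly and immediately uploads a plugin, and 192.0.2.44 posts directly but gets a 200, which normally indicates a failed attempt. Correlating a flagged 302 with a plugin upload from the same address in the following seconds is the pattern worth alerting on.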

Although it is unknown how the threat actors are obtaining the credentials, the researcher suggests that they may come from information-stealing malware, phishing, or past brute-force attempts.

WordPress Vulnerabilities, Exploiting LiteSpeed Cache and Email Subscribers Plugins

In recent cybersecurity developments, hackers have been leveraging a critical vulnerability within the LiteSpeed Cache plugin for WordPress to exploit websites running outdated versions. LiteSpeed Cache, a popular caching plugin utilized by over five million WordPress sites, is designed to enhance page load times, improve user experience, and boost search engine rankings. 

However, Automattic's WPScan security team has observed a significant increase in malicious activity targeting WordPress sites running versions of the LiteSpeed Cache plugin older than 5.7.0.1. The vulnerability in question, tracked as CVE-2023-40000, is a high-severity unauthenticated cross-site scripting flaw. 

Attackers are taking advantage of this vulnerability to inject malicious JavaScript code into critical WordPress files or the database of vulnerable websites. By doing so, they are able to create administrator-level user accounts with specific names like 'wpsupp-user' or 'wp-configuser.' Additionally, the presence of certain strings, such as "eval(atob(Strings.fromCharCode," within the database, serves as an indicator of an ongoing compromise. 

Despite efforts by many LiteSpeed Cache users to update to newer, non-vulnerable versions, an alarming number of sites—up to 1,835,000—still operate on outdated releases, leaving them susceptible to exploitation.

In a separate incident, hackers have turned their attention to another WordPress plugin called "Email Subscribers," exploiting a critical SQL injection vulnerability, CVE-2024-2876. 

This vulnerability, affecting plugin versions 5.7.14 and older, allows attackers to execute unauthorized queries on databases, thereby creating new administrator accounts on vulnerable WordPress sites. Although "Email Subscribers" boasts a significantly lower number of active installations compared to LiteSpeed Cache, with approximately 90,000, the observed attacks highlight the opportunistic nature of cybercriminals. 

To address these threats effectively, WordPress site administrators are urged to promptly update plugins to the latest versions, remove unnecessary components, and remain vigilant for signs of suspicious activity, such as the sudden creation of new admin accounts. In the event of a confirmed breach, comprehensive cleanup measures are essential, including the deletion of rogue accounts, password resets for all existing accounts, and the restoration of clean backups for both the database and site files. By staying proactive and implementing robust security practices, website owners can minimize the risk of falling victim to such malicious activities and safeguard their online assets effectively.

Security Flaws Discovered in ChatGPT Plugins

Recent research has surfaced serious security vulnerabilities within ChatGPT plugins, raising concerns about potential data breaches and account takeovers. These flaws could allow attackers to gain control of organisational accounts on third-party platforms and access sensitive user data, including Personal Identifiable Information (PII).

According to Darren Guccione, CEO and co-founder of Keeper Security, the vulnerabilities found in ChatGPT plugins pose a significant risk to organisations as employees often input sensitive data, including intellectual property and financial information, into AI tools. Unauthorised access to such data could have severe consequences for businesses.

In November 2023, ChatGPT introduced a new feature called GPTs, which function similarly to plugins and present similar security risks, further complicating the situation.

In a recent advisory, the Salt Security research team identified three main types of vulnerabilities within ChatGPT plugins. Firstly, vulnerabilities were found in the plugin installation process, potentially allowing attackers to install malicious plugins and intercept user messages containing proprietary information.

Secondly, flaws were discovered within PluginLab, a framework for developing ChatGPT plugins, which could lead to account takeovers on third-party platforms like GitHub.

Lastly, OAuth redirection manipulation vulnerabilities were identified in several plugins, enabling attackers to steal user credentials and execute account takeovers.

Yaniv Balmas, vice president of research at Salt Security, emphasised the growing popularity of generative AI tools like ChatGPT and the corresponding increase in efforts by attackers to exploit these tools to gain access to sensitive data.

Following coordinated disclosure practices, Salt Labs worked with OpenAI and third-party vendors to promptly address these issues and reduce the risk of exploitation.

Sarah Jones, a cyber threat intelligence research analyst at Critical Start, outlined several measures that organisations can take to strengthen their defences against these vulnerabilities. These include:


1. Implementing permission-based installation: 

This involves ensuring that only authorised users can install plugins, reducing the risk of malicious actors installing harmful plugins.

2. Introducing two-factor authentication: 

By requiring users to provide two forms of identification, such as a password and a unique code sent to their phone, organisations can add an extra layer of security to their accounts.

3. Educating users on exercising caution with code and links: 

It's essential to train employees to be cautious when interacting with code and links, as these can often be used as vectors for cyber attacks.

4. Monitoring plugin activity constantly: 

By regularly monitoring plugin activity, organisations can detect any unusual behaviour or unauthorised access attempts promptly.

5. Subscribing to security advisories for updates:

Staying informed about security advisories and updates from ChatGPT and third-party vendors allows organisations to address vulnerabilities and apply patches promptly.

As organisations increasingly rely on AI technologies, it becomes crucial to address and mitigate the associated security risks effectively.


ChatGPT: Security and Privacy Risks

ChatGPT is a large language model (LLM) from OpenAI that can generate text, translate languages, write different kinds of creative content, and answer your questions in an informative way. It is still under development, but it has already been used for a variety of purposes, including creative writing, code generation, and research.

However, ChatGPT also poses some security and privacy risks. These risks are highlighted in the following articles:

  • Custom instructions for ChatGPT: custom instructions can be useful for tasks such as generating code or writing creative content. However, they also mean that users can potentially give ChatGPT instructions that are malicious or harmful.
  • ChatGPT plugins, security and privacy risks: plugins are third-party tools that extend the functionality of ChatGPT. However, some plugins may be malicious and could exploit vulnerabilities in ChatGPT to steal user data or launch attacks.
  • Web security, OAuth: OAuth is an authorization protocol often used to grant access to websites and web applications. It can be used to allow ChatGPT to access sensitive data on a user's behalf. However, if OAuth tokens are not properly managed, they could be stolen and used to access user accounts without permission.
  • OpenAI disables browse feature after releasing it on ChatGPT app: Analytics India Mag discusses OpenAI's decision to disable the browse feature on the ChatGPT app. The browse feature allowed ChatGPT to generate text from websites. However, OpenAI disabled the feature due to security concerns.

Overall, ChatGPT is a powerful tool with a number of potential benefits. However, it is important to be aware of the security and privacy risks associated with using it. Users should carefully consider the instructions they give to ChatGPT and only use trusted plugins. They should also be careful about what websites and web applications they authorize ChatGPT to access.

Here are some additional tips for using ChatGPT safely:

  • Be careful what information you share with ChatGPT. Do not share any sensitive information, such as passwords, credit card numbers, or personal health information.
  • Use strong passwords and enable two-factor authentication on all of your accounts. This will help to protect your accounts from being compromised, even if ChatGPT is compromised.
  • Keep your software up to date. Software updates often include security patches that can help to protect your devices from attack.
  • Be aware of the risks associated with using third-party plugins. Only use plugins from trusted developers and be careful about what permissions you grant them.

While ChatGPT's custom instructions present intriguing potential, they also carry security and privacy risks. To reduce these dangers and ensure the safe and ethical use of this powerful AI tool, users and developers must work together.

Defective WordPress Plugin Permits Full Invasion

According to security researchers, a campaign has scanned almost 1.6 million websites in an attempt to exploit an arbitrary file upload vulnerability in a previously disclosed vulnerable WordPress plugin.

Identified as CVE-2021-24284, the vulnerability affects the Kaswara Modern WPBakery Page Builder Addons plugin. When exploited, it gives an unauthenticated attacker the ability to upload and delete files on sites running any version of the plugin, or to gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider says it has been blocking an average of 443,868 attack attempts per day against customer websites.

Malicious code injection  

The attacker attempts to upload a malicious ZIP payload containing a PHP file through the plugin's 'uploadFontIcon' AJAX function by sending a POST request to 'wp-admin/admin-ajax.php'.

Afterward, this file pulls in the NDSW trojan, which injects code into the target site's legitimate JavaScript files to redirect visitors to dangerous websites, including phishing and malware-dropping sites. If any of your site's JavaScript files contain the string "; if(ndsw==", the site has likely been infected.
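The NDSW marker above and the indicators from the LiteSpeed Cache post earlier on this page (the "eval(atob(Strings.fromCharCode," string in the database and the rogue admin names 'wpsupp-user' and 'wp-configuser') are all simple substring checks, so one scanner serves both. The Python below is an added example rather than Wordfence's or WPScan's tooling: it takes a map of labels (file paths, option names) to text plus a list of user records and reports every hit. The sample contents and users are constructed. The page spells the indicator "Strings.fromCharCode"; the standard JavaScript global is String.fromCharCode, so that spelling is included as an added assumption.

```python
# Indicator strings quoted on this page, plus one assumed spelling variant.
CONTENT_INDICATORS = (
    "; if(ndsw==",                      # NDSW trojan marker inside injected JavaScript
    "eval(atob(Strings.fromCharCode,",  # LiteSpeed Cache campaign indicator, as quoted on the page
    "eval(atob(String.fromCharCode",    # same pattern with the standard JS spelling (assumption)
)

# Administrator account names the LiteSpeed Cache attackers were reported to create.
SUSPICIOUS_ACCOUNT_NAMES = frozenset({"wpsupp-user", "wp-configuser"})


def scan_contents(contents: dict) -> list:
    """Return (label, indicator) pairs for every indicator found in each text blob.
    `contents` maps a label (file path, wp_options name, post id) to its text, so the
    same function covers files on disk and rows exported from the database."""
    hits = []
    for label, text in contents.items():
        for needle in CONTENT_INDICATORS:
            if needle in text:
                hits.append((label, needle))
    return hits


def suspicious_accounts(users: list) -> list:
    """Return the user_login of every account whose name is a known-bad indicator.
    Each user is a dict with at least 'user_login' (as wp_users would provide)."""
    return [u["user_login"] for u in users if u["user_login"] in SUSPICIOUS_ACCOUNT_NAMES]


# Constructed sample data (not taken from any real site).
SAMPLE_CONTENTS = {
    "wp-includes/js/jquery/jquery.min.js": "/*! jQuery */ (function(){})(); ; if(ndsw==undefined){}",
    "wp_options:widget_block": "<script>eval(atob(Strings.fromCharCode,(0x3c,0x73)))</script>",
    "wp-content/themes/twentytwentyfour/js/main.js": "document.addEventListener('DOMContentLoaded', init);",
}
SAMPLE_USERS = [
    {"user_login": "editor", "roles": ["editor"]},
    {"user_login": "wpsupp-user", "roles": ["administrator"]},
    {"user_login": "wp-configuser", "roles": ["subscriber"]},
]

if __name__ == "__main__":
    for label, needle in scan_contents(SAMPLE_CONTENTS):
        print(f"indicator {needle!r} found in {label}")
    print("suspicious accounts:", suspicious_accounts(SAMPLE_USERS))
```

Feed it the site's JavaScript files and a dump of wp_options and wp_posts, and treat any hit as a reason for the full cleanup the LiteSpeed post describes (remove rogue accounts, reset passwords, restore from clean backups) rather than as something to patch in place.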

All versions of the plugin are vulnerable because the bug was never patched by its developers, and the plugin has now been closed. The researchers stated that although 1,599,852 different sites were hit, most of them were not hosting the plugin; they believe that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not using the plugin. Visit Wordfence's blog for additional information on the indicators and on the most common sources of the requests.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

Brizy WordPress Plugin Exploit Chains Permit Full Site Takeovers

According to researchers, flaws in the Brizy Page Builder plugin for WordPress sites may be linked together to allow attackers to totally take over a website. 

Brizy (or Brizy - Page Builder) is used on over 90,000 websites. It's advertised as an easy-to-use website builder for individuals with no technical knowledge. It has over 500 pre-designed blocks, maps and video integration, and drag-and-drop creation capability. 

Before version 2.3.17, it also had a stored cross-site scripting (XSS) vulnerability and an arbitrary file-upload vulnerability, according to researchers. 

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. 

“This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.” 

According to the researchers, the two new flaws may be chained together with the reintroduced access control weakness to enable total site takeover. Any logged-in user, in combination with the stored XSS flaw, would be able to edit any published post and inject malicious JavaScript into it. Meanwhile, a combination with the other flaw may allow any logged-in user to post potentially executable files and achieve remote code execution. 

A Reintroduced Access Control Bug Serves as the Attack's Foundation

The previous access-control problem (now listed as CVE-2021-38345) was fixed in June 2020 but reappeared this year in version 1.0.127. According to Wordfence, it's a high-severity problem caused by a lack of adequate authorisation checks, allowing attackers to edit posts. The plugin used a pair of administrator functions for a wide range of authorization checks, and any user that passed one of these tests was considered to be an administrator.

"Being logged in and visiting any endpoint in the wp-admin directory was sufficient to pass this check," as per the researchers. 

As a result, all logged-in users, such as newsletter subscribers, were able to alter any post or page made or updated with the Brizy editor, even if it had already been published. 

According to Wordfence’s analysis, “While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.” 

The first follow-on bug (CVE-2021-38344) is a medium-severity stored XSS flaw that allows intruders to insert malicious scripts into web pages. Because it is a stored XSS issue rather than a reflected one, victims are only required to visit the affected page to be attacked. 

The flaw allows a less-privileged user (such as a contributor or subscriber) to attach JavaScript to an update request, which is subsequently executed if the post is read or previewed by another user, such as an administrator. It becomes hazardous, however, when paired with the authorisation bypass, according to the researchers. 

The second new vulnerability is a high-severity arbitrary file-upload flaw (CVE-2021-38346) that lets authenticated users upload files to a website. According to Wordfence researchers, the authorization-check vulnerability allows subscriber-level users to elevate their privileges and then upload executable files to a location of their choice via the brizy_create_block_screenshot AJAX action. The analysis notes that other kinds of attack are possible as well.

“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” researchers explained. 

“For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.” 

Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added. 
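As an added example (not Wordfence's or Brizy's code), here is a defender-side filename validator in Python that applies the lessons of the quoted analysis: it rejects path separators and traversal sequences such as `../`, rejects any name with more than one extension so `shell.php.jpg` never reaches disk, refuses interpreter extensions outright, and allow-lists only image extensions. The extension sets and the base-name pattern are my assumptions, not values from the advisory.

```python
import re

# Extensions an image-upload endpoint should accept (assumed allow-list).
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "webp"})

# Extensions a web server may hand to an interpreter (assumed deny-list). Together
# with the single-extension rule below this is what defeats "shell.php.jpg" on hosts
# whose AddHandler/SetHandler directive is not anchored to the end of the filename.
INTERPRETER_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar",
    "cgi", "pl", "py", "sh", "htaccess",
})

# Base name: letters, digits, underscore and hyphen only, bounded length.
BASENAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_upload_name(name: str):
    """Return (accepted, normalized_name) on success or (False, reason) on rejection.

    The caller should still store the file under a server-generated name and serve
    it from a directory where script execution is disabled; this check only keeps
    obviously dangerous names from ever being written."""
    if "\x00" in name:
        return False, "null byte in name"
    if "/" in name or "\\" in name or ".." in name:
        return False, "path separator or traversal sequence"
    parts = name.split(".")
    if len(parts) != 2:
        return False, "exactly one extension required (double extensions rejected)"
    base, ext = parts[0], parts[1].lower()
    if ext in INTERPRETER_EXTENSIONS:
        return False, f"extension .{ext} may be executed by the server"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not in the allow-list"
    if not BASENAME_RE.fullmatch(base):
        return False, "base name contains disallowed characters or is too long"
    return True, f"{base}.{ext}"


if __name__ == "__main__":
    # Constructed inputs covering the cases discussed in the advisory.
    for candidate in ["photo.JPG", "shell.php", "shell.php.jpg", "../../shell.jpg", "avatar_01.png"]:
        print(f"{candidate!r:>22} -> {validate_upload_name(candidate)}")
```

Rejecting multi-dot names is deliberately stricter than checking only the final extension; it costs a few legitimate names like `photo.final.jpg` but removes the whole class of double-extension confusion. On the server side the complementary fix is to anchor the PHP handler, for example with a `<FilesMatch "\.php$">` block rather than an unanchored `AddHandler` directive, so that a name ending in `.jpg` is never executed even if a validator elsewhere is bypassed.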

Users can protect themselves by switching to the most recent version of the plugin, 2.3.17.