Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Zero- day vulnerability. Show all posts

WordPress Security: 1 Million WordPress Sites Hacked via Zero-Day Plug-in Bugs


A campaign that utilizes several WordPress plug-ins and theme vulnerabilities to inject malicious code into websites, including a sizable number of zero-days, has infected at least 1 million WordPress-sponsored websites. 

According to a study conducted by Sucuri, the campaign, which it named "Balada Injector," is prolific and Methuselah-like in its endurance, infecting victim sites with malware at least since 2017. After being injected into the page, the malicious code leads users to a variety of scam websites, such as those offering fake tech support, bogus lottery wins, and push notifications requesting Captcha solutions. 

However, behind the scenes, injected scripts look for numerous files, including access logs, error logs, debug information files, database management tools, administrator credentials, and more, that might include any sensitive or potentially helpful information. In addition, backdoors are loaded into the websites for enduring access and, occasionally, site takeover. 

While the 1 million statistic represents the total number of sites that have been infected over the past five years, researchers only recently linked all the activities into a single operation. The campaign is still going strong and does not appear to be slowing down. 

A Focus on WordPress Plug-in & Theme Vulnerabilities 

Sucuri researchers were able to link all of the observed activity to the Balada Injector campaign since it has a few easily distinguishable attributes. These include using a rotating roster of domain names where malicious scripts are placed on haphazard subdomains, uploading and leaving numerous backdoors all across the hacked environment, and spammy redirects. 

Moreover, the developers of Balada Injector also exploit security flaws in WordPress plug-ins and themes, which is likely most noteworthy. These modular WordPress add-ons enable site administrators to integrate a variety of features, such as polling support, message board assistance, or click-to-call integration for e-commerce businesses. 

"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible[…]This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes disclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures," Sucuri analysis explains. 

Sucuri has been tracking new waves of activity happening every couple of weeks, with lulls in between that are "probably utilised for gathering and testing newly reported and zero-day vulnerabilities." 

Moreover, older vulnerabilities are also included in the mix, with some still in use by the campaign for months or years after being patched. 

Targeting the WordPress Ecosystem 

Given how the WordPress ecosystem is extremely buggy, it has become a popular target for cybercriminals among any other stripes. 

"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today[…]The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs," says Casey Ellis, founder, and CTO at the Bugcrowd bug bounty platform. 

Protecting Against WordPress Plug-in Insecurity 

To safeguard oneself against Balada Injector and other WordPress threats, companies must first ensure that all of their website software is updated, delete unused plug-ins and themes, and implement a Web application firewall to protect against Balada Injector and other WordPress threats. 

According to Mike Parkin, senior technical engineer at Vulcan Cyber, the ease with which plug-ins can be added to WordPress from authorized download stores (much like the ecosystem for mobile apps) adds to the security issue. As a result, education for the Web team regarding the risks of installing unapproved modules is also necessary. 

"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says. 

Even large organizations are not resistant to WordPress Security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team[…]Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work," he adds.  

PrestaShop Sites Hit by Severe Security Flaw

 


Hackers are using a blend of known and undiscovered security flaws to insert malicious software into e-commerce websites running the PrestaShop platform, according to an urgent advisory from PrestaShop. There are currently 300,000 stores using PrestaShop, which is available in 60 different languages.

Operation objective:

Hackers exploit businesses that are utilizing out-of-date software or modules, susceptible third-party modules, or a vulnerability that has not yet been identified. The store must be vulnerable to SQL injection attacks for the attack to succeed. PrestaShop versions 1.6.0.10 and later and versions 1.7.8.2 and after running modules susceptible to SQL injection are also affected by the vulnerability.

The repeating method is stated in the PrestaShop security bulletin as follows:
  • A POST request is made by the hacker to a vulnerability endpoint to SQL injection.
  • The hacker sends a GET request to the homepage without any parameters after around a second.
  • This triggers the creation of a PHP file with the name blm.php at the root of the shop's directory.
  • The attacker now sends a GET request to the newly constructed file, blm.php, enabling them to carry out any command.
The hackers likely exploited this web shell to insert a scam payment form on the store's checkout page and steal payment card information from customers. To keep the site owner from learning that they had been compromised, the remote threat actors erased their trails after the attack.

Security measures 

Ensure that the site is updated to the most recent version, as well as all of its modules. Compromise site managers may discover entries in the web server's access logs for clues that they were compromised if the hackers weren't careful with the cleanup of evidence.

The addition of malicious software to files through file modifications and the activation of the MySQL Smarty cache storage, which is a component of the attack chain, are additional indications of compromise.

Because of the exploit's intricacy, there are various techniques to use it, and hackers might also try to cover their traces. To ensure that no file has been edited or malicious software has been installed, think about hiring a professional to conduct a thorough audit of the website.



Malicious Actor Claims Targeting IBM & Stanford University

 

Jenkins was mentioned as one of the TTPs employed by spyware in a report on a British cybercrime forum found by CloudSEK's contextual AI digital risk platform XVigil. To boost ad clickthroughs, this module features stealth desktop takeover capabilities. Based on unofficial talks, CloudSEK experts anticipate that this harmful effort will increase attempts to infect bots. 

Evaluation of threats 

A malicious actor detailed how they hacked into a major organization by taking advantage of a flaw in the Jenkins dashboard in a post on a cybercrime site on May 7, 2022. 

Previously, the same threat actor was observed giving access to IBM. In addition, the actor provided evidence of a sample screenshot showing their alleged connection to a Jenkins dashboard. 

The malicious actors came upon a Jenkins dashboard bypass that had internal hosts, scripts, database logins, and credentials. They exploited the company's public asset port 9443 by using search engines like Shodan as per researchers. 

After receiving data, the actor employed a custom debugging script to find vulnerable targets for bypassing rproxy misconfiguration. 

Origin of the threat actor

The hacker claimed they previously targeted IBM Tech Company as well, in particular internal administrators' scripts and firewall configurations for internal networks, in other posts by the same person on the cybercrime site.

The actor also stated the following exploit narrative as to how to get into Stanford University in their future posts: 
  • The actor counted all the subdomains connected to the University using the Sudomy tool. 
  • The actor then applied a path, such as -path /wp-content/plugins/, to the domains using httpx. 
  • An attacker can execute RCE on the plugin by returning data from all of the subdomains that have a valid path with the susceptible zero-day vulnerability. 

According to CloudSEK, which reported the threats, other entities could execute similar exploits using the threat actor's TTP. "Modules like these can facilitate complex ransomware assaults and persistence," the security experts said while adding that threat actors "could migrate laterally, infecting the network, to retain persistence and steal credentials." 

Actors may utilize revealed credentials to access the user's other accounts because password reuse is standard practice. For reference, the malicious actors also took credit for hacking Stanford University and Jozef Safarik University in Slovakia. 

According to reports from XVigil, official access to the domains was reportedly found in several nations, including Ukraine, Pakistan, United Arab Emirates, and Nepal. 

Google: 5-year-old Apple Flaw Exploited

 

Google Project Zero researchers have revealed insights into a vulnerability in Apple Safari that has been extensively exploited in the wild. The vulnerability, known as CVE-2022-22620, was first patched in 2013, but experts identified a technique to overcome it in 2016. 

Apple has updated a zero-day vulnerability in the WebKit that affects iOS, iPadOS, macOS, and Safari and could have been extensively exploited in the wild, according to CVE org. 

In February, Apple patched the zero-day vulnerability; it's a use-after-free flaw that may be accessed by processing maliciously generated web content, spoofing credentials, and resulting in arbitrary code execution ."When the issue was first discovered in 2013, the version was patched entirely," Google Project Zero's Maddie Stone stated. "Three years later, amid substantial restructuring efforts, the variant was reintroduced. The vulnerability remained active for another five years before being addressed as an in-the-wild zero-day in January 2022." 

While the flaws in the History of API bug from 2013 and 2022 are fundamentally the same, the routes to triggering the vulnerability are different. The zero-day issue was then reborn as a "zombie" by further code updates made years later. 

An anonymous researcher discovered the flaw, and the corporation fixed it with better memory management. Maddie Stone examined the software's evolution over time, beginning with the code of Apple's fix and the security bulletin's description of the vulnerability, which stated that the flaw is a use-after-free flaw. 

“As an offensive security research team, we can make assumptions about the main issues that current software development teams face: Legacy code, short reviewer turn-around expectations, under-appreciation and under-rewarding of refactoring and security efforts, and a lack of memory safety mitigations” the report stated. 

"In October, 40 files were modified, with 900 additions and 1225 removals. The December commit modified 95 files, resulting in 1336 additions and 1325 removals," Stone highlighted. 

Stone further underlined the need of spending appropriate time to audit code and patches to minimize instances of duplication of fixes and to understand the security implications of the modifications being made, citing that the incident is not unique to Safari.

Apple’s Big Sur 11.4 Patches a Security Flaw that Could be Exploited to Take Screenshots

 

Big Sur 11.4 was updated this week to fix a zero-day vulnerability that allowed users to capture screenshots, capture video, and access files on another Mac without being noticed. The flaw lets users go around Apple's Transparency Consent and Control (TCC) architecture, which manages app permissions. 

According to Jamf's blog, the issue was identified when the XCSSET spyware "used this bypass especially for the purpose of taking screenshots of the user's desktop without requiring additional permissions." By effectively hijacking permissions granted to other programmes, the malware was able to get around the TCC. 

Researchers identified this activity while analyzing XCSSET "after detecting a considerable spike of identified variations observed in the wild". In its inclusion in the CVE database, Apple has yet to offer specific details regarding the issue. “The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent–which is the default behaviour,” researchers said. 

Last August, Trend Micro researchers identified the XCSSET malware after they detected fraudsters introducing malware into Xcode developer projects, causing infestations to spread. They recognized the virus as part of a package known as XCSSET, which can hijack the Safari web browser and inject JavaScript payloads that can steal passwords, bank data, and personal information, as well as execute ransomware and other dangerous functionalities. 

At the time, Trend Micro researchers discovered that XCSSET was exploiting two zero-day flaws: one in Data Vault, which allowed it to bypass macOS' System Integrity Protection (SIP) feature, and another in Safari for WebKit Development, which permitted universal cross-site scripting (UXSS). 

According to Jamf, a third zero-day issue can now be added to the list of flaws that XCSSET can attack. Jamf detailed how the malware exploits the issue to circumvent the TCC.

Avast Security Evangelist Luis Corrons recommends not waiting to update your Mac. “All users are urged to update to the latest version of Big Sur,” he said. “Mac users are accustomed to receiving prompts when an app needs certain permissions to perform its duties, but attackers are bypassing that protection completely by actively exploiting this vulnerability.”

Microsoft Fixes LPE Vulnerability Impacting Windows 7 and Server 2008

 

Microsoft quietly patched a local privilege escalation (LPE) flaw that affects both Windows 7 and Server 2008 R2 computers. This LPE flaw (which has yet to be assigned a CVE ID) is caused by a misconfiguration of two service registry keys, and it enables local attackers to escalate privileges on fully patched devices. 

On Windows 7 and Windows Server 2008R2, security researcher Clément Labro discovered that insecure permissions on the registry keys of the RpcEptMapper and DnsCache services enable attackers to trick the RPC Endpoint Mapper service into loading malicious DLLs. Attackers can execute arbitrary code in the sense of the Windows Management Instrumentation (WMI) service, which runs with LOCAL SYSTEM permissions, by leveraging this flaw. 

“In short, a local non-admin user on the computer just creates a Performance subkey in one of the above keys, populates it with some values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading attacker's DLL and executing code from it,” 0patch co-founder Mitja Kolsek explained when the flaw was first announced as a zero-day in November. 

Labro said he discovered the zero-day after releasing an update to PrivescCheck, a method for checking basic Windows protection misconfigurations that can be used by malware for privilege escalation. Labro said he didn't realize the latest tests were highlighting an unpatched privilege escalation process until he started looking at a series of warnings that appeared days after the update on older systems like Windows 7. 

Both Windows 7 and Windows Server 2008 R2 had passed their end-of-life (EOL) deadlines, and Microsoft had stopped offering free software patches for them. While the company's ESU (Extended Support Updates) paid support service included some security updates for Windows 7 users, no patch for this problem was announced at the time. 

Although Microsoft quietly solved the RpcEptMapper registry key vulnerability (as discovered by 0patch) in the April 2021 Windows Updates (ESU) release by modifying permissions for groups Authenticated Users and Users to no longer require 'Create Subkey,' the organization has yet to resolve the DnsCache vulnerability. Since February, an open-source exploit tool for the Windows 7 / 2008R2 RpcEptMapper registry key vulnerability has been available. 

However, "at this point, if you are still using Windows 7 / Server 2008 R2 without isolating these machines properly in the network first, then preventing an attacker from getting SYSTEM privileges is probably the least of your worries," as Labro said.

Apple Patches-Up Three Actively Exploited And Identified Zero-Day Vulnerabilities In its iPhone, iPod and iPad Devices

 

This month Apple released iOS 14.2 and iPad 14.2, which patched up a sum total of 24 vulnerabilities in different parts of the OSes, including sound, crash reporter, kernel, and foundation. 

The multinational technology has fixed up three identified zero-day vulnerabilities in its iPhone, iPod, and iPad devices possibly associated with a spate of related flaws very recently found by the Google Project Zero team that additionally had an impact over Google Chrome and Windows. 

Ben Hawkes from Google Project Zero who was able to identify the zero-day vulnerabilities as "CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel advantage escalation)," he said in a tweet. 

Apple likewise offered credit to Project Zero for recognizing these particular defects in its security update and gave a little more detail on each.

CVE-2020-27930 is 'a memory corruption flaw' in the FontParser on iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and iPad mini 4 and later, as indicated by Apple. 

The vulnerabilities take into account an attacker to process a “maliciously crafted font” that can prompt arbitrary code execution.

Apple described CVE-2020-27950 as a memory initialization issue in the iOS kernel that influences iPhone 6s and later, iPod tough 7th generation, iPad Air 2 and later, and iPad smaller than usual 4 and later. 

The defect would permit a pernicious application to reveal kernel memory, according to the company. The Apple update comes along with the time of updates by Google over the last two weeks to fix various zero days in Google Chrome for both the desktop and Android versions of the browser. 

Shane Huntley from Google's Threat Analysis Group claims that the recently fixed Apple zero-day flaws are identified with three Google Chrome zero-days and one Windows zero-day likewise uncovered over the last two weeks, possibly as a component of a similar exploit chain.

“Targeted exploitation in the wild similar to the other recently reported 0days,” he tweeted, adding that the attacks are “not related to any election targeting.” 

It is however critical to take into notice that both Apple and Google have had an infamous past with regards to vulnerability revelation. 

The two tech monsters famously butted heads a year ago over two zero-day bugs in the iPhone iOS after Google Project Zero analysts guaranteed that they had been exploited for quite a long time.