Multiple Critical Vulnerabilities Fixed In LearnPress Plugin Version <= 4.1.7.3.2

If you’re a LearnPress user, please update the plugin to at least version 4.2.0.

The LearnPress plugin (versions 4.1.7.3.2 and below), which has over 100,000 active installations, is a comprehensive LMS plugin for WordPress. It is one of the most popular WordPress LMS plugins and is used to create and sell courses online: a course curriculum with lessons and quizzes can be built and managed through an easy-to-use interface.

This plugin suffers from multiple critical vulnerabilities. They allow any unauthenticated user to inject a SQL query into the database and to perform local file inclusion. We also found another SQL injection that requires a user with at least the “Contributor” role to be exploited. The described vulnerabilities were fixed in version 4.2.0.

The security vulnerability in LearnPress
Unauthenticated Local File Inclusion (CVE-2022-47615)

The vulnerable code responsible for this vulnerability is located in inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php, in the function list_courses. This function handles API requests to lp/v1/courses/archive-course.

Source and more details:

75k WordPress sites impacted by critical online course plugin flaws

The WordPress online course plugin ‘LearnPress’ was vulnerable to multiple critical-severity flaws, including pre-auth SQL injection and local file inclusion.

LearnPress is a learning management system (LMS) plugin that allows WordPress websites to easily create and sell online courses, lessons, and quizzes, providing visitors with a friendly interface while requiring no coding knowledge from the website developer.

The vulnerabilities in the plugin, used in over 100,000 active sites, were discovered by PatchStack between November 30 and December 2, 2022, and reported to the software vendor.

The issues were fixed on December 20, 2022, with the release of LearnPress version 4.2.0. However, according to WordPress.org stats, only about 25% of sites have applied the update.

Vulnerability details

The first vulnerability discovered by PatchStack is CVE-2022-47615, an unauthenticated local file inclusion (LFI) flaw that allows attackers to display the contents of local files stored on the web server.

This could expose credentials, authorization tokens, and API keys, leading to further compromise.

The vulnerability is found in a piece of code that handles API requests for the website, located in the “list_courses” function, which does not validate certain variables ($template_pagination_path, $template_path, and $template_path_item) properly.

An attacker could potentially exploit CVE-2022-47615 by sending a specially crafted API request and using malicious values for the three variables.

The second critical flaw is CVE-2022-45808, an unauthenticated SQL injection potentially leading to sensitive information disclosure, data modification, and arbitrary code execution.

This vulnerability lies in a function that handles SQL queries for the website, which does not correctly sanitize and validate the “$filter” variable in the query parameters, allowing an attacker to insert malicious code in it.

SQL injection example (image: PatchStack)

The third flaw impacting older LearnPress versions is CVE-2022-45820, an authenticated SQL injection flaw in two shortcodes of the plugin (“learn_press_recent_courses” and “learn_press_featured_courses”) failing to properly validate and sanitize the input of the “$args” variable.

PatchStack provided a proof-of-concept exploit showing how a ‘Contributor’ user could trigger the SQL injection using a specially crafted shortcode on a draft post.

Exploiting this vulnerability requires a user with the ability to edit or create a blog post, which limits the risk of the flaw.

The vendor fixed the above issues by introducing an allowlist and sanitization of the vulnerable variables or removing the ability to include templates in user input.
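The allowlist-and-prepare pattern behind that fix, and the two input classes the list_courses description above names (request-supplied template paths and a raw SQL filter), as an added example that is not LearnPress's own code: a weak REST handler next to a hardened version of the same handler. The function names, request parameter names, route and templates/ directory are assumptions for illustration; the WordPress APIs used ($wpdb->prepare, $wpdb->esc_like, sanitize_key, absint, wp_normalize_path, plugin_dir_path) are real.

```php
<?php
// Illustrative hardening pattern (added example, not LearnPress code).
// Assumes a WP_REST_Request handler that takes a template selector and
// course filter fields, the two input classes the advisory describes.

// Weak pattern: a request-supplied path goes straight into include(), and a
// request-supplied SQL fragment is concatenated into the query.
function lp_example_list_courses_weak( WP_REST_Request $request ) {
    global $wpdb;
    $template_path = $request->get_param( 'template_path' ); // attacker-controlled
    $filter        = $request->get_param( 'filter' );        // attacker-controlled

    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = 'lp_course' " . $filter;
    $rows = $wpdb->get_results( $sql );                      // SQL injection sink

    ob_start();
    include $template_path;                                  // local file inclusion sink
    return new WP_REST_Response( array( 'rows' => $rows, 'html' => ob_get_clean() ) );
}

// Hardened pattern: map a short key to a fixed template file, resolve it under
// the plugin's own template directory, and bind every filter value.
const LP_EXAMPLE_TEMPLATE_ALLOWLIST = array(           // hypothetical template keys
    'list'       => 'loop/course-list.php',
    'grid'       => 'loop/course-grid.php',
    'pagination' => 'loop/pagination.php',
);

const LP_EXAMPLE_ORDERBY_ALLOWLIST = array( 'post_date', 'post_title', 'menu_order' );

function lp_example_resolve_template( $name ) {
    if ( ! is_string( $name ) || ! array_key_exists( $name, LP_EXAMPLE_TEMPLATE_ALLOWLIST ) ) {
        return null; // unknown key: user input never reaches the filesystem
    }
    $base = wp_normalize_path( plugin_dir_path( __FILE__ ) . 'templates/' );
    $file = realpath( $base . LP_EXAMPLE_TEMPLATE_ALLOWLIST[ $name ] );
    // realpath() collapses ../ and symlinks; the result must still sit under $base.
    if ( false === $file || 0 !== strpos( wp_normalize_path( $file ), $base ) ) {
        return null;
    }
    return $file;
}

function lp_example_list_courses_hardened( WP_REST_Request $request ) {
    global $wpdb;

    $template = lp_example_resolve_template( $request->get_param( 'template' ) );
    if ( null === $template ) {
        return new WP_Error( 'lp_bad_template', 'Unknown template', array( 'status' => 400 ) );
    }

    // Structured filter fields replace the raw SQL fragment. Identifiers
    // (ORDER BY column) come only from the allowlist; values are bound.
    $orderby = sanitize_key( (string) $request->get_param( 'orderby' ) );
    if ( ! in_array( $orderby, LP_EXAMPLE_ORDERBY_ALLOWLIST, true ) ) {
        $orderby = 'post_date';
    }
    $term  = '%' . $wpdb->esc_like( sanitize_text_field( (string) $request->get_param( 's' ) ) ) . '%';
    $limit = min( 100, max( 1, absint( $request->get_param( 'per_page' ) ) ) );

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'lp_course' AND post_status = 'publish' AND post_title LIKE %s
         ORDER BY {$orderby} DESC LIMIT %d",
        $term,
        $limit
    );
    $rows = $wpdb->get_results( $sql );

    ob_start();
    include $template;
    return new WP_REST_Response( array( 'rows' => $rows, 'html' => ob_get_clean() ) );
}

// The archive endpoint is public, so nothing in the request can be trusted.
add_action( 'rest_api_init', function () {
    register_rest_route( 'lp-example/v1', '/courses', array(   // hypothetical route
        'methods'             => 'GET',
        'callback'            => 'lp_example_list_courses_hardened',
        'permission_callback' => '__return_true',
    ) );
} );
```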

Website owners relying on LearnPress are advised to either upgrade to version 4.2.0 or disable the plugin until they can apply the available security update.

Source: https://www.bleepingcomputer.com/news/security/75k-wordpress-sites-impacted-by-critical-online-course-plugin-flaws/

Data Breaches That Have Happened in 2022 and 2023 So Far

Apple, Meta, and Twitter have all disclosed cybersecurity attacks over the past 12 months.

Data breaches have been on the rise for a number of years, and sadly, this trend isn’t slowing down. The last year or so has been littered with thefts of sensitive information. Data breaches have affected companies and organizations of all shapes, sizes, and sectors, and they’re costing US businesses millions in damages.

The widely covered T-Mobile data breach that occurred last year, for instance, cost the company $350 million in 2022 – and that’s just in customer payouts. This puts more onus than ever on businesses to secure their networks, ensure staff have strong passwords, and train employees to spot the telltale signs of phishing campaigns.

Below, we’ve compiled a list of significant, recent data breaches (and a couple of important data leaks) that have taken place since January 1, 2022, dated to the day they were first reported in the media.

January 2023
January 30
JD Sports Data Breach: As many as 10 million people may have had their personal information accessed by hackers after a data breach occurred at fashion retailer JD Sports, which owns JD, Size?, Millets, Blacks, and Scotts. JD Sports CFO Neil Greenhalgh told the Guardian that the company is advising customers “to be vigilant about potential scam emails, calls and texts” while also “providing details on how to report these.”

January 20
T-Mobile Data Breach: T-Mobile has suffered another data breach, this time affecting around 37 million postpaid and prepaid customers who’ve all had their data accessed by hackers. The company claims that while it only discovered the issue on January 5th of this year, the intruders are thought to have been exfiltrating data from the company’s systems since late November 2022.

As discussed in the introduction to this article, this is not the first time that T-Mobile has fallen victim to a high-profile cyber attack impacting millions of customers. In the aftermath of last year’s attack, during which 76 million customers had their data compromised, the company pledged it would spend $150 million to upgrade its data security – but the recent attack raises serious questions over whether this has been well spent.

January 18
MailChimp Breach: Another data breach for MailChimp, just six months after its previous one. MailChimp claims that a threat actor was able to gain access to its systems through a social engineering attack, and was then able to access data attached to 133 MailChimp accounts. It’s a bad sign for the company, as the attack method is startlingly similar to last year’s breach, casting serious doubts on its security protocols.

PayPal Data Breach: A letter sent to PayPal customers on January 18, 2023, says that on December 20, 2022, “unauthorized parties” were able to access PayPal customer accounts using stolen login credentials.

PayPal goes on to say that the company has “no information” regarding the misuse of this personal information or “any unauthorized transactions” on customer accounts and that there isn’t any evidence that the customer credentials were stolen from PayPal’s systems.

January 6
Chick-fil-A Data Breach: Fast food chain Chick-fil-A is investigating “suspicious activity” linked to a select number of customer accounts. The company has published information on what customers should do if they notice suspicious activity on their accounts, and advised such customers to remove any stored payment methods on the account.

January 4

Twitter Data Breach: Twitter users’ data was continuously bought and sold on the dark web during 2022, and it seems 2023 is going to be no different. According to recent reports, a bank of email addresses belonging to around 200 million Twitter users is being sold on the dark web right now for as little as $2. Even though the flaw that led to this leak was fixed in January 2022, the data is still being leaked by various threat actors.

December 2022
December 31
Slack Security Incident: Business communications platform Slack released a statement just before the new year regarding “suspicious activity” taking place on the company’s GitHub account.

“Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27,” the company said. However, Slack confirmed that “no downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase”.

December 15
SevenRooms Data Breach: Threat actors on a hacking forum posted details of over 400GB of sensitive data stolen from the CRM platform’s servers. The information included files from big restaurant clients, promo codes, payment reports, and API keys. However, it seems that the servers that were breached did not store any customer payment details.

December 1
LastPass Data Breach: Password manager LastPass has told some customers that their information was accessed during a recent security breach. According to LastPass, however, no passwords were accessed by the intruder. This is not the first time LastPass has fallen victim to a breach of their systems this year – someone broke into their development environment in August, but again, no passwords were accessed.

November 2022
November 11
AirAsia Data Breach: AirAsia Group has, according to reports, suffered a ransomware attack orchestrated by “Daixin Team”. The threat group told DataBreaches.net that they obtained “the personal data of 5 million unique passengers and all employees.” This included name, date of birth, country of birth, location, and their “secret question” answer.

November 1
Dropbox Data Breach: Dropbox has fallen victim to a phishing attack, with 130 GitHub repositories copied and API credentials stolen after credentials were unwittingly handed over to the threat actor via a fake CircleCI login page.

However, Dropbox confirmed in a statement relating to the attack that “no one’s content, passwords or payment information was accessed” and that the issue was “quickly resolved”. Dropbox also said that they were in the process of adopting the “more phishing-resistant form” of multi-factor authentication technique, called “WebAuthn”.

October 2022
October 26
Medibank Data Breach: Medibank Private Ltd, currently the largest health insurance provider in Australia, said today that data pertaining to almost all of its customer base (nearly 4 million Australians) had been accessed by an unauthorized party. The attack caused Medibank’s stock price to slide 14%, the biggest one-day dip since the company was listed.

October 18
Vinomofo Data Breach: Australian wine dealer Vinomofo has confirmed it has suffered a cyber attack. Names, dates of birth, addresses, email addresses, phone numbers, and genders of the company’s almost 500,000 customers may have been exposed – although it is currently unclear how many have been affected.

October 17
MyDeal Data Breach: 2.2 million customers of Woolworths subsidiary MyDeal, an Australian retail marketplace, have been impacted by a data breach. According to reports, the company’s CRM system was compromised, with names, email addresses, telephone numbers, delivery addresses, and some dates of birth exposed during the breach.

October 15
Shein Data Breach: Fashion brand Shein’s parent company Zoetop has been fined $1.9 million for its handling of a data breach back in 2018, one which exposed the personal information of over 39 million customers that had made accounts with the clothing brand.

The New York Attorney General’s Office says Zoetop lied about the size of the breach, as the company initially said only 6.42 million accounts had been affected and didn’t confirm credit card information had been stolen when it in fact had.

October 11
Toyota Data Breach: In a message posted on the company’s website, the car manufacturer stated that almost 300,000 customers who had used its T-Connect telematics service had had their email addresses and customer control numbers compromised. The company assured customers that there was no danger of financial data such as credit card information, nor names or telephone numbers, having been breached.

In its statement, Toyota acknowledged that the T-Connect database had been compromised since July 2017, and that customers should be vigilant for phishing emails.

October 10
Singtel Data Breach: Singtel, the parent company of Optus, revealed that “the personal data of 129,000 customers and 23 businesses” was illegally obtained in a cyber-attack that happened two years ago. Data exposed includes “National Registration Identity Card information, name, date of birth, mobile numbers, and addresses” of breach victims.

October 7
Possible Facebook Accounts Data Breach: Meta said that it has identified more than 400 malicious apps on Android and iOS app stores that target online users with the goal of stealing their Facebook login credentials. “These apps were listed on the Google Play Store and Apple’s App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them,” the tech giant said.

October 3
LAUSD Data Breach: Russian-speaking hacking group Vice Society has leaked 500GB of information from The Los Angeles Unified School District (LAUSD) after the US’s second-largest school district failed to pay an unspecified ransom by October 4th. The ransomware attack itself first made the headlines in early September when the attack disrupted email servers and computer systems under the district’s control.

September 2022
September 23
Optus Data Breach: Australian telecoms company Optus – which has 9.7 million subscribers – has suffered a “massive” data breach. According to reports, names, dates of birth, phone numbers, and email addresses may have been exposed, while a group of customers may have also had their physical addresses and documents like driving licenses and passport numbers accessed.

The attackers are thought to be a state-sponsored hacking group or some sort of criminal organization and breached the company’s firewall to get to the sensitive information. Australia’s Information Commissioner has been notified.

The Australian government has said Optus should pay for new passports for those who entrusted Optus with their data, and Prime Minister Antony Albanese has already suggested it may lead to “better national laws, after a decade of inaction, to manage the immense amount of data collected by companies about Australians – and clear consequences for when they do not manage it well.”

September 20
American Airlines Data Breach: The personal data of a “very small number” of American Airlines customers has been accessed by hackers after they broke into employee email accounts, the airline has said. Information accessed could have included customers’ date of birth, driver’s license, passport numbers, and even medical information, they added.

September 19
Kiwi Farms Data Breach: Notorious trolling and doxing website Kiwi Farms – known for its vicious harassment campaigns that target trans people and non-binary people – has been hacked. According to site owner Josh Moon, whose administrator account was accessed, all users should “assume your password for the Kiwi Farms has been stolen”, “assume your email has been leaked”, as well as “any IP you’ve used on your Kiwi Farms account in the last month”.

Revolut Data Breach: Revolut has suffered a cyberattack that facilitated an unauthorized third party accessing personal information pertaining to tens of thousands of the app’s clients. 50,150 customers have reportedly been impacted. The State Data Protection Inspectorate in Lithuania, where Revolut holds a banking license, said that email addresses, full names, postal addresses, phone numbers, limited payment card data, and account data were likely exposed.

September 18
Rockstar Data Breach: Games company Rockstar, the developer responsible for the Grand Theft Auto series, was victim of a hack which saw footage of its unreleased Grand Theft Auto VI game leaked by the hacker. In addition, the hacker also claims to have the game’s source code, and is purportedly trying to sell it. The breach is thought to have been caused through social engineering, with the hacker gaining access to an employee’s Slack account. The hacker also claims to be responsible for the Uber attack earlier in the month.

In a statement, Rockstar said: “We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.”

September 15
Uber Data Breach: Uber’s computer network has been breached, with several engineering and comms systems taken offline as the company investigates how the hack took place. Dubbed a “total compromise” by one researcher, email, cloud storage, and code repositories have already been sent to security firms and The New York Times by the perpetrator.

Uber employees found out their systems had been breached after the hacker broke into a staff member’s Slack account and sent out messages confirming they’d successfully compromised the network.

September 14
Fishpig Data Breach: Ecommerce software developer Fishpig, whose software over 200,000 websites currently use, has informed customers that a distribution server breach has allowed threat actors to backdoor a number of customer systems. “We are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system,” lead developer Ben Tideswell said of the incident.

September 7
North Face Data Breach: Roughly 200,000 North Face accounts have been compromised in a credential stuffing attack on the company’s website. These accounts included full names, purchase histories, billing addresses, shipping addresses, phone numbers, account holders’ genders, and XPLR Pass reward records. No credit card information is stored on site. All account passwords have been reset, and account holders have been advised to change their passwords on other sites where they have used the same password credentials.

September 6
IHG/Holiday Inn Data Breach: IHG released a statement saying they became aware of “unauthorized access” to its systems. The company is assessing the “nature, extent and impact of the incident”, with the full extent of the breach yet to be made clear.

September 3
TikTok Data Breach Rumour: Rumours started circulating that TikTok had been breached after a Twitter user claimed to have stolen the social media site’s internal backend source code. However, after inspecting the code, a number of security experts have dubbed the evidence “inconclusive”, including haveibeenpwned.com’s Troy Hunt. Users commenting on YCombinator’s Hacker News, on the other hand, suggested the data is from some sort of ecommerce application that integrates with TikTok.

Responding to a request for comment from Bloomberg UK, a spokesperson for TikTok said that the company’s “security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.”

September 2
Samsung Data Breach: Samsung announced that they’d fallen victim to a “cybersecurity incident” when an unauthorized party gained access to their systems in July. In August, they learned some personal information was impacted, including names, contact information, demographics, birth dates as well as product registration information. Samsung is contacting everyone whose data was compromised during the breach via email.

August 2022
August 29
Nelnet Servicing Data Breach: Personal information pertaining to 2.5 million people who took out student loans with the Oklahoma Student Loan Authority (OSLA) and/or EdFinancial has been exposed after threat actors breached Nelnet Servicing’s systems. The systems were compromised in June, and the unauthorized party remained on the network until late July.

August 27
Facebook/Cambridge Analytica Data Breach Settlement: Meta agreed on this date to settle a lawsuit that alleged Facebook illegally shared data pertaining to its users with the UK analysis firm Cambridge Analytica. The data was subsequently used by political campaigns in the UK and US during 2016, a year which saw Donald Trump become president and Britain leave the EU via referendum.

August 25
DoorDash Data Breach: “We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected,” DoorDash said in a blog post.

The delivery service went on to explain that “the information accessed by the unauthorized party primarily included [the] name, email address, delivery address and phone number” of a number of DoorDash customers, whilst other customers had their “basic order information and partial payment card information (i.e., the card type and last four digits of the card number)” accessed.

LastPass Breach: The password manager disclosed to its customers that it was compromised by an “unauthorized party”. The company assured customers that this took place in its development environment and that no customer details are at risk. A September update confirmed that LastPass’s security measures prevented customer data from being breached, and the company reminded customers that they do not have access to or store users’ master passwords.

August 24
Plex Data Breach: Client-server media streaming platform Plex is enforcing a password reset on all of its user accounts after “suspicious activity” was detected on one of its databases. Reports suggest that usernames, emails, and encrypted passwords were accessed.

August 20
DESFA Data Breach: Greece’s largest natural gas distributor confirmed that a ransomware attack caused an IT system outage and some files were accessed. However, a quick response from the organization’s IT team – including deactivating online servers – meant that the damage caused by the threat was minimal.

August 10
Cisco Data Breach: Multi-national technology conglomerate Cisco confirmed that the Yanluowang ransomware gang had breached its corporate network after the group published data stolen during the breach online. Security experts have suggested the data is not of “great importance or sensitivity”, and that the threat actors may instead be looking for credibility.

August 4
Twilio Data Breach: Messaging behemoth Twilio confirmed on this date that data pertaining to 125 customers was accessed by hackers after they tricked company employees into handing over their login credentials by masquerading as IT department workers.

July 2022
July 26
Uber Data Breach Cover-Up: Although this data breach actually took place way back in 2016 and was first revealed in November 2017, it took Uber until July 2022 to finally admit it had covered up an enormous data breach that impacted 57 million users, and even paid $100,000 to the hackers just to ensure it wasn’t made public. The case will see Uber’s former chief security officer, Joe Sullivan, stand trial for the breach – the first instance of an executive being brought to the dock for charges related to a data breach.

July 22
Twitter Data Breach: The first reports that Twitter had suffered a data breach concerning phone numbers and email addresses attached to 5.4 million accounts started to hit the headlines on this date, with the company confirming in August that the breach was indeed genuine. The vulnerability that facilitated the breach was known by Twitter at the turn of the year and had been patched by January 13, 2022, so data theft must have happened within that short window.

July 19
Neopets Data Breach: On this date, a hacker going by the alias “TarTaX” put the source code and database for the popular game Neopets’ website up for sale on an online forum. The database contained account information for 69 million users, including names, email addresses, zip codes, genders, and dates of birth.

July 18
Cleartrip Data Breach: Travel booking company Cleartrip – which is massively popular in India and majority-owned by Walmart – confirmed its systems had been breached after hackers claimed to have posted its data on an invite-only dark web forum. The full extent of the data captured from the company’s internal servers is unknown.

July 13
Infinity Rehab and Avamere Health Services Data Breach: The Department of Health and Human Services was notified by Infinity Rehab that 183,254 patients had had their personal data stolen. At the same time, Avamere Health Services informed the HHS that 197,730 patients had suffered a similar fate. Information stolen included names, addresses, driver’s license information, and more. On August 16, Washington’s MultiCare revealed that 18,165 more patients were affected in the same breach.

July 12
Deakin University Data Breach: Australia’s Deakin University confirmed on this date that it was the target of a successful cyberattack that saw the personal information of 46,980 students stolen, including recent exam results. Around 10,000 of the university’s students received scam text messages shortly after the data breach occurred.

July 5
Marriott Data Breach: The hotel group – which is no stranger to a data breach – confirmed its second high-profile data breach of recent years had taken place in June, after a hacking group tricked an employee and subsequently gained computer access. According to databreaches.net, the group claimed to be in possession of 20 GB of data stolen from the BWI Airport Marriott’s server in Maryland. Marriott would be notifying 300-400 individuals regarding the breach.

June 2022
June 29
OpenSea Data Breach: NFT marketplace OpenSea – that lost $1.7 million of NFTs in February to phishers – suffered a data breach after an employee of Customer.io, the company’s email delivery vendor, “misused their employee access to download and share email addresses provided by OpenSea users… with an unauthorized external party”. The company said that anyone with an email account they shared with OpenSea should “assume they are affected”.

June 17
Flagstar Bank Data Breach: 1.5 million customers were reportedly affected in a data breach that was first noticed by the company on June 2, 2022. “We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident,” a letter from Flagstar Bank to affected customers read.

June 14
Baptist Medical Center and Resolute Health Hospital Data Breach: The two health organizations – based in San Antonio and New Braunfels respectively – disclosed that a data breach had taken place between March 31 and April 24. Data lifted from its systems by an “unauthorized third party” included the social security numbers, insurance information, and full names of patients.

June 11
Choice Health Insurance Data Breach: On this date, Choice Health Insurance started to notify customers of a data breach caused by “human error” after it realized an unauthorized individual was offering to make data belonging to Choice Health available online. This had actually been publicly available since May 2022. The data dump consisted of 600MB of data with 2,141,006 files with labels such as “Agents” and “Contacts”.

June 7
Shields Health Care Group Data Breach: It was reported in early June that Massachusetts-based healthcare company Shields was the victim of a data breach that affected 2,000,000 people across the United States. The breach was first discovered on March 28, 2022, and information such as Social Security numbers, Patient IDs, home addresses, and information about medical treatments was stolen. A class action lawsuit was filed against the company shortly after.

May 2022
May 26
Verizon Data Breach: A threat actor got their hands on a database full of names, email addresses, and phone numbers of a large number of Verizon employees in this Verizon data breach. Vice/Motherboard confirmed these numbers were legitimate by ringing the numbers contained in the databases and confirming they currently (or used to) work at Verizon. According to Vice, the hacker was able to infiltrate the system after convincing an employee to give them remote access in a social engineering scam.

May 23
Texas Department of Transportation Data Breach: According to databreaches.net, personal records belonging to over 7,000 individuals had been acquired by someone who hacked the Texas Department of Transportation.

May 20
Alameda Health System Data Breach: Located in Oakland, California, Alameda Health System notified the Department of Health and Human Services that around 90,000 individuals had been affected by a data breach after suspicious activity, later found to be an unauthorized third party, was detected on some employee email accounts.

May 17
National Registration Department of Malaysia Data Breach: A group of hackers claimed to hold the personal details of 22.5 million Malaysians stolen from myIDENTITI API, a database that lets government agencies like the National Registration Department access information about Malaysian citizens. The hackers were looking for $10,000 worth of Bitcoin for the data.

Costa Rican Government: In one of the most high-profile cyberattacks of the year, the Costa Rican government – which was forced to declare a state of emergency – was hacked by the Conti ransomware gang. Conti members breached the government’s systems, stole highly valuable data, and demanded $20 million in payment to avoid it being leaked. 90% of this data – amounting to around 670GB – was posted to a leak site on May 20.

May 7
SuperVPN, GeckoVPN, and ChatVPN Data Breach: A breach involving a number of widely used VPN companies led to 21 million users having their information leaked on the dark web. Full names, usernames, country names, billing details, email addresses, and randomly generated password strings were among the information available. Unfortunately, this is not the first time supposedly privacy-enhancing VPNs have made the headlines for a data breach.

April 2022
April 4
Cash App Data Breach: A Cash App data breach affecting 8.2 million customers was confirmed by parent company Block on April 4, 2022 via a report to the US Securities and Exchange Commission. The breach had actually occurred way back in December 2021, with customer names and brokerage account numbers among the information taken.

Emma Sleep Data Breach: First reported on April 4, customer credit card information was skimmed using a “Magecart attack”. “This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen” an email to customers read.

March 2022
March 30
Apple & Meta Data Breach: According to Bloomberg, in late March, two of the world’s largest tech companies were caught out by hackers pretending to be law enforcement officials. Apple and Meta provided the threat actors with customer addresses, phone numbers, and IP addresses in mid-2021. The hackers had already gained access to police systems to send out fraudulent demands for the data. Some of the hackers were thought to be members of the Lapsus$ hacking group, who reportedly stole the Galaxy source code from Samsung earlier in the month.

March 26
US Department of Education Data Breach: It was revealed that 820,000 students in New York had their data stolen in January 2022, with demographic data, academic information, and economic profiles all accessed. Chancellor David Banks blamed software company Illuminate Education for the incident.

March 24
Texas Department of Insurance Data Leak: The state agency confirmed on March 24 that it had become aware of a “data security event” in January 2022, which had been ongoing for around three years. “Types of information that may have been accessible”, the TDI said in a statement in March, included “names, addresses, dates of birth, phone numbers, parts or all of Social Security numbers, and information about injuries and workers’ compensation claims. 1.8 million Texans are thought to have been affected.

March 18
Morgan Stanley Client Data Breach: US investment bank Morgan Stanley disclosed that a number of clients had their accounts breached in a Vishing (voice phishing) attack in February 2022, in which the attacker claimed to be a representative of the bank in order to breach accounts and initiate payments to their own account. This was, however, not the fault of Morgan Stanley, who confirmed its systems “remained secure”.

February 2022
February 25
Nvidia Data Breach: Chipmaker Nvidia confirmed in late February that it was investigating a potential cyberattack, which was subsequently confirmed in early March. In the breach, information relating to more than 71,000 employees was leaked. Hacking group Lapsus$ claimed responsibility for the intrusion into Nvidia’s systems.

February 20
Credit Suisse Data Leak: Although this is technically a “data leak”, it was orchestrated by a whistleblower against the company’s wishes and one of the more significant exposures of customer data this year. Information relating to 18,000 Credit Suisse accounts was handed over to German publication Süddeutsche Zeitung, and showed the Swiss company had a number of high-profile criminals on their books. The incident kickstarted a fresh conversation about the immorality of Switzerland’s banking secrecy laws.

January 2022
January 20
Crypto.com Data Breach: On January 20, 2022, Crypto.com made the headlines after a data breach led to funds being lifted from 483 accounts. Roughly $30 million is thought to have been stolen, despite Crypto.com initially suggesting no customer funds had been lost.

January 19
Red Cross Data Breach: In January, it was reported that the data of more than 515,000 “extremely vulnerable” people, some of whom were fleeing from warzones, had been seized by hackers via a complex cyberattack. The data was lifted from at least 60 Red Cross and Red Crescent societies across the globe via a third-party company that the organization uses to store data.

January 6
Flexbooker Data Breach: On January 6, 2022, data breach tracking site HaveIBeenPwned.com revealed on Twitter that 3.7 million accounts had been breached in the month prior. Flexbooker only confirmed that customer names, phone numbers, and addresses were stolen, but HaveIBeenPwned.com said “partial credit card data” was also included. Interestingly, 69% of the accounts were already in the website’s database, presumably from previous breaches.

Data Breaches vs Data Leaks vs Cyberattacks
This article largely concerns data breaches. A data breach occurs when a threat actor breaks into (or breaches) a company, organization, or entity’s system and purposefully lifts sensitive, private, and/or personally identifiable data from that system. When this happens, companies are sometimes forced to pay ransoms, or their information is stolen and posted online. According to one estimate, 5.9 billion accounts were targeted in data breaches last year.

This is different from a data leak, which is when sensitive data is unknowingly exposed to the public or to members of the public, such as the Texas Department of Insurance leak mentioned above. The term “data leak” is often used to describe data that could, in theory, have been accessed by people it shouldn’t have, or data that fell into the hands of people via non-malicious means. A government employee accidentally sending someone an email with sensitive data is usually described as a leak, rather than a breach.

Although all data breaches fall under the umbrella of a “cyber attack”, cyber attacks are not limited to data breaches. Some cyber attacks have different motivations – such as slowing a website or service down or causing some other sort of disruption. Not all cyberattacks lead to the exfiltration of data, but many do.

How Can I Protect My Organization From Cyber-Attacks?
Ensuring you take steps to protect your company from the sorts of cyber attacks that lead to financially fatal data breaches is one of the most crucial things you can do. It’s not just businesses that are at risk, however – schools and colleges are some of the most frequently targeted organizations that suffer huge financial losses.

Some companies and organizations – like Lincoln College – have had to shut down due to the fallout costs of a cyberattack. There has never been more of an onus on companies, colleges, and other types of organizations to protect themselves.

Unauthorized access to networks is often facilitated by weak business account credentials. So, whilst passwords are still in use, the best thing you can do is get your hands on a password manager for yourself and the rest of your staff team. This will allow you to create robust passwords that are sufficiently long and different for every account you hold. However, you’ll also need to use additional security measures, like 2-Factor Authentication, wherever possible, to create a second line of defense.

Another thing you must do is ensure your staff has sufficient training to spot suspicious emails and phishing campaigns. 70% of cyberattacks target business email accounts, so having staff that can recognize danger when it’s present is just as important as any software.

Source: https://tech.co/news/data-breaches-2022-so-far

PSA: Your Site Isn’t Hacked By This Bitcoin Scam, Keep the Money

On January 19th, 2023, a member of the Wordfence Threat Intelligence team received an email from their personal blog, claiming the site had been hacked, and we received two reports from Wordfence users who received the same message. The email claimed that the site had been hacked due to a vulnerability on the site. The email went on to demand about $3,000 worth of Bitcoin to prevent the malicious actor from damaging the site’s reputation. This is of course only a scare tactic, and not a true cause for concern. The site was not actually hacked.

This campaign appears to have begun on or around January 18, 2023, and while our data on it is light, the campaign is ongoing. The messages are being sent by a threat actor or a bot they control to submit the message through a contact form on a website. As we do not have data on emails submitted directly through a contact form, this attack campaign is likely to be significantly more prolific than the numbers we have available.

The message in question, which can be seen below in its email form, is a scare tactic that is used to trick victims into paying to prevent a leak of sensitive data, damage to the website, or whatever other potential consequences the vague threat may conjure up in the site owner’s mind.

From: Manie Hedin hacker@sludgepool.org
Subject: Your Site Has Been Hacked

Message Body:
Your Site Has Been Hacked

PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!

We have hacked your website https://.com and extracted your databases.

How did this happen?

Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your https://.com was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $3000 in bitcoins (0.14 BTC).

The amount(approximately): $3000 (0.14 BTC)
The Address Part 1: bc1qe4xvhksgapl3p76mm
The Address Part 2: fz7thdnmkeuxry08kjhcn

So, you have to manually copy + paste Part1 and Part2 in one string made of 42 characters with no space between the parts that start with “b” and end with “n” is the actually address where you should send the money to.

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 72 hours after receiving this message or the database leak, e-mails dispatched, and de-index of your site WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.

While this extortion campaign may not pose any real danger, it is still important to take website security seriously. WordPress core, themes, and plugins need to be updated with the latest security updates to patch known vulnerabilities. Even with everything updated, there may be vulnerabilities that are not publicly known and do not have an available patch. For this reason, a website security solution that includes a web application firewall (WAF) that can block common exploits, such as Wordfence, should be implemented.

Cyber Observables
While this extortion campaign is still in its early stages, there are some observables that can be used to identify and block these extortion attempts.

Email Address
hacker@sludgepool[.]org

Bitcoin Address
bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn

IP Addresses
138.199.18.140
138.199.18.61
212.102.57.5
216.24.216.249
212.102.57.24

Conclusion
In this post, we discussed an emerging extortion campaign where emails are being sent to site owners through contact forms. This campaign does not pose an actual threat to the website, but serves as a reminder to keep websites updated and implement a website security solution.

Source: https://www.wordfence.com/blog/2023/01/psa-your-site-isnt-hacked-by-this-bitcoin-scam-keep-the-money/

PayPal: 35,000 customers breached in credential stuffing attack

People who use same passwords across many online sites are recommended to change to unique, secure passwords for each one. A strong password often has at least 12 characters, including symbols and alphanumeric characters.

Commenting on the incident, Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, said: “It is at least surprising why MFA authentication is not enforced by default for such a sensitive service as PayPal.”

“Moreover, any unusual activity, such as login from an unknown location or new device should be rapidly reported to the user and the account may be temporarily suspended unless the user takes an action.

“Modern MFA technologies cost almost nothing to implement and should be enabled by default by financial service providers as a foundational security control. In the meantime, all users should urgently enable MFA everywhere, especially in view of the recent LastPass data breach.”

Source and more details: https://www.immuniweb.com/media/paypal-35000-customers-breached-in-credential-stuffing-attack.html

See also: Thousands Of PayPal Accounts Hacked—Is Yours One Of Them?

Holiday Attack Spikes Target Ancient Vulnerabilities and Hidden Webshells

Source and more details: WordFence

Winter brings a number of holidays in a short period of time, and many organizations shut down or run a skeleton crew for a week or more at the end of the year and beginning of the new year. This makes it easier for would-be attackers to find success as systems are not as closely monitored. This means that during major holidays it is not uncommon to see spikes in attack attempts.

We observed spikes in attack traffic for two of our firewall rules over the Christmas and New Year holidays, which are discussed in more detail below. The spikes in these rules look rather different when compared to each other. What they have in common is that the best defenses are proactively securing your website and keeping WordPress core, themes, and plugins updated.

Targeted Spikes: Downloads Manager Plugin
There were two spikes specifically targeting the Downloads Manager plugin by Giulio Ganci. The first spike was on December 24, 2022, with a second spike on January 4, 2023. In the 30-day reporting period, only 17 attempts to scan for readme.txt or debug.log files did not target the Downloads Manager plugin. The rule that blocks these scans typically blocks an average of 7,515,876 scan attempts per day. The first spike saw 92,546,995 scan attempts, and the second spike soared to 118,780,958 scan attempts in a single day.

chart of blocked attack attempts targeting the Downloads Manager plugin by day

Over the reporting period, we tracked 466,827 attacking IP addresses. These IP addresses attempted to exploit vulnerabilities on 2,663,905 protected websites. The top 10 IP addresses were responsible for 90,693,836 exploit attempts over the course of the reporting period.

chart of the top ten IP addresses targeting the Downloads Manager plugin

The observed user-agent strings were largely known legitimate user-agents, though some appear to have been modified. The top ten user-agents accounted for 306,845,888 of the total exploit attempts during this time period.

During these spikes, the scans were specifically looking for readme.txt files within the /wp-content/plugins/downloads-manager/ directory of the website. When the file is found, the attackers primarily attempt to upload the Mister Spy Bot V7 shell with a filename similar to up__jpodv.php, where the last five characters of the name are random letters, or the Saber BOT V1 shell with a filename of saber.php, as the malicious payload.

The vulnerability would-be attackers are attempting to exploit is an arbitrary file upload vulnerability found in Downloads Manager <= 0.2. A lack of adequate validation made it possible for files to be uploaded and run on a vulnerable website. This could lead to remote code execution on some sites. The vulnerability was publicly published in 2008, and was never patched. The plugin has since been closed and is no longer available. If this plugin is still being used, it should be removed immediately. Take note that this is not the WordPress Download Manager plugin by W3 Eden, which is still actively being developed and should simply be kept updated with the latest releases as they are published.

Mister Spy Bot V7
The Mister Spy shell returns some basic information about the operating system the website is running on, and the location of the site root on that system, and allows for files to be uploaded. In addition to these features, Mister Spy payloads typically include a reverse shell that allows a successful attacker to obtain additional information about the content management system being used on the website, install additional shells, deface the website, register malicious users on the website, and collect configuration details, among other features.

screenshot of Mister Spy Bot Webshell

Saber BOT V1
Saber BOT gives a successful attacker the ability to view files, and modify their permissions and filenames, as well as edit or delete the files. The current path is displayed in the web interface, and an upload form is provided as well. While not as sophisticated as Mister Spy Bot V7, Saber BOT V1 can still lead to remote code execution due to the file upload capabilities.

Screenshot of Saber BOT webshell

Untargeted Spikes: Known User-Agents
The attack attempts we saw that did not target a specific plugin were blocked due to the use of known malicious user-agent strings. These spikes were not as pronounced as the targeted spikes we saw and occurred on slightly different days. The total number of blocked attacks rose beginning on December 22, 2022, and stayed slightly higher throughout the remainder of the reporting period. Within this time we also saw three spikes on December 23rd and 24th, December 29th, and January 2nd. The January 2, 2023 peak was the largest peak, reaching 183,097,778 blocked attack attempts. This put the peak at nearly three times as many attempts as the average of 66,669,317 blocked per day.

chart of blocked attack attempts by known malicious user-agents by day

The attack attempts blocked by this firewall rule were much more varied, and did not show an increase in specific payloads or intrusion vectors. Instead, the increase appears to have been a simple rise in the volume of attack attempts across all attack types from actors using known malicious user-agents. One of the most common attack types blocked for using a known malicious user-agent string is probing for hidden webshells.

Cyber Observables
The following observables can be used in conjunction with other indicators as an indication that a compromise may have occurred.

Filenames
The filename for Mister Spy Bot V7 follows a pattern of up__xxxxx.php, where xxxxx is replaced with a random set of five lowercase letters. Saber BOT V1 was consistently named saber.php in these spikes.

up__jpodv.php
up__bxyev.php
up__izlxc.php
saber.php
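As an added example that is not part of the Wordfence post, the following Python triage script applies the observables above (the downloads-manager readme.txt probe, the up__xxxxx.php pattern, and saber.php) to Apache-style access-log lines and to a list of file paths. The log lines, IP addresses, and the directories the shells are placed in are constructed for illustration; the page does not state where the uploaded shells land.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Observables taken from the post: the probed plugin directory, the Mister Spy
# Bot V7 filename pattern (up__ plus five random lowercase letters) and the
# Saber BOT V1 filename.
DM_README = "/wp-content/plugins/downloads-manager/readme.txt"
MISTER_SPY_RE = re.compile(r"^up__[a-z]{5}\.php$")
SABER_NAME = "saber.php"

# Apache "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real data): a probe for the abandoned plugin,
# requests for both shell filenames, and some benign noise.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Dec/2022:03:14:07 +0000] "GET /wp-content/plugins/downloads-manager/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Dec/2022:03:14:11 +0000] "GET /wp-content/plugins/downloads-manager/up__jpodv.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Dec/2022:03:20:42 +0000] "GET /wp-content/uploads/saber.php HTTP/1.1" 200 1874 "-" "curl/7.85"
192.0.2.55 - - [24/Dec/2022:03:22:00 +0000] "GET /wp-content/uploads/2022/12/holiday.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
192.0.2.55 - - [24/Dec/2022:03:22:01 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.55 - - [24/Dec/2022:03:22:02 +0000] "GET /wp-content/debug.log?x=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    tag: str


def classify_path(path: str) -> Optional[str]:
    """Map a request path to one of the observables, or None if it is uninteresting."""
    path = path.split("?", 1)[0]          # ignore the query string
    name = path.rsplit("/", 1)[-1]
    if path == DM_README:
        return "downloads-manager-readme-probe"
    if name in ("readme.txt", "debug.log"):
        return "readme-debuglog-scan"       # generic plugin/debug enumeration
    if MISTER_SPY_RE.match(name):
        return "mister-spy-v7-filename"
    if name == SABER_NAME:
        return "saber-v1-filename"
    return None


def scan_log(text: str) -> List[Finding]:
    """Parse access-log lines and keep only requests matching an observable."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # malformed or non-matching line
        tag = classify_path(m["path"])
        if tag is None:
            continue
        findings.append(Finding(m["ip"], m["ts"], m["method"], m["path"],
                                int(m["status"]), tag))
    return findings


def likely_present_shells(findings: List[Finding]) -> List[str]:
    """Shell filenames that answered 200: the file very likely exists on disk."""
    return sorted({f.path for f in findings
                   if f.tag.endswith("-filename") and f.status == 200})


def tags_by_ip(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group observed behaviours per client IP to see probe-then-use sequences."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f.ip, set()).add(f.tag)
    return {ip: sorted(tags) for ip, tags in out.items()}


def find_webshell_candidates(paths: List[str]) -> List[str]:
    """Filter a list of file paths (e.g. from os.walk) to the shell name patterns."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        if MISTER_SPY_RE.match(name) or name == SABER_NAME:
            hits.append(p)
    return sorted(hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.ip:14} {f.status} {f.tag:32} {f.path}")
    print("shells answering 200:", likely_present_shells(found))
```

For a live check, feed `find_webshell_candidates` the output of `os.walk` over the web root and treat any hit, together with a 200 response in the access log, as a sign that an incident response should begin rather than a cleanup alone.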

Conclusion
Spikes in exploit and other attack attempts are common around holidays, as is highlighted by spikes we observed in probing attempts against the Downloads Manager plugin and blocked known malicious user-agents. These spikes occurred on or near the Christmas and New Year holidays. Fortunately for Wordfence users, firewall rules were already in place to block these attack attempts, even for Wordfence Free users. In addition to having a firewall and malware scanning in place, it is also important to ensure that all components of a website are updated with the latest security releases, and vulnerable plugins with no updates should be removed.

Hundreds of WordPress sites infected by recently discovered backdoor

People who use WordPress should check their sites for unpatched plugins.

Malware that exploits unpatched vulnerabilities in 30 different WordPress plugins has infected hundreds if not thousands of sites and may have been in active use for years, according to a writeup published last week.

The Linux-based malware installs a backdoor that causes infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It’s also able to disable event logging, go into standby mode, and shut itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality like live chat or metrics-reporting to the core WordPress content management system.

“If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts,” Dr.Web researchers wrote. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

Searches such as this one indicate that more than 1,300 sites contain the JavaScript that powers the backdoor. It’s possible that some of those sites have removed the malicious code since the last scan. Still, it provides an indication of the reach of the malware.

The plugins exploited include:

WP Live Chat Support Plugin
WordPress – Yuzo Related Posts
Yellow Pencil Visual Theme Customizer Plugin
Easysmtp
WP GDPR Compliance Plugin
Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
Thim Core
Google Code Inserter
Total Donations Plugin
Post Custom Templates Lite
WP Quick Booking Manager
Facebook Live Chat by Zotabox
Blog Designer WordPress Plugin
WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
WP-Matomo Integration (WP-Piwik)
WordPress ND Shortcodes For Visual Composer
WP Live Chat
Coming Soon Page and Maintenance Mode
Hybrid
Brizy WordPress Plugin
FV Flowplayer Video Player
WooCommerce
WordPress Coming Soon Page
WordPress theme OneTone
Simple Fields WordPress Plugin
WordPress Delucks SEO plugin
Poll, Survey, Form & Quiz Maker by OpinionStage
Social Metrics Tracker
WPeMatico RSS Feed Fetcher
Rich Reviews plugin

“If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server,” the Dr.Web writeup explained. “With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first—regardless of the original contents of the page. At this point, whenever users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to.”

The JavaScript contains links to a variety of malicious domains.

The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. They said the malware may have been in use for three years.

WordPress plugins have long been a common means for infecting sites. While the security of the main application is fairly robust, many plugins are riddled with vulnerabilities that can lead to infection. Criminals use infected sites to redirect visitors to sites used for phishing, ad fraud, and distributing malware.

People running WordPress sites should ensure that they’re using the most current versions of the main software as well as any plugins. They should prioritize updating any of the plugins listed above.

Source: https://arstechnica.com/information-technology/2023/01/hundreds-of-wordpress-sites-infected-by-recently-discovered-backdoor/

Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid

It looks like the sort of meeting room you might find in startups all over the world: diffuse lighting from windows down one wall, alongside a giant poster cityscape of New York’s Brooklyn Bridge, with the Manhattan skyline towering behind it.

The difference in this case is that the computer workstations around the room are there for a different sort of “entrepreneurial” venture, and the room is empty not because no one showed up for work, but because the “employees” were in the process of being arrested.

This picture comes from the Ukraine Cyber Police, who raided a fraudulent call center just before New Year, where they say the three founders of the scam, plus 37 “staff”, were busted for allegedly operating a large-scale banking fraud.

Playbook + gift of gab = scam
You’re probably familiar with the scamming script they’re said to have used, and you probably know friends or family who have been pestered by scammers of this sort.

Some of you may even have acquaintances who were ripped off this way, because these scammers are well versed in gaining the trust of their victims.

Typically, the scammers try to convince you that your bank account is under attack from fraudsters (technically, that part is true – the caller is the attacker), and patiently offer to help you “secure” your account and “recover” lost or at-risk funds.

The scammers aim to turn people’s general awareness of banking scams into an excuse, a reason, a playbook, if you like, for carrying out a scam of their own.

Simply put, they call up pretending to be an official from your own bank, using a variety of tricks to make you accept their fictitious credentials as bank staff, and then “advise” you to take a series of disastrous steps.

The scammers’ first job is to convince you that a hacker has already gained access to your account.

The crooks typically use a mix of threatening, scary and urgent language, combined with the sort of attentiveness that you probably wish more call centre staff would show.

Even if you decide to call them back (don’t do it – you’re only reconnecting to the person who just called you, which proves nothing!), you’ll almost certainly find the scammers more prompt and more helpful than you’ve experienced in a long time when calling a real support line…

…so we’re not surprised that this sort of caller makes some people feel comfortable enough to keep on listening, even if they didn’t believe a word at first.

If in doubt, don’t give it out
As you can imagine, once the crooks know you’re starting to believe their cover story, they’ll start to milk you for personal information, often by pretending that they can see it for themselves on the “banking screen” in front of them, yet somehow always coaxing you to say it out loud first.

At that point, of course, they do know the information you just let slip, and they’ll pretend to “confirm” it or to “double-check” it to keep up the pretence.

There are then many ways that the crooks can defraud you or drain your account.

Sometimes, they may simply convince you to log in on a fake “security” site as they coach you through the process, including getting you to go through any 2FA (two-factor authentication) process.

The Ukrainian call centre that just got busted seems to have worked that way, with victims being “helpfully” guided through the process of “cancelling” transactions that, in fact, never happened in the first place [automated translation]:

[These scammers] called people in Kazakhstan, pretending to be employees of the security service of banks. These people were notified of suspicious transactions and told that alleged outsiders had gained access to their accounts. Under the guise of “cancelling” transactions, victims were persuaded to provide financial data.

After receiving such information, the perpetrators transferred the victims’ money to accounts under their own control. They also issued quick loans and appropriated the loan amount.

For the conspiracy, the participants used bank accounts located in offshore zones, and cryptocurrency wallets.

In this way, the criminals defrauded [about 18,000 people].

High and dry
In other scams – this approach, unfortunately, is widely reported in the UK – the crooks present you with a brand-new account number, based at the same bank, which they announce is your “replacement account”.

The idea is that you’re being provided with new account details in the same way that if you were to ask for a new credit card due to fraud, it too would have a brand new number, expiry date and so on.

The crooks then convince you to transfer the funds from your “old, hacked” account to this new one, leading you to believe that the account was created by the bank minutes ago, especially for the purpose of “protecting” you from an active attack.

Of course, this “new account” is just a regular account that was opened recently by accomplices of the crooks, perhaps using fraudulent documentation to pass the bank’s know-your-customer (KYC) process.

So, the account is already directly under the control of the scammers, and the money will typically be whisked out of that “new” account even before you finish the call.

In cases like this, victims sometimes tragically find themselves left high and dry by their bank, which may claim that because they apparently willingly transferred the funds of their own accord, and properly identified themselves to the online banking system (for example by using 2FA), the funds have technically not been “stolen”, and the bank therefore has no liability.

What to do?
  • Never believe anyone who contacts you out of the blue and claims to be “helping” you with a fraud investigation. That person isn’t stopping a fraud, they are starting one.
  • Never use contact details given to you by the other person when cybersecurity is at stake. This cannot possibly prove anything, given that the details probably came from a scammer in the first place. All you get is a false sense of “security”.
  • Never rely on the Caller ID number that shows up on your phone. The number that appears can easily be faked. If the caller tells you to “check the number if you don’t believe them”, you can be sure they’re a scammer.
  • Never let yourself be talked into handing over personal information, especially not to “prove” your identity. After all, it’s the other person who should be proving themselves to you. Visit your bank in person if you possibly can; if you need to call or interact online, look for contact details printed on something you know you received directly from the bank, such as the back of your payment card or a recent statement.
  • Never transfer funds to another account on someone else’s say so. Your bank will never call you to ask you to do this, so any call of this sort must be a scam. Worse still, you could find yourself liable for the transfer if you approve it yourself, even if you were tricked into doing so.
  • Look out for friends and family who may be vulnerable. These scammers don’t give up easily, and they can be consummate actors when playing the role of a helpful official. Make sure your friends and family know to hang up right away, and to contact you personally for advice, so they never give the scammers a chance to “vouch” for themselves.

Source: https://nakedsecurity.sophos.com/2023/01/03/inside-a-scammers-lair-ukraine-busts-40-in-fake-bank-call-centre-raid/