The LastPass hack saga just keeps getting worse

Already smarting from a breach that stole customer vaults, LastPass has more bad news.

Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.

Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

Monday’s update comes two months after LastPass issued a previous bombshell update that for the first time said that, contrary to previous assertions, the attackers had obtained customer vault data containing both encrypted and plaintext data. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, allowing for the copying of customer vault backup data from the encrypted storage container.

The backup data contained both unencrypted data, such as website URLs, and website usernames and passwords, secure notes, and form-filled data, which had an additional layer of encryption using 256-bit AES. The new details explain how the threat actor obtained the S3 encryption keys.

Monday’s update said that the tactics, techniques, and procedures used in the first incident were different from those used in the second one and that, as a result, it wasn’t initially clear to investigators that the two were directly related. During the second incident, the threat actor used information obtained during the first one to enumerate and exfiltrate the data stored in the S3 buckets.

“Alerting and logging was enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation,” LastPass officials wrote. “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”

LastPass learned of the second incident from Amazon’s warnings of anomalous behavior when the threat actor tried to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.

According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced. The breach allowed the threat actor to access a proprietary database and make off with password data, usernames, and emails belonging to some of its 30 million customers. Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.

It’s not clear if the Plex breach has any connection to the LastPass intrusions. Representatives of LastPass and Plex didn’t respond to emails seeking comment for this story.

The threat actor behind the LastPass breach has proven especially resourceful, and the revelation that it successfully exploited a software vulnerability on the home computer of an employee further reinforces that view. As Ars advised in December, all LastPass users should change their master passwords and all passwords stored in their vaults. While it’s not clear whether the threat actor has access to either, the precautions are warranted.

Sources: https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

All In One SEO WordPress Plugin Vulnerability Affects Up To 3+ Million

All In One SEO WordPress plugin versions up to and including 4.2.9 are vulnerable to stored cross-site scripting attacks

The United States National Vulnerability Database published an advisory about two vulnerabilities discovered in the All In One SEO WordPress plugin.

The All In One SEO (AIOSEO) plugin, which has over three million active installations, is vulnerable to two cross-site scripting (XSS) attacks.

The vulnerabilities affect all versions of AIOSEO up to and including version 4.2.9.

Stored Cross-Site Scripting

Cross-site scripting (XSS) attacks are a form of injection attack in which a malicious script executes in a user’s browser, which can lead to theft of cookies and user sessions and even a site takeover.

The two most common forms of Cross-Site Scripting attacks are:

  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting

A Reflected XSS relies on sending the victim a link that carries the script; when the victim clicks it, the vulnerable site receives the script and “reflects” it back into the page rendered in the victim’s browser.

A Stored XSS is one where the malicious script is saved on the vulnerable site itself and executes for every user who views the affected page.

Hackers take advantage of any input the website accepts, such as a contact form, an image upload form, or any other area where someone can upload content or make a submission.

The vulnerability arises when there are insufficient security checks to block unwanted inputs.

The two issues affecting the AIOSEO plugin are both Stored Cross-Site Scripting vulnerabilities.

CVE-2023-0585

Vulnerabilities are assigned numbers to keep track of them. The first one was assigned CVE-2023-0585.

This vulnerability arises from insufficient input sanitization and output escaping: the plugin does not adequately filter what is submitted, nor escape it when it is rendered, so a malicious script can be stored and later served to other users.

The National Vulnerability Database (NVD) notice describes it like this:

“The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping.

This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The vulnerability was assigned a threat level of 4.4 (out of ten), which is a medium level.

An attacker must first acquire administrator privileges or higher to perpetrate this attack.

CVE-2023-0586

This attack is similar to the first one. The main difference is that the attacker needs only contributor-level access or higher.

A contributor level role has the ability to create content but not to publish it.

The vulnerability is also a medium level threat but it is assigned a higher vulnerability score of 6.4.

This is the description:

“The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping.

This makes it possible for authenticated attackers with Contributor+ role to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Recommended Action

The first vulnerability requires administrator level privileges and is assigned a relatively low medium threat level score of 4.4.

But the second vulnerability only requires a lower level of privilege and is rated higher at 6.4.

It’s generally a good policy to update all vulnerable plugins. AIOSEO plugin version 4.3.0 is the one containing the security fix, referred to in the official AIOSEO changelog as additional “security hardening.”

Read details of the two vulnerabilities:

  • CVE-2023-0585
  • CVE-2023-0586

Source: https://www.searchenginejournal.com/aioseo-wordpress-plugin-vulnerabilities/480949/

Strong Testimonials <= 3.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
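The defect named in both the AIOSEO advisories above and this Strong Testimonials entry, “insufficient input sanitization and output escaping” of user-supplied shortcode attributes, is easiest to see in code. The following is an added example, not code from any of these plugins or from Wordfence; the shortcode name and attributes are made up, and the stand-in functions exist only so the file runs from the PHP CLI outside WordPress.

```php
<?php
// Added example, not code from AIOSEO, Strong Testimonials or Wordfence.
// A shortcode callback that concatenates contributor-controlled attributes
// straight into HTML (the Stored XSS defect) next to a hardened version.
// The shortcode name and attributes are made up for the demonstration.

// Stand-ins so the file runs from the PHP CLI without WordPress; inside
// WordPress the real esc_attr(), esc_html() and shortcode_atts() are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {   // unknown attributes are dropped
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: attribute values a contributor stored in the post are
// concatenated into HTML unescaped, in both attribute and element-text context.
function demo_testimonial_vulnerable(array $atts): string {
    $atts = shortcode_atts(['author' => 'Anonymous', 'color' => '#333333'], $atts);
    return '<blockquote style="color:' . $atts['color'] . '">'
         . '<cite>' . $atts['author'] . '</cite></blockquote>';
}

// Hardened pattern: validate values that have a strict format, and escape
// every value for the exact context it lands in (attribute vs. element text).
function demo_testimonial_hardened(array $atts): string {
    $atts = shortcode_atts(['author' => 'Anonymous', 'color' => '#333333'], $atts);
    $color = preg_match('/^#[0-9a-fA-F]{3,8}$/', $atts['color']) ? $atts['color'] : '#333333';
    return '<blockquote style="color:' . esc_attr($color) . '">'
         . '<cite>' . esc_html($atts['author']) . '</cite></blockquote>';
}

// Constructed values, as the shortcode parser would hand them to the callback.
// The attribute-breakout form in 'color' needs no angle brackets, which is why
// the HTML filtering WordPress applies to contributor post content does not
// stop it: only context-correct escaping at output time does.
$stored = [
    'author' => '<img src=x onerror=alert(1)>',
    'color'  => '#fff" onmouseover="alert(1)',
];

echo "vulnerable output:\n", demo_testimonial_vulnerable($stored), "\n\n";
echo "hardened output:\n", demo_testimonial_hardened($stored), "\n";
```

Inside WordPress the hardened callback would be registered with add_shortcode(); the escaping functions are the same ones used here as stand-ins.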

Source: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/strong-testimonials/strong-testimonials-302-authenticated-contributor-stored-cross-site-scripting-via-shortcodes

GoDaddy: Hackers stole source code, installed malware in multi-year breach

Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack.

While GoDaddy discovered the security breach following customer reports in early December 2022 that their sites were being used to redirect to random domains, the attackers had access to the company’s network for multiple years.

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the hosting firm said in an SEC filing.

The company says that previous breaches disclosed in November 2021 and March 2020 are also linked to this multi-year campaign.

The November 2021 incident led to a data breach affecting 1.2 million Managed WordPress customers after attackers breached GoDaddy’s WordPress hosting environment using a compromised password.

They gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.

After the March 2020 breach, GoDaddy alerted 28,000 customers that an attacker used their web hosting account credentials in October 2019 to connect to their hosting account via SSH.

GoDaddy is now working with external cybersecurity forensics experts and law enforcement agencies worldwide as part of an ongoing investigation into the root cause of the breach.

Links to attacks targeting other hosting companies

GoDaddy says it also found additional evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years.

“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” the hosting company said in a statement.

“According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

GoDaddy is one of the largest domain registrars, and it also provides hosting services to over 20 million customers worldwide.

A GoDaddy spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Source: GoDaddy: Hackers stole source code, installed malware in multi-year breach (bleepingcomputer.com) and GoDaddy says a multi-year breach hijacked customer websites and accounts | Ars Technica


Multiple Vulnerabilities Patched in Quick Restaurant Menu Plugin

The Quick Restaurant Menu plugin for WordPress is vulnerable to Missing Authorization, Insecure Direct Object Reference, Cross-Site Request Forgery, and Cross-Site Scripting in versions up to, and including, 2.0.2.

The Wordfence team found that contact information was not readily available for the vendor, so they reached out to the WordPress Plugin Security Team directly on January 16, 2023 to report the security issues. The team acknowledged receipt of their email on January 18, 2023. All issues were addressed in version 2.1.0, which was released on January 20, 2023. Unfortunately, the plugin is still closed for downloads at this point, so we recommend manually downloading the patched version from this link and updating the plugin, or uninstalling the plugin completely until the plugin has been reinstated.

Wordfence released a firewall rule addressing the lack of authorization checks on January 16, 2023.

Due to the nature of Cross-Site Request Forgery vulnerabilities, which involve tricking administrators into performing actions they are allowed to perform, it is not possible to provide full protection without blocking legitimate requests. As such, we recommend updating as soon as possible to ensure that your site is fully protected against any exploits that may target the Cross-Site Request Forgery vulnerability.

Source and more details: https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-quick-restaurant-menu-plugin

~11,000 sites have been infected with malware that’s good at avoiding detection

It’s not clear precisely how the WordPress sites become infected in the first place.

Nearly 11,000 websites in recent months have been infected with a backdoor that redirects visitors to sites that rack up fraudulent views of ads provided by Google Adsense, researchers said.

All 10,890 infected sites, found by security firm Sucuri, run the WordPress content management system and have an obfuscated PHP script that has been injected into legitimate files powering the websites. Such files include “index.php,” “wp-signup.php,” “wp-activate.php,” “wp-cron.php,” and many more. Some infected sites also inject obfuscated code into wp-blog-header.php and other files. The additional injected code works as a backdoor that’s designed to ensure the malware will survive disinfection attempts by loading itself in files that run whenever the targeted server is restarted.

“These backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestack[.]live and place them in files with random names in wp-includes, wp-admin and wp-content directories,” Sucuri researcher Ben Martin wrote. “Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”

Sneaky and determined

The malware takes pains to hide its presence from operators. When a visitor is logged in as an administrator or has visited an infected site within the past two or six hours, the redirections are suspended. As noted earlier, the malicious code is also obfuscated, using Base64 encoding.
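A heuristic check for the injection pattern described above, written as an added example rather than Sucuri's code: it looks in the named WordPress root files for a base64 literal fed to a decode-and-execute chain. The indicators are assumptions of this example, the sample files are constructed in a temporary directory so the script runs stand-alone, and a hit is a candidate for review, not a verdict.

```php
<?php
// Added example, not Sucuri's code. Heuristic scan for obfuscated PHP
// (a base64 literal fed to a decode-and-execute chain) injected into the
// WordPress root files the report names. Flags candidates for review only.

const DEMO_WATCHED = ['index.php', 'wp-signup.php', 'wp-activate.php',
                      'wp-cron.php', 'wp-blog-header.php'];

// Assumed indicators. Stock copies of the watched files contain no such
// decode calls, so any hit in them deserves a manual look.
function demo_scan_source(string $src): array {
    $hits = [];
    // an execute primitive directly wrapping a decode/obfuscation primitive
    if (preg_match('/\b(eval|assert)\s*\(\s*@?\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/i', $src)) {
        $hits[] = 'decode-and-execute chain';
    }
    // a long base64 literal that decodes to something PHP-shaped
    if (preg_match_all('/[\'"]([A-Za-z0-9+\/]{40,}={0,2})[\'"]/', $src, $m)) {
        foreach ($m[1] as $blob) {
            $decoded = base64_decode($blob, true);
            if ($decoded !== false && preg_match('/<\?php|\$_(GET|POST|COOKIE|REQUEST)\b|\beval\s*\(/i', $decoded)) {
                $hits[] = 'base64 literal decoding to PHP';
                break;
            }
        }
    }
    return $hits;
}

// Scan only the watched files in an install root; returns file => indicators.
function demo_scan_root(string $root): array {
    $findings = [];
    foreach (DEMO_WATCHED as $name) {
        $path = $root . DIRECTORY_SEPARATOR . $name;
        if (!is_file($path)) {
            continue;
        }
        $hits = demo_scan_source((string) file_get_contents($path));
        if ($hits !== []) {
            $findings[$name] = $hits;
        }
    }
    return $findings;
}

// Constructed samples: a stock-shaped index.php, and a wp-blog-header.php with
// an injected line ahead of the legitimate code. The "payload" only echoes a
// marker and is never executed here; the scanner reads it as text.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo-wp-' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . '/index.php',
    "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n");
$marker = base64_encode("<?php echo 'constructed harmless marker, not malware'; ");
file_put_contents($root . '/wp-blog-header.php',
    "<?php\n@eval(base64_decode('" . $marker . "'));\n"
    . "if (!isset(\$wp_did_header)) {\n    \$wp_did_header = true;\n"
    . "    require_once __DIR__ . '/wp-load.php';\n    wp();\n"
    . "    require_once ABSPATH . WPINC . '/template-loader.php';\n}\n");

foreach (demo_scan_root($root) as $file => $hits) {
    echo $file, ': ', implode('; ', $hits), "\n";
}

// tidy up the constructed files
array_map('unlink', glob($root . '/*.php'));
rmdir($root);
```

To check a live site, point demo_scan_root() at the install root instead of the constructed directory, and treat any hit as a prompt to compare the file against a pristine copy of the same WordPress version.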

The mass website infection has been ongoing since at least September. In a post published in November that first alerted people to the campaign, Martin warned:

“At this point, we haven’t noticed malicious behavior on these landing pages. However, at any given time site operators may arbitrarily add malware or start redirecting traffic to other third-party websites.”

For now, the entire objective of the campaign appears to be generating organic-looking traffic to websites that contain Google Adsense ads; Sucuri’s report names the Adsense accounts engaging in the scam.

To make the visits evade detection from network security tools and to appear to be organic—meaning coming from real people voluntarily viewing the pages—the redirections occur through Google and Bing searches.

The final destinations are mostly Q&A sites that discuss Bitcoin or other cryptocurrencies. Once a redirected browser visits one of the sites, the crooks have succeeded. Martin explained:

Essentially, website owners place Google-sanctioned advertisements on their websites and get paid for the number of views and clicks that they get. It doesn’t matter where those views or clicks come from, just so long as it gives the impression to those that are paying to have their ads seen that they are, in fact, being seen.

Of course, the low-quality nature of the websites associated with this infection would generate basically zero organic traffic, so the only way that they are able to pump traffic is through malicious means.

In other words: Unwanted redirects via fake short URL to fake Q&A sites result in inflated ad views/clicks and therefore inflated revenue for whomever is behind this campaign. It is one very large and ongoing campaign of organized advertising revenue fraud.

According to Google AdSense documentation, this behavior is not acceptable and publishers must not place Google-served ads on pages that violate the Spam policies for Google web search.


Source: https://arstechnica.com/information-technology/2023/02/sneaky-malware-infecting-1000-sites-is-redirecting-visitors-to-scam-pages/

Apple patches a major Mac security flaw in macOS Ventura 13.2.1

It’s time to update your Mac.

Apple on Monday released macOS Ventura 13.2.1, a small update to the latest version of the Mac operating system. The update does not contain any new features, but it presumably contains several bug fixes and performance optimizations. Most notably, however, it includes three security updates, at least one of which has been actively exploited.

Kernel

  • Impact: An app may be able to execute arbitrary code with kernel privileges
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero

Shortcuts

  • Impact: An app may be able to observe unprotected user data
  • Description: A privacy issue was addressed with improved handling of temporary files.
  • CVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group

WebKit

  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • Description: A type confusion issue was addressed with improved checks.
  • WebKit Bugzilla: 251944
  • CVE-2023-23529: an anonymous researcher

The WebKit fix is also available for macOS Big Sur and macOS Monterey via Safari 16.3.1. macOS Version 13.2.1 comes three weeks after Apple released Ventura 13.2 to the public. 13.2 includes several new security features, such as support for physical FIDO-certified security keys and the implementation of the Rapid Security Response updates. Apple will likely begin testing macOS Ventura 13.3 shortly for release in the spring.

Source: Apple patches a major Mac security flaw in macOS Ventura 13.2.1 | Macworld and Apple fixes new WebKit zero-day exploited to hack iPhones, Macs (bleepingcomputer.com) and https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html

Auto YouTube Importer <= 1.0.3 – Cross-Site Request Forgery

The Auto YouTube Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation when changing plugin settings. This makes it possible for unauthenticated attackers to change plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
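The “missing or incorrect nonce validation” behind this entry, and the CSRF issue in the Quick Restaurant Menu item above, comes down to a settings handler that trusts any request arriving with the administrator’s cookies. The following is an added example, not code from either plugin: a vulnerable handler next to a hardened one; the option and action names are made up, and the stand-in functions exist only so the file runs from the PHP CLI outside WordPress.

```php
<?php
// Added example, not the Quick Restaurant Menu or Auto YouTube Importer code.
// A settings handler with no nonce check (the CSRF defect the advisories
// describe) next to one that verifies capability and nonce before saving.
// Option and action names are made up for the demonstration.

// Stand-ins so the file runs from the PHP CLI; inside WordPress the real
// current_user_can(), wp_create_nonce() and wp_verify_nonce() are used, and
// wp_nonce_field('demo_importer_save') emits the hidden field in the form.
if (!function_exists('wp_verify_nonce')) {
    define('DEMO_SECRET', 'constructed-secret-not-a-real-salt');
    function current_user_can(string $cap): bool { return $cap === 'manage_options'; } // logged-in admin
    function wp_create_nonce(string $action): string {
        // simplified: HMAC over action and user; WordPress also mixes in a time tick
        return substr(hash_hmac('sha256', $action . '|uid=1', DEMO_SECRET), 0, 10);
    }
    function wp_verify_nonce(string $nonce, string $action) {
        return hash_equals(wp_create_nonce($action), $nonce) ? 1 : false;
    }
}

// Vulnerable: any POST carrying the admin's session cookies is accepted, so a
// page the admin is lured to can submit this form on their behalf.
function demo_save_settings_vulnerable(array $post, array &$options): string {
    if (!isset($post['feed_url'])) {
        return 'nothing to do';
    }
    $options['feed_url'] = $post['feed_url'];
    return 'saved';
}

// Hardened: the capability check answers "may this user do this?", the nonce
// check answers "did this request come from our own settings form?". A forged
// cross-site request cannot carry a valid nonce, because the nonce is tied to
// the user's session and is never exposed to other origins.
function demo_save_settings_hardened(array $post, array &$options): string {
    if (!current_user_can('manage_options')) {
        return 'forbidden: insufficient capability';
    }
    if (!wp_verify_nonce((string) ($post['_wpnonce'] ?? ''), 'demo_importer_save')) {
        return 'rejected: missing or invalid nonce';
    }
    if (!isset($post['feed_url'])) {
        return 'nothing to do';
    }
    $url = filter_var($post['feed_url'], FILTER_VALIDATE_URL); // validate before storing
    if ($url === false || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        return 'rejected: feed_url must be an http(s) URL';
    }
    $options['feed_url'] = $url;
    return 'saved';
}

// Constructed requests: a cross-site forged POST carries no nonce; the real form does.
$options = ['feed_url' => 'https://www.youtube.com/feeds/videos.xml?channel_id=EXAMPLE'];
$forged  = ['feed_url' => 'https://example.invalid/forged-feed'];
$genuine = ['feed_url' => 'https://www.youtube.com/feeds/videos.xml?channel_id=OTHER',
            '_wpnonce' => wp_create_nonce('demo_importer_save')];

echo 'vulnerable, forged request: ', demo_save_settings_vulnerable($forged, $options), "\n";
echo 'hardened, forged request:   ', demo_save_settings_hardened($forged, $options), "\n";
echo 'hardened, genuine request:  ', demo_save_settings_hardened($genuine, $options), "\n";
```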

Details: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/auto-youtube-importer/auto-youtube-importer-103-cross-site-request-forgery

Malicious Google ads sneak AWS phishing sites into search results

A new phishing campaign targeting Amazon Web Services (AWS) logins is abusing Google ads to sneak phishing sites into Google Search to steal your login credentials.

The campaign was discovered by Sentinel Labs, whose analysts observed the malicious search results on January 30, 2023. The bad ads ranked second when searching for “aws,” right behind Amazon’s own promoted search result.

Initially, the threat actors linked the ad directly to the phishing page. However, at a later phase, they added a redirection step, likely to evade detection by Google’s ad fraud detection systems.

The malicious Google ads take the victim to a blogger website (“us1-eat-a-w-s.blogspot[.]com”) under the attackers’ control, which is a copy of a legitimate vegan food blog. 

The site uses ‘window.location.replace’ to automatically redirect the victim to a new website that hosts the fake AWS login page, made to appear authentic.

The victim is prompted to select if they are a root or IAM user and then enter their email address and password. This option helps the threat actors categorize the stolen data into two categories of value and utility.

The phishing domains seen by Sentinel Labs are:

  • aws1-console-login[.]us
  • aws2-console-login[.]xyz
  • aws1-ec2-console[.]com
  • aws1-us-west[.]info

An interesting feature of the phishing pages is that their author has included a JavaScript function to disable right clicks, middle mouse buttons, or keyboard shortcuts.

Sentinel Labs says this is likely a mechanism to prevent users from navigating away from the page, either purposefully or by mistake.

The security firm reports seeing Portuguese used as a language in the JavaScript code comments and variables, while the root page of the blogger domain mimics a Brazilian dessert business. Finally, the Whois details used for registering the domains point to a Brazilian person.

Sentinel Labs reported the abuse to Cloudflare, which protected the phishing sites, and the internet company quickly shut down the account. However, the malicious Google Ads remain, even if the sites they link to are no longer online.

Google Ads have been under massive abuse from cybercriminals of all kinds lately, serving as an alternative method to reach potential victims.

These ads have been used lately for phishing password manager accounts, achieving initial network compromise for ransomware deployment, and distributing malware masquerading as legitimate software tools.

Last week, Sentinel Labs discovered a campaign that uses virtualization technology together with Google Ads to spread malware that makes it harder to detect by antivirus tools.

Source: Malicious Google ads sneak AWS phishing sites into search results (bleepingcomputer.com) and Risky Biz News: Google Search and Ads have a major malware problem (substack.com)

High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder

On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations.

The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant of cross-site scripting as it provides the easiest path to site takeover, and has been assigned an identifier of CVE-2023-0084.

Mohammed reached out to the plugin developer independently the same day and a patched version was made available a few days later, on January 8, 2023. [PYWP clients have already been upgraded to the patched version — billc]

All Wordfence users are protected against this vulnerability by the Wordfence Firewall’s built-in Cross-Site Scripting protection. However, the Wordfence Threat Intelligence team became aware of a possible bypass and released a firewall rule to Wordfence Premium users on February 3, 2023.

This additional protection will become available to Wordfence free users after 30 days, on March 5, 2023, but Wordfence free users can simply update the Metform plugin to the latest version which is 3.2.1 at the time of this writing to gain protection against this vulnerability.

Source & more details: https://www.wordfence.com/blog/2023/02/high-severity-xss-vulnerability-in-metform-elementor-contact-form-builder/