28,000 GoDaddy Hosting Accounts Compromised

Public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website hosting providers, disclosed that the SSH credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an unauthorized attacker.

SSH, while extremely secure if configured correctly, can allow logins with either a username/password combination, or a username and a public/private key pair. In the case of this breach, it appears likely that an attacker placed their public key on the affected accounts so that they could maintain access even if the account password was changed.

It is unclear which of GoDaddy’s hosting packages were affected by this breach. According to GoDaddy’s public statement:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

The breach itself appears to have occurred on October 19, 2019.

See https://www.wordfence.com/blog/2020/05/28000-godaddy-hosting-accounts-compromised/ for suggested actions

Note that breaches like this can create a prime target for attackers who use phishing campaigns as a means to infect users. If you are a GoDaddy user, be extra wary of any emails you may receive.

Nearly a Million WP Sites Targeted in Large-Scale Attacks

The WordFence Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting(XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data.

The majority of these attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject – a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header.

After further investigation, we found that this threat actor was also attacking other vulnerabilities, primarily older vulnerabilities allowing them to change a site’s home URL to the same domain used in the XSS payload in order to redirect visitors to malvertising sites.

Full details at https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/

iOS Mail Zero-day

UPDATE: A patch has been issued in iOS 13.4.5 beta, with an expected final release soon.  No word on patches for earlier iOS versions.

Source: https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/

A zero-day exploit has been discovered in the iOS Mail app.  The security hole has existed as far back as iOS 6 (September 2012), and extends to the current iOS (13.x).

As of today (4/22/2020) this has NOT been patched.  It is recommended that you DISABLE iOS mail at this time.

We advise that you update as soon as an iOS patch is available.

Full details at https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/

 

Emerging Threat Mounts Mass iPhone Surveillance Campaign

From Threatpost

A recently discovered, mass-targeted watering hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware.

The malware specifically targets vulnerabilities in versions 12.1 and 12.2 of Apple’s iOS.

The campaign uses links posted on multiple forums that purport to lead to various news stories that would be of interest to Hong Kong residents, according to a pair of research notes from Kaspersky and Trend Micro. The links lead to both newly created websites set up specifically for this campaign by the operators, as well as legitimate sites that have been compromised. In both cases, a hidden iframe is used to load and execute malicious code.

Continue reading…

COVID-19: Hackers Exploit “Fearware” to Target Victims

We’ve all heard about the guy in Tennessee who bought 17,000 bottles of hand sanitizer, then tried to sell them at highly inflated prices.

Some people are going to try to make a buck off anything that happens, without regard to the rest of society.  Hackers and scammers are some of those kind of people, and they’re playing the COVID-19 fears just like they do any other opportunity they find.

So it’s no surprise that we’re seeing reports of multiple COVID-19 related scams.

One form of attack involves well-crafted phishing emails that appear to come from health authorities but instead contain malicious software that can steal a person’s data or hijack their device. Be sure that the source is real, and are who they say they are.

One hacking attack saw Russian-language criminals share an interactive map of coronavirus infections and deaths, which had originally been created by John Hopkins University to offer real-time information about the pandemic. Anyone opening the map sent by the hackers would be infected by a form of password-stealing malware that had been hidden within the map.

Fake websites, phishing emails, and malware-laden “tools” abound, so be careful where you go and what you open.

https://arstechnica.com/information-technology/2020/03/the-internet-is-drowning-in-covid-19-related-malware-and-phishing-scams/

https://threatpost.com/apt36-taps-coronavirus-as-golden-opportunity-to-spread-crimson-rat/153776/

https://www.independent.co.uk/life-style/gadgets-and-tech/news/coronavirus-hackers-covid-19-china-fearware-malware-a9400141.html

https://www.darktrace.com/en/blog/how-antigena-email-caught-a-fearware-attack-that-bypassed-the-gateway/

https://www.webarxsecurity.com/covid-19-cyber-attacks/

https://threatpost.com/hackers-hijack-routers-to-spread-malware-via-coronavirus-apps/154170/

 

Why You Shouldn’t Use Free Versions of Paid Plugins or Themes!

Full article: An inside look at WP-VCD, today’s largest WordPress hacking operation

According to the folks at WordFence, the worst malware threat out there for WordPress sites comes from a series of sites hawking free versions of premium (paid) plugins and themes.  Here’s their basic modus operandi:

They offer compromised plugins and themes for free to unsuspecting webmaster who think they’re getting a great deal.

Those plugins/themes then insert backlinks and otherwise promote the source sites of the hacked goods, improving their search engine ranking and thus increasing their likelihood of being found and guaranteeing a continuous stream of victims.

They immediately insert malicious code into any other themes the site has available, so even if the pirated theme isn’t in use, the active theme gets infected.

So now they have a self-generating network of infected sites, and they use them to run malware ads (their income source).

WordPress site owners should keep in mind that when something is free, then “you’re the product” — in this case, your site, which has now been corralled into a cybercrime operation.

See also the original WordFence report.

Malware redirecting visitors found on 2,000 WordPress sites

More than 2,000 WordPress sites have been infected with malicious JavaScript that redirects visitors to scam websites and sets the stage for additional malware to be downloaded at a later time.

The Sucuri team said access is gained to WordPress sites through plugin vulnerabilities, including Simple Fields and CP Contact Form with PayPal. [ed note: None of the sites we manage are subject to these infections, as the security plugins we use protect against exploits of this type. And no sites under our management currently use the known vulnerable plugins. ] A large uptick in this activity was picked up during the third week of January.

Source:  https://www.scmagazine.com/home/security-news/malware/malware-redirecting-visitors-found-on-2000-wordpress-sites/?fbclid=IwAR3dUryf3c0OOK4VGXJsOhTSdPkik70RF0-5Tsg4rfmPgfyl6NLtEie8ViE

10% of All Macs Shlayered

Many people think that malware only targets Windows and that Macs are safe, but a new report shows how a single Apple malware called Shlayer has attacked over 10% of all Apple computers monitored by an antivirus company.

Instead of distributing the Shlayer Trojan via phishing attacks or through other malware, the threat actors focus on trending events or popular shows and then build fake web sites surrounding them.

Apple users visit these fake sites through search results, links in YouTube videos, and even links in Wikipedia articles. When visiting these sites, instead of being greeted with a video to watch, they are told they need to first update Flash Player.

These Flash Player updates, though, are the Shlayer Trojan and when executed will install a malware cocktail onto the computer.

When browsing the web, if any site states that you must install an update to watch a video or perform an activity, immediately leave that site.

Source:  https://www.bleepingcomputer.com/news/security/10-percent-of-all-macs-shlayered-malware-cocktail-served/

More at: https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/

Hacker Uses NSA-Discovered Vulnerability In Windows To Spoof NSA

As a part of its latest Patch Tuesday update, Microsoft fixed a critical Windows 10 CryptoAPI vulnerability (CVE-2020-0601) that was discovered by the National Security Agency (NSA).

However, a security researcher named Saleem Rashid didn’t take much time to demonstrate the havoc it could have caused – in a funny way, though.

The researcher rickrolled the NSA and GitHub by spoofing their HTTPS-secured websites and showed how anyone could masquerade them. Rickrolling is a familiar gesture used to demo security flaws by playing Rick Astley’s music video “Never Gonna Give You Up,” which Rashid did on the websites of NSA and GitHub.

Affected Windows versions can be secured using the patch that’s already available. So, it’s recommended that you install it if haven’t done it already. At the same time, Google is also in the process of pushing a fix for Chrome that is currently being tested in beta releases.

Full story

Database Reset Plugin Bugs Let Hackers Wipe or Takeover Your Site

Critical bugs found in the WordPress Database Reset plugin used by over 80,000 sites allow attackers to drop all users and get automatically elevated to an administrator role and to reset any table in the database.

The two vulnerabilities tracked as CVE-2020-7048 and CVE-2020-7047, rated as Critical and High severity, were patched with the release of WP Database Reset 3.15, a week after the initial disclosure from WordFence, the WordPress security firm that discovered the flaw.

Successful exploitation of the two flaws on unpatched WordPress sites could lead to full site takeover and/or database reset.

Disclosure Timeline

January 7th, 2020 – Vulnerability initially discovered and analyzed.
January 8th, 2020 – Full details disclosed to plugin developer and custom firewall rule released to Wordfence premium users.
January 13th, 2020 – Developer responds and notifies us that a patch will be released the next day.
January 14th, 2020 – Patch released.
January 16th, 2020 – Public disclosure.

Full details here and here.