US govt warns orgs to patch massively exploited Confluence bug

US Cyber Command (USCYBERCOM) has issued a rare alert today urging US organizations to patch a massively exploited Atlassian Confluence critical vulnerability immediately.

“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” said Cyber National Mission Force (CNMF). 

The USCYBERCOM unit also stressed the importance of patching vulnerable Confluence servers as soon as possible: “Please patch immediately if you haven’t already— this cannot wait until after the weekend.”

This warning comes after Deputy National Security Advisor Anne Neuberger encouraged organizations “to be on guard for malicious cyberactivity in advance of the holiday weekend” during a Thursday White House press briefing.

It’s the second alert of this kind in the last 12 months, the previous one (from June) notifying that CISA was aware that threat actors might attempt to exploit a remote code execution vulnerability affecting all vCenter Server installs.

CISA also urged users and admins today to immediately apply the Confluence security updates recently issued by Atlassian.

Original article: https://www.bleepingcomputer.com/news/security/us-govt-warns-orgs-to-patch-massively-exploited-confluence-bug/amp/

Estonian Citizen Pleads Guilty to Computer Fraud and Abuse

At least 60 devices and internet routers were compromised in Alaska

ANCHORAGE – An Estonian national pleaded guilty today in the District of Alaska to two counts of computer fraud and abuse.   

According to court documents, Pavel Tsurkan, 33, operated a criminal proxy botnet by remotely accessing and compromising more than 1,000 computer devices and internet routers worldwide, including at least 60 victims in Alaska. He used the victims’ devices to build and operate an Internet of Things (IoT)-based botnet dubbed the “Russian2015” using the domain Russian2015.ru. He modified the operation of each compromised internet router so it could be used as a proxy to transmit third-party internet traffic without the owners’ knowledge or consent. He then sold access to global cybercriminals who channeled their traffic through the victims’ home routers, using the victims’ devices to engage in spam campaigns and other criminal activity. The Alaska victims experienced significant data overages even when there were no home computers connected to the victims’ home networks. The data overages resulted in hundreds to thousands of dollars per victim.   

“Today’s cybercriminals rely on increasingly sophisticated techniques to hijack computers and personal electronic devices for their criminal activities. Botnets like the ‘Russian2015’ are a dangerous threat to all Americans and today’s guilty plea demonstrates we can and will hold accountable foreign cybercriminals and their enablers,” said Acting U.S. Attorney Bryan Wilson, District of Alaska. “Our success in disrupting this botnet was the result of a strong partnership between private industry experts and law enforcement.”

Tsurkan is scheduled to be sentenced on November 10, 2021 and faces a maximum penalty of 10 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The FBI’s Anchorage Field Office is investigating the case with support from GCI and Palo Alto Networks Unit 42. The FBI’s New Haven, Connecticut, Field Office provided assistance during the investigation.

Assistant U.S. Attorney Adam Alexander and Trial Attorney Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case.

Press release from: https://www.justice.gov/usao-ak/pr/estonian-citizen-pleads-guilty-computer-fraud-and-abuse

Sucuri: Malware Disables Security Plugins to Avoid Detection

An alarm or monitoring system is a great tool that can be used to improve the security of a home or website, but what if an attacker can easily disable it?

Sucuri recently described an attack in which hackers gain access to the site and then immediately disable any of a list of well-known security plugins that are installed. If your security plugins are turned off, they’re not going to scan your site for malware and they’re not going to email you a warning.

“If a user tries to reactivate one of the disabled security plugins, it will momentarily appear to activate only for the malware to immediately disable it again. This behavior will prevail until the malware is fully removed from the compromised environment, making it more difficult to detect malicious behavior on the website.”

Ideally your sites are locked down well enough that the hackers can’t gain access in the first place. But keep an eye on your site and if you see any behavior similar to what’s described, contact us and we’ll clean it up.

https://blog.sucuri.net/2020/09/wordpress-malware-disables-security-to-avoid-detection.html

Redirection Hack: a case study

Several hacked sites we recently repaired had the same exploit, which can be tricky to detect by most site owners. We’ve seen this one enough that we feel it is important to let you know what to look for.

A good friend of ours mentioned as an aside that his site kept getting hacked and though his more technically adept relative had cleaned up the immediate problem, whenever someone attempted to look up his site on a search engine they were met with a list of spam sites (viagra ads and the like) all listing HIS site as the web address. He had no idea how that happened, much less how to fix it.

Here’s what was going on: There’s a file at the root of most websites named “.htaccess”. This file holds specific directives on how to handle various traffic to your website. For instance, if you redesign your site and change some of the page names (say, from “mysite.com/contact.html” to “mysite.com/contact/”), it can be used to redirect visitors to the new page. Without a redirect, the visitor would end up on your Not Found page, which is frustrating for them and not a good customer service practice.

If hackers gain access to this file they can redirect your visitors anywhere they want, and that’s exactly what happened in these cases.

The hackers had written a set of directives which said in essence “If the visitor is coming from Google, Bing, etc (listing all the big search engines), then please redirect them to one of a list of spam sites”. So when the search engines crawled the site they were also redirected, and the web address was associated with the spam sites on the search engine.
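One way to check your own .htaccess for this pattern, as an added example that is not from the original post: it walks the file, keeps the RewriteCond lines that guard each RewriteRule, and flags any rule that redirects search-engine referrers or crawlers to another host. The sample .htaccess and the site host “mysite.com” are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess modelled on the hack described above: a legitimate
# page redirect, then conditions that single out search-engine traffic and send it off-site.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^contact\\.html$ /contact/ [R=301,L]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|msn|ask|aol)\\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://spam-pharmacy.example/in.php?u=$1 [R=302,L]
"""

SEARCH_ENGINE_RE = re.compile(r"google|bing|yahoo|msn|ask|aol|duckduckgo", re.I)
SITE_HOST = "mysite.com"  # assumption: the legitimate host of the site being checked


def _is_external_redirect(flags, target, site_host):
    """True if the RewriteRule flags request a redirect and the target points off-site."""
    flag_list = flags.strip("[]").split(",") if flags else []
    redirects = any(f == "R" or f.startswith("R=") or f.lower().startswith("redirect")
                    for f in flag_list)
    host = urlparse(target).netloc.lower()
    return redirects and host not in ("", site_host.lower())


def find_referrer_redirects(htaccess_text, site_host=SITE_HOST):
    """Return (line_no, target) for RewriteRules that redirect search-engine traffic off-site."""
    findings = []
    pending_conds = []  # RewriteCond lines apply to the next RewriteRule only
    for line_no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("RewriteCond"):
            pending_conds.append(line)
            continue
        conds, pending_conds = pending_conds, []
        if not line.startswith("RewriteRule"):
            continue
        parts = line.split()
        target = parts[2] if len(parts) > 2 else ""
        flags = parts[3] if len(parts) > 3 else ""
        targets_search_engines = any(
            ("HTTP_REFERER" in c or "HTTP_USER_AGENT" in c) and SEARCH_ENGINE_RE.search(c)
            for c in conds)
        if targets_search_engines and _is_external_redirect(flags, target, site_host):
            findings.append((line_no, target))
    return findings
```

Run it against the real file with `find_referrer_redirects(open(".htaccess").read(), "yourdomain.com")`; the ordinary page redirect in the sample is left alone, only the search-engine rule is reported.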

So it might be a good idea to search your own site from time to time. If you happen to run into a similar problem on your site – or someone else’s – we can help.

All of the sites managed by ProtectYourWp.com are protected against this kind of hack, of course. The sites alluded to above were running vulnerable versions of WordPress and plugins which were the likely entry for the hackers. The sites are now new clients, being kept up to date by us.

New Virus from the domain “js.donatelloflowfirstly[.]ga” is infecting many WordPress sites

This is an advertising injection/redirection JavaScript which sends your visitors off to malicious domains. The JavaScript in question is injected into EVERY post on affected sites.
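Because the tag lands in every post, the tell-tale sign is an external script host that shows up across the whole site rather than in one article. The scanner below is an added example, not code from the original post: it pulls the host of every `<script src>` out of each post body and reports hosts that appear in nearly all of them. The post bodies, the script path and the allowlisted CDN host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed post bodies: the injected tag appears in every post, a legitimate CDN
# script in one, and a one-off external font script in another.
SAMPLE_POSTS = {
    1: '<p>First post</p><script src="https://js.donatelloflowfirstly.ga/stat.js?v=1"></script>',
    2: '<p>Second post</p><script src="//fonts.example.org/loader.js"></script>'
       '<script type="text/javascript" src="https://js.donatelloflowfirstly.ga/stat.js?v=1"></script>',
    3: '<script src="/wp-content/themes/demo/main.js"></script><p>Third post</p>'
       '<script src="https://cdn.example.com/lib.js"></script>'
       '<script src="https://js.donatelloflowfirstly.ga/stat.js?v=1"></script>',
}
ALLOWED_HOSTS = {"cdn.example.com"}  # assumption: hosts the site legitimately loads scripts from


class ScriptHostCollector(HTMLParser):
    """Collect the hosts of all <script src=...> tags; same-origin (relative) paths are ignored."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = urlparse(src).netloc.lower() if src else ""
        if host:
            self.hosts.add(host)


def external_script_hosts(posts, allowed_hosts=ALLOWED_HOSTS):
    """Map each non-allowlisted script host to the set of post IDs that load it."""
    seen = {}
    for post_id, html in posts.items():
        collector = ScriptHostCollector()
        collector.feed(html)
        for host in collector.hosts - {h.lower() for h in allowed_hosts}:
            seen.setdefault(host, set()).add(post_id)
    return seen


def sitewide_injections(posts, allowed_hosts=ALLOWED_HOSTS, min_fraction=0.9):
    """Hosts present in (nearly) every post are the signature of a mass injection like this one."""
    hosts = external_script_hosts(posts, allowed_hosts)
    return sorted(h for h, ids in hosts.items() if len(ids) >= min_fraction * len(posts))
```

On a live site, feed it `{ID: post_content}` rows pulled from the wp_posts table and review anything `external_script_hosts` returns, not just the site-wide hits.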

Our clients should be automatically protected against most javascript injections such as this (but let us know if you see something like this on your site!).

A quick search for “donatelloflowfirstly” will bring up a bunch of sites which are affected – and a few with instructions on how to clean up the mess.

Large Scale Attack Campaign Targets Database Credentials

Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files.

The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.

Sites running Wordfence (all sites managed by ProtectYourWP.com) are protected against this campaign. If your site is not running Wordfence, and you believe you have been compromised, change your database password and authentication unique keys and salts immediately.
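Rotating the authentication keys and salts is the one part of that advice that can be scripted safely, since the new values only need to be written to wp-config.php. The script below is an added example, not Wordfence’s or this site’s code: it regenerates all eight WordPress key/salt defines with fresh random values and reports any it could not find. The database password is left untouched on purpose, because the new value must also be set in the database itself. The wp-config.php fragment is constructed.

```python
import re
import secrets

WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Constructed wp-config.php fragment standing in for a file an attacker has downloaded.
SAMPLE_WP_CONFIG = """\
define( 'DB_PASSWORD', 'old-db-password' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
"""

# Printable characters that are safe inside a single-quoted PHP string (no quote, no backslash).
SALT_ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
                 "!@#$%^&*()-_[]{}<>~`+=,.;:/?|")


def new_salt(length=64):
    """64 characters drawn from a CSPRNG, the same length WordPress itself uses."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rotate_salts(config_text, generate=new_salt):
    """Replace every WordPress key/salt value; returns (new_text, keys_not_found).
    DB_PASSWORD is deliberately untouched: it must match the password set in the database."""
    pattern = re.compile(r"define\(\s*'(%s)'\s*,\s*'[^']*'\s*\)" % "|".join(WP_KEYS))
    rotated = set()

    def replacement(match):
        rotated.add(match.group(1))
        return "define( '%s', '%s' )" % (match.group(1), generate())

    new_text = pattern.sub(replacement, config_text)
    return new_text, set(WP_KEYS) - rotated
```

Rotating the salts invalidates every existing login cookie, so all users (including the attacker’s session, if any) are signed out.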

Full article at WordFence

One Attacker Outpaces All Others

Starting April 28th, the WordFence team saw a 30-fold increase in cross-site scripting attack volume, originating from a single attacker and targeting over a million WordPress sites. WordFence published research detailing the threat actor and attack volume increase on May 5th. By the time they published, the attack volume had dropped back down to baseline levels.

As of May 11, 2020, attacks by this same threat actor have once again ramped up, and are ongoing. This attacker has now attacked over 1.3 million sites in the past month. As of May 12, 2020, attacks by this threat actor have outpaced all other attacks targeting vulnerabilities across the WordPress ecosystem.

What should I do?

As with the previous attacks, the majority of vulnerabilities being targeted are Cross-Site Scripting (XSS) flaws. The Wordfence Firewall’s built-in XSS protection provides protection from these attacks. But you should still ensure that all plugins, themes, and WordPress core are up to date.

Full story at https://www.wordfence.com/blog/2020/05/one-attacker-rules-them-all

Nearly a Million WP Sites Targeted in Large-Scale Attacks

The WordFence Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting (XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data.

The majority of these attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject – a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header.

After further investigation, we found that this threat actor was also attacking other vulnerabilities, primarily older vulnerabilities allowing them to change a site’s home URL to the same domain used in the XSS payload in order to redirect visitors to malvertising sites.

Full details at https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/

As Zoom Booms, Incidents of ‘ZoomBombing’ Become a Growing Nuisance

With the recent Stay At Home orders resulting from COVID-19, many more people are using Zoom and other video chat software to keep in touch with their colleagues. Unfortunately, that means many people are unfamiliar with the platforms and their protocols, which gives bad actors lots of opportunities to take advantage.

From Threatpost:

Numerous instances of online conferences being disrupted by pornographic images, hate speech or even threats can be mitigated using some platform tools.

Officials at Zoom have released tips for users of their video-conferencing platform to help avoid getting “Zoom-bombed” by trolls and even more serious threat actors during online meetings.

The developers of the online video-conferencing service cautioned users to avoid sharing Zoom meeting links publicly and widely on social media and to use some simple management tools within the system to help avoid scenarios in which uninvited participants disrupt meetings in unpleasant and threatening ways.

Read more at the original article: https://threatpost.com/as-zoom-booms-incidents-of-zoombombing-become-a-growing-nuisance/154187/