Compromised WordPress sites launch DDoS on Ukrainian websites

Threat actors compromised WordPress sites and planted a script that, whenever a visitor loads one of the pages, turns that visitor's browser into a DDoS source against Ukrainian websites.

MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site; while users were browsing the site, the script launched a DDoS attack from their browsers against ten Ukrainian sites.

The JavaScript issues thousands of HTTP GET requests to the targeted sites.

The only symptom a visitor notices is that the browser slows down.

According to BleepingComputer, which first reported the discovery, the targets were pro-Ukrainian sites and Ukrainian government agencies, along with think tanks, recruitment sites for the International Legion of Defense of Ukraine, and financial sites.

The script randomizes each request so that it cannot be answered by a caching service and every request has to be served by the origin server.

In an interesting twist, BleepingComputer found the same script in use on a pro-Ukrainian site to launch attacks against Russian websites.

“When visiting the site, users’ browsers are used to conduct DDoS attacks on 67 Russian websites,” states BleepingComputer.

Source: https://securityaffairs.co/wordpress/129597/hacking/wordpress-compromsied-sites-ddos-ukraine.html

Massive attack against 1.6 million WordPress sites underway

Wordfence analysts report detecting a massive wave of attacks over the last couple of days, originating from 16,000 IP addresses and targeting over 1.6 million WordPress sites.

The threat actors are targeting four WordPress plugins and fifteen Epsilon Framework themes, one of which has no patch available.

Some of the targeted plugins were patched as far back as 2018, while others had their vulnerabilities fixed as recently as this week.

The targeted plugins are:

  • PublishPress Capabilities
  • Kiwi Social Plugin
  • Pinterest Automatic
  • WordPress Automatic

The targeted Epsilon Framework themes are:

  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas
  • NatureMag Lite – No patch available

“In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to administrator,” Wordfence explains.

“This makes it possible for attackers to register on any site as an administrator effectively taking over the site.”
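A check for the tampering Wordfence describes, as an added example (not Wordfence's or WordPress's code): it takes the option values and user rows you would pull from `wp_options`, `wp_users` and `wp_usermeta` (or via WP-CLI), flags the two options, and lists administrator accounts created on or after an assumed attack-window start. The sample rows and the cutoff date are constructed.

```python
"""Audit for the takeover pattern Wordfence describes: open registration plus an
administrator default role, and administrator accounts that appeared afterwards.

Added example, not Wordfence's or WordPress's code. It works on values pulled from
wp_options, wp_users and wp_usermeta (or via WP-CLI); the rows below and the
attack-window start date are constructed.
"""
from datetime import datetime

# WordPress defaults that a clean site should have
SAFE_VALUES = {"users_can_register": "0", "default_role": "subscriber"}

# Constructed wp_options rows (option_name -> option_value) showing the tampered state
SAMPLE_OPTIONS = {
    "siteurl": "https://shop.example",
    "users_can_register": "1",        # anyone can register
    "default_role": "administrator",  # ...and becomes an administrator
}

# Constructed wp_users rows joined with their wp_usermeta 'wp_capabilities' value,
# which WordPress stores as a PHP-serialized array
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2019-05-02 10:11:12",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 87, "user_login": "jsmith", "user_registered": "2021-11-20 03:14:07",
     "wp_capabilities": 'a:1:{s:10:"subscriber";b:1;}'},
    {"ID": 88, "user_login": "wp_support_1", "user_registered": "2021-12-10 04:02:55",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]


def has_role(serialized_caps, role):
    """Match the role inside the serialized array without a full PHP unserializer."""
    return f's:{len(role)}:"{role}";b:1' in serialized_caps


def audit(options, users, attack_window_start):
    """Return findings: tampered options and administrators registered on/after the cutoff."""
    cutoff = datetime.strptime(attack_window_start, "%Y-%m-%d")
    findings = []
    for name, expected in SAFE_VALUES.items():
        value = options.get(name)
        if value != expected:
            findings.append({"type": "option", "name": name, "value": value, "expected": expected})
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if has_role(u["wp_capabilities"], "administrator") and registered >= cutoff:
            findings.append({"type": "suspect_admin", "ID": u["ID"],
                             "user_login": u["user_login"], "registered": u["user_registered"]})
    return findings


def remediation_commands(findings):
    """WP-CLI commands to revert the options; suspect accounts are listed for review, not
    deleted automatically, since a legitimate admin may have been added in the window."""
    cmds = []
    for f in findings:
        if f["type"] == "option":
            cmds.append(f'wp option update {f["name"]} {f["expected"]}')
        else:
            cmds.append(f'# review, then: wp user delete {f["ID"]} --reassign=<trusted admin ID>')
    return cmds


if __name__ == "__main__":
    for line in remediation_commands(audit(SAMPLE_OPTIONS, SAMPLE_USERS, "2021-12-09")):
        print(line)
```

Reverting the two options closes the registration path, but it does not evict an attacker who has already registered; the accounts the audit lists, and any backdoor files or scheduled events they may have planted, still have to be dealt with.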

Source: https://www.bleepingcomputer.com/news/security/massive-attack-against-16-million-wordpress-sites-underway/

Hackers infect random WordPress plugins to steal credit cards

Credit card skimmers are being injected into arbitrary plugins on e-commerce WordPress sites, where they evade detection while stealing customers' payment details.

With the Christmas shopping season in full swing, card-stealing threat actors are stepping up their efforts to infect online shops with stealthy skimmers, so administrators ought to remain vigilant.

The latest trend is injecting card skimmers into WordPress plugin files, avoiding the closely monitored ‘wp-admin’ and ‘wp-includes’ core directories, where most injections are short-lived.

According to a new report by Sucuri, hackers performing credit card theft are first hacking into WordPress sites and injecting a backdoor into the website for persistence.
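An integrity check for the plugin-file injection described above, as an added example (not Sucuri's tooling or any plugin's code): it hashes every file under a plugin directory against a manifest recorded from a known-clean copy, then greps only the changed or unexpected files for obfuscation and skimmer indicators, so a backdoor dropped as a new file and a skimmer appended to an existing one both surface. The sample plugin, the injected snippets and the pattern list are constructed. For plugins installed from wordpress.org, `wp plugin verify-checksums` does the hash comparison against the official copy.

```python
"""Integrity check for WordPress plugin files: hash comparison against a known-clean
manifest, then indicator grep over only the changed or unexpected files.

Added example, not Sucuri's tooling or any plugin's code. The sample plugin, the injected
snippets and the pattern list below are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile

# Indicators worth a look in a file that should not have changed. Legitimate gateway
# plugins mention card fields too, which is why this only runs on changed/new files.
SUSPICIOUS = {
    "eval-of-decoded-payload": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "long-hex-escaped-string": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "fromcharcode-obfuscation": re.compile(rb"String\.fromCharCode\s*\("),
    "card-field-harvesting": re.compile(rb"(?:cvv|cvc|card_?number|ccnum)", re.I),
}


def iter_files(root):
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record {relative path: sha256} from a copy you trust (fresh install or release zip)."""
    return {rel: sha256_file(full) for rel, full in iter_files(root)}


def scan_plugin_dir(root, manifest):
    findings = {"modified": [], "unexpected": [], "missing": [], "suspicious": {}}
    seen = set()
    for rel, full in iter_files(root):
        seen.add(rel)
        if rel not in manifest:
            findings["unexpected"].append(rel)
        elif manifest[rel] != sha256_file(full):
            findings["modified"].append(rel)
        else:
            continue  # pristine: matches the trusted hash, no need to grep
        with open(full, "rb") as f:
            data = f.read()
        hits = [name for name, pat in SUSPICIOUS.items() if pat.search(data)]
        if hits:
            findings["suspicious"][rel] = hits
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def _write(root, rel, text, append=False):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "a" if append else "w") as f:
        f.write(text)


def build_sample_plugin():
    """Constructed clean plugin in a temp dir; returns (root, trusted manifest)."""
    root = tempfile.mkdtemp(prefix="wp-plugin-")
    _write(root, "plugin.php", "<?php\n/* Plugin Name: Sample Shop Helper */\nrequire __DIR__ . '/includes/helper.php';\n")
    _write(root, "includes/helper.php", "<?php\nfunction ssh_format_price($p) { return number_format($p, 2); }\n")
    return root, build_manifest(root)


def infect_sample_plugin(root):
    """Constructed stand-in for the injection pattern: a skimmer appended to an existing
    plugin file and a backdoor dropped as a new file with an innocuous name."""
    _write(root, "includes/helper.php",
           "add_action('wp_footer', function () { echo '<script>var c=document.querySelector(\"input[name=ccnum]\");"
           "eval(String.fromCharCode(102,101,116,99,104));</script>'; });\n", append=True)
    _write(root, "assets/cache.php", "<?php if (isset($_POST['k'])) { eval(base64_decode($_POST['k'])); }\n")


if __name__ == "__main__":
    root, manifest = build_sample_plugin()
    infect_sample_plugin(root)
    print(scan_plugin_dir(root, manifest))
```

The manifest has to come from somewhere the attacker could not reach: a release archive, a deploy pipeline, or a checksum stored off the web server. A manifest regenerated from the live site after the fact only certifies the infected state.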

Full article at https://www.bleepingcomputer.com/news/security/hackers-infect-random-wordpress-plugins-to-steal-credit-cards/

AWS Attacks Targeting WordPress Increase 5X

The Wordfence Threat Intelligence team has been tracking a huge increase in malicious login attempts against WordPress sites in our network. Since November 17, 2021, the number of attacks targeting login pages has doubled.

We have seen a global increase in attacks against WordPress sites during the past week, and more than a quarter of all the malicious login attempts we’re tracking now originate from Amazon Web Services (AWS) EC2 instances.

While AWS makes it easy for businesses to move to the cloud, attackers are also making use of the scale provided by cloud services, including AWS, in increasing numbers.

Many site owners still reuse the same password in multiple places, and data breaches, such as the recent GoDaddy breach, are a frequent source of compromised passwords. Attackers use these compromised passwords to try to log in to yet more sites and services, and with this technique they may guess a login correctly on the first try.

We also recommend that everyone use 2-factor authentication wherever possible, as it is an incredibly effective way of protecting your site even if an attacker has your password. The free version of Wordfence includes 2-factor authentication as a feature.
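Two detectors over a web server access log, as an added example: one for the browser-based, cache-busting flood described in the first item of this digest (the script planted on compromised WordPress sites), and one for the password attacks on wp-login.php from cloud address space described here. This is not code from either article; the log lines, hostnames and the address range standing in for an EC2 prefix are constructed.

```python
"""Two access-log detectors for attack patterns in this digest: browser-based
cache-busting floods (the script on compromised WordPress sites) and password attacks on
wp-login.php from cloud address space (the Wordfence report). Added example, not code
from either article; the log lines, hostnames and the address range are constructed.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Apache/nginx combined format: ip - - [ts] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a flood of randomized GETs referred by one third-party page, normal
# traffic, and password attempts against wp-login.php from two sources.
SAMPLE_LOG = """\
198.51.100.11 - - [10/Mar/2022:12:00:01 +0000] "GET /?a81f3c0e HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"
198.51.100.12 - - [10/Mar/2022:12:00:01 +0000] "GET /?c2d9e417 HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"
198.51.100.11 - - [10/Mar/2022:12:00:01 +0000] "GET /?0f6b2a9d HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"
198.51.100.13 - - [10/Mar/2022:12:00:02 +0000] "GET /?7e4c11b8 HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"
198.51.100.14 - - [10/Mar/2022:12:00:02 +0000] "GET /?b93d50aa HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"
198.51.100.12 - - [10/Mar/2022:12:00:02 +0000] "GET /?5a07e6f1 HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2022:12:00:03 +0000] "GET /about/ HTTP/1.1" 200 8190 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Mar/2022:12:00:04 +0000] "GET /about/ HTTP/1.1" 200 8190 "https://www.google.com/" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2022:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3990 "-" "python-requests/2.26"
203.0.113.45 - - [10/Mar/2022:12:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3990 "-" "python-requests/2.26"
203.0.113.45 - - [10/Mar/2022:12:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3990 "-" "python-requests/2.26"
203.0.113.45 - - [10/Mar/2022:12:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3990 "-" "python-requests/2.26"
203.0.113.45 - - [10/Mar/2022:12:01:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.26"
192.0.2.7 - - [10/Mar/2022:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3990 "https://shop.example/wp-login.php" "Mozilla/5.0"
192.0.2.7 - - [10/Mar/2022:12:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3990 "https://shop.example/wp-login.php" "Mozilla/5.0"
192.0.2.7 - - [10/Mar/2022:12:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3990 "https://shop.example/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2022:12:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3990 "https://shop.example/wp-login.php" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def find_cache_busting_floods(entries, min_requests=5, min_unique_ratio=0.9):
    """Return {path: finding} for paths whose requests almost never repeat a query string.
    Ordinary traffic repeats query strings (pagination, searches) and is mostly served from
    cache; the browser-side flood randomizes every request so each one reaches the origin."""
    by_path = defaultdict(lambda: {"n": 0, "queries": set(), "clients": set(), "referers": Counter()})
    for e in entries:
        parts = urlsplit(e["target"])
        rec = by_path[parts.path]
        rec["n"] += 1
        rec["queries"].add(parts.query)
        rec["clients"].add(e["ip"])
        rec["referers"][e["referer"]] += 1
    findings = {}
    for path, rec in by_path.items():
        if rec["n"] >= min_requests and len(rec["queries"]) / rec["n"] >= min_unique_ratio:
            # Many distinct clients sharing one third-party Referer points at the page carrying the script
            top_referer, top_count = rec["referers"].most_common(1)[0]
            findings[path] = {"requests": rec["n"], "unique_queries": len(rec["queries"]),
                              "clients": len(rec["clients"]), "top_referer": top_referer,
                              "top_referer_share": round(top_count / rec["n"], 2)}
    return findings


# Constructed stand-in for an EC2 prefix; in production load the 'EC2' entries from
# https://ip-ranges.amazonaws.com/ip-ranges.json (and the equivalents for other clouds).
CLOUD_RANGES = [ip_network("203.0.113.0/24")]


def find_login_attacks(entries, cloud_ranges=CLOUD_RANGES, min_failures=3):
    """Per source IP: failed wp-login.php POSTs (WordPress re-renders the form with HTTP 200
    on failure and answers a success with a 302 redirect), whether any attempt succeeded,
    and whether the source sits in cloud address space."""
    failures, successes = Counter(), set()
    for e in entries:
        if e["method"] == "POST" and urlsplit(e["target"]).path == "/wp-login.php":
            if e["status"] == "200":
                failures[e["ip"]] += 1
            elif e["status"] == "302":
                successes.add(e["ip"])
    report = {}
    for ip, n in failures.items():
        if n >= min_failures:
            addr = ip_address(ip)
            report[ip] = {"failures": n, "succeeded": ip in successes,
                          "cloud": any(addr in net for net in cloud_ranges)}
    return report
```

A source with a run of 200s followed by a 302 is a credential-stuffing hit, not just noise: that account needs a password reset and a look at what the session did next. Blocking cloud prefixes wholesale is usually too blunt (legitimate integrations run there too); rate limits on wp-login.php and xmlrpc.php plus 2FA, as Wordfence recommends, address the technique itself.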

Full article at https://www.wordfence.com/blog/2021/11/aws-attacks-targeting-wordpress-increase-5x

WooCommerce Extension – Reflected XSS Vulnerability

A vulnerability was discovered in “Preview E-mails for WooCommerce”, a WordPress plugin that is an extension for WooCommerce, installed on over 20,000 sites. This flaw made it possible for an attacker to inject malicious JavaScript into a page that would execute if the attacker successfully tricked a site’s administrator into performing an action like clicking on a link.

Preview E-mails for WooCommerce is a simple plugin designed to give site owners the ability to preview the emails that are sent to customers via WooCommerce. Unfortunately, the plugin had a flaw that made it possible for attackers to inject malicious web scripts into the `digthis-woocommerce-preview-emails` page.
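Reflected XSS of the kind described above, beside the hardened output, as an added example (not the plugin's PHP). The page slug is the one named in the advisory; the parameter name, the markup and the attacker link are assumptions for illustration.

```python
"""Reflected XSS in an admin page, vulnerable and hardened, as an added example (not the
plugin's PHP). The page slug is from the advisory; the parameter name, markup and payload
are assumptions for illustration.
"""
import html
from urllib.parse import parse_qs, urlsplit


def _param(query_string, name):
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string):
    # Hypothetical handler for admin.php?page=digthis-woocommerce-preview-emails that drops
    # a request parameter straight into the admin page HTML: whatever the link carries
    # runs in the administrator's logged-in session.
    return f'<h2>Preview of e-mail for order {_param(query_string, "order")}</h2>'


def render_hardened(query_string):
    # Escape at the point of output (the job esc_html() does in WordPress PHP).
    return f'<h2>Preview of e-mail for order {html.escape(_param(query_string, "order"))}</h2>'


def safe_href(url):
    """Escaping is context-specific: html.escape() does not stop javascript: in an href,
    so a URL destined for an attribute is also checked for scheme (what esc_url() does)."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return html.escape(url, quote=True)


# Constructed query string from an attacker-crafted link; the admin only has to open it.
PAYLOAD = "order=<img src=x onerror=alert(document.cookie)>"


def executes(rendered):
    """True if the injected tag survives as live markup (a browser would fire onerror)."""
    return "<img src=x onerror=" in rendered
```

Because the script runs with the administrator's cookies and nonces, a reflected XSS in an admin-only page is not "low impact just because it needs a click": from there the attacker can create users, edit plugin files or change options through the normal admin endpoints.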

Details from WordFence: https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-vulnerability

Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin

The Starter Templates plugin allows site owners to import prebuilt templates and blocks for various page builders, including Elementor.

The Starter Templates plugin, installed on over 1 million WordPress websites, was found to have a vulnerability that allowed malicious JavaScript to be inserted and then used to overwrite any post or page by sending an AJAX request.

(The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates”)

Versions 2.7.0 and older of this plugin contain the vulnerability, which allows Contributor-level users to completely overwrite any page on the site with malicious JavaScript.

Full details at: https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vulnerability-in-starter-templates-plugin/

“I Was Hacked. The Spyware Used Against Me Makes Us All Vulnerable.”

Invasive hacking software sold to countries to fight terrorism is easily abused. Researchers say my phone was hacked twice, probably by Saudi Arabia.

Ben Hubbard in the New York Times.

In a world where we store so much of our personal and professional lives in the devices we carry in our pockets, and where surveillance software continues to become ever more sophisticated, we are all increasingly vulnerable.

As it turned out, I didn’t even have to click on a link for my phone to be infected.

To try to determine what had happened, I worked with Citizen Lab, a research institute at the Munk School of Global Affairs at the University of Toronto that studies spyware.

Continue reading: https://www.nytimes.com/2021/10/24/insider/hacking-nso-surveillance.html

Google Crushes YouTube Cookie-Stealing Channel Hijackers

Google has caught and disrupted a group of cookie-stealing YouTube channel hijackers who were running cryptocurrency scams on the stolen channels.

In a Wednesday post, Ashley Shen, with Google’s Threat Analysis Group (TAG), said that TAG attributes the assaults to a group of attackers recruited from a Russian-speaking forum. Since late 2019, they’ve been luring targets with fake collaboration come-ons, including requests to purchase ads on their targets’ channels.

(The collaboration pitch is similar to how [now-shuttered] Twitter accounts have been used to catfish security researchers by setting their traps with zero days and collaboration invitations.)

The YouTube channel hijackers are financially motivated, Shen said, looking to either auction off the stolen channels or use them to broadcast cryptocurrency scams.

Cookie Monsters

In order to elbow rightful channel owners out of the way, the attackers have been targeting YouTubers with cookie theft malware.

Cookie theft, also called session hijacking or a pass-the-cookie attack, means stealing the session cookie that authenticates a user to a remote server (here with malware on the victim's machine, rather than by intercepting the connection) and replaying it from the attacker's own browser. Because the cookie stands in for a completed login, the intruder gets into the account without the password or a second factor and can do anything the legitimate session could, including monitoring and capturing everything in it.

Cookie thieves can, for example, change existing code, modify server settings or install new programs in order to steal data, set up a back door for later access, and lock legitimate users out of their own accounts.

More at: https://threatpost.com/google-youtube-channel-hijackers-cryptocurrency-scams/175617/

Company that routes SMS for all major US carriers was hacked for five years

As of 10/5/21 Syniverse hasn’t revealed whether text messages were exposed.

Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers’ text messages.

A filing with the Securities and Exchange Commission last week said that “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals.”

Syniverse said that its “investigation revealed that the unauthorized access began in May 2016” and “that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (‘EDT’) environment was compromised for approximately 235 of its customers.”

Syniverse isn’t revealing more details

When contacted by Ars today, a Syniverse spokesperson provided a general statement that mostly repeats what’s in the SEC filing. Syniverse declined to answer our specific questions about whether text messages were exposed and about the impact on the major US carriers.

“Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter,” Syniverse said.

More at: https://arstechnica.com/information-technology/2021/10/company-that-routes-sms-for-all-major-us-carriers-was-hacked-for-five-years/

US govt warns orgs to patch massively exploited Confluence bug

US Cyber Command (USCYBERCOM) has issued a rare alert today urging US organizations to patch a massively exploited Atlassian Confluence critical vulnerability immediately.

“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” said Cyber National Mission Force (CNMF).

The USCYBERCOM unit also stressed the importance of patching vulnerable Confluence servers as soon as possible: “Please patch immediately if you haven’t already — this cannot wait until after the weekend.”

This warning comes after Deputy National Security Advisor Anne Neuberger encouraged organizations “to be on guard for malicious cyberactivity in advance of the holiday weekend” during a Thursday White House press briefing.

It’s the second alert of this kind in the last 12 months; the previous one (from June) warned that CISA was aware threat actors might attempt to exploit a remote code execution vulnerability affecting all vCenter Server installs.

CISA also urged users and admins today to immediately apply the Confluence security updates recently issued by Atlassian.

Original article: https://www.bleepingcomputer.com/news/security/us-govt-warns-orgs-to-patch-massively-exploited-confluence-bug/amp/