Yoast SEO <= 20.2 – Authenticated (Contributor+) DOM-Based Cross-Site Scripting

Please note: The Wordfence team is still assessing this vulnerability, and will add more details as it becomes available. The Yoast SEO plugin for WordPress is vulnerable to DOM-based Cross-Site Scripting via individual post SEO details in versions up to, and including, 20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level requirements and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PYWP clients have already been updated to the latest (patched) version.

Source and more details: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wordpress-seo/yoast-seo-202-authenticated-contributor-dom-based-cross-site-scripting

The LastPass hack saga just keeps getting worse

Already smarting from a breach that stole customer vaults, LastPass has more bad news.

Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.

Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

Monday’s update comes two months after LastPass issued a previous bombshell update that for the first time said that, contrary to previous assertions, the attackers had obtained customer vault data containing both encrypted and plaintext data. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, allowing for the copying of customer vault backup data from the encrypted storage container.

The backup data contained both unencrypted data, such as website URLs, as well as website usernames and passwords, secure notes, and form-filled data, which had an additional layer of encryption using 256-bit AES. The new details explain how the threat actor obtained the S3 encryption keys.

Monday’s update said that the tactics, techniques, and procedures used in the first incident were different from those used in the second one and that, as a result, it wasn’t initially clear to investigators that the two were directly related. During the second incident, the threat actor used information obtained during the first one to enumerate and exfiltrate the data stored in the S3 buckets.

“Alerting and logging was enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation,” LastPass officials wrote. “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”

LastPass learned of the second incident from Amazon’s warnings of anomalous behavior when the threat actor tried to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.

According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced. The breach allowed the threat actor to access a proprietary database and make off with password data, usernames, and emails belonging to some of its 30 million customers. Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.

It’s not clear if the Plex breach has any connection to the LastPass intrusions. Representatives of LastPass and Plex didn’t respond to emails seeking comment for this story.

The threat actor behind the LastPass breach has proven especially resourceful, and the revelation that it successfully exploited a software vulnerability on the home computer of an employee further reinforces that view. As Ars advised in December, all LastPass users should change their master passwords and all passwords stored in their vaults. While it’s not clear whether the threat actor has access to either, the precautions are warranted.

Sources: https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

All In One SEO WordPress Plugin Vulnerability Affects Up To 3+ Million

All In One SEO WordPress plugin versions up to and including 4.2.9 are vulnerable to stored cross-site scripting attacks

The United States National Vulnerability Database published an advisory about two vulnerabilities discovered in the All In One SEO WordPress plugin.

All In One SEO (AIOSEO) plugin, which has over three million active installations, is vulnerable to two Cross-site scripting (XSS) attacks.

The vulnerabilities affect all versions of AIOSEO up to and including version 4.2.9.

Stored Cross-Site Scripting

Cross-site scripting (XSS) attacks are a form of injection exploit that involves malicious scripts executing in a user’s browser which then can lead to access to cookies, user sessions and even a site takeover.

The two most common forms of Cross-Site Scripting attacks are:

  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting

A Reflected XSS relies on sending a script to a user who clicks on it, which goes to the vulnerable site which then “reflects” the attack back at the user.

A Stored XSS is when the malicious script is on the vulnerable site itself.

Hackers take advantage of any form of input to the website like a contact form, image upload form, any area where someone can upload or make a submission.

The vulnerability arises when there are insufficient security checks to block unwanted inputs.

The two issues affecting the AIOSEO plugin are both Stored Cross-Site Scripting vulnerabilities.


Vulnerabilities are assigned numbers to keep track of them. The first one was assigned, CVE-2023-0585.

This vulnerability arises from a failure to sanitize inputs. This means that insufficient filtering is done to prevent a hacker from uploading a malicious script.

The National Vulnerability Database (NVD) notice describes it like this:

“The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping.

This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The vulnerability was assigned a threat level of 4.4 (out of ten), which is a medium level.

An attacker must first acquire administrator privileges or higher to perpetrate this attack.


This attack is similar to the first one. The main difference is that an attacker needs to assume at least a contributor level of website access privilege.

A contributor level role has the ability to create content but not to publish it.

The vulnerability is also a medium level threat but it is assigned a higher vulnerability score of 6.4.

This is the description:

“The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping.

This makes it possible for authenticated attackers with Contributor+ role to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Recommended Action

The first vulnerability requires administrator level privileges and is assigned a relatively low medium threat level score of 4.4.

But the second vulnerability only requires a lower level of privilege and is rated higher at 6.4.

It’s generally a good policy to update all vulnerable plugins. AIOSEO plugin version 4.3.0 is the one containing the security fix, referred to in the official AIOSEO changelog as additional “security hardening.”

Read details of the two vulnerabilities:



Source: https://www.searchenginejournal.com/aioseo-wordpress-plugin-vulnerabilities/480949/

~11,000 sites have been infected with malware that’s good at avoiding detection

It’s not clear precisely how the WordPress sites become infected in the first place.

Nearly 11,000 websites in recent months have been infected with a backdoor that redirects visitors to sites that rack up fraudulent views of ads provided by Google Adsense, researchers said.

All 10,890 infected sites, found by security firm Sucuri, run the WordPress content management system and have an obfuscated PHP script that has been injected into legitimate files powering the websites. Such files include “index.php,” “wp-signup.php,” “wp-activate.php,” “wp-cron.php,” and many more. Some infected sites also inject obfuscated code into wp-blog-header.php and other files. The additional injected code works as a backdoor that’s designed to ensure the malware will survive disinfection attempts by loading itself in files that run whenever the targeted server is restarted.

“These backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestack[.]live and place them in files with random names in wp-includes, wp-admin and wp-content directories,” Sucuri researcher Ben Martin wrote. “Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”

Sneaky and determined

The malware takes pains to hide its presence from operators. When a visitor is logged in as an administrator or has visited an infected site within the past two or six hours, the redirections are suspended. As noted earlier, the malicious code is also obfuscated, using Base64 encoding.

The mass website infection has been ongoing since at least September. In a post published in November that first alerted people to the campaign, Martin warned:

“At this point, we haven’t noticed malicious behavior on these landing pages. However, at any given time site operators may arbitrarily add malware or start redirecting traffic to other third-party websites.”

For now, the entire objective of the campaign appears to be generating organic-looking traffic to websites that contain Google Adsense ads. Adsense accounts engaging in the scam include:


To make the visits evade detection from network security tools and to appear to be organic—meaning coming from real people voluntarily viewing the pages—the redirections occur through Google and Bing searches.

The final destinations are mostly Q&A sites that discuss Bitcoin or other cryptocurrencies. Once a redirected browser visits one of the sites, the crooks have succeeded. Martin explained:

Essentially, website owners place Google-sanctioned advertisements on their websites and get paid for the number of views and clicks that they get. It doesn’t matter where those views or clicks come from, just so long as it gives the impression to those that are paying to have their ads seen that they are, in fact, being seen.

Of course, the low-quality nature of the websites associated with this infection would generate basically zero organic traffic, so the only way that they are able to pump traffic is through malicious means.

In other words: Unwanted redirects via fake short URL to fake Q&A sites result in inflated ad views/clicks and therefore inflated revenue for whomever is behind this campaign. It is one very large and ongoing campaign of organized advertising revenue fraud.

According to Google AdSense documentation, this behavior is not acceptable and publishers must not place Google-served ads on pages that violate the Spam policies for Google web search.

Essentially, website owners place Google-sanctioned advertisements on their websites and get paid for the number of views and clicks that they get. It doesn’t matter where those views or clicks come from, just so long as it gives the impression to those that are paying to have their ads seen that they are, in fact, being seen.

Of course, the low-quality nature of the websites associated with this infection would generate basically zero organic traffic, so the only way that they are able to pump traffic is through malicious means.

In other words: Unwanted redirects via fake short URL to fake Q&A sites result in inflated ad views/clicks and therefore inflated revenue for whomever is behind this campaign. It is one very large and ongoing campaign of organized advertising revenue fraud.

According to Google AdSense documentation, this behavior is not acceptable and publishers must not place Google-served ads on pages that violate the Spam policies for Google web search.

Source: https://arstechnica.com/information-technology/2023/02/sneaky-malware-infecting-1000-sites-is-redirecting-visitors-to-scam-pages/

Apple patches a major Mac security flaw in macOS Ventura 13.2.1

It’s time to update your Mac.

Apple on Monday released macOS Ventura 13.2.1, a small update to the latest version of the Mac operating system. The update does not contain any new features, but the update presumably contains several bug fixes and performance optimizations. Most notably, however, it includes three security updates, at least one of which has been actively exploited.


  • Impact: An app may be able to execute arbitrary code with kernel privileges
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero


  • Impact: An app may be able to observe unprotected user data
  • Description: A privacy issue was addressed with improved handling of temporary files.
  • CVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group


  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • Description: A type confusion issue was addressed with improved checks.
  • WebKit Bugzilla: 251944
  • CVE-2023-23529: an anonymous researcher

The WebKit fix is is also available for macOS Big Sur and macOS Monterey via Safari 16.3.1. macOS Version 13.2.1 comes three weeks after Apple released Ventura 13.2 to the public. 13.2 includes several new security features, such as support for physical FIDO-certified security keys and the implementation of the Rapid Security Response updates. Apple will likely begin testing macOS Ventura 13.3 shortly for release in the spring.

Source: Apple patches a major Mac security flaw in macOS Ventura 13.2.1 | Macworld and Apple fixes new WebKit zero-day exploited to hack iPhones, Macs (bleepingcomputer.com) and https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html

High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder

On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations.

The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant of cross-site scripting as it provides the easiest path to site takeover, and has been assigned an identifier of CVE-2023-0084.

Mohammed reached out to the plugin developer independently the same day and a patched version was made available a few days later, on January 8, 2023. [PYWP clients have already been upgraded to the patched version — billc]

All Wordfence users are protected against this vulnerability by the Wordfence Firewall’s built-in Cross-Site Scripting protection. However, the Wordfence Threat Intelligence team became aware of a possible bypass and released a firewall rule to Wordfence Premium users on February 3, 2023.

This additional protection will become available to Wordfence free users after 30 days, on March 5, 2023, but Wordfence free users can simply update the Metform plugin to the latest version which is 3.2.1 at the time of this writing to gain protection against this vulnerability.

Source & more details: https://www.wordfence.com/blog/2023/02/high-severity-xss-vulnerability-in-metform-elementor-contact-form-builder/

Holiday Attack Spikes Target Ancient Vulnerabilities and Hidden Webshells

Source and more details: WordFence

Winter brings a number of holidays in a short period of time, and many organizations shut down or run a skeleton crew for a week or more at the end of the year and beginning of the new year. This makes it easier for would-be attackers to find success as systems are not as closely monitored. This means that during major holidays it is not uncommon to see spikes in attack attempts.

We observed spikes in attack traffic for two of our firewall rules over the Christmas and New Year holidays, which are discussed in more detail below. The spikes in these rules look rather different when compared to each other. What they have in common is that the best defenses are proactively securing your website and keeping WordPress core, themes, and plugins updated.

Targeted Spikes: Downloads Manager Plugin
There were two spikes specifically targeting the Downloads Manager plugin by Giulio Ganci. The first spike was on December 24, 2022, with a second spike on January 4, 2023. In the 30-day reporting period, only 17 attempts to scan for readme.txt or debug.log files did not target the Downloads Manager plugin. On average, the rule that blocks these scans typically blocks an average of 7,515,876 scan attempts per day. The first spike saw 92,546,995 scan attempts, and the second spike soared to 118,780,958 scan attempts in a single day.

chart of blocked attack attempts targeting the Downloads Manager plugin by day

Over the reporting period, we tracked 466,827 attacking IP addresses. These IP addresses attempted to exploit vulnerabilities on 2,663,905 protected websites. The top 10 IP addresses were responsible for 90,693,836 exploit attempts over the course of the reporting period.

chart of the top ten IP addresses targeting the Downloads Manager plugin

The observed user-agent strings were largely known legitimate user-agents, though some appear to have been modified. The top ten user-agents accounted for 306,845,888 of the total exploit attempts during this time period.

During these spikes, the scans were specifically looking for readme.txt files within the /wp-content/plugins/downloads-manager/ directory of the website. When found, they are primarily attempting to upload the Mister Spy Bot V7 shell with a filename similar to up__jpodv.php, where the last five characters of the name are random letters, or the Saber BOT V1 shell with a filename of saber.php as the malicious payload.

The vulnerability would-be attackers are attempting to exploit is an arbitrary file upload vulnerability found in Downloads Manager <= 0.2. A lack of adequate validation made it possible for files to be uploaded and run on a vulnerable website. This could lead to remote code execution on some sites. The vulnerability was publicly published in 2008, and was never patched. The plugin has since been closed and is no longer available. If this plugin is still being used, it should be removed immediately. Take note that this is not the WordPress Download Manager plugin by W3 Eden, which is still actively being developed and should simply be kept updated with the latest releases as they are published.

Mister Spy Bot V7
The Mister Spy shell returns some basic information about the operating system the website is running on, and the location of the site root on that system, and allows for files to be uploaded. In addition to these features, Mister Spy payloads typically include a reverse shell that allows a successful attacker to obtain additional information about the content management system being used on the website, install additional shells, deface the website, register malicious users on the website, and collect configuration details, among other features.

screenshot of Mister Spy Bot Webshell

Saber BOT V1
Saber BOT gives a successful attacker the ability to view files, and modify their permissions and filenames, as well as edit or delete the files. The current path is displayed in the web interface, and an upload form is provided as well. While not as sophisticated as Mister Spy Bot V7, Saber BOT V1 can still lead to remote code execution due to the file upload capabilities.

Screenshot of Saber BOT webshell

Untargeted Spikes: Known User-Agents
The attack attempts we saw that did not target a specific plugin were blocked due to the use of known malicious user-agent strings. These spikes were not as pronounced as the targeted spikes we saw and occurred on slightly different days. The total number of blocked attacks rose beginning on December 22, 2022, and stayed slightly higher throughout the remainder of the reporting period. Within this time we also saw three spikes on December 23rd and 24th, December 29th, and January 2nd. The January 2, 2023 peak was the largest peak, reaching 183,097,778 blocked attack attempts. This put the peak at nearly three times as many attempts as the average of 66,669,317 blocked per day.

chart of blocked attack attempts by known malicious user-agents by day

The attack attempts blocked by this firewall rule were much more varied, and did not show an increase in specific payloads or intrusion vectors. Instead, the increase appears to have been a simple rise in the volume of attack attempts across all attack types from actors using known malicious user-agents. One of the most common attack types blocked for using a known malicious user-agent string is probing for hidden webshells.

Cyber Observables
The following observables can be used in conjunction with other indicators as an indication that a compromise may have occurred.

The filename for Mister Spy Bot V7 follows a pattern of up__xxxxx.php, where xxxxx is replaced with a random set of five lowercase letters. Saber BOT V1 was consistently named saber.php in these spikes.


Spikes in exploit and other attack attempts are common around holidays, as is highlighted by spikes we observed in probing attempts against the Downloads Manager plugin and blocked known malicious user-agents. These spikes occurred on or near the Christmas and New Year holidays. Fortunately for Wordfence users, firewall rules were already in place to block these attack attempts, even for Wordfence Free users. In addition to having a firewall and malware scanning in place, it is also important to ensure that all components of a website are updated with the latest security releases, and vulnerable plugins with no updates should be removed.

Hundreds of WordPress sites infected by recently discovered backdoor

People who use WordPress should check their sites for unpatched plugins.

Malware that exploits unpatched vulnerabilities in 30 different WordPress plugins has infected hundreds if not thousands of sites and may have been in active use for years, according to a writeup published last week.

The Linux-based malware installs a backdoor that causes infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It’s also able to disable event logging, go into standby mode, and shut itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality like live chat or metrics-reporting to the core WordPress content management system.

“If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts,” Dr.Web researchers wrote. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

Searches such as this one indicate that more than 1,300 sites contain the JavaScript that powers the backdoor. It’s possible that some of those sites have removed the malicious code since the last scan. Still, it provides an indication of the reach of the malware.

The plugins exploited include:

WP Live Chat Support Plugin
WordPress – Yuzo Related Posts
Yellow Pencil Visual Theme Customizer Plugin
WP GDPR Compliance Plugin
Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
Thim Core
Google Code Inserter
Total Donations Plugin
Post Custom Templates Lite
WP Quick Booking Manager
Facebook Live Chat by Zotabox
Blog Designer WordPress Plugin
WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
WP-Matomo Integration (WP-Piwik)
WordPress ND Shortcodes For Visual Composer
WP Live Chat
Coming Soon Page and Maintenance Mode
Brizy WordPress Plugin
FV Flowplayer Video Player
WordPress Coming Soon Page
WordPress theme OneTone
Simple Fields WordPress Plugin
WordPress Delucks SEO plugin
Poll, Survey, Form & Quiz Maker by OpinionStage
Social Metrics Tracker
WPeMatico RSS Feed Fetcher
Rich Reviews plugin

“If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server,” the Dr.Web writeup explained. “With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first—regardless of the original contents of the page. At this point, whenever users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to.”

The JavaScript contains links to a variety of malicious domains, including:


The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. They said the malware may have been in use for three years.

WordPress plugins have long been a common means for infecting sites. While the security of the main application is fairly robust, many plugins are riddled with vulnerabilities that can lead to infection. Criminals use infected sites to redirect visitors to sites used for phishing, ad fraud, and distributing malware.

People running WordPress sites should ensure that they’re using the most current versions of the main software as well as any plugins. They should prioritize updating any of the plugins listed above.

Source: https://arstechnica.com/information-technology/2023/01/hundreds-of-wordpress-sites-infected-by-recently-discovered-backdoor/

WordPress Anti-Spam Plugin Vulnerability Affects Up To 60,000+ Sites

A vulnerability was discovered in the popular Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin.

The purpose of the plugin is to stop spam in comments, forms, and sign-up registrations. It can stop spam bots and has the ability for users to input IP addresses to block.

It is a required practice for any WordPress plugin or form that accepts a user input to only allow specific inputs, like text, images, email addresses, whatever input is expected.

Unexpected inputs should be filtered out. That filtering process that keeps out unwanted inputs is called sanitization.

For example, a contact form should have a function that inspects what is submitted and block (sanitize) anything that is not text.

The vulnerability discovered in the anti-spam plugin allowed encoded input (base64 encoded) which can then trigger a type of vulnerability called a PHP Object injection vulnerability.

The description of the vulnerability published on the WPScan website describes the issue as:

“The plugin passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain…”

The classification of the vulnerability is Insecure Deserialization.

The non-profit Open Web Application Security Project (OWASP) describes the potential impact of these kinds of vulnerabilities as serious, which may or may not be the case specific to this vulnerability.

Source and more details: https://www.searchenginejournal.com/wordpress-anti-spam-plugin-vulnerability-affects-up-to-60000-sites

New Ransom Payment Schemes Target Executives, Telemedicine

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”

Source: https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/