Category Archives: Vulnerability

This broken ransomware can’t decrypt your files, even if you pay the ransom

Posted on

Researchers warn this badly built ransomware will destroy your files, so don’t pay up.

Victims of a recently uncovered form of ransomware are being warned not to pay the ransom demand, simply because the ransomware isn’t able to decrypt files – it just destroys them instead. 

Coded in Python, Cryptonite ransomware first appeared in October as part of a free-to-download open-source toolkit – available to anyone with the skills required to deploy it in attacks against Microsoft Windows systems, with phishing attacks believed to be the most common means of delivery.

But analysis of Cryptonite by cybersecurity researchers at Fortinet has found that the ransomware only has “barebones” functionality and doesn’t offer a means of decrypting files at all, even if a ransom payment is made. 

Instead, Cryptonite effectively acts as wiper malware, destroying the encrypted files, leaving no way of retrieving the data. 

But rather than this being an intentionally malicious act of destruction by design, researchers suggest that the reason Cryptonite does this is because the ransomware has been poorly put together.  

A basic design and what’s described as a “lack of quality assurance” means the ransomware doesn’t work correctly because a flaw in the way it’s been put together means if Cryptonite crashes or is just closed, it leaves no way to recover encrypted files. 

There’s also no way to run it in decryption-only mode – so every time the ransomware is run, it re-encrypts everything with a different key. This means that, even if there was a way to recover the files, the unique key probably wouldn’t work – leaving no way to recover the encrypted data. 

“This sample demonstrates how a ransomware’s weak architecture and programming can quickly turn it into a wiper that does not allow data recovery,” said Gergely Révay, security researcher at Fortinet’s FortiGuard Labs. 

“Although we often complain about the increasing sophistication of ransomware samples, we can also see that oversimplicity and a lack of quality assurance can also lead to significant problems,” he added. 

It’s the victim of the ransomware attack that feels those problems, as they’re left with no means of restoring their network – even if they’ve made a ransom payment.  

The case of Cryptonite ransomware also serves as a reminder that paying a ransom is never a guarantee that the cyber criminals will provide a decryption key, or if it will work properly.   

Cyber agencies, including CISA, the FBI and the NCSC, recommend against paying the ransom because it only serves to embolden and encourage cyber criminals, particularly if they can acquire ransomware at a low cost or for free. 

The slightly good news is that it’s now harder for wannabe cyber criminals to get their hands on Cryptonite, as the original source code has been removed from GitHub. 

In addition to this, the simple nature of the ransomware also means that it’s easy for antivirus software to detect – so it’s recommended antivirus software is installed and kept up to date. 

Source: https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/

Android phone owner accidentally finds a way to bypass lock screen

Posted on

Cybersecurity researcher David Schütz accidentally found a way to bypass the lock screen on his fully patched Google Pixel 6 and Pixel 5 smartphones, enabling anyone with physical access to the device to unlock it.

Exploiting the vulnerability to bypass the lock screen on Android phones is a simple five-step process that wouldn’t take more than a few minutes.

Google has fixed the security issue on the latest Android update released last week, but it has remained available for exploitation for at least six months.

Source and more details: https://www.bleepingcomputer.com/news/security/android-phone-owner-accidentally-finds-a-way-to-bypass-lock-screen/

Missing Authorization Vulnerability in Blog2Social Plugin

Posted on

The Wordfence Threat Intelligence team responsibly disclosed a Missing Authorization vulnerability in Blog2Social, a WordPress plugin installed on over 70,000 sites that allows users to set up post sharing to various social networks. Vulnerable versions of the plugin make it possible for authenticated attackers with minimal permissions, such as subscribers, to change the plugin’s settings.

Blog2Social: Social Media Auto Post & Scheduler is a plugin offered by Blog2Social/Adenion that provides content-creators with the ability to quickly share site content to their social media accounts. It offers automatic post sharing as well as optimized scheduling and also extends some of its features to subscribers, enabling them to share posts to their own social media accounts.

As part of the plugin’s functionality, there are some more advanced settings that can be managed. Unfortunately, this was implemented insecurely making it possible for authenticated attackers to update these settings even without the authorization to do so.

Source & more details: https://www.wordfence.com/blog/2022/11/missing-authorization-vulnerability-in-blog2social-plugin

Chrome extensions with 1.4M installs covertly track visits and inject code

Posted on

If you’ve installed any of these extensions, manually remove them stat.

Google has removed browser extensions with more than 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users’ browsing history and inserting tracking code into specific ecommerce sites they visited.

The five extensions flagged by McAfee purport to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply coupon codes. Behind the scenes, company researchers said, the extensions kept a running list of each site a user visited and took additional actions when users landed on specific sites.

The extensions sent the name of each site visited to the developer-designated site d.langhort.com, along with a unique identifier and the country, city, and zip code of the visiting device. If the site visited matched a list of ecommerce sites, the developer domain instructed the extensions to insert JavaScript into the visited page. The code modified the cookies for the site so that the extension authors receive affiliate payment for any items purchased.

To help keep the activity covert, some of the extensions were programmed to wait 15 days after installation before beginning the data collection and code injection. The extensions McAfee identified are:

NameExtension IDUsers
Netflix Partymmnbenehknklpbendgmgngeaignppnbe800,000
Netflix Party 2flijfnhifgdcbhglkneplegafminjnhn300,000
FlipShope – Price Tracker Extension adikhbfjdbjkhelbdnffogkobkekkkej80,000
Full Page Screenshot Capture – Screenshotting pojgkmkfincpdkdgjepkmdekcahmckjp200,000
AutoBuy Flash Salesgbnahglfafmhaehbdmjedfhdmimjcbed20,000

As of early September, all five extensions have been removed from the Chrome Web Store, a Google spokesperson said. Removing the extensions from its servers isn’t the same as uninstalling the extensions from the 1.4 million infected devices. People who have installed the extensions should manually inspect their browsers and ensure they no longer run.

Source: Chrome extensions with 1.4M installs covertly track visits and inject code | Ars Technica

Zero-Day Vulnerability in WPGateway Actively Exploited in the Wild

Posted on

On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin. They released a firewall rule to Wordfence Premium customers to block the exploit on the same day, September 8, 2022. (Consider upgrading to WordFence Premium: $81/year)

Sites still running the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022. The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.

The WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to setup and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.

The Wordfence team obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time they contacted the plugin vendor with their initial disclosure. Wordfence has reserved vulnerability identifier CVE-2022-3180 for this issue.

As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.

Source and more details: https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild

Here’s why you need to update your Google Chrome right now

Posted on

Google has just released a new version of Chrome, and it’s crucial that you get your browser updated as soon as possible.

The patch was deployed to fix a major zero-day security flaw that could potentially pose a risk to your device. The latest update is now available for Windows, Mac, and Linux — here’s how to make sure your browser is safe.

The vulnerability, now referred to as CVE-2022-3075, was discovered by an anonymous security researcher and reported straight to Google. It was caused by sub-par data validation in Mojo, which is a collection of runtime libraries. Google doesn’t say much beyond that, and that makes sense — the vulnerability is still out in the wild, so it’s better to not make the exact details public just yet.

What we do know is that the vulnerability was assigned a high priority level, which means that it could potentially be dangerous if abused. Suffice it to say that it’s better if you update your browser right now.

Although Google is keeping the information close right now, this is an active vulnerability, and once spotted, it could be taken advantage of on devices that haven’t downloaded the latest patch. The patch, said to fix the problem, is included in version 105.0.5195.102 of Google Chrome. Google predicts that it might take a few days or even weeks until the entire user base receives automatic access to the new fix.

Your browser should download the update automatically the next time you open it. If you want to double-check and make sure you’re up to date, open up your Chrome Menu and then follow this path: Help -> About Google Chrome. Alternatively, you can simply type “Update Chrome” into the address bar and then click the result that pops up below your search, before you even confirm it.

You will be asked to re-launch the browser once the update has been downloaded. If it’s not available to you yet, make sure to check back shortly, as Google will be rolling it out to more and more users.

Google Chrome continues to be a popular target for various cyberattacks and exploits. It’s not even just the browser itself that is often targeted, but its extensions, too. To that end, make sure to only download and use extensions from reputable companies, and don’t be too quick to stack too many of them at once.

Source: https://www.digitaltrends.com/computing/google-chrome-new-update-fixes-zero-day-vulnerability/

WordPress Core 6.0.2 Security & Maintenance Release – What You Need to Know

Posted on

On August 30, 2022, the WordPress core team released WordPress version 6.0.2, which contains patches for 3 vulnerabilities, including a High Severity SQLi vulnerability in the Links functionality as well as two Medium Severity Cross-Site Scripting vulnerabilities.

These patches have been backported to every version of WordPress since 3.7. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 3.7, so you can update without risking compatibility issues. If your site has not been updated automatically we recommend updating manually.

Vulnerability Analysis

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

They have determined that these vulnerabilities are unlikely to be targeted for exploitation due to the special cases needed to exploit. In most circumstances these vulnerabilities require either elevated privileges, such as those of an administrator, or the presence of a separate vulnerable or malicious plugin. Nonetheless, the Wordfence firewall should protect against any exploits that do not require administrative privileges. In nearly all cases administrators already have the maximum level of access and attackers with that level of access are unlikely to use convoluted and difficult exploits when simpler paths to making configuration changes or obtaining sensitive information are readily available.

Source and more details at: https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know

Cross-Site Request Forgery Vulnerability Patched in Ecwid Ecommerce Shopping Cart Plugin

Posted on

On June 24, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a Cross-Site Request Forgery vulnerability we discovered in Ecwid Ecommerce Shopping Cart, a WordPress plugin installed on over 30,000 sites. This vulnerability made it possible for attackers to modify some of the plugin’s more advanced settings via a forged request.

We attempted to reach out to the developer on June, 24, 2022 via their ticketing system. After several plugin updates did not address the issue and we received no response from the developer, we disclosed this vulnerability to the plugins team on July 11, 2022. The vulnerabilities were fixed a few days later in version 6.10.24 on July 13, 2022.

Due to the nature of Cross-Site Request Forgery vulnerabilities, which involve tricking administrators into performing actions they are allowed to perform, it is not possible to provide adequate protection for these vulnerabilities without blocking legitimate requests. As such, we highly recommend updating to version 6.10.24 or higher of Ecwid Ecommerce Shopping Cart to ensure that your site is protected against any exploits targeting this vulnerability.

Source and more details: https://www.wordfence.com/blog/2022/08/cross-site-request-forgery-vulnerability-patched-in-ecwid-ecommerce-shopping-cart-plugin

WordPress Plugin Duplicator 1.4.6 – Unauthenticated Backup Download

Posted on 
 Date: 07.27.2022
# Exploit Author: SecuriTrust
# Vendor Homepage: https://snapcreek.com/
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: < 1.4.7
# Tested on: Linux, Windows
# CVE : CVE-2022-2551
# Reference: https://securitrust.fr
# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551

#Product:
WordPress Plugin Duplicator < 1.4.7

#Vulnerability:
1-It allows an attacker to download the backup file.

#Proof-Of-Concept:
1-Backup download.
The backup file can be downloaded using the "is_daws" parameter.
http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

Source: https://www.exploit-db.com/exploits/50992

Attackers scan 1.6 million WordPress sites for vulnerable plugin

Posted on

Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication.

The attackers are targeting the Kaswara Modern WPBakery Page Builder, which has been abandoned by its author before receiving a patch for a critical severity flaw tracked as CVE-2021-24284.

The vulnerability would allow an unauthenticated attacker to inject malicious Javascript to sites using any version of the plugin and perform actions like uploading and deleting files, which could lead to complete takeover of the site.

While the size of the campaign is impressive, with 1,599,852 unique sites being targeted, only a small portion of them are running the vulnerable plugin.

Researchers at Defiant, the maker of the Wordfence security solution for WordPress, observed an average of almost half a million attack attempts per day against customer sites they protect.

Indistinct large-scale attacks

Based on Wordfence telemetry data, the attacks started on July 4 and continue to this day. and are still ongoing today at an average of 443,868 attempts every day.

Source and more details: https://www.bleepingcomputer.com/news/security/attackers-scan-16-million-wordpress-sites-for-vulnerable-plugin/