Hackers have honed in on a critical WP-Automatic plugin vulnerability, aiming to infiltrate WordPress websites by creating unauthorized admin accounts, according to recent reports. The flaw, identified in versions preceding 3.9.2.0 of the WP Automatic plugin, has prompted cybersecurity experts to issue urgent show more ...
warnings to website owners and administrators. The vulnerability, flagged under the identifier "CVE-2024-27956," has been characterized as a high-severity issue with a CVSS score of 9.8. It pertains to a SQL injection flaw within the plugin's user authentication mechanism, which essentially enables threat actors to circumvent security measures and gain administrative privileges. Decoding WP-Automatic Plugin Vulnerability [caption id="attachment_65416" align="alignnone" width="1172"] Source: WordPress[/caption] Exploiting this vulnerability grants hackers the ability to implant backdoors within websites, ensuring prolonged unauthorized access. Reports indicate that hackers have been actively exploiting this vulnerability, capitalizing on the widespread use of the WP Automatic plugin across more than 30,000 websites. The exploit allows them to execute various malicious activities, including the creation of admin accounts, uploading of corrupted files, and executing SQL injection attacks. Cybersecurity researchers have observed a surge in exploit attempts, with over 5.5 million recorded attacks since the vulnerability was publicly disclosed. The threat landscape escalated rapidly, peaking on March 31st, underscoring the urgency for website owners to take immediate action to secure their online assets. The Technical Side of the WP-Automatic Plugin Vulnerabilities The Automatic Plugin, developed by ValvePress, faces an challenge beyond comprehension since the vulnerability effects thousands of users who downloaded the plugin through WordPress and other WP plugin markets. The vulnerability stemmed from the inc/csv.php file, which allowed unauthenticated users to supply and execute arbitrary SQL queries. Despite initial checks using wp_automatic_trim() function, bypassing them was feasible by providing an empty string as the authentication parameter ($auth) and crafting the MD5 hash of the SQL query to subvert integrity checks. Furthermore, the vulnerability lied within the downloader.php file, where unauthenticated users could provide arbitrary URLs or even local files via the $_GET['link'] parameter for fetching through cURL. This flaw facilitated server-side request forgery (SSRF) attacks. To mitigate the vulnerabilities, the vendor enacted several measures. For the SQL Execution vulnerability, the entire inc/csv.php file was removed. For the File Download and SSRF vulnerability, a nonce check was implemented, coupled with validation checks on the $link variable. Mitigation Against the WP-Automatic Plugin Vulnerability To safeguard against potential compromises, cybersecurity analysts recommend the following measures, including regularly updating the WP-Automatic plugin to its latest version is crucial to patch known vulnerabilities and bolster security measures. Regular audits of WordPress user accounts help identify and remove unauthorized or suspicious admin users, reducing the risk of unauthorized access. Employing robust security monitoring tools aids in detecting and responding promptly to malicious activities, improving threat detection capabilities. It's essential to maintain up-to-date backups of website data to enable swift restoration in case of compromise, minimizing downtime and data loss. Website administrators should watch out for indicators of compromise, including admin accounts with names starting with "xtw," renamed vulnerable file paths, and dropped SHA1 hashed files in the site's filesystem. The exploitation of WP-Automatic plugin vulnerabilities highlights the ongoing cybersecurity threats within WordPress ecosystems. By promptly implementing suggested mitigations and staying alert for potential indicators of compromise, website owners can strengthen their defenses against malicious actors aiming to exploit these vulnerabilities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
CRIL Researchers observed a new android banking trojan 'Brokewell,' being distributed through a phishing site disguised as the official Chrome update page. The malicious Android Banking Trojan comes equipped with various functionalities such as screen recording, keylogging and over 50 different remote commands. show more ...
Upon further investigation, researchers were able to trace the trojan back to its developer, who described the trojan as capable of bypassing permission restrictions on the latest versions of the Android operating system. Developer Behind Android Banking Trojan Found Distributing Other Spyware Tools CRIL researchers identified the trojan being distributed through the domain “hxxp://makingitorut[.]com” which disguises itself as the official Chrome update website and bears several striking similarities. [caption id="attachment_65312" align="alignnone" width="1557"] Source: Cyble[/caption] The site deceives the user into thinking that an update is required, describing it as being necessary "to secure your browser and fix important vulnerabilities. A download button on the site leads users to download the malicious APK file “Chrome.apk” on to their systems. Upon examination, the downloaded APK file was discovered to be a new android banking trojan, incorporated with over 50 different remote commands such as collecting telephony data, collecting call history, waking the device screen, location gathering, call management, screen and audio recording. The trojan communicated through a remote command and control (C&C) server operating through the “mi6[.]operationanonrecoil[.]ru” domain and hosted on the IP address “91.92.247[.]182”. [caption id="attachment_65315" align="alignnone" width="1354"] Source: Cyble[/caption] The malware was further linked to a git repository, where it was described as being capable of circumventing permission-based restrictions on Android versions 13, 14, and 15. The git repository contained links to profiles on underground forums, a Tor page, and a Telegram channel. The Tor page directed to the malware developers’s personal page, where they took steps to introduce themselves and linked to a site listing various other projects they had developed such as checkers, validators, stealers, and ransomware. Since CRIL researchers did not observe any mentions of the android banking trojan on the site, it is assumed that the trojan is a very recent development which might be listed within the upcoming days. Technical Capabilities of Android Banking Trojan "Brokewell" [caption id="attachment_65324" align="alignnone" width="1501"] Source: Shutterstock[/caption] Researchers note that the Brokewll Banking Trojan is likely in its initial stages of development and thus possesses limited functionalities for the time period. The current attack techniques primarily involves the screen overlay attack, screen/audio capturing or keylogging techniques. However, researchers warn that future versions of the android banking trojan may incorporate additional features. The malware is observed conducting a pre-emptive check to determine whether the host system has been rooted. This stage involves checking for package names of a root check application, network traffic analysis tool and an .apk parsing tool. Once the device is detected to not be rooted, it proceeds with normal execution, first prompting the victim for accessibility permissions. The accessibility service is then abused to grant the application other permissions such as “Display over other apps” “Installation from unknown sources”. [caption id="attachment_65319" align="alignnone" width="385"] Source: Cyble[/caption] After obtaining permissions, the application prompts the user to enter the device pin through a fake PIN screen with German localization. The PIN is then stored to a text file for subsequent usage. The German localization along with several samples of the malware being uploaded to VirusTotal from the German region lead researchers to believe that it is primarily targeting Germany. In addition to German, several strings in Chinese, French, Finnish, Arabic, Indonesian, Swedish, Portuguese, and English were also spotted. These strings suggest that the malware could expand its targets with the emergence of subsequent iterations incorporating additional features. Researchers anticipate increased promotion of the tool on underground forums and through the malware developer’s product portal, underscoring the progressive stage of banking trojans and the need for continuous monitoring over such developments. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the
Source: www.cybertalk.org – Author: slandau Travais ‘Tee’ Sookoo leverages his 25 years of experience in network security, risk management, and architecture to help businesses of all sizes, from startups to multi-nationals, improve their security posture. He has a proven track record of leading and show more ...
collaborating with security teams and designing secure solutions for diverse industries. […] La entrada Zero Trust strategies for navigating IoT/OT security challenges – Source: www.cybertalk.org se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.lastwatchdog.com – Author: bacohido By Zac Amos Critical infrastructure like electrical, emergency, water, transportation and security systems are vital for public safety but can be taken out with a single cyberattack. How can cybersecurity professionals protect their cities? In 2021, a lone hacker show more ...
infiltrated a water treatment plant in Oldsmar, Florida. One of the […] La entrada GUEST ESSAY: Here’s why securing smart cities’ critical infrastructure has become a top priority – Source: www.lastwatchdog.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.bleepingcomputer.com – Author: Bill Toulas Image: AI-generated via Midjourney Japanese police placed fake payment cards in convenience stores to protect the elderly targeted by tech support scams or unpaid money fraud. The cards are labeled “Virus Trojan Horse Removal Payment Card” and show more ...
“Unpaid Bill Late Fee Payment Card,” and were created by the Echizen Police […] La entrada Japanese police create fake support scam payment cards to warn victims – Source: www.bleepingcomputer.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Source: securelist.com – Author: GReAT High-end APT groups perform highly interesting social engineering campaigns in order to penetrate well-protected targets. For example, carefully constructed forum responses on precision targeted accounts and follow-up “out-of-band” interactions regarding underground show more ...
rail system simulator software helped deliver Green Lambert implants in the Middle East. And, in what seems to be […] La entrada Assessing the Y, and How, of the XZ Utils incident – Source: securelist.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
