Cl0p’s use of MOVEit exploits. RedDelta focuses on Eastern Europe. TOITOIN Trojan targets Latin America. Big Head ransomware.
The CyberWire
Hackers Actively Exploiting WP Automatic Updates Plugin Vulnerability
Hackers often target WordPress plugins because they contain security flaws that can be exploited to gain unauthorized access to sites.
Once such a flaw is found, threat actors can use it to inject malicious code, compromise the site, steal confidential data, and carry out whatever further attacks serve their goals.
Cybersecurity researchers at WPScan recently discovered that hackers have been actively exploiting the WP Automatic updates plugin vulnerability, tracked as “CVE-2024-27956.”
CVE ID: CVE-2024-27956
WP‑Automatic Vulnerable Versions: < 3.9.2.0
CVSSv3.1: 9.8
CVSS severity: High
Fixed in: 3.92.1
Classification: SQL Injection
Patch priority: High
This critical flaw in the WP-Automatic plugin allows threat actors to bypass authentication, create admin accounts, upload malicious files, and potentially compromise affected websites through a SQL injection vulnerability that was discovered a few weeks ago.
The problem is due to incorrect user authentication handling, which permits the injection of harmful SQL queries.
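The article attributes the flaw to user input reaching an SQL query without proper handling. The following is an added illustration of that defect class beside its hardened form; it is not WP-Automatic's code, and the `users` table and login names are constructed for the demo. The only "payload" used is a login containing an apostrophe, which is enough to show why spliced input breaks the query while a bound parameter does not.

```python
import sqlite3


def build_db():
    # Constructed in-memory user table standing in for a WordPress user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "administrator"), ("o'brien", "editor")],
    )
    return conn


def lookup_concatenated(conn, login):
    # Defect class the article names: the untrusted login value is spliced
    # straight into the SQL text, so quote characters change the statement.
    sql = "SELECT login, role FROM users WHERE login = '%s'" % login
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, login):
    # Hardened form: the value is bound as a parameter and can never alter
    # the statement's structure, whatever characters it contains.
    sql = "SELECT login, role FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchone()


def compare(login):
    """Run both lookups on one input and return (concatenated, parameterized).

    Each element is the matching row, or the exception class name if the
    query itself failed to parse.
    """
    conn = build_db()
    try:
        concat = lookup_concatenated(conn, login)
    except sqlite3.Error as exc:
        concat = type(exc).__name__
    param = lookup_parameterized(conn, login)
    return concat, param


if __name__ == "__main__":
    print(compare("alice"))
    print(compare("o'brien"))
```

With `alice` both lookups agree; with `o'brien` the concatenated query is no longer valid SQL because the apostrophe terminates the string literal, which is exactly the control an attacker gains over the statement, whereas the parameterized lookup returns the editor row as data.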
PatchStack disclosed the vulnerability publicly on 13 March and has since recorded over 5.5 million attack attempts, which rose gradually and peaked on 31 March. The flaw is very dangerous because it can result in a complete site takeover.
Attackers exploit the SQL Injection (SQLi) vulnerability by injecting malicious SQL queries that create admin accounts, upload web shells and backdoors, and rename the plugin file being exploited for continuous use.
Afterward, they install plugins that allow more code editing and file uploads while hiding their tracks.
Renaming the vulnerable plugin file locks out the site owner, security tools, and rival threat actors, and helps the attackers remain undetected.
Persistence is achieved by installing backdoors, delivered as additional malicious plugins or themes, that give the threat actors lasting control over the site.
Here below, we have mentioned all the mitigations recommended by the cybersecurity analysts:
Make sure to keep the WP‑Automatic plugin updated to the latest version to patch any known vulnerabilities and ensure security.
Regularly audit WordPress user accounts to remove unauthorized or suspicious admin users, which helps reduce the risk of unauthorized access.
Always utilize robust security monitoring tools like Jetpack Scan to detect and respond to malicious activity promptly.
Maintain up-to-date backups of your website data to enable quick restoration in case of a compromise, ensuring minimal downtime and data loss.
Indicators of compromise to look for:
An administrator user whose name starts with xtw.
The vulnerable file “/wp‑content/plugins/wp‑automatic/inc/csv.php” renamed to something like “/wp‑content/plugins/wp‑automatic/inc/csv65f82ab408b3.php”.
Files with the following SHA1 hashes dropped in your site’s filesystem:
b0ca85463fe805ffdf809206771719dc571eb052 web.php
8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3 index.php
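The indicators above can be checked mechanically. The script below is an added example, not WPScan's or the plugin's code: it scans a WordPress tree for a renamed `csv*.php` in the WP-Automatic `inc` directory, compares every file's SHA1 against the two hashes quoted in the article, and flags administrator logins starting with `xtw`. The admin login list is passed in separately (in practice it would come from `wp_users`), and the `demo()` tree and the `xtwabc123` login are constructed for the example.

```python
import hashlib
import os
import tempfile

# SHA1 indicators quoted from the article.
IOC_FILE_SHA1 = {
    "b0ca85463fe805ffdf809206771719dc571eb052": "web.php",
    "8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3": "index.php",
}
PLUGIN_INC = os.path.join("wp-content", "plugins", "wp-automatic", "inc")


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_site(root, admin_logins):
    """Return findings for a WordPress install at `root`.

    admin_logins: administrator login names obtained from the database.
    """
    findings = {
        # Admin accounts matching the naming pattern from the article.
        "suspicious_admins": sorted(u for u in admin_logins if u.startswith("xtw")),
        # csv.php renamed to csv<suffix>.php inside the plugin's inc directory.
        "renamed_csv": [],
        # Any file whose SHA1 matches a published indicator.
        "hash_hits": [],
    }
    inc_dir = os.path.join(root, PLUGIN_INC)
    if os.path.isdir(inc_dir):
        for name in sorted(os.listdir(inc_dir)):
            if name.startswith("csv") and name.endswith(".php") and name != "csv.php":
                findings["renamed_csv"].append(name)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha1_of(path)
            if digest in IOC_FILE_SHA1:
                findings["hash_hits"].append((os.path.relpath(path, root), digest))
    return findings


def demo():
    """Constructed site tree: one renamed csv.php and one xtw* admin login."""
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, PLUGIN_INC)
        os.makedirs(inc)
        for name in ("csv65f82ab408b3.php", "index.php"):
            with open(os.path.join(inc, name), "w") as fh:
                fh.write("<?php // constructed placeholder, not malware\n")
        return audit_site(root, ["admin", "xtwabc123"])  # constructed logins


if __name__ == "__main__":
    print(demo())
```

Run it against the web root with the real admin list; the placeholder files in `demo()` deliberately do not match the published hashes, so `hash_hits` is empty there while the renamed file and the suspicious admin are both reported.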
The post Hackers Actively Exploiting WP Automatic Updates Plugin Vulnerability appeared first on Cyber Security News.
Samstealer Attacking Windows Systems To Steal Sensitive Data
Hackers mainly target Windows systems because they are widely adopted and dominate the market, so threat actors can achieve greater financial gain or data theft from them than from other operating systems.
In addition, the complexity of the Windows operating system and the diversity of applications running on it create numerous entry points and vulnerabilities that can be exploited.
The abundance of hacking tools and malware built exclusively for Windows-based machines is another factor in their popularity among threat actors.
Cybersecurity researchers at CYFIRMA recently detected that Samstealer had been actively attacking Windows systems to steal sensitive data.
A new .NET malware named “SamsStealer” spreads through Telegram with the aim of stealing sensitive files on Windows.
It creates a temp folder and then proceeds to steal passwords, cookies, and other information from different browsers such as Chrome, Edge, and cryptocurrency wallets.
It also focuses on stealing account details about Telegram, Discord, etc., including tokens or wallet content. Cyfirma said the stolen data is saved in a temporary folder and converted into exfiltration files.
Detailed knowledge of its data-theft capabilities across many applications helps defenders detect this evolving infostealer threat.
Here below we have mentioned the cryptocurrency wallets that are targeted and where their data is stored (path separators were lost in extraction and are restored here):
Bitcoin: Located in ‘%appdata%\Bitcoin\wallets’
Zcash: Located in ‘%appdata%\Zcash’
Armory: Located in ‘%appdata%\Armory’
Bytecoin: Located in ‘%appdata%\Bytecoin’
Jaxx: Located in ‘%appdata%\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb’
Exodus: Located in ‘%appdata%\Exodus\exodus.wallet’
Ethereum: Located in ‘%appdata%\Ethereum\keystore’
Electrum: Located in ‘%appdata%\Electrum\wallets’
AtomicWallet: Located in ‘%appdata%\atomic\Local Storage\leveldb’
Guarda: Located in ‘%appdata%\Guarda\Local Storage\leveldb’
Coinomi: Located in ‘%localappdata%\Coinomi\Coinomi\wallets’
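Knowing which of these wallet stores exist on an endpoint tells a defender what SamsStealer would find there and which directories deserve backup, access monitoring, or encryption. The script below is an added example and not CYFIRMA's code: it expands the Windows-style `%VAR%` locations from the list above (the backslash separators are reconstructed, since extraction dropped them) and reports which stores are present. It takes the environment as a dictionary so it can also be pointed at a mounted disk image; `demo()` builds a constructed profile in a temporary directory.

```python
import os
import re
import tempfile

# Wallet storage locations quoted from the article (Windows %VAR% form).
WALLET_STORES = {
    "Bitcoin": r"%appdata%\Bitcoin\wallets",
    "Zcash": r"%appdata%\Zcash",
    "Armory": r"%appdata%\Armory",
    "Bytecoin": r"%appdata%\Bytecoin",
    "Jaxx": r"%appdata%\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb",
    "Exodus": r"%appdata%\Exodus\exodus.wallet",
    "Ethereum": r"%appdata%\Ethereum\keystore",
    "Electrum": r"%appdata%\Electrum\wallets",
    "AtomicWallet": r"%appdata%\atomic\Local Storage\leveldb",
    "Guarda": r"%appdata%\Guarda\Local Storage\leveldb",
    "Coinomi": r"%localappdata%\Coinomi\Coinomi\wallets",
}

_VAR = re.compile(r"%([^%]+)%")


def expand_windows_path(template, env):
    """Expand %VAR% references case-insensitively (as Windows does) and map
    backslashes to the host separator so the check also runs from a Linux
    analysis box against a mounted image."""
    lowered = {k.lower(): v for k, v in env.items()}

    def sub(match):
        return lowered.get(match.group(1).lower(), match.group(0))

    return _VAR.sub(sub, template).replace("\\", os.sep)


def audit_wallet_exposure(env):
    """Return {wallet_name: resolved_path} for every store that exists."""
    present = {}
    for name, template in WALLET_STORES.items():
        path = expand_windows_path(template, env)
        if os.path.exists(path):
            present[name] = path
    return present


def demo():
    """Constructed profile with Electrum and Coinomi stores present."""
    with tempfile.TemporaryDirectory() as base:
        env = {
            "APPDATA": os.path.join(base, "Roaming"),
            "LOCALAPPDATA": os.path.join(base, "Local"),
        }
        os.makedirs(os.path.join(env["APPDATA"], "Electrum", "wallets"))
        os.makedirs(os.path.join(env["LOCALAPPDATA"], "Coinomi", "Coinomi", "wallets"))
        return sorted(audit_wallet_exposure(env))


if __name__ == "__main__":
    # On a live Windows host, pass the real environment instead of the demo one.
    print(demo())
    print(audit_wallet_exposure(dict(os.environ)))
```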
As soon as the data is stolen, SamsStealer empties temporary files, packs all that is stolen into “Backup.zip,” and erases the parent directory.
Then it uploads Backup.zip to gofile.io and shares the download link via Telegram with a message reading “New goat Detected, Join Now: @SamsExploit.”
This silent malware effectively steals a wide range of sensitive data from browsers, applications, and crypto wallets on targeted Windows devices.
Knowing these emerging threats is important in structuring defensive strategies to prevent possible intrusions that may lead to compromising privacy and data breaches.
Here below we have mentioned all the recommendations:
Deploy advanced endpoint security with threat detection and prevention.
Use robust antivirus/anti-malware to detect and remove malicious payloads.
Regularly update systems, apps, and security software.
Implement network segmentation to limit lateral movement.
Train employees on identifying phishing and social engineering tactics.
Configure firewalls to block malicious IPs and C2 communications.
Monitor for suspicious processes, network activity, and data exfiltration.
Enforce application whitelisting to prevent unauthorized executables.
Have an incident response plan for malware infections.
Stay updated on the latest threats and indicators of compromise (IOCs).
Maintain regular backups to minimize ransomware/data loss impact.
Follow least privilege principles to restrict user permissions.
Build defenses based on threat intel and provide rules/IOCs.
The post Samstealer Attacking Windows Systems To Steal Sensitive Data appeared first on Cyber Security News.
Mike Hamilton, former CISO from Seattle and CISO of cybersecurity firm, Critical Insight, discusses what you need to know about NIST 2.0.
This interview from June 30th, 2023 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Mike Hamilton, former CISO from Seattle and CISO of cybersecurity firm, Critical Insight, to discuss what you need to know about NIST 2.0.
The CyberWire