Friday, May 2, 2025
Home Blog Page 905

WordPress Update 4.9.2 – Fix for XSS Vulnerability and 21 Other Bugs

WordPress Update 4.9.2 – Fix for XSS Vulnerability and 21 Other Bugs

New WordPress update (4.9.2) released yesterday covering the fix for XSS vulnerability and 21 other bugs. The Vulnerability resides with the Flash fallback files in MediaElement plugin. It impacts all the WordPress version since WordPress 3.7.

Flash Fallback is a media element with WordPress library and now it has been removed from WordPress, also MediaElement released a new version of the plugin that contains the bug fix.

Also, the update includes other 21 bug fixes, you can refer the Codex page for all the issues fixed with WordPress update (4.9.2).

Also Read Most Important Considerations Check to Setup Your WordPress Security

XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable.An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site.Read More about XSS

Mitigations

WordPress update (4.9.2) released with the security patches users are recommended to update their sites immediately.

WordPress Update

WordPress update (4.9.2) contains 21 maintenance fixes to the 4.9.1 release series. Updates are simple Dashboard >> Updates >> Update Now.

It is always a good idea to backup your WordPress before proceeding with the update, if there are any issues, you can restore your website.

Self-Destructive KillDisk Malware Overwrites then Deletes files and Force a Reboot

Self-Destructive KillDisk Malware Overwrites then Deletes files and Force a Reboot

A new variant of disk-wiping KillDisk malware affecting Windows machine attempts to overwrite and deletes files. Security researchers from TrendMicro detected it as TROJ_KILLDISK.IUB.

The new variant found targetting Financial organizations in Latin America does not include a ransom note as like Petya or WannaCry. Recovering the scrambled files in question because it wipes out the disk and doesn’t store the encryption keys on disk or online.

KillDisk malware used in various cyber attacks against energy sector, banking, rail, and mining industries. TrendMicro published an Initial analysis of this threat.

Also Read Critical Flaw in Popular BitTorrent Transmission Client Leads to an Attacker Perform Remote Hack into Your PC

How it enters and delete files

Its file path is hardcoded and could be dropped intentionally by the attacker or any other process.The new variant goes through all the logical drives mounted(fixed and removable). With system directory, it exempted following files from deletion.

WINNT
Users
Windows
Program Files
Program Files (x86)
ProgramData
Recovery (case-sensitive check)
$Recycle.Bin
System Volume Information
old
PerfLogs

“Before a file is deleted, it is first randomly renamed. KillDisk will overwrite the first 0x2800 bytes of the file and another block that’s 0x2800-bytes big with 0x00”.

KillDisk

Disk Wiping

The malware attempts to wipe \\.\PhysicalDrive0 to \\.\PhysicalDrive4 and then it reads the information available with the Master Boot Record (MBR) and does further damage to the partitions.

“If the partition it finds is not an extended one, it overwrites the first 0x10 and last sectors of the actual volume. If it finds an extended partition, it will overwrite the Extended Boot Record (EBR) along with the two extra partitions it points to” TrendMicro said.

Forcing a Reboot – KillDisk

It consists of a numeric parameter which indicates the number of minutes(15 minutes) it will wait before shutting down the affected machine.

And it certainly can be done by tricking the user into restarting the machine or forcing a restart.It also uses the ExitWindowsEx function to forcefully restart the machine.

It will terminate the following process to restart the machine.

Client/server run-time subsystem (csrss.exe)
Windows Start-Up Application (wininit.exe)
Windows Logon Application (winlogon.exe)
Local Security Authority Subsystem Service (lsass.exe)

IOC- Hash (SHA-256):

  • 8a81a1d0fae933862b51f63064069aa5af3854763f5edc29c997964de5e284e5 — TROJ_KILLDISK.IUB

Phishing Campaign Targeting Your Netflix Account ask for Login Details, Credit card and Photo ID

Phishing Campaign Targeting Your Netflix Account ask for Login Details, Credit card and Photo ID

Phishing is one of the most common problems for Internet Users, hackers find a new innovative method to create believable URL’s to trick users. According to Google research, more than 15% accounts hijacked by using these social engineering methods. Crooks ran a Netflix phishing campaign to hijack user accounts.

Phishing campaigns run by crooks hijacking top brands and almost it is impossible to stop, With Recent Google research, they found 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums.

Netflix Phishing Campaign

Netflix phishing campaign made a big news last week, it tricks the user to hand over login credentials, Credit card information and Photo ID.

Netflix phishing

Sophos team detailed on how this Phishing works, it starts with the Email coming from the reputed Netflix Email address with the warning that your account is “On hold”.

In the subject, attackers wrote Greek Letter Chi instead of “x”, the NETFLIX, word in the subject spelled with wired character.

The Email consist of “update now” button, on clicking it takes to a malicious site that posses like a legitimate site and asks victims to update their billing address, payment card details, Identity Info in successive steps.

Also Read Real-Time Intelligence Feed to Catch Malicious Phishing Domains SSL Certificate

To note the crooks made a convincing start that the Phishing website is HTTPS enabled with a green padlock, we should not trust HTTPS blindly and the TLS certificate is only to encrypt the connection between the browser and server.

Crooks tricked the victims with the faked Verified by VISA page to steal the payment card details, then attacks to upload your selfie to confirm your identity.

Once the crooks had all the details they redirect victims to the real Netflix login page. You can Copy the URL to analyzers that available over the Internet and ensure it’s Integrity. If it is a shortened URL you can unshorten it with the site and then analyze the actual URL.

To protect users IBM introduced a DNS security solution Quad9 that uses to protect users against most common cyber threats and their privacy.It keeps blocking you against known malicious domains and prevents your computer and IoT devices from connecting to malware or phishing sites.

Phishing and Keylogging are one of the most common problems for Internet Users, hackers keep on finding a new innovative method to create believable URL’s to trick users.

Critical Flaw in Popular BitTorrent Transmission Client Leads to an Attacker Perform Remote Hack into Your PC

Critical Flaw in Popular BitTorrent Transmission Client Leads to an Attacker Perform Remote Hack into Your PC

A critical flaw discovered in BitTorrent Transmission client app that allows an attacker can remotely control the victims PC by using a method called DNS Rebinding which leads to Transmission control can remotely access by an attacker via a malicious website.

This bug was discovered by Google Researcher Tavis Ormandy and it serving under google zero-day project, it also belongs to 90-day disclosure deadline.

We can securely access the torrent using various VPN Servers and proxies and here is the ultimate torrent guide to reachout the torrent related website safely.

Bit Torrent Transmission Client performing download an seeding operation using Client and server architecture with helping of the daemon.

Tavis was tested his proof of concept on Firefox / Chrome and another platform that confirmed it exploit all the browsers.

Aso Read: Beware of Fake Spectre and Meltdown Patches Pushing Malware – Smoke Loader

How Does this Vulnerability Works in BitTorrent Client

Bit Torrent Transmission client app Interact with daemon by sending an JSON RPC and Daemon communicate to web servers that listen using 9091 port. in this case, daemon only accepts the request that coming from the local host.

In this case, based on the HTTP PRC scheme any website can send requests to the daemon with XMLHttpRequest, “but the theory is they will be ignored because requests must read and request a specific header, X-Transmission-Session-Id.”

But this method will be working if attacker using “DNS Rebinding” Attack that resolving the local host by any website can simply create a DNS name that they are authorized to communicate.

Tavis Explain the attack that working by following way.

1. A user visits http://attacker.com.
2. attacker.com has an <iframe> to attack.attacker.com, and have configured their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.
3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to attack.attacker.com and have permission to read and set headers.

Also, he Demonstrates the Transmission DNS Rebinding based on users transmission running in the default configuration.

So when users visited a malicious site BitTorrent Transmission client interface can be accessed remotely by an attacker.

Proof-of-concept in Public

Since its an open source project vulnerability, Ormandy fixed the bug and released the patch in public and also he released a POC that helps to test for DNS rebinding vulnerabilities in software.

Ormandy said, I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see.

“I’ve never had an opensource project take this long to fix a vulnerability before, so I usually don’t even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather months if we’re talking about open source.”

You can also find the Mitigate for DNS rebinding attacks against daemon in GitHub

Four Malicious Chrome Extensions Impacted More than Half a Million Users

Four Malicious Chrome Extensions Impacted More than Half a Million Users

Security researchers from Cybersecurity firm ICEBRG detected four malicious chrome extensions that impacted more than half a million people.

The initial investigation started after they noticed an unusual traffic flow in one of their client workstation, it appears like attackers use the extensions to conduct click fraud for generating more revenue or for SEO purpose.

Four Malicious Chrome Extensions

Change HTTP Request Header

Researchers identified the HTTP traffic is to the domain change-request[dot]info from the malicious chrome extension “Change HTTP Request Header”. And the control server at change-request[dot]info returns obfuscated Javascript.

The Javascript creates a WebSocket tunnel with change-request[dot]info control server and the WebSocket to proxy victim browser traffic. Attackers utilized it for running a click fraud ad campaign. ICEBRG published a detailed report on extension behaviors.

Malicious Chrome Extensions

Nyoogle – Custom Logo for Google and Lite Bookmarks

Like Change HTTP Request Header, Nyoogle and Lite Bookmarks utilize a similar mix of allowing ‘unsafe-eval’ through the CSP with periodical configuration

Stickies – Chrome’s Post-it Notes

It also enables the ‘unsafe-eval’ via the CSP but uses obfuscation methods to retrieve the external javascript.

Chrome Extensions continue to get compromised, the initial compromise on Aug1, attackers used Copyfish extension to spread spam. Malware files have a size far beyond the ordinary and far beyond what is usually inspected for anti-virus solutions.

Now even the Chrome extension started mining cryptocurrency, a chrome extension Archive Poster with more than 105,000 users Caught injecting an in-browser cryptocurrency miner.

Chrome announced site isolation with Chrome 63 which allows each website to have a dedicated process isolated from other sites, allows to Whitelist or Blacklist specific extensions.

Beware of Fake Spectre and Meltdown Patches Pushing Malware – Smoke Loader

Beware of Fake Spectre and Meltdown Patches Pushing Malware – Smoke Loader

Crooks trying to take advantage of the infamous bug Meltdown and Spectre which affects almost all the modern processors and pushes Smoke Loader malware as a patch.

Security researchers from Malwarebytes spotted a phishing campaign targetted German users appears to come from the German Federal Office for Information Security (BSI).

Smoke Loader
Researchers said “the domain was recently registered and it consists of various external links and details about Meltdown and Spectre” and the phishing site has SSL enabled.

The malicious site consists of a zip file Intel-AMD-SecurityPatch-11-01bsi.zip which consist of the malware file Intel-AMD-SecurityPatch-10-1-v1.exe.

Once the malicious file is executed users will infect themselves with Smoke Loader and it downloads additional malware, it posts infection is encrypted and attempting to connect with various domains. Malware published technical analysis report.

They contacted Cloudflare to report the abuse and the site was taken down by Cloudflare in minutes.”This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise” researchers said.

It is evident that we should not trust HTTPS blindly and the TLS certificate is only to encrypt the connection between the browser and server.

Malicious websites available everywhere over the Internet, it is very difficult to find a trustworthy website. If the URL received from an unknown source, we would recommend cross-checking the URL before clicking on it.

Also Read Is it a Legitimate Website: How to Check if a Website is Safe

Copy the URL to analyzers that available over the Internet and ensure it’s Integrity. If it is a shortened URL you can unshorten it with the site and then analyze the actual URL.

IoC – Smoke Loader

Malicious Website

sicherheit-informationstechnik[.]bid

Smoke Loaded SHA256

CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C

FakeBank Malware Layered Obfuscation Technique Replace a Default SMS App to Stealing Highly Sensitive Data

FakeBank Malware Layered Obfuscation Technique Replace a Default SMS App to Stealing Highly Sensitive Data

A New persistent malware family called FakeBank spreading across Russian speaking nations and targetting Russian banks with sophisticated Obfuscation technique to steal highly sensitive information.

Identified samples are mainly abusing Legitimate SMS and MMS based management applications.

This malware specifically targeting to gain the financial information from the SMS applications and periodically gathering pieces of information from the mobile banking system.

This critical malware has been detected in few countries such as Russia, China, Ukraine, Romania, Germany and other Russian speaking countries.

Also Read:  Fourth Fappening – Hacker Pleads Guilty to Hacking into iCloud accounts of Celebrities

FakeBank Malware Intercepting the Victims SMS

Once the user gets infected, this tricky malware will be connected to the internet and establish a connection to its Command & Control server.

Later it used to gathering an information about the antivirus software with this target machine before it starts its malicious behavior.

Once its find and antivirus software then it simply exits without performing any malicious activities using its persistent capability which helps to remain flying under the radar.

This malware stealing the information such as phone numbers, a list of installed banking apps, the balance on any linked bank card, and even location information, later it will upload the collected information to Its C&C server.

once this Malware installed on the Victims machine, an Icon of this malware app has to display in apps screen and ask for some sensitive permissions such as device administration.

Later it asks user to replace the default SMS app and once the replacement will done then it silently disappears from the screen and malicious behavior gets started.

According to Trend Micro, all this access to the device’s SMS gives the malware an avenue to silently steal money from users’ bank account. Since users bind their bank accounts to their device and receive notifications on the same device, the malware can intercept sensitive account information. It can then reset bank account passwords through received security code messages and start transferring money.

Layered Obfuscation

It also using 2 Layers that provides more obfuscation techniques to evade the detection.

First Layer used for shell protection that provides to APKs to avoid the shellcode detection.

Second layer confusion tactic to make the code harder to understand and also it encrypts all the string, system calls, functions and class name. it using (DES/BASE64)  standard encryption technique.

“The malware has registered numerous C&C domains and many of the domain names are recent, with some still alive.

These C&C domains have common IP addresses (195.22.126.81 and 195.22.126.160) that are located in Poland Warmia-Masuria. Other IP addresses (185.110.132.0 &  185.110.132.255) are located in Russia.” Trend Micro said.

Fourth Fappening – Hacker Pleads Guilty to Hacking into iCloud accounts of Celebrities

Fourth Fappening – Hacker Pleads Guilty to Hacking into iCloud accounts of Celebrities

Fourth Fappening Hacker George Garofano,26 plead guilty in Federal court for computer hacking offense and the 26-year-old is going to face a maximum sentence of five years in Federal prison.

He conducted a Spear Phishing attack to obtain the username and password of Celebrities iCloud accounts. “US Department of Justice says Garofano agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information“.

US DoJ says Garofano the Fappening hacker involved in the Phishing activity between April 2013 through October 2014 to obtain the login credentials of Celebrities iCloud accounts.

Garofano admitted that he sent e-mails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords or to enter them on a third-party website, where he would later retrieve them.

He later used the credentials to access the victim accounts and to steal information such as private photos and videos from the Celebrities iCloud accounts, also he traded the credentials and sensitive information of victims to other individuals reads plea agreement.

Also Read A Man Used Fruitfly macOS Malware over 13 Years For Spying Thousand of Computers

Most of the Garofano victims are members of the entertainment industry in Los Angeles and many non-celebrities from Connecticut, he illegally gained access to more than 250 accounts.

Sensitive photos of Celebrities are being uploaded online very often these days, maybe they are obtained as part of Fappening hack or other recent hacks and data breaches.

Lenovo Discovered a Backdoor in Network Switches Which Allows Attacker Could Perform DDOS

Lenovo Discovered a Backdoor in Network Switches Which Allows Attacker Could Perform DDOS

Lenovo discovered a backdoor in network switches that powered by Enterprise Network Operating System firmware during the security audit by Lenovo in the Telnet and Serial Console management interfaces.

An Authentication bypass mechanism Backdoor also called “HP Backdoor” was discovered with some Lenovo and IBM RackSwitch and BladeCenter switch that allows attacker gain the switch management console interface.

This bypass mechanism can be accessed when performing local authentication under specific and unique circumstances.

If the flaw will be perfectly exploited that it gives direct admin levels access to the switch that leads to performing massive DDOS Attack.

Authentication Bypass mechanism added in 2004

This mechanism was added in 2004 to ENOS when its owned by Nortel’s Blade Server Switch Business Unit.

Also Read Cisco ETA – Provides Solution for Detecting Malware in Encrypted Traffic

Lenovo discovered this while source code revision and auditing history as confirmed the same.According to Lenovo Following ENOS interfaces and authentication configurations are vulnerable.

Telnet and Serial Console when performing local authentication, or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances described below
Web when performing a combination of RADIUS or TACACS+ and local authentication combined with an unlikely condition under specific circumstances described below
SSH for certain firmware released in May 2004 through June 2004 (only) when performing a combination of RADIUS or TACACS+ and local authentication under specific circumstances described below; the vulnerable code is present in more recent firmware, but not used

Circumstances

  • SSH in firmware released after June 2004 are not vulnerable
  • SSH and Web using only local authentication are not vulnerable
  • SSH, Web, Telnet, and Serial Console using LDAP, RADIUS, or TACACS+ without use of local authentication fallback are not vulnerable
  • Other management interfaces, such as SNMP, are not vulnerable

Lenovo Feels, the current authentication mechanism that is used in RackSwitch and  BladeCenter switches are being bypassed is completely unacceptable.

Mitigation – Lenovo

Lenovo Removed the source code that belongs to this authentication bypass mechanism and customers are advised to upgrade to the firmware which eliminates it.

If this firmware upgrade is not suddenly possible then customer adviced to following things.

  • Enable LDAP, RADIUS, or TACAS+ remote authentication AND
  • For any of LDAP, RADIUS, or TACAS+ that are enabled, disable the related “Backdoor” and “Secure Backdoor” local authentication fallback settings AND
  • Disable Telnet AND
  • Restrict physical access to the serial console port.

you can find the affected product version by this backdoor in Lenovo release a CVE() has been assigned( CVE-2017-3765) for this flaw.

Cisco ETA – Provides Solution for Detecting Malware in Encrypted Traffic

Cisco ETA – Provides Solution for Detecting Malware in Encrypted Traffic

Encrypted traffic is one of the biggest challenges in the security Industry and now Cisco comes with a solution for it. Cisco ETA was announced in the last June and now it came for general availability.

Cisco ETA inspects the contents of the encrypted traffic without breaking the packets, it uses network visibility and multi-layer machine learning to look for observable differences.

First, ETA examines the initial data packet of the connection. This by itself may contain valuable data about the rest of the content. Then there is the sequence of packet lengths and times, which offers vital clues into traffic contents beyond the beginning of the encrypted flow. Since this network-based detection process is aided by machine learning, it adapts to change and its efficacy is maintained over time.

Cisco says ETA can identify the quality of encryption, gives visibility and knowledge of what data being encrypted in your network.

Also Read Malicious Code in Kids Game Apps on Google Play Pushing Porn Ads – More than 60 Game Apps Infected

Initially Cisco ETA available only with campus switches, the Catalyst 9300 and 9400 series and now it extended to routing platforms.

  • Integrated Services Router (ISR): 4000 Series, the new 1000 Series, ISRv on ENCS 5000 series.
  • Aggregation Services Router (ASR) 1000 series.
  • Cloud Services Router (CSR) 1000V.

Cisco says it preserves the privacy of legitimate traffic and analyzes encrypted traffic by observing through passive monitoring and it adapts to change and its efficacy is maintained over time.

Gartner report says in 2019 more than 80 percent traffic of corporate traffic is encrypted and more than 50 percent of malware campaigns uses encryption and obfuscation techniques.

Cisco concluded that “We’re excited to bring these much-needed security innovations to our customers and we will be rolling out additional capabilities in the months to come“.

Below is the Cisco ETA video representation

https://youtu.be/KL8SxtZLeqc