Threat actors are exploiting a WordPress plugin to insert malicious PHP code in e-commerce sites and steal credit card data.

Sucuri researchers observed threat actors using a PHP snippet WordPress plugin to install malicious code in WooCommerce e-stores and harvest credit card details.

In the campaign spotted by the experts, attackers use a very obscure WordPress plugin called Dessky Snippets, which has only a few hundred active installations at the time of writing.

Dessky Snippets is a lightweight and simple plugin that gives users the ability to easily add custom PHP code from WordPress admin.

The campaign occurred on May 11th, and the researchers observed a surge in downloads of the Dessky Snippets plugin from that same day. At this time, the WordPress plugin has over 200 active installations.

Attackers exploited the Dessky Snippets plugin to insert a server-side PHP credit card e-skimmer.

“This malicious code was saved in the dnsp_settings option in the WordPress wp_options table and was designed to modify the checkout process in WooCommerce by manipulating the billing form and injecting its own code.” reads the analysis published by Sucuri.

The malware has two main components. The first part uses a fake function named “twentytwenty_get_post_logos()” to hook into WooCommerce’s billing form. The function adds additional fields to the billing form to request credit card details earlier than usual. The second part involves an obfuscated credit card skimmer that monitors POST data for specific parameters. When the malware detects these parameters, it sends all the collected billing and credit card information to a third-party URL “hxxps://2of[.]cc/wp-content/”.

The researchers noticed that the billing form associated with the overlay used by the attackers has the autocomplete feature disabled, The fields are set with autocomplete=”off”.

Disabling the auto-fill feature on the fake checkout form is an evasion trick that reduces the chances of the browser warning users about entering sensitive information. The fields remain blank until manually filled out, making them look like regular, necessary inputs for the transaction and reducing user suspicion.

“In essence, ecommerce sites are prime targets for hackers due to the valuable data they handle.” concludes the report. “Here’s a simple guide to protect your online store:

1. Keep your software patched: Regularly update your CMS, plugins, themes, and any third-party components to patch vulnerabilities.
2. Use strong passwords: Ensure all accounts, including admin, sFTP, and database credentials, have strong and unique passwords.
3. Select trusted scripts: Only integrate third-party JavaScript from reputable sources. Avoid unnecessary third-party scripts.
4. Monitor for threats: Regularly check your site for signs of malware, unauthorized changes, or any indicators of compromise.
5. Implement a firewall: Use a web application firewall to block malicious bots, virtually patch known vulnerabilities, and filter harmful traffic.
6. Set up a CSP: Establish a Content Security Policy (CSP) to protect against clickjacking, cross-site scripting (XSS), and other threats.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

Researchers warn of a critical remote code execution vulnerability in TP-Link Archer C5400X gaming router.

Researchers at OneKey discovered a a critical remote code execution (RCE) vulnerability, tracked as CVE-2024-5035 (CVSS score 10.0), in TP-Link Archer C5400X gaming router.

A remote, unauthenticated, attacker can exploit the vulnerability to execute commands on the device.

The TP-Link Archer C5400X is a high-performance gaming router designed for demanding applications such as online gaming and streaming.

The vulnerability resides in a binary called “rftest” that is executed during device startup. The researchers discovered that the binary exposes a network service that is susceptible to unauthenticated command injection and buffer overflows on TCP ports 8888, 8889, and 8890

“By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges.” reads the report published by the OneKey. “It’s unclear whether the binary is always launched and whether it is always exposed on LAN/WAN interfaces. We reproduced the issue within an emulator, but production device may behave differently. We put our trust in TP-Link in assessing the actual exposure of this vulnerability.“

The experts noticed that upon executing the binary, it starts a TCP server on port 8888, accepting commands from clients. The binary only accepts commands starting with “wl” or “nvram get”. However, this limitation can be bypassed for command injection by appending shell meta-characters like “;”, “&”, or “|”.

TP-Link addressed the issue by discarding any command containing shell meta-characters.

The issue affects firmware versions, through 1.1.1.6, Archer C5400X(EU)_V1_1.1.7 Build 20240510 addressed the flaw.

Below is the timeline for this flaw:

• 2024-02-16 –Report submitted to TP-Link PSIRT through encrypted email.
• 2024-02-19 –Case opened by TP-Link PSIRT.
• 2024-04-10 –TP-Link shares a beta version of 1.1.7p1 for validation.
• 2024-04-17 –Patch confirmed by ONEKEY.
• 2024-05-27 –Release ONEKEY advisory in coordination with TP-Link

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TP-Link Archer C5400X)

Prescription service firm Sav-Rx disclosed a data breach that potentially impacted over 2.8 million people in the United States.

Prescription service company Sav-Rx disclosed a data breach after 2023 cyberattack. The company is notifying 2,812,336 individuals impacted by the security breach in the United States.

A&A Services, which operates as Sav-RX, shared with the Maine Attorney General’s office the data breach notification letter sent to the impacted individuals.

The investigation conducted by the company with the help of external cybersecurity experts revealed that threat actors first gained access to the IT System on or around October 3, 2023.

“On October 8, 2023, we identified an interruption to our computer network. As a result, we immediately took steps to secure our systems and engaged third-party cybersecurity experts. Our information technology systems (“IT System”) were restored the next business day, and prescriptions were shipped on time without delay.” reads the letter sent to the impacted individuals. “As part of the investigation, we learned that an unauthorized third party was able to access certain non-clinical systems and obtained files that contained health information. After an extensive review with third-party experts, on April 30, 2024, we discovered that some of the data accessed or acquired by the unauthorized third party may have contained your protected health information.”

Compromised data includes full name, date of birth, Social Security Number (SSN), email address, physical address, phone number, eligibility data, and insurance identification number.

Sav-Rx took eight months to notify impacted individuals to avoid impacting patient care with its investigation.

“Our initial priority was restoring systems to minimize any interruption to patient care.” states the company. “The incident did not affect our pharmacy systems, including those systems related to our mail order pharmacy. Not all customers were impacted, and not all health plan participants were impacted.”

The company promptly notified law enforcement authorities. Sav-Rx worked with external cybersecurity experts to contain the incident and ensure any data stolen from the company was destroyed and not further disseminated.

The firm pointed out that the incident had a limited impact on its operations, its IT system was restored
the next business day and there was no delay in the shipment of prescriptions.

The prescription service provider also announced it has enhanced its security protocols, controls, technology, and training.

Sav-Rx is offering impacted individuals complimentary access to 24 months of credit monitoring and identity theft restoration services provided by Equifax.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Organizations had to re-examine the traditional business perimeter and migrate to cloud-based tools to support distributed workforces. Which is the impact?

The almost overnight shift to remote work, driven by the COVID-19 pandemic, has profoundly impacted how businesses use technology. Organizations across the globe had to adapt and adapt quickly.  They had to re-examine the traditional business perimeter and migrate to cloud-based tools to support distributed workforces.

Cloud-based applications and services can be accessed from anywhere via an internet connection, facilitating seamless collaboration among remote workers. The cloud can be scaled up or down based on demand, providing the flexibility to support varying workloads and user numbers and eliminating the danger of under or over-provisioning.

In addition, by moving to the cloud, companies can reduce the capital expenditure associated with maintaining on-premises infrastructure. Cloud-based tools such as Microsoft Teams, Slack, and Google Workspace also boost collaboration and communication among remote teams, driving productivity and innovation.

Cloud Security Challenges

However, adopting cloud computing significantly expanded the attack surface for businesses, effectively dissolving the traditional network perimeter. This shift introduced new vulnerabilities, and conventional security measures designed to protect a well-defined, centralized perimeter were no longer enough.

Enterprises typically use multiple cloud services from a wide range of vendors for business applications, development environments, and IT infrastructure management. This multi or hybrid cloud strategy can introduce unexpected complexities and challenges, which are exacerbated when different business units and teams adopt cloud solutions without the approval or knowledge of the central IT department.

Storing data in the cloud also comes with a heightened risk of data breaches. These environments house a significant amount of valuable and sensitive information, making them attractive to malicious actors. Moreover, cloud platforms store vast amounts of data in centralized repositories, and this concentration of data creates a single point of failure that, if breached, can lead to major data loss and exposure.

Cloud environments are also highly dynamic, complex, and distributed, which can obscure visibility into assets, data flows, and security postures. Furthermore, many cloud services operate on a multi-tenant model, where multiple customers share the same infrastructure. Although cloud providers implement stringent isolation mechanisms, the shared nature of the infrastructure can introduce vulnerabilities that, if exploited, can affect multiple customers.

In addition to these challenges, cloud security adds a new form of security alert for analysts to triage and investigate, adding to the overall costs. Managing cloud alerts effectively requires overcoming the unique complexities introduced by cloud architectures. The sheer volume of alerts generated by various cloud resources can easily overwhelm security teams. Each cloud service has its own set of security and audit logs, which often provide data in non-standard formats, adding to the complexity of monitoring and analysis.

Furthermore, the lack of clear visibility across different cloud platforms and services can hinder effective response strategies, as security teams struggle to correlate alerts across a fragmented ecosystem. This situation demands robust automation and integration of security tools to ensure comprehensive coverage and swift response to potential threats in cloud environments.

Compliance Across Jurisdictions

Compliance is another challenge. Ensuring compliance with industry regulations and standards in a cloud environment can be complex. Different industries and regions have specific regulatory requirements, such as the General Data Protection Regulation (GDPR) for data protection in the EU, the Health Insurance Portability and Accountability Act (HIPAA) for healthcare information in the US, and the Payment Card Industry Data Security Standard (PCI-DSS) for credit card information. These regulations have unique requirements for data handling, security controls, and reporting.

The cloud landscape constantly evolves, with new services, features, and configurations continuously introduced. Maintaining compliance in a dynamic setting requires continuous monitoring and adaptation to ensure that all deployed services comply with regulatory standards.

Misconfigurations Exposing Data

Cloud misconfigurations are another major cause of security vulnerabilities. They often result from human error or a lack of understanding of complex cloud environments. These misconfigurations can expose sensitive data and systems to unauthorized access and breaches.

For example, setting overly permissive access controls can inadvertently expose sensitive data to the public internet or unauthorized users. This could include misconfigured storage buckets, databases, and virtual machines. Also, failure to change default security settings can leave cloud resources vulnerable to exploitation. Default settings often lack adequate security and should be customized to meet the organization’s specific security requirements.

 Poor network segmentation is another culprit, and once bad actors gain a foothold, it can allow them to move laterally within a cloud environment. Properly segmenting networks can contain potential breaches and limit the spread of attacks.

Understanding Responsibilities

Security in the cloud operates on a shared responsibility model, where the cloud service provider and the customer have distinct security obligations. This model outlines security duties, ensuring that both parties contribute to a secure cloud environment.

Cloud service providers are typically responsible for the security of the cloud infrastructure, including physical security, network infrastructure, and the hypervisor layer. They ensure that the foundational services are secure and reliable. However, customers are responsible for securing their data, managing user access, and configuring security settings for their applications and services that run in the cloud.

Organizations must clearly understand their responsibilities within this model to implement appropriate security measures. This includes data encryption, identity and access management, regular patching, and compliance with relevant regulatory requirements. Failure to understand and act upon these responsibilities can lead to security vulnerabilities and data breaches.

A Proactive Approach

The shift to remote work and the migration to cloud-based solutions have transformed the traditional security perimeter. While these trends offer numerous benefits, they also introduce new challenges and risks.

Traditional security approaches, which rely on static defenses, are insufficient to address the evolving threat landscape in the cloud. The cloud’s dynamic and interconnected nature demands a more automated approach, where the SOC teams enforce security best practices that emphasize efficiency in threat detection using AI-enabled automation tools.

By adopting a proactive approach to security, organizations can successfully navigate this new world and ensure the secure and efficient operation of their distributed workforces. 

About the Author:  Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications. She is also a regular writer at Bora.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cybersecurity)

Experts warn of a new ATM malware family that is advertised in the cybercrime underground, it was developed to target Europe.

A threat actor is advertising a new ATM malware family that claims to be able of compromised 99% of devices in Europe. The threat actor is offering the malware for $30,000, he claims that the “EU ATM Malware” is designed from scratch and that can also target approximately 60% of ATMs worldwide.

If the claims are true, this malware poses a significant threat to the global banking industry. According to the announcement, the ATM malware can target machines manufactured by multiple leading vendors, including Diebold Nixdorf, Hyosung, Oki, Bank of America, NCR, GRG, and Hitachi.

“The developers of this malware claim that it can generate up to $30,000 per ATM, making it a lucrative tool for cybercriminals.” reported the website DailyDarkweb. “The malware is fully automated, simplifying its deployment and operation.”

The malware is fully automated, making its deployment and operation straightforward and efficient, however, it also supports a manual operation mode.

The seller is offering the malware with multiple payment options, including a monthly subscription and an initial fee plus a share of the profits from successful jackpotting operations.

The threat actors also give customers a test payload option valid for three days.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Cisco addressed a SQL injection vulnerability in the web-based management interface of the Firepower Management Center (FMC) Software. 

Cisco addressed a vulnerability, tracked as CVE-2024-20360 (CVSS score 8.8), in the web-based management interface of the Firepower Management Center (FMC) Software. 

The vulnerability is a SQL injection issue, an attacker can exploit the flaw to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. The attacker can exploit this vulnerability only if it has at least Read Only user credentials.

“A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.” reads the advisory. “This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials.”

Cisco states that there are no workarounds that address this vulnerability. The IT giant has confirmed that this vulnerability does not affect Adaptive Security Appliance (ASA) Software or Firepower Threat Defense (FTD) Software.

The Cisco Product Security Incident Response Team (PSIRT) is not aware attacks in the wild exploiting this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SQL Injection)

The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat actor UAC-0006.

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of surge in in cyberattacks linked to the financially-motivated threat actor UAC-0006.

UAC-0006 has been active since at least 2013. The threat actors focus on compromising accountants’ PCs (which are used to support financial activities, such as access to remote banking systems), stealing credentials, and making unauthorized fund transfers.

The government experts reported that the group carried out at least two massive campaigns since May 20, threat actors aimed at distributing SmokeLoader malware via email.

SmokeLoader acts as a loader for other malware, once it is executed it will inject malicious code into the currently running explorer process (explorer.exe) and downloads another payload to the system.

“Starting from May 20th, hackers have launched at least two massive campaigns with emails containing the SmokeLoader malware.” read the advisory published by CERT-UA.

The attackers sent out emails with ZIP archives containing an IMG files that serves as decoys for hidden EXE malware and ACCDB documents. The documents are weaponized Microsoft Access files, upon enabling the malicious macros they execute PowerShell commands to download and run EXE files.

The researchers observed that following the initial infection, additional malware such as TALESHOT and RMS are downloaded onto the targeted PC.

The UAC-0006 actor is using a botnet composed of several hundred infected machines.

“Currently, UAC-0006’s bot network consists of several hundred infected machines. CERT-UA believes that hackers may soon activate fraudulent schemes using remote banking systems.” continues the report.

CERT-UA warned Ukrainian CEOs to enhance cybersecurity measures for accountants’ automated workplaces. IT shared indicators of compromise for this campaign and is urging to implement proper security policies and protection mechanisms.

In May 2023, Ukraine’s CERT-UA warned of another phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file.

UAC-0006 is the most active financially-motivated threat actor targeting Ukraine businesses, has already attempted to steal tens of million hryvnias through mass online theft campaigns in August-October 2023.

CERT-UA published an article that provides more details of the group’s TTPs.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

International Press – Newsletter

Cybercrime

Healthcare company WebTPA discloses breach affecting 2.5 million people    

Cybercriminals Are Targeting Elections In India With Influence Campaigns 

Laundering cash from healthcare, romance scams lands US man in prison for a decade

He Trained Cops to Fight Crypto Crime—and Allegedly Ran a $100M Dark-Web Drug Market  

Man behind deepfake Biden robocall indicted on felony charges, faces $6M fine

Dark Web Profile: Dispossessor Ransomware   

Malware

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns  

GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure 

Spyware found on US hotel check-in computers 

A Catalog of Hazardous AV Sites – A Tale of Malware Hosting   

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack  

Malware Transmutation! – Unveiling the Hidden Traces of BloodAlchemy

Hacking 

Two Santa Cruz students uncover security bug that could let millions do their laundry for free 

QNAP QTS zero-day in Share feature gets public RCE exploit

Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit – CVE-2024-4323)

Positive Technologies detects a series of attacks via Microsoft Exchange Server      

Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors

Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion  

Google fixes eighth actively exploited Chrome zero-day this year

Intelligence and Information Warfare 

IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders

Russia’s New Counterspace Weapon Is in the Same Orbit as a US Satellite 

Operational Monitoring and Control Of Small Arms Weapons Within the People’s Liberation Army 

Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea        

Putin hijacked Austria’s spy service. Now he’s going after its government  

Cybersecurity   

Palantir’s Military AI Tech Conference Sounds Absolutely Terrifying  

UK watchdog looking into Microsoft AI taking screenshots

Wargames director Jackie Schneider on why cyber is one of ‘the most interesting scholarly puzzles’   

US Looks to Create Paranoia Amongst Hackers to Fight Ransomware Gangs, but How?       

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Malicious actors compromised the JAVS Viewer installer to deliver the RustDoor malware in a supply chain attack.

Rapid7 researchers warned that threat actors added a backdoor to the installer for the Justice AV Solutions JAVS Viewer software.

The attackers were able to inject a backdoor in the JAVS Viewer v8.3.7 installer that is being distributed from the JAVS’ servers.

Justice AV Solutions (JAVS) is a U.S.-based company providing digital audio-visual recording solutions for courtroom settings and other environments, including jails, councils, and lecture rooms. The JAVS Viewer has over 10,000 installations globally. The backdoor delivered by the researchers allows attackers to gain full control of infected systems. Rapid7 experts recommend to re-image the affected systems, reset associated credentials, and install the latest version of JAVS Viewer (v8.3.8 or higher).

The researchers noticed that the installer for JAVS Viewer Setup 8.3.7.250-1.exe was digitally signed with an unexpected Authenticode signature and included a binary called fffmpeg.exe. The binary executed encoded PowerShell scripts, Rapid7 linked fffmpeg.exe to the GateDoor/Rustdoor malware, which was identified by security firm S2W.

“Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to “Vanguard Tech Limited”. This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to “Justice AV Solutions Inc”.” reads the report published by Rapid7. “Searching VirusTotal for other files signed by “Vanguard Tech Limited” shows the following.

“The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe (SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.”

The researchers discovered two malicious JAVS Viewer packages on the vendor’s server, they were signed with a certificate issued on February 10.

On April 2, 2024, the X user @2RunJack2 first reported of the implant distributed by the official JAVS downloads page.

Rapid7 published Indicators of Compromise (IoC) for this attack, below is the attack timeline:

• Feb 10, 2024: A certificate is issued for the subject Vanguard Tech Limited, which the certificate indicates is based in London.
• Feb 21, 2024: The first of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
• April 2, 2024: The Twitter user @2RunJack2 tweets about malware being served by the official JAVS downloads page. It’s not stated whether the vendor was notified.
• Mar 12, 2024: The second of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
• May 10, 2024: Rapid7 investigates a new alert in a Managed Detection and Response customer environment. The source of the infection is traced back to an installer that was downloaded from the official JAVS site. The malware file that was downloaded by the victim, the first Viewer package, is not observed to be accessible on the vendor’s download page. It’s unknown who removed the malicious package from the downloads page (i.e., the vendor or the threat actor).
• May 12, 2024: Rapid7 discovers three additional malicious payloads being hosted on the threat actor’s C2 infrastructure over port 8000: chrome_installer.exe, firefox_updater.exe, and OneDriveStandaloneUpdater.exe.
• May 13, 2024: Rapid7 identifies an unlinked installer file containing malware, the second Viewer package, still being served by the official vendor site. This confirms that the vendor site was the source of the initial infection.
• May 17, 2024: Rapid7 discovers that the threat actor removed the binary OneDriveStandaloneUpdater.exe from C2 infrastructure and replaced it with a new binary, ChromeDiscovery.exe. This indicates that the threat actor is actively updating their C2 infrastructure.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, JAVS Viewer)

Threat actors used fake AV websites masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes to distribute malware.

In mid-April 2024, researchers at Trellix Advanced Research Center team spotted multiple fake AV sites used to distribute info-stealers. The malicious websites hosted sophisticated malicious files such as APK, EXE and Inno setup installer, including Spy and Stealer capabilities.

The fake websites were masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes.

The sites hosting malware are avast-securedownload.com (Avast.apk), bitdefender-app.com (setup-win-x86-x64.exe.zip), malwarebytes.pro (MBSetup.rar).

Below is the list of malicious websites analyzed by the researchers:

1. avast-securedownload[.]com: Distributes the SpyNote trojan as an Android package file (“Avast.apk”), which, once installed, requests intrusive permissions such as reading SMS messages and call logs, installing and deleting apps, taking screenshots, tracking location, and mining cryptocurrency.
2. bitdefender-app[.]com: Distributes a ZIP archive file (“setup-win-x86-x64.exe.zip”) that was used to deploy the Lumma information stealer.
3. malwarebytes[.]pro: Distributes a RAR archive file (“MBSetup.rar”) that was used to deploy the StealC information stealer malware.

The experts also discovered a malicious Trellix binary that pretends to be Legit (AMCoreDat.exe).

The researchers did not attribute the attacks to a specific threat actor. The report also includes Indicators of Compromise (IoCs) for the attacks employing fake AV websites.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, fake AV websites)

The MITRE Corporation revealed that threat actors behind the December 2023 attacks created rogue virtual machines (VMs) within its environment.

The MITRE Corporation has provided a new update about the December 2023 attack. In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.

According to the MITRE Corporation, China-linked nation-state actor UNC5221 breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.

MITRE spotted the foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.

The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration. 

Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.

The organization said that the core enterprise network or partners’ systems were not affected by this incident.

According to the new update, threat actors exploited zero-day flaws in Ivanti Connect Secure (ICS) and created rogue virtual machines (VMs) within the organization’s VMware environment.

“The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.” reads the latest update. “By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.”

The attackers deployed rogue virtual machines (VMs) to evade detection by hiding their activities from centralized management interfaces like vCenter. This tactic allows them to control the compromised systems while minimizing the risk of discovery.

On January 7, 3034, the adversary accessed VMs and deployed malicious payloads, including the BRICKSTORM backdoor and a web shell tracked as BEEFLUSH, enabling persistent access and arbitrary command execution.

The hackers relied on SSH manipulation and script execution to maintain control over the compromised systems. Mitre noted attackers exploiting a default VMware account to list drives and generate new VMs, one of which was removed on the same day. BRICKSTORM was discovered in directories with local persistence setups, communicating with designated C2 domains. BEEFLUSH interacted with internal IP addresses, executing dubious scripts and commands from the vCenter server’s /tmp directory

In the following days, the threat actors deployed additional payloads on the target infrastrcuture, including the WIREFIRE (aka GIFTEDVISITOR) web shell, and the BUSHWALK webshell for data exfiltration.

The threat actors exploited a default VMware account, VPXUSER, to make API calls for enumerating drives. They bypassed detection by deploying rogue VMs directly onto hypervisors, using SFTP to write files and executing them with /bin/vmx. These operations were invisible to the Center and the ESXi web interface. The rogue VMs included the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets.

“Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs.” continues the update. “This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.”

MITRE shared two scripts, Invoke-HiddenVMQuery and VirtualGHOST, that allow admins to identify and mitigate potential threats within the VMware environment. The first script, developed by MITRE, Invoke-HiddenVMQuery is written in PowerShell and serves to detect malicious activities. It scans for anomalous invocations of the /bin/vmx binary within rc.local.d scripts.

“As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats. By understanding and countering their new adversary behaviors, we can bolster our defenses and safeguard critical assets against future intrusions.” MITRE concludes.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, China)

GitLab addressed a high-severity cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to take over user accounts.

GitLab fixed a high-severity XSS vulnerability, tracked as CVE-2024-4835, that allows attackers to take over user accounts.

An attacker can exploit this issue by using a specially crafted page to exfiltrate sensitive user information.

The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.

The flaw was addressed with the release of versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

“A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.” reads the advisory published by the company. “By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.”

matanber reported this vulnerability through our HackerOne bug bounty program, he received a $10,270 bounty.

Below is the list of vulnerabilities addressed by the company:

In early May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset. The flaw can be exploited to hijack an account without any interaction.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, XSS)