Fake WordPress Security Updates

Summary: WordPress administrators are being emailed by attackers claiming that a new patch is available for the fictitious CVE-2023-45124. The email states that the WordPress security team has discovered the listed CVE and that a “patch” has been created. It urges users to download and install the plugin to protect their website against the non-existent CVE.

The link leads to a fake WordPress landing page with thousands of fake reviews claiming that the plugin helped their compromised site. Once the plugin is downloaded, a hidden admin user named “wpsecuritypatch” is created and sends information to the attacker’s Command-and-Control server. The plugin then downloads a backdoor which is saved to the website’s root as “wp-autoload.php”. Currently, it is unknown what the goal of the plugin is.
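The two host-level indicators the report names, an account called "wpsecuritypatch" and a "wp-autoload.php" dropped in the site root, are cheap to sweep for. The following is an added example (not code from the report or from any WordPress project) that runs that sweep over a list of user logins, such as the output of `wp user list --field=user_login`, and a web root directory; the user list and directory tree in `demo()` are constructed stand-ins.

```python
"""Sweep a WordPress install for the indicators named in the report:
a "wpsecuritypatch" account and a "wp-autoload.php" file in the web root.
Added example; the inputs in demo() are constructed, not real site data."""
import os
import tempfile
from pathlib import Path

SUSPECT_USER = "wpsecuritypatch"   # hidden admin account named in the report
SUSPECT_FILE = "wp-autoload.php"   # backdoor file name named in the report


def find_suspect_users(user_logins):
    """Return every login that matches the backdoor account name.
    Matching is case-insensitive because WordPress logins are."""
    return [u for u in user_logins if u.lower() == SUSPECT_USER]


def find_suspect_files(webroot):
    """Return paths under webroot whose basename is the dropped backdoor name.
    The whole tree is walked, not just the root, so a copy moved into a
    plugin or uploads directory is still found."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() == SUSPECT_FILE:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def triage(user_logins, webroot):
    """Combine both checks into one report dict."""
    return {
        "users": find_suspect_users(user_logins),
        "files": find_suspect_files(webroot),
    }


def demo():
    """Constructed sample: a throwaway fake web root plus a fake user list."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "wp-load.php", "wp-settings.php", SUSPECT_FILE):
        Path(root, name).write_text("<?php // placeholder\n")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    users = ["admin", "editor", "WPSecurityPatch"]   # note the mixed case
    return triage(users, root)


if __name__ == "__main__":
    print(demo())
```

A hit on either indicator is grounds for treating the site as compromised, but an empty result is not proof of health: the report says the dropped file fetches further code, so a clean sweep should be followed by checking for other unexpected PHP files and administrator accounts.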

Why it matters: Phishing attempts normally come in the form of emails that lead to websites that trick users into entering their credentials. This attempt instead tricks users into downloading a malicious plugin, with fake reviews created to increase believability. More interestingly, the attackers invented a fake CVE to convince more technical users that a new, dangerous vulnerability has been discovered. Given the market share of WordPress, the possible number of victims is large, and the attack could thus affect many organizations and websites. Although the purpose of the attack is unknown, the presence of the malicious plugin poses a threat to every website that installed it.

MongoDB Breach

Summary: MongoDB, the NoSQL database company, announced on Saturday December 17, 2023 that an unauthorized party has breached their systems. MongoDB’s investigation as of December 19, 2023 states that the threat actor was unable to breach MongoDB Atlas clusters or its authentication system. However, the threat actor was able to access several corporate systems containing contact information and system logs of one customer. The customer has been contacted and there have been no signs that other customers and their information have been breached.

Currently, MongoDB believes it was the victim of a phishing attack and recommends implementing multi-factor authentication to help mitigate phishing attacks. The threat actor was detected using Mullvad VPN and the following IP addresses during the attack:

  • 107.150.22.47
  • 138.199.6.199
  • 146.70.187.157
  • 179.43.189.85
  • 185.156.46.165
  • 198.44.136.69
  • 198.44.136.71
  • 198.44.140.133
  • 198.44.140.199
  • 199.116.118.207
  • 206.217.205.88
  • 66.63.167.152
  • 66.63.167.154
  • 87.249.134.10
  • 96.44.191.132
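The address list above is most useful when it is actually matched against your own access logs. The following is an added example (not code from MongoDB or the report) that loads the fifteen addresses as a set and scans web-server access log lines in the common combined format, where the client address is the first field; the four log lines in `SAMPLE_LOG` are constructed for the demonstration.

```python
"""Match web-server access log lines against the IP indicators attributed
to the MongoDB intrusion. Added example; SAMPLE_LOG is constructed."""
import ipaddress
import re

# The addresses listed in the report, parsed so that "010.1.1.1"-style
# variants and IPv6 text still compare correctly.
MONGODB_INCIDENT_IPS = frozenset(ipaddress.ip_address(a) for a in [
    "107.150.22.47", "138.199.6.199", "146.70.187.157", "179.43.189.85",
    "185.156.46.165", "198.44.136.69", "198.44.136.71", "198.44.140.133",
    "198.44.140.199", "199.116.118.207", "206.217.205.88", "66.63.167.152",
    "66.63.167.154", "87.249.134.10", "96.44.191.132",
])

# First whitespace-delimited field of an nginx/Apache combined log line.
_CLIENT_FIELD = re.compile(r"^(\S+)\s")


def client_ip(line):
    """Return the client address of a combined-format log line, or None if
    the line has no parsable address (blank lines, truncated writes)."""
    m = _CLIENT_FIELD.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def match_iocs(lines, iocs=MONGODB_INCIDENT_IPS):
    """Return (line_number, address, line) for every line whose client
    address is in the indicator set. Line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, 1):
        ip = client_ip(line)
        if ip is not None and ip in iocs:
            hits.append((n, str(ip), line))
    return hits


# Constructed sample lines: one benign client from a documentation range,
# two hits, and one malformed line that must not crash the scan.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Dec/2023:09:12:01 +0000] "GET /login HTTP/1.1" 200 512',
    '185.156.46.165 - - [18/Dec/2023:09:12:44 +0000] "POST /login HTTP/1.1" 302 0',
    "garbage line with no address",
    '66.63.167.152 - - [18/Dec/2023:09:13:10 +0000] "GET /admin HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, ip, line in match_iocs(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {line}")
```

These are VPN exit addresses, so they are shared by many unrelated users; a match is a lead to investigate (who logged in from that address, and what they did next), not by itself proof that your environment was touched by the same actor.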

Why it matters: MongoDB is one of the most widely used NoSQL databases. Although the threat actor appears to have accessed only one customer’s information and logs, the incident is still a cautionary lesson about the dangers of phishing. The detected breach, while it appears not to have had a large impact, is evidence that the security of a system and company ultimately rests with people, who are susceptible to deception. Thus, it is important not only to implement proper authentication controls such as multi-factor authentication but also to train users on the dangers of phishing and the different forms it takes. It takes teamwork to make a company and teamwork to keep it safe.

FBI Releases BlackCat Decryption Tool

Summary: Operations of the BlackCat ransomware gang have reportedly been interrupted by the FBI and other law enforcement agencies around the world. The ransomware gang’s online portal previously went offline for five days sparking speculations of law enforcement interference against the ransomware gang. It was reported that through a confidential human source, a type of informant, the law enforcement agencies were able to access the gang’s online services.

The action against BlackCat has led to the discovery and release of a decryption tool containing the keys needed for victims to unlock their encrypted files. It also resulted in the discovery of 946 public/private key pairs used by the gang to host their malicious sites and dismantle them. However, as of December 19, 2023, the ransomware gang appears to still be in operation as they have created a new website.

Why it matters: BlackCat, also known as ALPHV, is currently one of the most prolific ransomware gangs. Hundreds of victims have been targeted by the ransomware, and in total it has cost millions of dollars in losses. The decryption tool released by the FBI has already been used to help dozens of affected victims and can be used to help more in the future. Although the ransomware gang appears to still be active, both the temporary disruption of its infrastructure and the release of the tool inflict significant losses on the attackers, both financially and reputationally.

Apple Security Patch Updates

Summary: Apple announced on November 30, 2023 that two CVEs were recently discovered in its WebKit browser engine. The discovery, made by Clément Lecigne of Google’s Threat Analysis Group, could lead to the disclosure of sensitive information and arbitrary code execution.

The CVEs are tracked as CVE-2023-42916 and CVE-2023-42917. These affect iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. The vulnerabilities were reportedly being actively exploited before iOS 16.7.1. These vulnerabilities were addressed with the release of iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2.
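When checking a device fleet against the fixed releases listed above, the classic mistake is comparing version strings lexically, which ranks "16.10" below "16.7". The following is an added example (not Apple's or the report's code) that compares versions as integer tuples, using only the fixed releases the report names; devices on a different major branch are reported as "unknown" rather than guessed at, because nothing on this page says which release fixed them.

```python
"""Flag devices running a release older than the fixes named in the report.
Added example; the fleet in demo() is constructed."""

# Fixed releases named in the report, keyed by platform.
PATCHED = {
    "iOS": (16, 7, 3),
    "iPadOS": (16, 7, 3),
    "tvOS": (17, 2),
    "watchOS": (10, 2),
}


def parse_version(text):
    """'16.7.1' -> (16, 7, 1). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def status(platform, version):
    """Return 'patched', 'vulnerable', 'unknown' (other major branch, not
    covered by the releases listed here) or 'unknown-platform'."""
    fixed = PATCHED.get(platform)
    if fixed is None:
        return "unknown-platform"
    v = parse_version(version)
    if v[0] != fixed[0]:
        return "unknown"
    # Tuple comparison is numeric per component; (16, 7) < (16, 7, 3) holds
    # because a shorter prefix sorts first, so "16.7" is correctly below "16.7.3".
    return "patched" if v >= fixed else "vulnerable"


def audit(fleet):
    """fleet: iterable of (device_id, platform, version). Groups ids by status."""
    report = {}
    for device_id, platform, version in fleet:
        report.setdefault(status(platform, version), []).append(device_id)
    return report


def demo():
    # Constructed inventory; the ids are placeholders.
    fleet = [
        ("phone-01", "iOS", "16.7.1"),      # older than the fix
        ("phone-02", "iOS", "16.7.3"),      # exactly the fix
        ("phone-03", "iOS", "16.10.1"),     # lexically "smaller", numerically newer
        ("phone-04", "iOS", "17.0"),        # other branch: not covered here
        ("pad-01", "iPadOS", "16.7"),       # shorter tuple, still older
        ("tv-01", "tvOS", "17.1"),
        ("watch-01", "watchOS", "10.2"),
        ("mac-01", "macOS", "14.1"),        # platform not listed in the report
    ]
    return audit(fleet)


if __name__ == "__main__":
    print(demo())
```

The "unknown" bucket is deliberate: a device on 17.x is newer than 16.7.3 numerically, but whether it carries the fix depends on release information this report does not give, so the script refuses to call it patched.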

Why it matters: Apple products are some of the most widely used in the world. iPhones, iPads, Apple Watches, and Apple TVs are household names and command large market shares in their respective categories. The presence of these vulnerabilities endangers the security of each user’s data, given that they are being actively exploited. Not only is the personal information stored on those devices endangered; companies that use Apple products are vulnerable as well. Company-owned Apple devices could thus be targeted, which could lead to the disclosure of sensitive company information as well as to their systems being impacted through arbitrary code execution.

An Old Threat Returns

Summary: Zscaler ThreatLabz discovered that attackers are exploiting the old Microsoft Office CVE-2017-11882 in phishing campaigns to distribute the malware known as Agent Tesla. The malware, commonly used as a Malware-As-A-Service (MaaS), is an advanced keylogger and data stealer used for gaining initial access. It is capable of clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers.

The attackers exploit this vulnerability by sending phishing emails containing words such as “orders” and “invoice” to trick users into downloading the attachment. The attachment checks the version of Excel to determine whether it is vulnerable to the CVE and, if so, triggers a series of payloads and programs that install the Agent Tesla malware on the device.

Why it matters: Most attention to security updates focuses on updating the entire operating system; this vulnerability, however, lives in an application. The attack itself is only effective against old versions of Excel, as the vulnerability was discovered in 2017. It serves as a reminder that security comprises multiple vulnerable parts. While the most important step in this attack is the recipient downloading the malicious file, it is also important to recognize that applications, not just the operating system, must be kept updated. To create a secure environment, people must be trained not only to be on the lookout for phishing emails but also to update their programs to newer, more secure versions.


Security Tip of the Month – Saving Passwords

Summary: Passwords are the most common authentication method for users to access sensitive information on their devices. Normally, these passwords are complex and sometimes hard to remember. The problem grows when many sites each require a password to be remembered, which leads to users writing their passwords down somewhere easy to see or reusing the same password across multiple websites. If someone sees a person’s password written out, or learns that they reuse the same password, a malicious person could easily access their accounts. That’s why many companies have come out with products called password managers that take away the stress of remembering multiple passwords. These password managers do not store the passwords in plaintext; instead, they encrypt the passwords to ensure that, in the event of a breach or other failure, they remain safe and secure.

Why it matters: Password managers take the pressure off users from having to remember their passwords. Many people write their passwords on sheets of paper or save them in unencrypted files that can easily be stolen or read. Password managers can also generate complex passwords in an instant. Some can even measure the strength of passwords to ensure that accounts stay secure. Most importantly, they can save old and new complex passwords across devices and browsers, giving users an easier time logging into their chosen websites. These days the number of strong, unique passwords that people normally need is too large to maintain without storing them somewhere. Additionally, certain employers require that passwords be changed every few months. To minimize the difficulty of managing all their passwords, users are recommended to adopt a password manager, which makes logging into their accounts easier while still keeping them secure. While a password manager may be a single point of failure, it is essential given the number of different passwords people have these days.
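Two of the password-manager features mentioned above, generating complex passwords and rating their strength, are small enough to show in full, and the reuse problem from the summary is a third check a manager typically runs over the vault. The following is an added example (not code from any password manager or from this newsletter) that draws passwords from the operating system's cryptographic random source, estimates entropy from the character classes used, and finds sites in a vault that share a password; the vault in `demo()` is constructed.

```python
"""Generate passwords, estimate their strength, and detect reuse across
sites. Added example; the vault in demo() is constructed."""
import math
import secrets
import string

# Character classes and their sizes, used both for generation and estimation.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "punct": string.punctuation,       # 32
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character with secrets.choice (CSPRNG), never random.choice,
    which is predictable and unsuitable for secrets."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password):
    """Estimate entropy as length * log2(pool), where pool is the total size
    of every character class the password touches. This is the usual
    charset heuristic: it rewards length and variety but cannot recognise
    dictionary words or keyboard patterns, so treat it as an upper bound."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def strength(password):
    """Bucket the entropy estimate. Thresholds are a common rule of thumb,
    not a standard."""
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 70:
        return "fair"
    return "strong"


def find_reuse(vault):
    """vault: dict mapping site -> password. Return groups of sites (sorted)
    that share one password; a breach of any site in a group exposes all."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in sites_by_password.values()
                  if len(sites) > 1)


def demo():
    # Constructed vault: two reused entries and one generated password.
    vault = {
        "mail.example": "summer2023",
        "bank.example": "summer2023",
        "shop.example": "Tr0ub4dor&3",
        "work.example": generate_password(20),
    }
    return {site: strength(pw) for site, pw in vault.items()}, find_reuse(vault)


if __name__ == "__main__":
    print(demo())
```

The entropy estimate is deliberately described as an upper bound: "Password1!" touches all four classes and scores about 65 bits by this formula, yet it is a pattern any cracking wordlist contains, which is exactly why managers that rate strength also check against breached-password lists rather than relying on character classes alone.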