Craig Pepper
July 3, 2023
4 Min Read

Threat Report 03.07.23

BlackCat Ransomware Spreads via Fake WinSCP Downloads and New Ransomware Threat Emerges

Cybercriminals associated with the BlackCat ransomware are using malvertising to distribute their malicious software, disguising it as the popular file transfer application WinSCP. Malvertising uses search engine optimization tricks to place fake advertisements on search engine results pages, redirecting unsuspecting users to malicious websites.

In this case, the attackers are targeting people who are searching for WinSCP and tricking them into downloading malware instead. The malware contains a backdoor called Cobalt Strike Beacon, which connects to a remote server for further malicious activities. The attackers also use legitimate tools like AdFind to discover networks and gather information.

Once the attackers gain access to a system, they abuse that access to carry out a range of harmful actions: reconnaissance, lateral movement through the network, bypassing antivirus software, and stealing customer data. They also tamper with security software to avoid detection. Their aim is to gain administrator-level control over the system and set up methods to monitor and control it remotely.

If the attack is not detected and stopped early on, it can cause significant damage to the targeted organisation. The attackers can establish persistent access, making it difficult to remove them completely. This incident highlights how threat actors are exploiting platforms like Google Ads to spread malware.

In another development, cybersecurity company Avast has released a free decryptor tool to help victims of ransomware called Akira recover their data without paying the attackers. Akira, which emerged in March 2023, targets both Windows and Linux systems. It shares some similarities with the Conti v2 ransomware, indicating that the malware authors might have been inspired by leaked Conti sources.

While the Conti/TrickBot syndicate shut down in May 2022, its remnants still exist as smaller entities, using shared infrastructure and tools to distribute new malware strains. Crypters, which encrypt and obfuscate malware to evade detection, are being used to distribute various malware strains by different factions within the group.

Despite the ever-changing nature of the cybercrime landscape, ransomware remains a constant threat. A new ransomware group called Rhysida has emerged, primarily targeting sectors such as education, government, manufacturing, and technology across different regions. Rhysida is still in the early stages of development, but it poses a significant risk to organisations.

It's crucial for individuals and businesses to stay vigilant against these threats, keep their software up to date, use strong passwords, and regularly back up their data. It's also essential to have reliable cybersecurity measures in place to detect and prevent these attacks.

Critical Security Vulnerability in WordPress Plugin Puts 200,000 Websites at Risk

As many as 200,000 WordPress websites are currently vulnerable to ongoing attacks exploiting a critical security flaw in the popular Ultimate Member plugin. Tracked as CVE-2023-3460, the vulnerability allows unauthenticated attackers to create new user accounts with administrative privileges, giving them complete control over affected sites. The flaw affects all versions of the plugin, including the latest release (2.6.6) from June 29, 2023.

The issue stems from inadequate blocklist logic that fails to properly handle user meta values, which lets attackers manipulate the wp_capabilities user meta value and gain administrative access. Although specific details about the vulnerability have been withheld because of active exploitation, researchers have found ways to bypass the implemented filters, so the issue remains actively exploitable.

The plugin maintainers have released partial fixes in versions 2.6.4, 2.6.5, and 2.6.6, but WPScan has discovered several methods to circumvent these patches. Rogue administrator accounts have been observed being added to affected sites, allowing the upload of malicious plugins and themes through the site's administration panel.

Users of the Ultimate Member plugin are strongly advised to disable it until a comprehensive patch is made available. Additionally, it is recommended to conduct an audit of all administrator-level users on affected websites to check for any unauthorised accounts.

On July 1, Ultimate Member released version 2.6.7 to address the actively exploited vulnerability. The update introduces whitelisting for meta keys, enhances form settings, and separates form data from submitted data to improve security. The maintainers also plan to include a new feature that allows website administrators to reset passwords for all users.

It is critical for website administrators to promptly update their Ultimate Member plugin to version 2.6.7 and follow recommended security practices to mitigate the risk of unauthorised access and potential damage to their websites.
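The two points in this story, the blocklist-versus-allowlist design behind CVE-2023-3460 and the recommended audit of administrator accounts, illustrated with added example code that is not Ultimate Member's own. Field names, the "wp_" table prefix, and the two user records are constructed; the record shape is assumed to match WP-CLI's JSON output for `wp user list`.

```python
import json
from datetime import datetime

# Added example (not Ultimate Member's code). Part 1 contrasts the blocklist
# design the advisory describes with the allowlist ("whitelisting for meta keys")
# that 2.6.7 introduces. Field names are constructed; "wp_" is the assumed
# table prefix, so the capabilities meta key is "wp_capabilities".
PROFILE_FORM_FIELDS = {"first_name", "last_name", "description"}  # declared form fields


def blocklist_profile_meta(submitted, blocked=("wp_capabilities",)):
    """Fragile design: store every submitted key except an enumerated few."""
    return {k: v for k, v in submitted.items() if k not in blocked}


def allowlist_profile_meta(submitted):
    """Hardened design: store only keys the form definition declares."""
    return {k: v for k, v in submitted.items() if k in PROFILE_FORM_FIELDS}


# Part 2: the audit the advisory recommends. The records mirror the shape of
# `wp user list --role=administrator --format=json --fields=ID,user_login,user_email,user_registered`
# (WP-CLI); the two accounts below are constructed sample data.
SAMPLE_ADMIN_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-02-10 09:12:44"},
    {"ID": 4821, "user_login": "wpadmin2", "user_email": "x@example.net",
     "user_registered": "2023-06-30 03:41:07"},
])


def unexpected_admins(admin_list_json, known_admin_logins, not_before=None):
    """Return logins of administrators not in the known-admin set, or registered
    on/after `not_before` ("YYYY-MM-DD HH:MM:SS", optional exploitation window start)."""
    cutoff = datetime.strptime(not_before, "%Y-%m-%d %H:%M:%S") if not_before else None
    flagged = []
    for user in json.loads(admin_list_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        unknown = user["user_login"] not in known_admin_logins
        too_recent = cutoff is not None and registered >= cutoff
        if unknown or too_recent:
            flagged.append(user["user_login"])
    return flagged


if __name__ == "__main__":
    posted = {"first_name": "Ada", "wp_capabilities": {"administrator": True},
              "email_verified": "1"}  # "email_verified" is a constructed undeclared key
    print(blocklist_profile_meta(posted))  # drops wp_capabilities but keeps email_verified
    print(allowlist_profile_meta(posted))  # keeps only first_name
    print(unexpected_admins(SAMPLE_ADMIN_LIST, {"siteowner"}))  # ['wpadmin2']
```

The blocklist only stops the keys someone remembered to list; the allowlist stops every key the form never declared, which is why the 2.6.7 change is the durable fix.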

Critical Security Flaw in WordPress Social Login Plugin Exposes User Accounts

A serious security flaw has been found in the Social Login and Register plugin for WordPress developed by miniOrange. This vulnerability, known as CVE-2023-2982, allows attackers to log in as any user by supplying a crafted request built from that user's email address.

The flaw affects all versions of the plugin up to version 7.6.4. It was addressed with the release of version 7.6.5 on June 14, 2023, after responsible disclosure on June 2, 2023. The flaw arises from a hard-coded encryption key used to secure login information from social media accounts. Attackers can create a valid request with an encrypted email address, granting unauthorised access to user accounts, including those with administrative privileges. With over 30,000 sites using this plugin, the impact could be significant.
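Why a key baked into the plugin source cannot protect the login token, shown with added example code that is not miniOrange's. The plugin's encryption is modelled here with an HMAC-signed token; HARDCODED_KEY, the email addresses and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example, not miniOrange's code. The flaw is modelled with an HMAC-signed
# token rather than the plugin's actual encryption: the social-login callback hands
# the site a token naming an email address, and the site logs in whichever account
# owns it. HARDCODED_KEY is a constructed stand-in for a key shipped in the plugin
# source, so it is identical on every installation and readable by anyone.
HARDCODED_KEY = b"constructed-key-shipped-with-plugin"
TAG_LEN = hashlib.sha256().digest_size


def mint_token(email, key, issued_at, ttl=300):
    """Build an email+expiry payload and append an HMAC tag computed under `key`."""
    payload = json.dumps({"email": email, "exp": issued_at + ttl}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(token, key, now):
    """Return the email if the tag verifies under `key` and the token is unexpired."""
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)
    return data["email"] if now < data["exp"] else None


def site_secret():
    """Hardened variant: a per-installation secret generated at install time and
    stored outside the plugin code, so a token minted elsewhere does not verify."""
    return secrets.token_bytes(32)


def accepts_foreign_token(site_key, now=1_700_000_000):
    """Does a site keyed with `site_key` accept a token minted with the shipped key?
    True reproduces the condition the advisory describes; False is the fixed state."""
    token = mint_token("admin@example.com", HARDCODED_KEY, issued_at=now)
    return verify_token(token, site_key, now) is not None
```

The expiry check limits replay but does nothing against the core problem; only moving the key out of the shipped code (or, better, validating the social provider's response server-side instead of trusting a client-supplied email) closes it.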

In addition to this discovery, a high-severity vulnerability was recently found in the LearnDash LMS plugin, affecting over 100,000 active installations. This flaw, identified as CVE-2023-3105, allowed users with existing accounts to reset any user's password, even those with administrator access. The issue has been patched in version 4.6.0.1, released on June 6, 2023.

These findings highlight the importance of regularly updating plugins to the latest versions and being vigilant about potential security risks. Plugin developers are constantly working to patch vulnerabilities, and website administrators must promptly apply these updates to protect their users' accounts and sensitive data.
