Tag: hackers

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor
News

Under the guise of fake browser updates, a Windows backdoor known as BadSpace is being distributed via legitimate but compromised websites. According to a report from German cybersecurity company G DATA, the threat actor uses a multi-stage attack chain that includes an infected website, a command-and-control (C2) server, a JScript downloader, and occasionally a fake browser update to install the backdoor on the victim's machine. Researchers Gi7w0rm and Kevross33 first disclosed details of the malware last month. The first step in the process is to compromise a website, including sites running WordPress, and inject code containing logic that determines whether a visitor has already been to the site...
Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack
News

According to information released by the MITRE Corporation, the threat actor behind the cyberattack that targeted the non-profit organization in late December 2023 used rogue virtual machines (VMs) in its VMware environment to take advantage of zero-day vulnerabilities in Ivanti Connect Secure (ICS). According to MITRE researchers Lex Crumpton and Charles Clancy, the adversary used compromised vCenter Server access to create their own rogue VMs inside the VMware environment. They developed and deployed BEEFLUSH, a JSP web shell, under the Tomcat server of vCenter Server to run a Python-based tunneling tool, enabling SSH connections between the adversary-created VMs and the ESXi hypervisor infrastructure. By hiding their malicious activity from centralized manage...
Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites
News

Threat actors are actively exploiting a high-severity vulnerability in the WordPress plugin LiteSpeed Cache to create rogue administrator accounts on vulnerable websites. The information comes from WPScan, which reported that fake admin users named wpsupp-user and wp-configuser had been created using the vulnerability (CVE-2023-40000, CVSS score: 8.3). Patchstack discovered CVE-2023-40000, a stored cross-site scripting (XSS) vulnerability that could allow an unauthorized user to escalate privileges through specially crafted HTTP requests. Version 5.7.0.1, released in October 2023, fixed the vulnerability. It's important to remember that the plugin was last updated...
Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications
News

To avoid detection, threat actors are increasingly weaponizing the Microsoft Graph API. This is done to "enable communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," according to a report shared with The Hacker News by the Symantec Threat Hunter Team, a division of Broadcom. Several nation-state-aligned hacking groups have been observed using the Microsoft Graph API for C&C since January 2022, including threat actors tracked as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig. Before its widespread use, abuse of the Microsoft Graph API was first observed in June 2021 in connection with an activity cluster known as Harvester. The activity cluster was using a custom implant called Graphon, which used the API to...
Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites
News

A serious security vulnerability in the WordPress plugin WP-Automatic is being actively targeted by threat actors, with the potential to enable site takeovers. The vulnerability, tracked as CVE-2024-27956, has a CVSS score of 9.9 out of 10 and affects all plugin versions older than 3.9.2.0. According to a WPScan advisory this week, this vulnerability, a SQL injection (SQLi) flaw, presents a serious risk because it allows attackers to create admin-level user accounts, upload malicious files, and potentially take complete control of compromised websites. The problem, according to the Automattic-owned firm, stems from the plugin's user authentication mechanism, which can be easily bypassed to run arbitrary SQL queries against the database using specially crafted request...
Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
News

The recently discovered zero-day vulnerability in Palo Alto Networks PAN-OS software has been exploited by threat actors since March 26, 2024, more than three weeks before its discovery yesterday. Under the moniker Operation MidnightEclipse, the network security company's Unit 42 division is tracking the activity and attributing it to a single threat actor of unknown origin. This command injection vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), allows unauthenticated attackers to run arbitrary code on the firewall with root privileges. It is important to note that this problem only affects firewall installations running PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 with GlobalProtect gateway and device telemetry enabled...
Hackers deploy crypto drainers on thousands of WordPress sites
News

Fake NFT and discount pop-ups are now appearing on around 2,000 compromised WordPress websites, tricking users into connecting their wallets to cryptocurrency drainers that automatically steal their funds. Last month, the website security company Sucuri revealed that hackers had compromised almost 1,000 WordPress sites in order to spread cryptocurrency drainers through YouTube videos and malvertising. It is thought that when their initial campaign proved unsuccessful, the threat actors started using new scripts on the hacked websites to turn visitors' web browsers into instruments for brute-forcing admin passwords on other websites. Approximately 1,700 websites were targeted for brute-forcing in these attacks; well-known examples include the website of Ecuador's Associati...
Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites
News

It has been discovered that malicious actors are exploiting a serious weakness in Magento to inject a persistent backdoor into e-commerce websites. According to Adobe, the attack makes use of CVE-2024-20720 (CVSS score: 9.1), a case of "improper neutralization of special elements" that may allow arbitrary code execution. The company addressed it in security patches released on February 13, 2024. According to Sansec, it found a cleverly crafted layout template in the database that is used to automatically inject malicious code to execute arbitrary commands. According to the firm, attackers combine the Magento layout parser with the beberlei/assert package, which is installed by default, to execute system commands...
CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability
News

Based on evidence of active exploitation in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw affecting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog. This critical remote code execution vulnerability, tracked as CVE-2023-24955 (CVSS score: 7.2), enables arbitrary code execution by an authenticated attacker with Site Owner privileges. An authenticated attacker with Site Owner privileges could remotely execute code on the SharePoint Server through a network-based attack, according to an advisory from Microsoft. Microsoft fixed the vulnerability in its May 2023 Patch Tuesday updates. The addition comes more than two months after CISA included CVE-2023-29357, a SharePoint Server privilege escalation vulnerabili...
Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks
News

Once again demonstrating how legitimate services are repurposed for malicious ends, threat actors are using digital document publishing (DDP) sites hosted on platforms such as FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for phishing, credential harvesting, and session token theft. According to Cisco Talos researcher Craig Jackson, hosting phishing lures on DDP sites increases the chance of a successful phishing attack because these sites frequently have a good reputation, are unlikely to appear on web filter blocklists, and may give users a false sense of security if they recognize them as reputable or familiar. Although adversaries have previously hosted phishing documents on well-known cloud-based services like Google Drive, OneDrive, Dropbox,...