Weekly Cyber Reports

This Week in Cyber 07th July 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

6th July, 2023


Malvertising Campaign Distributes BlackCat Ransomware Disguised as WinSCP: A Growing Threat

In a concerning development, threat actors associated with the BlackCat ransomware have employed malvertising tricks to distribute malicious installers disguised as the WinSCP file transfer application. By hijacking keywords and displaying bogus ads on search engine result pages, the attackers redirected users to fake webpages where they unknowingly downloaded a backdoor containing a Cobalt Strike Beacon. This allowed the threat actors to gain unauthorized access, conduct reconnaissance, move laterally, and exfiltrate data. The incident underscores the importance of user vigilance and robust security measures to counter malvertising-based malware distribution.

Critical Unpatched WordPress Plugin Flaw Exposes 200,000 Websites to Secret Admin Account Exploitation

An alarming security vulnerability has emerged in the widely used Ultimate Member plugin for WordPress, leaving approximately 200,000 websites at risk. Tracked as CVE-2023-3460, the flaw allows unauthenticated attackers to exploit inadequate blocklist logic and create new user accounts with full administrative privileges, giving them complete control over compromised websites. WPScan researchers found the plugin's earlier partial fixes insufficient and urged website administrators to temporarily disable the plugin and review administrator-level users for unauthorized accounts. Ultimate Member has since released version 2.6.7, which fixes the vulnerability and introduces a feature enabling administrators to reset passwords for all users. Vigilance, regular updates, strong access controls, and monitoring are essential to protect websites from cyber threats and mitigate the risks posed by such security flaws.


Critical RCE Flaw (CVE-2023-27997) Leaves 330,000 FortiGate Firewalls Unpatched

A critical security flaw known as CVE-2023-27997, or XORtigate, has put approximately 330,000 FortiGate firewalls at risk. This vulnerability affects Fortinet devices and has already been exploited in the wild. According to cybersecurity firm Bishop Fox, about 69 percent of the nearly 490,000 Fortinet SSL-VPN interfaces exposed on the internet remain unpatched. Fortinet released patches for this vulnerability last month in versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. However, the company acknowledged that the flaw may have already been exploited in certain cases, particularly targeting government, manufacturing, and critical infrastructure sectors. Bishop Fox's analysis revealed that only 153,414 of the discovered appliances had been updated to a patched FortiOS version. Additionally, many publicly accessible Fortinet devices had not received updates for the past eight years, running on outdated FortiOS versions 5 and 6. Considering the lucrative nature of exploiting Fortinet devices, it is crucial for users to promptly update to the latest version available to mitigate the risks associated with this vulnerability.
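The summary above names the fixed FortiOS releases per branch. As an added example (not from the article, Fortinet or Bishop Fox), the script below turns that list into a triage check that a defender can run over an exported firewall inventory: it parses version strings, compares each against the minimum fixed release for its branch, and reports branches the article does not list (such as the outdated 5.x builds) as out of scope rather than guessing. The hostnames and versions in the sample inventory are constructed.

```python
# Added example: triage FortiOS versions against the CVE-2023-27997 fixed releases.
# Not from the original article; the inventory below is constructed sample data.
import re
from typing import Dict, Iterable, List, Tuple

# Minimum fixed release per branch, exactly as listed in the article.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '7.0.12' or 'v7.0.12' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-or-unknown' for one version."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # Branches the article does not list (e.g. 5.x) get no fix here; flag
        # them for manual review instead of guessing a patch level.
        return "unsupported-or-unknown"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs by patch status; unparsable versions are flagged."""
    result: Dict[str, List[str]] = {
        "patched": [],
        "vulnerable": [],
        "unsupported-or-unknown": [],
    }
    for host, version in inventory:
        try:
            result[assess(version)].append(host)
        except ValueError:
            result["unsupported-or-unknown"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("fw-edge-01", "7.0.12"),
        ("fw-edge-02", "7.0.11"),
        ("fw-branch", "v6.4.13"),
        ("fw-legacy", "5.6.14"),
        ("fw-unknown", "n/a"),
    ]
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The comparison is per branch on purpose: a 6.4.13 box is fixed even though 7.2.5 is numerically higher, and a 7.0.11 box is still exposed even though it runs a newer major line than 6.4.13.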


New Proxyjacking Campaign: Cybercriminals Exploit Vulnerable SSH Servers

A financially motivated campaign is targeting vulnerable SSH servers to covertly incorporate them into a proxy network. Attackers gain remote access over SSH and use malicious scripts to enroll victim servers in a peer-to-peer (P2P) proxy network such as Peer2Profit or Honeygain. Unlike cryptojacking, proxyjacking leverages the victim's unused bandwidth to discreetly run various services as a P2P node. This strategy lets the attackers monetize excess bandwidth with a reduced resource load and a lower chance of detection. However, the anonymity provided by proxyware services can also be exploited to obfuscate the source of attacks. Discovered by Akamai researcher Allen West on June 8, 2023, the campaign breaches vulnerable SSH servers and deploys an obfuscated Bash script that fetches dependencies from a compromised web server. The script camouflages the curl command-line tool as a CSS file and terminates competing instances of bandwidth-sharing programs before launching Docker services that use the victim's bandwidth for financial gain. The server hosting the payload was also found to host a cryptocurrency miner, indicating involvement in both cryptojacking and proxyjacking. While proxyware itself is not inherently malicious, some companies offering such services lack proper verification of IP sourcing and occasionally suggest installing the software on work computers. Unauthorized installations enable threat actors to control multiple systems and generate illegitimate revenue. West emphasizes the importance of strong passwords, patch management, and meticulous logging as effective preventive measures against these attacks.
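The campaign's entry point is remote access to weakly configured SSH servers, and the recommended countermeasures are strong credentials and good logging. As an added example (not from the article or Akamai), the script below audits an OpenSSH `sshd_config` for the settings a defender would check first: password and root login, empty passwords, key-based authentication, login verbosity, and the authentication-attempt limit. The audit applies sshd's rule that the first occurrence of a keyword wins, fills in OpenSSH's documented defaults for keywords that are absent, and stops at the first `Match` block, which this example does not model. The two configuration texts are constructed samples, and the choice of checked settings is the example's own, not a list from the article.

```python
# Added example: audit an sshd_config for settings that invite credential-based
# intrusion. Not from the original article; sample configs below are constructed.
import re
from typing import Dict, List

# OpenSSH defaults for the keywords we audit, used when a keyword is absent.
DEFAULTS: Dict[str, str] = {
    "PasswordAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "PermitEmptyPasswords": "no",
    "PubkeyAuthentication": "yes",
    "LogLevel": "INFO",
    "MaxAuthTries": "6",
}

# Audit policy (this example's choice): key-only auth, no root login,
# VERBOSE logging so key fingerprints are recorded, and few auth attempts.
MAX_AUTH_TRIES_ALLOWED = 3


def effective_settings(config_text: str) -> Dict[str, str]:
    """Resolve the effective value of each audited keyword (first occurrence wins)."""
    seen: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional blocks are out of scope for this example
        seen.setdefault(key, value)  # sshd keeps the first occurrence
    return {k: seen.get(k.lower(), default) for k, default in DEFAULTS.items()}


def audit(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means the config passes this policy."""
    eff = effective_settings(config_text)
    findings: List[str] = []
    if eff["PasswordAuthentication"].lower() != "no":
        findings.append("PasswordAuthentication should be 'no' (use key-based logins)")
    if eff["PermitRootLogin"].lower() != "no":
        findings.append("PermitRootLogin should be 'no'")
    if eff["PermitEmptyPasswords"].lower() != "no":
        findings.append("PermitEmptyPasswords must be 'no'")
    if eff["PubkeyAuthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication should be 'yes'")
    if eff["LogLevel"].upper() != "VERBOSE":
        findings.append("LogLevel should be 'VERBOSE' to log key fingerprints")
    try:
        if int(eff["MaxAuthTries"]) > MAX_AUTH_TRIES_ALLOWED:
            findings.append(f"MaxAuthTries should be <= {MAX_AUTH_TRIES_ALLOWED}")
    except ValueError:
        findings.append("MaxAuthTries is not a number")
    return findings


# Constructed sample: a permissive config of the kind this campaign preys on.
WEAK_CONFIG = """
# constructed sample sshd_config, not from any real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
LogLevel INFO
MaxAuthTries 10
"""

# Constructed sample: the same host after hardening.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
LogLevel VERBOSE
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or 'no findings'}")
```

Run it against a live host with `audit(open("/etc/ssh/sshd_config").read())`; for the authoritative effective configuration, including `Match` blocks and included files, compare its output with `sshd -T` on the host itself.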

