News Digest: Significant Events From the Cybersecurity World [July 2022]
Two-thirds of the summer has passed! And along with it, many events have happened in the world of cybersecurity.
Let’s talk about the most significant ones today in this article.
Our previous June digest is here.
1. Millions of WordPress sites can be hijacked because of a single plugin
Researchers from Defiant have discovered a large-scale campaign during which attackers scanned about 1.6 million WordPress-based sites. Hackers were looking for a vulnerable Kaswara Modern WPBakery Page Builder plugin that allows you to upload files without authentication.
The fact is that the Kaswara Modern WPBakery Page Builder plugin was abandoned by the author some time ago, and after that a critical vulnerability, CVE-2021-24284, was found in it.
Scans occur as follows: attackers send a POST request to wp-admin/admin-ajax/php, trying to use the AJAX function of the uploadFontIcon plugin to upload a malicious payload (a ZIP file containing a PHP file).
Defiant analysts report that 1,599,852 unique sites have already been scanned, although only a small part of them actually used the vulnerable plugin.
2. The account data of more than 5.4 million Twitter users sold online for $30,000
In July, an announcement appeared on the internet about the sale of personal data of 5.4 million Twitter users. The vulnerability that probably led to the leak has already been fixed by the company.
A user with the nickname “Devil” posted an announcement on one of the forums about the sale of personal data of 5,485,636 Twitter users for $30,000. The attacker reports that the data was obtained using a social network vulnerability, and the array of data includes email addresses, phone numbers, and accounts of a variety of people, including celebrities.
Twitter has not yet confirmed the data leak. The company said that they are investigating the authenticity of the allegations and will do everything to ensure the security of the accounts. Journalists checked and confirmed the authenticity of the data of a few users submitted by the hacker. But it is not known whether all 5.4 million records are reliable.
Even though most of the data being sold is publicly available, attackers can use such collections of email addresses and phone numbers in targeted phishing attacks.
What’s wrong with a Twitter purchase? Read more here.
3. Elon Musk declined to buy Twitter
Elon Musk has officially declined to acquire Twitter. His representatives have already sent the management a letter of termination of the contract.
The reason is a violation of the contract on the part of the social network. They also made several “false and misleading” statements during the negotiations, according to Musk. He is sure that the number of bots on the social network is “incredibly high,” although employees claim it is only about 5% of active users per day.
At the same time, according to the head of Tesla, they refused to provide up-to-date information about bots.
Musk’s lawyer also claims that Twitter violated the agreement when it fired the vice president of finance and a third of its recruitment team.
Twitter chairman of the board of directors Bret Taylor said in response to the decision that the company would sue Musk. As a result, he will be obliged to either complete the transaction that has begun or pay a penalty of $1 billion.
The claim will be considered in a Delaware court. Meanwhile, Musk banned Tesla employees from discussing the deal and sending tweets related to the situation.
4. Uniswap lost $8 million due to a phishing attack
Uniswap is one of the world’s leading crypto exchanges. It works using a decentralized network protocol. This makes it possible to simplify automatic transactions between the Ethereum blockchain when using smart contracts.
Visitors to the crypto exchange regularly use blockchain browsers like etherscan.io to obtain information and make a decision on the feasibility of investing in certain tokens. Hackers took advantage of this to commit theft, misleading investors on the exchange, providing them with false information, and forcing them to believe in the legality of the token/contract.
In this situation, cyber criminals created a simple ERC20 token, transferring it “free of charge” to users with UNI tokens. This was done to lure the victims of the fraudulent scheme to a hacker site. Etherscan.io considers the distribution transaction legal, so the phishing campaign was implemented.
The investor clicks on the token, after which the gullible user is connected to the phishing site. By using the “Click here to apply” button, the user provides hackers with full access to their accounts. As a result, theft on a particularly large scale became possible.
Read more about Uniswap security here.
5. New ransomware masquerades as a Google update
Malicious actors are increasingly using fake Microsoft and Google software updates to try to inject malware into targeted systems.
The malware’s command-and-control server (C2) is hosted on the Microsoft Internet Hosting IP address, which is quite rare for ransomware, according to Development Micro.
In addition, the many methods of HavanaCrypt to check whether it is operating in a virtual environment should be noted. The malware uses code from an open-source key manager when encrypting, as well as using an internet operator called “QueueUserWorkItem” to speed up encryption.
Development Micro states that the malware is probably still under development because it does not send ransom notes to the systems it infects.
HavanaCrypt is one of a growing number of ransomware and other malware that has been spreading in recent months in the form of bogus updates for Windows 10, Microsoft Exchange, and Google Chrome.
In May, security researchers discovered that a ransomware program known as “Magniber” was impersonating Windows 10 updates. Earlier this year, Malwarebytes researchers noticed that operator using the Magnitude exploit kit were trying to trick users into downloading it, turning malware into a replacement for Microsoft Edge.
Is Google secure and private tool? Learn more here.