WordPress administrators are being emailed fake WordPress security advisories for a fictitious vulnerability tracked as CVE-2023-45124 to infect sites with a malicious plugin.
The campaign has been caught and reported by WordPress security experts at Wordfence and PatchStack, who published alerts on their sites to raise awareness.
Fake WordPress update
The emails pretend to be from WordPress, warning that a new critical remote code execution (RCE) flaw in the platform was detected on the admin’s site, urging them to download and install a plugin that allegedly addresses the security issue.
Phishing email impersonating a WordPress security advisory
Clicking on the email’s ‘Download Plugin’ button takes the victim to a fake landing page at ‘en-gb-wordpress[.]org’ that looks identical to the legitimate ‘wordpress.com’ site.
Fake WordPress landing page
The entry for the fake plugin shows a likely inflated download count of 500,000, along with multiple phony user reviews elaborating on how the patch restored their compromised site and helped them thwart hacker attacks.
The vast majority of the user reviews are five-star reviews, but four-, three-, and one-star reviews are thrown in to make it appear more realistic.
Fake user reviews
Upon installation, the plugin creates a hidden admin user named ‘wpsecuritypatch’ and sends information about the victim to the attackers’ command and control server (C2) at ‘wpgate[.]zip.’
Next, the plugin downloads a base64-encoded backdoor payload from the C2 and saves it as ‘wp-autoload.php’ in the website’s webroot.
The backdoor features file management capabilities, a SQL client, a PHP console, and a command line terminal and displays detailed information about the server environment to the attackers.
Backdoor functionality
The malicious plugin hides itself from the list of installed plugins, so a manual search on the site’s root directory is required to remove it.
Code to hide the admin user and the malicious plugin
At this time, the operational goal of the plugin remains unknown.
However, PatchStack speculates that it might be used for injecting ads on compromised sites, performing visitor redirection, stealing sensitive information, or even blackmailing owners by threatening to leak their website’s database contents.
In cooperation with Europol and Eurojust, law enforcement agencies from seven nations have arrested in Ukraine the core members of a ransomware group linked to attacks against organizations in 71 countries.
The cybercriminals paralyzed major corporations’ operations in attacks using ransomware such as LockerGoga, MegaCortex, HIVE, and Dharma.
“After remaining undetected in the compromised systems, sometimes for months, the criminals would deploy different types of ransomware, such as LockerGoga, MegaCortex, HIVE or Dharma,” Eurojust said.
“A ransom note was then presented to the victim to pay the attackers in bitcoin in exchange for decryption keys.”
Roles within this criminal network varied significantly: some members breached IT networks, while others reportedly helped launder the cryptocurrency payments made by victims to decrypt their files.
The attackers gained access to their targets’ networks by stealing user credentials in brute force and SQL injection attacks, as well as using phishing emails with malicious attachments.
Once in, they used tools like TrickBot malware, Cobalt Strike, and PowerShell Empire to move laterally and compromise other systems before triggering previously deployed ransomware payloads.
The investigation unveiled that this organized group of ransomware affiliates encrypted more than 250 servers of major corporations, leading to losses exceeding several hundred million euros.
Ransomware gang arrests in Ukraine
On November 21st, coordinated raids at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia resulted in the arrest of the group’s 32-year-old mastermind and the capture of four accomplices.
Over 20 investigators from Norway, France, Germany, and the United States helped the Ukrainian National Police with the investigation in Kyiv. Europol also set up a virtual command center in the Netherlands to process the data seized during the house searches.
“With the support of the TOR special unit, law enforcement officers conducted more than 30 authorized searches in the premises and cars of the suspects in Kyiv region, as well as in Cherkasy, Rivne, and Vinnytsia regions,” the National Police of Ukraine’ Department of Cyber Police said today [automated translation].
“Computer equipment, cars, bank and SIM cards, ‘draft’ records, as well as dozens of electronic media and other evidence of illegal activities were seized. In particular, almost 4 million hryvnias and cryptocurrency assets.”
This operation follows other arrests in 2021 as part of the same law enforcement action when police detained 12 more suspects part of the same ransomware group linked to attacks against 1,800 victims in 71 countries.
As the investigation revealed two years ago, the attackers deployed LockerGoga, MegaCortex, and Dharma ransomware. They also used malware like Trickbot and post-exploitation tools such as Cobalt Strike in their attacks.
Subsequent efforts at Europol and in Norway focused on analyzing data on devices seized in Ukraine in 2021 and helped identify additional suspects arrested one week ago in Kyiv.
Free LockerGoga and MegaCortex ransomware decrypters
The forensic analysis also allowed Swiss authorities to develop decryption tools for the LockerGoga and MegaCortex ransomware variants in collaboration with No More Ransom partners and Bitdefender.
This international police action was initiated by French authorities in September 2019 and focuses on locating threat actors in Ukraine and bringing them to justice with the help of a joint investigation team (JIT) comprising Norway, France, the United Kingdom, and Ukraine, with financial support from Eurojust and collaborating with Dutch, German, Swiss, and U.S. authorities.
The list of participating law enforcement agencies includes:
Norway: National Criminal Investigation Service (Kripos)
France: Public Prosecutor’s Office of Paris, National Police (Police Nationale – OCLCTIC)
Netherlands: National Police (Politie), National Public Prosecution Service (Landelijk Parket, Openbaar Ministerie)
Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України)
Germany: Public Prosecutor’s Office of Stuttgart, Police Headquarters Reutlingen (Polizeipräsidium Reutlingen) CID Esslingen
Switzerland: Swiss Federal Office of Police (fedpol), Polizei Basel-Landschaft, Public Prosecutor’s Office of the canton of Zurich, Zurich Cantonal Police
United States: United States Secret Service (USSS), Federal Bureau of Investigation (FBI)
Europol: European Cybercrime Centre (EC3)
Eurojust
“In an unprecedented effort, law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend in Ukraine key figures behind significant ransomware operations wreaking havoc across the world,” Europol said.
“The operation comes at a critical time, as the country grapples with the challenges of Russia’s military aggression against its territory.”
https://www.fiber.net/wp-content/uploads/2023/11/law-enforcement-arrest-bright.webp9001600Fibernet Support/wp-content/uploads/2024/03/logo.svgFibernet Support2023-11-28 15:07:252024-03-25 17:11:21Police Dismantle Ransomware Group Behind Attacks in 71 Countries
Today, Microsoft shared a temporary fix for a known issue causing Outlook Desktop to crash when sending emails from Outlook.com accounts.
This confirms customer reports regarding crashing issues when using Outlook.com accounts shared on Microsoft’s community website and other social networks since last Monday, November 20.
According to online reports, restarting, repairing Outlook, reinstalling the application, and creating a fresh Outlook profile for the impacted email account fails to address the issue.
“I’ve tried everything (safe mode, new profile, repair pst, even up to and including a system restore to attempt to roll back a previous installation) to no avail,” one of the affected users said.
These problems only affect Outlook for Microsoft 365 users and those in the Current Channel (Preview) channel using Outlook build 17029.20028.
“The issue is fixed in future builds 17029.20052+. However, this build has not been released yet,” Microsoft said.
While a limited number of customers did report they had successfully worked around this known issue by reinstalling Office, Microsoft suggests reverting to an earlier version.
To do that, type Command Prompt in the Windows search box, right-click Command Prompt and click Run as administrator.
Next, paste the following commands into the Command Prompt window and hit Enter after each:
cd %programfiles%\Common Files\Microsoft Shared\ClickToRun
officec2rclient.exe /update user updatetoversion=16.0.16924.20124
Redmond also started rolling out fixes last week for some of the customers affected by another known Microsoft 365 issue behind ‘Something Went Wrong [1001]’ sign-in errors, rendering desktop Office apps unusable for many affected users.
These ongoing login issues impact customers using Excel, Word, Outlook, and PowerPoint for Microsoft 365, Microsoft 365 Apps for business, and Office apps for iOS and Android, as the company confirmed over a month ago.
Previously, it fixed another bug causing significant delays for Microsoft 365 customers when saving attachments in Outlook Desktop to a network share.
Earlier this year, Microsoft tackled various other Outlook issues, including ones blocking Microsoft 365 customers from accessing emails and calendars and causing slow starts and freezes during cache re-priming.
https://www.fiber.net/wp-content/uploads/2024/03/Outlook.webp9001600Fibernet Support/wp-content/uploads/2024/03/logo.svgFibernet Support2023-11-28 15:04:242024-03-25 17:11:28Microsoft Shares Temp Fix for Outlook Crashes When Sending Emails
Passwords have long been used as the primary gatekeepers of digital security, yet they can also be a weak link in the chain.
According to IBM’s 2023 Cost of a Breach report, phishing (16%) and stolen credentials (15%) are still the most common initial attack vectors for cyber-attacks. Stealing and selling credentials is a lucrative business for cybercriminals – it’s not something they’ll be given up on anytime soon.
An organization’s first step should be to tighten up their password policies and stop end-users from choosing the weak and vulnerable passwords, with common patterns and easily guessable phrases.
But as Specops research shows, 83% of compromised passwords actually satisfy the password length and complexity requirements of regulatory password standards.
IT teams also need a way to scan Active Directories for passwords that have become compromised – before they’re used by attackers.
Why check for breached passwords?
Enforcing strong, longer passwords is crucial to help protect end-users against brute force, dictionary, and hybrid attacks. However, strong passwords can still become compromised. For example, people can be targeted with phishing attacks that trick them into giving up their credentials.
From that point on, the password is compromised until it is changed, which can often be too late – especially if the end-user or organization has no idea the initial credential theft has even occurred.
This risk is exacerbated through password reuse. Organizations can guide their employees through training and control the kinds of passwords they make at work, but they can’t stop them reusing the passwords in their personal lives.
This is particularly problematic if the personal devices and applications they use have weak security or are accessed via unsecured networks. A Google survey found that 66% of Americans reuse their passwords across more than one online account.
Without a tool to check for compromised passwords, it can take organizations a long time to discover they have a problem. IBM estimate it takes nearly a year on average to detect a breach from stolen or compromised credentials.
It’s risky to wait for end-users’ passwords to expire or relying on being able to spot the early signs of an attack through other measures.
These factors all underscore the urgency of being able to discover compromised passwords within your Active Directory.
How to find compromised passwords
There are manual ways to export passwords from your Active Directory and cross-reference them against publicly available lists of breached passwords. However, using a third party tool is far quicker and easier.
And in the case of Specops Password Auditor, it’s free tool. Specops Password Auditor is a powerful tool that can help you quickly identify and mitigate password-related vulnerabilities within your Active Directory.
Using Specops Password Auditor is straightforward. Simply download your free tool and follow these steps:
Run Specops Password Auditor: After installation, launch Specops Password Auditor and allow it to scan your Active Directory.
Analyze the report: It generates comprehensive reports that highlight user and password policy information. Pay special attention to the section on accounts using compromised passwords.
Act: Once you’ve identified compromised passwords, prompt users to change them immediately. This step is vital in preventing unauthorized access to your systems.
Beyond identifying compromised passwords, Specops Password Auditor equips you with knowledge about the overall state of your password policies and user accounts, identifying blank passwords, breached passwords, identical passwords, admin accounts, delegable admin accounts, stale admin accounts, stale user accounts, user accounts with the control flag for not requiring a password set/password never expires, expired or expiring passwords, password age, and when passwords were last changed.
Armed with this information, you can make informed decisions to enhance your organization’s access security.
Automating breached password checks
Specops Password Auditor offers a great initial health check of your Active Directory by cross-referencing against 950 million known compromised passwords. It helps to inform you where your password policy needs improving and where your password-related vulnerabilities lie.
The next step is building a stronger password policy and automating the process of checking for compromised passwords. This is where a more advanced tool such as Specops Password Policy comes in.
Once you’ve identified compromised credentials and vulnerabilities using Specops Password Auditor report, you can bolster your organization’s password security further using Specops Password Policy.
Specops Password Policy enforces password length and complexity while preventing the use of common character types at the beginning or end of passwords and consecutively repeated characters.
To facilitate the creation of stronger yet memorable passwords, it supports passphrases, a combination of words that may seem unrelated, making them both easier for users to remember and harder for hackers to decipher.
Specops Password Policy with Breached Password Protection feature, checks your Active Directory against a list of 3 billion unique weak and known compromised passwords – including those being used right now in attacks on Specops’ honeypot accounts.
On top of that, if continuous scan is activated, users will be alerted by SMS or email as soon as their password has been discovered to be compromised and forced to change it. Our research team’s attack monitoring data collection systems update the service daily to ensure your network is protected from real-world password attacks.
Secure your business against breached passwords today
Compromised credentials offer attackers an easy route into your organization – it’s too risky to not have visibility over whether your end-users have been involved in breaches.
Start on boosting your access security with a free audit of your Active Directory for password-related vulnerabilities.
And if you’re interested in automating the process and securing against a constantly updated list of over 3 billion unique weak and compromised passwords, give Specops Password Policy a trial.
https://www.fiber.net/wp-content/uploads/2024/03/specops-compromised-passwords.jpg9001600Fibernet Support/wp-content/uploads/2024/03/logo.svgFibernet Support2023-11-16 13:38:502024-03-25 17:11:37Are Your End-users’ Passwords Compromised? Here’s How to Check
The Microsoft AI research division accidentally leaked dozens of terabytes of sensitive data starting in July 2020 while contributing open-source AI learning models to a public GitHub repository.
Almost three years later, this was discovered by cloud security firm Wiz whose security researchers found that a Microsoft employee inadvertently shared the URL for a misconfigured Azure Blob storage bucket containing the leaked information.
Microsoft linked the data exposure to using an excessively permissive Shared Access Signature (SAS) token, which allowed full control over the shared files. This Azure feature enables data sharing in a manner described by Wiz researchers as challenging to monitor and revoke
When used correctly, Shared Access Signature (SAS) tokens offer a secure means of granting delegated access to resources within your storage account.
This includes precise control over the client’s data access, specifying the resources they can interact with, defining their permissions concerning these resources, and determining the duration of the SAS token’s validity.
“Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible. These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal,” Wiz warned today.
“In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”
38TB of private data exposed via Azure storage bucket
The Wiz Research Team found that besides the open-source models, the internal storage account also inadvertently allowed access to 38TB worth of additional private data.
The exposed data included backups of personal information belonging to Microsoft employees, including passwords for Microsoft services, secret keys, and an archive of over 30,000 internal Microsoft Teams messages originating from 359 Microsoft employees.
In an advisory on Monday by the Microsoft Security Response Center (MSRC) team, Microsoft said that no customer data was exposed, and no other internal services faced jeopardy due to this incident.
Wiz reported the incident to MSRC on June 22nd, 2023, which revoked the SAS token to block all external access to the Azure storage account, mitigating the issue on June 24th, 2023.
“AI unlocks huge potential for tech companies. However, as data scientists and engineers race to bring new AI solutions to production, the massive amounts of data they handle require additional security checks and safeguards,” Wiz CTO & Cofounder Ami Luttwak told BleepingComputer.
“This emerging technology requires large sets of data to train on. With many development teams needing to manipulate massive amounts of data, share it with their peers or collaborate on public open-source projects, cases like Microsoft’s are increasingly hard to monitor and avoid.”
BleepingComputer also reported one year ago that, in September 2022, threat intelligence firm SOCRadar spotted another misconfigured Azure Blob Storage bucket belonging to Microsoft, containing sensitive data stored in files dated from 2017 to August 2022 and linked to over 65,000 entities from 111 countries.
SOCRadar also created a data leak search portal named BlueBleed that enables companies to find out if their sensitive data was exposed online.
Microsoft later added that it believed SOCRadar “greatly exaggerated the scope of this issue” and “the numbers.”
https://www.fiber.net/wp-content/uploads/2024/03/microsoft-azure.jpg8001600Fibernet Support/wp-content/uploads/2024/03/logo.svgFibernet Support2023-11-16 13:35:352024-03-25 17:11:44Microsoft Leaks 38TB of Private Data Via Unsecured Azure Storage
Choosing colocation service providers means knowing the propensity of natural disasters where data centers are located. Fortunately for Utah Fibernet seekers, this state is ranked by WalletHub as the third safest in the nation. (For those interested, Utah is also the second safest state for “workplace safety” and fourth safest for “driving safety.”) Knowing how likely a natural disaster is can play a critical role in choosing your data center location. Data centers, including colocation data centers, are built with safeguarding akin to Fort Knox, but nothing is truly indestructible. Clients can find more security in a data center than they could manage on their own—unless you have a really big budget and safety know-how—which is why colocation data centers are so desirable.
In Utah, there are still possibilities for natural disasters just like there are anywhere else. You’ll find preparedness information on the State of Utah website, and it’s worth knowing what the most “common” natural disasters may be, starting with earthquakes. You might not think “earthquakes” when you hear Utah, but the state is located along a major fault line. This means the earth’s crust isn’t very strong in this area, and sometimes fault lines are caused by a geologic break after mountain blocks have been bolstered up naturally in comparison to dipping valleys—which pretty much sums up the landscape of many places in Utah.
Not All “Natural” Things are Good
Spanning from Malad City to Fayette, Utah County boasts a big fault line that runs below a number of residential and business areas. Currently, geologists say that it’s feasible for a 7.5 earthquake to hit this area. The good news is that there are many things businesses can do to prepare for an earthquake, and a good colocation data center will be built to withstand such a disaster. However, earthquakes don’t “just” cause structural damage. They also often leak during power outages, which is why colocation data centers should feature redundant power with generators.
Another possible natural disaster in the state is floods. Flash floods are a potential problem in every single state, but they’re relatively more common in Utah than in some other states. Obviously, the areas with the biggest vulnerabilities are at the bottom of steep slopes, close to stream valleys, and near any natural water source. Hopefully, your colocation service provider built a data center that’s not in a high-risk flood zone (feel free to ask them). It’s best to physically visit the data center if possible to see just what kind of preparation work has been made in case of a flood.
Where the Wild Things Are: Utah
Floods and landslides go hand in hand. Again, landslides are most common near steep slopes. You don’t want a data center nestled at the base of the Wasatch Mountains, for example. Similar precautions should be made for landslides, including avenues for guiding water away from the data center. There are also wildfires to contend with. A state rich in natural beauty and known for sometimes sizzling summers of course can be vulnerable to wildfires. Data centers should be “fireproof” and located in an area far from “kindling” (even if it means the outside landscaping is rather boring).
Finally, there is the risk of an avalanche. A state beloved for skiing, snowboarding, and other winter sports is going to come with an avalanche risk. These can be particularly troublesome during a quick spring thaw, but shouldn’t impact your data center unless it’s located in a mountainous region. There are avalanche zones in Utah, and of course, your data center should not be located in one of these.
Compared to most other states, Utah doesn’t face many natural disasters. There are also regions of the state more prone to natural disasters than others. When shopping around for a colocation provider, make sure to ask the actual address of the data center, if there have been any natural disasters in recent history, and do your due diligence to make sure the likelihood of a natural disaster is slim. There are never any guarantees, but it’s not very wise to choose a colocation provider with a data center in the middle of the woods (wildfires), in a ski resort town (avalanches), or at the bottom of a slope (floods and landslides). Common sense can go a long way—as can researching geographic locations.
https://www.fiber.net/wp-content/uploads/2024/03/UtahBlog1.jpg7202060Fibernet Support/wp-content/uploads/2024/03/logo.svgFibernet Support2023-10-20 09:31:132024-03-25 17:12:07Utah Ranked Third Safest State for Natural Disasters
Do you think your business might need colocation services, but you’re not quite sure? Do you want to make sure this is the right move for you right now before you start researching local providers and data centers? Maybe you’re not even sure what colocation providers do, but in your quest for a better web host you’ve been inundated with the term. Cloud hosting targets small businesses, and colocation services are an alternative for small to mid-sized companies who want to snag scalability while maintaining the best security. It’s for businesses that want a budget-friendly option and who expect (or hope!) for growth, so they want a service provider who can “grow” with them.
However, for the non-techie, coming across terms like dedicated hosting, hybrid options, and colocation service providers can be frustrating and read like mumbo jumbo. First things first: What exactly is colocation? Basically, it’s when you house a server you own in a data center managed by pros. You’re not leasing or renting hardware—you own it. However, you don’t have to manage it. You rent “rack space” in a colocation environment, but you still provide all of the servers and hardware that goes along with it. It’s almost like having an in-house server, but you avoid risks and enjoy scalability that’s otherwise impossible.
Isn’t Colocation an Obvious Choice?
Now that you know what colocation is, how do you know if it’s for you? It sounds like a great approach where you enjoy all the rewards of having your own server with none of the risks. Plus, if you’re a small business with big growth dreams, you’d better make sure scalability is on the agenda. However, bear in mind that timing is everything. You might be overdue for making the switch, or you might not be there yet. Answer these key questions and you’ll find out if “colo” is for you right now:
Are you an early-stage startup on a budget? Sometimes there’s a thin line between “startup” and small business. The vast majority of startups fail, and sometimes poor financial decisions exacerbate an already delicate situation. If you’re strapped for cash and your current web presence includes just a smattering of static pages, you probably don’t need a more advanced infrastructure right now. In fact, with static pages, you may never need colocation. It’s when you start adding more dynamic pages that colocation can help. There are many financial investments you can make to bolster your startup’s odds for success, but going with a colocation center isn’t one of them. Wait until you make it to “small business size” and then reconsider.
Do you have an in-house server already? If so, then going with a colocation provider might be a great way to get more protection and up your redundancy. After all, you’ve already made the “big purchase.” Servers can be incredibly expensive, to the tune of $200,000 in some cases. If you haven’t already purchased a server, make sure you really need one first. Otherwise, you could easily bankrupt your business before it has a fighting chance.
Are you all about physical infrastructure? Web hosting is a complex issue and it’s a lot more than owning servers and related equipment. You also need to focus on connectivity, cooling strategies, and redundant power just to get started. Having everything you need in-house is a lot of work and very expensive. Businesses that already own servers and are after an improved infrastructure can benefit from colocation services.
Are you “certified”? Some industries require certification, particularly if you store sensitive information. Surprisingly, a lot of businesses go colocation because it’s the best, easiest way to abide by certification requirements like the SOC I Type II or the HIPAA standards. Some of these certifications are incredibly complex, and you can spend a lot of time and money trying to play by the rules. A colocation provider takes care of a lot of the leg work for you, freeing you up to actually run your business.
Do you need high-performing hardware for your applications? Some applications use a bevy of resources, and it can be expensive to find the best solutions from web hosts. “High-performance servers” may be offered from a slew of web hosts, but there will come a time when you might need to just buy your own. Leasing hardware is kind of like renting an apartment instead of buying: It works well for a while, but most people eventually outgrow that kind of situation.
Colocation isn’t for everyone, but it’s a fantastic solution for many growing companies. Go with a local provider for optimal customer service and peace of mind knowing that professionals and your data center are relatively close—yet far enough away that you can sit back and let the experts take care of much of the busy work.
https://www.fiber.net/wp-content/uploads/2024/03/ColocationBlog.jpg7202060Fibernet Support/wp-content/uploads/2024/03/logo.svgFibernet Support2023-10-20 09:29:122024-03-25 17:12:13Quiz: Are You Ready for Colocation Services?