Introduction
Hello there. In this week's review, we'll cover social media, WordPress plugin vulnerabilities, phishing, and backdoors.
10 things to avoid posting on social media - and why
If you read the article's title and think "I know that already", think again. Stop whatever you're doing now and read the article.
The following should get you started:
It might sound pretty innocuous to post a pic or an update saying you're excited about an upcoming holiday. But it could signify to someone monitoring your account that your property will be left unattended during that time.
WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk
It is scary, but luckily it was patched in LiteSpeed version 5.7.0.1. So, if you are running a version older than that, update it immediately.
Here is why:
This plugin suffers from an unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user to do anything from stealing sensitive information to, in this case, escalating privileges on the WordPress site by performing a single HTTP request.
WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites
It's a plugin called Ultimate Member, and if you have a version older than 2.8.3, update it immediately. Stay safe and read more below:
The plugin is "vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query".
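Why a sort parameter needs an allowlist rather than escaping or a placeholder, as an added Python/sqlite3 example that is not code from the plugin or the article; the members table, its column names and the sort keys are constructed for illustration:

```python
import sqlite3

# Constructed sample data standing in for a members table (assumption: the
# real plugin's schema is not given on the page).
SAMPLE_ROWS = [("carol", "2024-03-01"), ("alice", "2024-01-15"), ("bob", "2024-02-10")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (login TEXT, registered TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_ROWS)
    return conn

# Vulnerable pattern: the user-supplied 'sorting' value is spliced into the
# query text. ORDER BY takes an identifier or expression, so escaping quotes
# does nothing here: whatever arrives is executed as SQL.
def list_members_vulnerable(conn, sorting):
    sql = f"SELECT login FROM members ORDER BY {sorting}"
    return [row[0] for row in conn.execute(sql)]

# A placeholder binds a value, not an identifier: ORDER BY ? sorts by the
# constant string 'login', i.e. not at all. This is why "preparation" alone
# cannot fix a sort parameter; it must be validated before the SQL is built.
def list_members_misprepared(conn, sorting):
    sql = "SELECT login FROM members ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (sorting,))]

# Hardened pattern: the untrusted parameter is a key into an allowlist of
# known columns and directions; anything else is rejected up front.
ALLOWED_SORTS = {
    "user_login_asc": ("login", "ASC"),
    "user_login_desc": ("login", "DESC"),
    "user_registered_desc": ("registered", "DESC"),
}

def list_members_hardened(conn, sorting):
    if sorting not in ALLOWED_SORTS:
        raise ValueError(f"rejected sort parameter: {sorting!r}")
    column, direction = ALLOWED_SORTS[sorting]
    sql = f"SELECT login FROM members ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]
```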
Japan warns of malicious PyPi packages created by North Korean hackers
The good news from this article: they have taken the packages offline. The bad news: thousands had downloaded them before they did. It's not good.
Here is why:
The Japanese cybersecurity agency says that the final payload (IconCache.db), executed in memory, is a malware known as "Comebacker," first identified by Google analysts in January 2021, who reported that it was used against security researchers.
The Comebacker malware connects to the attacker's command and control (C2) server, sends an HTTP POST request with encoded strings, and waits for further Windows malware to be loaded in memory.
New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users
Attackers will do anything to get your money, and this article proves it. Watch out and stay safe.
More for you:
Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users of various platforms like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. More than 100 victims have been successfully phished to date.
Hugging Face, the GitHub of AI, hosted code that backdoored user devices
No system is safe.
Here is an excerpt from the article:
One model drew particular concern because it opened a reverse shell that gave a remote device on the Internet full control of the end user's device. When JFrog researchers loaded the model into a lab machine, the submission indeed loaded a reverse shell but took no further action.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.
Top comments (1)
The cautionary tale of North Korean hackers creating malicious PyPi packages serves as a stark reminder of the ever-present cybersecurity threats. The swift action of taking the packages offline is commendable, yet the unfortunate reality remains: thousands had already downloaded them. Stay vigilant and prioritize the security of your digital ecosystem.