DEV Community

Cover image for Security news weekly round-up - 28th April 2023
Habdul Hazeez
Habdul Hazeez

Posted on

Security news weekly round-up - 28th April 2023

Hello 👋 everyone, it's been a while and I hope that you're all doing good. Work has kept me occupied for the past few months, but today I have the chance to write in this series. So, let's get on with it and I hope you enjoy reading it!

Introduction

This week's review is about malware and software vulnerabilities. They are stories that can affect my life and yours, so grab a cup of coffee, and let's get started.


Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

The plugin in question is "Eval PHP" and to make matters worse, it has not received an update in 11 years. Plus, before this incident, users were still downloading it and this makes the hackers job lot easier. Luckily, at the time of writing, WordPress had disabled future downloads of the plugin. But, if you have it on your server, the following summary is a good reason why you should rethink its usage:

... the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and stay hidden. All the attacker needs to do is to visit one of the infected posts or pages and the backdoor will be injected into the file structure.

Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware

Once upon a time, it's APT28 and by the looks of it, they're not going anywhere, soon. This malware uses a sophisticated delivery process to infect a macOS, although the initial point of entry is not known at the time of writing. But the lesson here, as documented in the following excerpt, is not to open email attachments from untrusted sources:

.. it's an AppleScript file that's engineered to retrieve a second-stage payload from a remote server. The second-stage payload, written in Objective-C, is a basic application that offers the ability to view PDF files and only initiates the next phase of the attack chain when a booby-trapped PDF file is opened through the app.

One such nine-page PDF document identified by Jamf purports to offer an "investment strategy," that when launched, reaches out to the command-and-control (C2) server to download and execute a third-stage trojan, a Mach-O executable written in Rust that comes with capabilities to run system reconnaissance commands.

Thousands of Apache Superset servers exposed to RCE attacks

If you're using Apache Superset servers, it's time to update ASAP! This update prevents the server from using a default "SECRET_KEY" that can be abused by threat actors. Here are more details:

According to a new report by Horizon3, Apache Superset used a default Flask Secret Key to sign authentication session cookies. As a result, attackers can use this default key to forge session cookies that allow them to log in with administrator privileges to servers that did not change the key.

New Atomic macOS info-stealing malware targets 50 crypto wallets

This malware is sophisticated and it cost 1,000 United States dollars per month. One advice: watch out and install the necessary security software to protect yourself. Here is why:

The Atomic Stealer boasts a comprehensive array of data-theft features, providing its operators with enhanced opportunities for penetrating deeper into the target system.

Upon executing the malicious dmg file, the malware displays a fake password prompt to obtain the system password, allowing the attacker to gain elevated privileges on the victim's machine.

Google banned 173K developer accounts to block malware, fraud rings

If you allow your users to roam free on your services, they can cause unimaginable damage to others and your reputation as a company. That's why Google is taking steps like these to prevent fraudulent transactions that can result in losses of up to two billion United States dollars ($2 bn). The following excerpt has more for you:

Throughout 2021, Google blocked 1.2 million policy-violating apps, banned 190,000 accounts linked to malicious and spammy devs, and closed approximately 500,000 inactive or abandoned developer accounts.

More recently, in February 2023, Google revealed that the next major version of the world's most popular mobile operating system, Android 14 (now in Beta), will block malware from abusing sensitive permissions by targeting older API levels (Android versions).

Google Gets Court Order to Take Down CryptBot That Infected Over 670,000 Computers

If it's harmful and operates using a server and a domain, take it down. Here, that's what Google is doing to stop "CryptBot" that's spreading via "pirate" websites. The following is a quick summary of what you need to know:

CryptBot is estimated to have infected over 670,000 computers in 2022 with the goal of stealing sensitive data such as authentication credentials, social media account logins, and cryptocurrency wallets from users of Google Chrome.

The harvested data is then exfiltrated to the threat actors, who then sell the data to other attackers for use in data breach campaigns. The malware has been traditionally delivered via maliciously modified versions of legitimate and popular software packages such as Google Earth Pro and Google Chrome that are hosted on fake websites.

Attention Online Shoppers: Don't Be Fooled by Their Sleek, Modern Looks — It's Magecart!

While you're shopping online, be careful and second guess any pop modal that asks for your credit card information. This campaign is convincing and the threat actors are using the original logos from the compromised web store. We have more in the following excerpt:

The remarkable thing here is that the skimmer looks more authentic than the original payment page. Once the payment card details are harvested, a fake error message about payment cancellation is briefly displayed to the victim before redirecting to the actual payment page, at which point the payment will go through.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.

Top comments (0)