Fake antivirus sites using SEO poisoning to distribute malware

In the past week, cybersecurity experts have uncovered several significant threats across various platforms and sectors. These include a critical vulnerability in the AI service Replicate, malicious antivirus websites targeting Android and Windows devices, the exploitation of WordPress plugins to steal credit card data, credential stuffing attacks on Okta’s Customer Identity Cloud, and targeted cyber espionage campaigns by the newly identified group LilacSquid. These incidents highlight the ongoing need for robust security measures, vigilance, and proactive defenses to protect sensitive information and infrastructure.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Critical vulnerability in Replicate AI service puts customer data at risk

Cybersecurity experts have identified a severe vulnerability in Replicate, an AI-as-a-service provider, which could have allowed malicious actors to access proprietary AI models and sensitive data. The vulnerability stemmed from the way AI models are packaged, enabling arbitrary code execution and cross-tenant attacks using a malicious model. By creating a rogue Cog container, researchers achieved remote code execution on Replicate’s infrastructure via a Redis server within a Google Cloud-hosted Kubernetes cluster.

This exploitation could have compromised AI model integrity and exposed private data, including personally identifiable information (PII). The vulnerability was responsibly disclosed in January 2024 and subsequently fixed by Replicate, with no evidence of prior exploitation. Recommendations include strict access controls, enhanced code review and validation, isolation of customer environments, and continuous monitoring and auditing for suspicious activities.

2. Bogus antivirus websites distributing malware to Android and Windows devices

Threat actors are using fake antivirus websites mimicking Avast, Bitdefender, and Malwarebytes to distribute malware targeting Android and Windows devices, stealing sensitive information. Sites like avast-securedownload[.]com deliver the SpyNote trojan, bitdefender-app[.]com distributes the Lumma information stealer, and malwarebytes[.]pro deploys the StealC malware.

Additionally, a rogue Trellix binary named “AMCoreDat.exe” has been found to drop stealer malware that exfiltrates browser data. These malicious sites are likely spread through SEO poisoning and malvertising. To protect against such threats, it is recommended to verify download sources, use reputable antivirus solutions, avoid pirated software, and keep systems updated.

3. WordPress plugin misused to harvest credit card info from e-commerce websites

Threat actors are exploiting lesser-known WordPress plugins like Dessky Snippets to inject malicious PHP code that steals credit card data. Security researchers identified a campaign where attackers modified the WooCommerce billing form to capture and exfiltrate sensitive information to a malicious URL. This malicious code, stored in the dnsp_settings option of the wp_options table, affects over 200 installations by altering checkout processes to collect credit card details.

Similar attacks have targeted other WordPress plugins like WPCode and Simple Custom CSS and JS. Site owners are advised to keep plugins updated, use strong passwords, audit for malware, use reputable third-party scripts, and implement security measures like Content Security Policies (CSP).

4. Okta issues warning on credential stuffing attacks in Customer Identity Cloud

Okta has warned of a vulnerability in its Customer Identity Cloud’s (CIC) cross-origin authentication feature, making it susceptible to credential stuffing attacks. Since April 15, 2024, Okta has notified affected customers and recommended actions such as reviewing tenant logs for suspicious login events, rotating credentials, and considering the restriction or disabling of cross-origin authentication.

To mitigate risks, Okta advises enabling breached password detection, using Credential Guard, and adopting passwordless, phishing-resistant authentication methods. This alert follows a rise in credential stuffing attacks facilitated by residential proxy services.

5. LilacSquid attacks IT, energy, and pharma industries

The newly identified cyber espionage group LilacSquid has been implicated in targeted attacks across multiple sectors in the U.S., Europe, and Asia, focusing on data theft since 2021. The group exploits known vulnerabilities and compromised RDP credentials to infiltrate organizations, deploying tools like MeshAgent and a customized Quasar RAT variant called PurpleInk.

The campaign targets IT, energy, and pharmaceutical sectors, utilizing techniques similar to North Korean APT groups such as Lazarus. Key recommendations include regular patch management, securing RDP ports, implementing network segmentation, and deploying advanced endpoint protection to detect and block malware and unauthorized activities.