Hackers exploit unpatched flaw in WordPress’ Ultimate Member plugin

SISA Weekly Threat Watch - 10 July 2023

The sophisticated and deceptive attack techniques used by emerging threat actors underline the need for enterprises to prioritize early detection and rapid response within their networks. Researchers observed cybercriminals executing advanced attacks this week, including proxyjacking SSH servers, exploiting a WordPress plugin flaw, employing HTML smuggling, stealing cryptocurrency, and participating in DDoS attack campaigns. Strong cybersecurity measures are critical for minimizing these diverse threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Cybercriminals hijacking vulnerable SSH servers in new proxyjacking campaign

There is an ongoing financially motivated campaign that specifically targets vulnerable SSH servers with the intention of covertly enrolling them in a proxy network. The attackers responsible for these proxyjacking attacks exploit weaknesses in SSH servers that are publicly accessible online. In this active campaign, threat actors use SSH for remote access and deploy malicious scripts to covertly recruit victim servers into a peer-to-peer (P2P) proxy network such as Peer2Profit or Honeygain.

In one of the recent attacks, the attackers, upon gaining access to vulnerable SSH servers, executed a Base64-encoded Bash script to enroll the compromised systems into the Honeygain or Peer2Profit proxy networks. Researchers also discovered cryptominers, exploits, and hacking tools on the compromised server. It is recommended to implement standard security practices, such as using strong passwords, regularly patching systems, and maintaining detailed logs, to defend against proxyjacking and similar threats.
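The "Base64-encoded Bash script" pattern described above is something a defender can hunt for in shell audit or process-creation logs. The following is an added example written for this advisory, not code from SISA or from the researchers cited; it runs over a few constructed log records (not real data), flags any command that pipes a Base64 decode into a shell, decodes the blob for inspection, and checks the decoded text for the proxyware names mentioned in this item. The log field layout (`user=… cmd=…`) is an assumption chosen for the sample.

```python
import base64
import binascii
import re

# Constructed sample payload: a harmless stand-in for the enrolment script,
# encoded at runtime so the Base64 blob in the sample log is always valid.
PAYLOAD = "nohup ./honeygain >/dev/null 2>&1 &"
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()

# Constructed process-audit records (assumed "user=… cmd=…" layout, not real logs).
SAMPLE_EVENTS = [
    "2023-07-03T10:14:02Z host=web01 user=deploy cmd=systemctl status sshd",
    f"2023-07-03T10:15:41Z host=web01 user=backup cmd=echo {ENCODED} | base64 -d | bash",
    "2023-07-03T10:16:09Z host=web01 user=backup cmd=ps aux",
    "2023-07-03T10:17:30Z host=web01 user=deploy cmd=echo aGVsbG8gd29ybGQ= | base64 -d",
]

# A decode whose output is fed straight into a shell is the core indicator.
PIPE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba|z|da)?sh\b")
# The Base64 blob that precedes the decode (echo'd inline in this pattern).
B64_BLOB = re.compile(r"echo\s+(?:-n\s+)?([A-Za-z0-9+/=]{16,})")
# Proxyware names taken from this advisory item.
PROXYWARE_NAMES = ("honeygain", "peer2profit")


def decode_blob(blob):
    """Decode a Base64 string for analyst inspection; None if it is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyze_events(events):
    """Return one finding per event that pipes a Base64 decode into a shell."""
    findings = []
    for line in events:
        if not PIPE_TO_SHELL.search(line):
            continue
        finding = {"event": line, "decoded": None, "proxyware": []}
        match = B64_BLOB.search(line)
        if match:
            decoded = decode_blob(match.group(1))
            finding["decoded"] = decoded
            if decoded:
                lowered = decoded.lower()
                finding["proxyware"] = [n for n in PROXYWARE_NAMES if n in lowered]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print("ALERT:", f["event"])
        print("  decoded payload:", f["decoded"])
        print("  proxyware names:", f["proxyware"] or "none matched")
```

Only the second record is flagged: it decodes to a command that launches the Honeygain client, while the plain `base64 -d` on the last line (no shell on the receiving end) is left alone. In practice the same logic would be pointed at auditd `EXECVE` records or an EDR's process command-line field rather than a hand-built list.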

2. Hackers targeting unpatched WordPress plugin flaw to create secret admin accounts

Around 200,000 WordPress websites are exposed to ongoing attacks that exploit a significant unpatched security flaw (CVE-2023-3460) in the Ultimate Member plugin. Ultimate Member is a popular plugin used to build user profiles and communities on WordPress sites. By exploiting the flaw, unauthenticated attackers can create new user accounts with administrative privileges, giving them complete control of affected sites.

Though details about the flaw have been withheld because of active abuse, it stems from inadequate blocklist logic that is meant to stop attacker-supplied registration data from changing a new user's wp_capabilities user meta value; bypassing that check lets the attacker set the value to that of an administrator and gain full access to the site. Users of Ultimate Member are advised to disable the plugin until a patch that completely closes the security hole is made available. It is also recommended to audit all administrator-level users on affected websites to determine whether any unauthorized accounts have been added.
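The audit recommended above comes down to listing every account whose capabilities meta marks it as an administrator and comparing that list against the admins you actually expect. The script below is an added example for this advisory, not code from SISA, WordPress or the Ultimate Member project; it works on constructed rows shaped like the `wp_users` and `wp_usermeta` tables (the capabilities key is `{table_prefix}capabilities`, so `wp_capabilities` for the default prefix), parses the PHP-serialized capabilities value, and reports administrators that are not on an allowlist. The user names, dates and allowlist are assumptions for the sample.

```python
import re
from datetime import datetime

# Constructed sample rows (ID, user_login, user_registered) from wp_users.
USERS = [
    (1, "siteowner", "2021-02-11 09:30:00"),
    (2, "editor_jane", "2022-05-03 12:00:00"),
    (3, "wpadmin2", "2023-07-02 03:41:17"),
]

# Constructed sample rows (user_id, meta_key, meta_value) from wp_usermeta.
# WordPress stores roles as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "wp_user_level", "10"),
]

# Administrators the site owner knows about (assumed for the sample).
KNOWN_ADMINS = {"siteowner"}

# Matches each role entry that is switched on inside the serialized array.
CAP_ROLE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the set of enabled roles in a PHP-serialized capabilities value."""
    return set(CAP_ROLE.findall(serialized))


def list_admins(users, usermeta, table_prefix="wp_"):
    """Return [(login, registered_at)] for every user holding the administrator role."""
    cap_key = f"{table_prefix}capabilities"
    admin_ids = {
        user_id
        for user_id, key, value in usermeta
        if key == cap_key and "administrator" in roles_from_capabilities(value)
    }
    return [
        (login, datetime.strptime(registered, "%Y-%m-%d %H:%M:%S"))
        for uid, login, registered in users
        if uid in admin_ids
    ]


def audit_admins(users, usermeta, known_admins, table_prefix="wp_"):
    """Flag administrator accounts that are not on the allowlist.

    Equivalent database query for a live site (default prefix):
      SELECT u.user_login, u.user_registered FROM wp_users u
      JOIN wp_usermeta m ON m.user_id = u.ID
      WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%';
    """
    admins = list_admins(users, usermeta, table_prefix)
    return {
        "all_admins": sorted(login for login, _ in admins),
        "unexpected": sorted(login for login, _ in admins if login not in known_admins),
        "newest_admin": max(admins, key=lambda a: a[1])[0] if admins else None,
    }


if __name__ == "__main__":
    report = audit_admins(USERS, USERMETA, KNOWN_ADMINS)
    print("administrators:", report["all_admins"])
    print("NOT on allowlist:", report["unexpected"])
    print("most recently registered admin:", report["newest_admin"])
```

On a live site the same check can be run with `wp user list --role=administrator` from WP-CLI, but reading `wp_usermeta` directly is the safer choice while the plugin is disabled, since it does not depend on the plugin's own code path and catches accounts whose role was set by writing the meta value rather than through the normal role assignment.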

3. Chinese threat actors exploit HTML smuggling in SmugX campaign

A phishing campaign called SmugX, attributed to a Chinese threat actor, has been strategically targeting embassies and foreign affairs ministries in multiple nations. The SmugX attacks employ two distinct infection chains, both using the HTML smuggling technique to conceal malicious payloads within encoded strings inside HTML documents attached to the phishing messages. In one variant of the campaign, a ZIP archive containing a malicious LNK file is delivered. When launched, the LNK file triggers PowerShell to extract an archive and save it in the Windows temporary directory. The second variant relies on HTML smuggling to download a JavaScript file from the attacker's command and control (C2) server; this JavaScript file, in turn, downloads an MSI file.
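HTML smuggling as described here leaves a recognizable footprint in the attachment itself: a large Base64 string in the markup plus client-side code that decodes it and turns it into a downloadable file. The following is an added example written for this advisory, not code from SISA or from the researchers who reported SmugX; it is a mail-gateway style heuristic that scores an HTML attachment on those indicators. The two sample documents are constructed in the block (the "smuggled" bytes are a harmless placeholder), and the 4,000-character blob threshold is an assumption chosen for the example.

```python
import base64
import re

# Constructed smuggling-style attachment: a long Base64 string that is decoded in
# the browser and offered as a file. The encoded bytes are a placeholder, not malware.
_SMUGGLED = base64.b64encode(b"PK\x03\x04 placeholder archive bytes " * 300).decode()
SMUGGLING_HTML = f"""<html><body><p>Please review the attached document.</p>
<script>
var data = "{_SMUGGLED}";
var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
var blob = new Blob([bytes], {{ type: "application/octet-stream" }});
var link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "document.zip";
</script></body></html>"""

# Constructed benign attachment: an inline Base64 image, which is a large blob
# but has no decode-to-file logic around it. Must not be flagged.
_IMAGE = base64.b64encode(b"\x89PNG placeholder pixel data " * 250).decode()
BENIGN_HTML = f'<html><body><img src="data:image/png;base64,{_IMAGE}"></body></html>'

# Client-side "decode and drop a file" indicators.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "ms_save_blob": re.compile(r"\bmsSaveOrOpenBlob\b"),
}
# A single run of Base64 characters long enough to carry a file (assumed threshold).
LARGE_BLOB = re.compile(r"[A-Za-z0-9+/]{4000,}={0,2}")
MIN_INDICATORS = 2


def analyze_html(document):
    """Score an HTML document for the smuggling pattern; returns the evidence found."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(document)]
    blobs = LARGE_BLOB.findall(document)
    largest = max((len(b) for b in blobs), default=0)
    # Both halves are required: a large blob alone (inline images, fonts) is common,
    # and decode logic alone without a payload carries nothing.
    suspicious = largest > 0 and len(hits) >= MIN_INDICATORS
    return {"indicators": hits, "largest_blob": largest, "suspicious": suspicious}


if __name__ == "__main__":
    for label, doc in (("smuggling sample", SMUGGLING_HTML), ("benign sample", BENIGN_HTML)):
        result = analyze_html(doc)
        print(f"{label}: suspicious={result['suspicious']} "
              f"indicators={result['indicators']} largest_blob={result['largest_blob']}")
```

The benign document carries a blob larger than the smuggling one, which is why the verdict requires the decode-and-save indicators as well; tuning the threshold and indicator list against your own mail traffic is what keeps the false-positive rate manageable.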

To evade detection, the SmugX campaign executes a hijacked legitimate program, which loads the PlugX malware into memory through DLL sideloading. The malware maintains persistence by creating a hidden directory in which both the legitimate executable and the malicious DLL are stored. Organizations are advised to prioritize employee awareness and training, implement multi-factor authentication (MFA), deploy advanced threat detection solutions, enforce least privilege access, and employ network segmentation to protect critical systems and data.

4. New Windows Meduza Stealer targets crypto wallets and password managers

Cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer that its author is actively developing to evade detection by security software. Meduza is the newest addition to the ever-growing arsenal of Crimeware-as-a-Service (CaaS). The malware targets Windows-based computers and businesses.

It can steal a variety of system and browser information, including login credentials, browsing history, and bookmarks. Worse, Meduza can also gather information from 76 cryptocurrency wallet extensions, 19 password managers, clients, Discord, and 95 web browsers. Unlike other common malware, Meduza's binary does not use obfuscation techniques, making it virtually undetectable. It is recommended to regularly install updates for the operating system, browsers, and installed applications to patch vulnerabilities that malware can exploit. Additionally, keep a close eye on financial accounts, including cryptocurrency wallets, and regularly review transaction history for any suspicious activity.

5. Russian hacker project DDoSia sees 2,400 percent membership increase

Having first surfaced in the fall of 2022, the pro-Russia crowdsourced DDoS project 'DDoSia' has seen a massive 2,400% growth in less than a year, with over ten thousand people helping conduct attacks on Western organizations. Registration of new users is fully automated through a Telegram bot, which supports only the Russian language. New participants start by providing a TON (Telegram Open Network) wallet address to receive cryptocurrency; in response, the bot creates a unique client ID and provides a help text file.

Subsequently, new participants receive a ZIP archive containing the attack tool. When run, the DDoSia client opens a command-line prompt in which participants receive an encrypted list of targets and pick a specific target to attack. The tool was employed in attacks against Ukraine and NATO countries, including the Eastern Flank. Organizations are advised to take precautionary measures such as enrolling in a cloud-based DDoS mitigation service, developing DDoS response and business continuity plans, and limiting traffic to authorized areas only.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
