Hackers exploit WordPress Elementor Pro vulnerability

SISA Weekly Threat Watch - 10 April 2023

Cybercriminals continue to refine their techniques for delivering malware covertly, using a variety of file formats, obfuscation methods, and new phishing campaigns with novel distribution strategies. This past week, attackers also focused heavily on recently patched vulnerabilities and configuration issues in widely used platforms such as WordPress and Microsoft Azure AD to infiltrate networks and steal critical information.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. 3CX supply chain attack campaign

Security researchers have discovered an ongoing supply chain compromise affecting 3CXDesktopApp, the voice and video conferencing Private Automatic Branch Exchange (PABX) enterprise call routing software developed by 3CX. The attack, dubbed Smooth Operator, begins when a user downloads the 3CX desktop application from the vendor's website or updates an already installed copy. On Windows, 3CXDesktopApp.exe loads ffmpeg.dll, and that library starts the malicious chain. This multi-stage infection process keeps the malware hidden and lets it evade many security controls.

The malware downloads icon files from a GitHub repository; the images have Base64-encoded strings appended to the end of the file. It can gather data about the system, including user account information, network settings, and hardware and software configurations. Impacted organizations are advised to uninstall and reinstall the compromised application. It is also recommended to regularly audit the security of the supply chain, monitor the network for unusual activity, and block any URLs that might be used to distribute malware.
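The advisory notes that the downloaded icon files carry Base64-encoded strings appended after the image data. A defender can spot that pattern without knowing the payload: parse the ICO directory, compute where the last referenced image ends, and check whether anything (in particular, valid Base64 text) follows it. The script below is an added example written for this advisory, not code from SISA or from the 3CX investigation; the icon files it checks are constructed in the script, and the "image" bytes are placeholders rather than a real bitmap.

```python
import base64
import binascii
import struct

ICO_HEADER = struct.Struct("<HHH")      # reserved (0), type (1 = icon, 2 = cursor), image count
ICO_ENTRY = struct.Struct("<BBBBHHII")  # width, height, colours, reserved, planes, bpp, size, offset


def ico_data_end(ico: bytes) -> int:
    """Offset just past the last image that the ICO directory actually references."""
    if len(ico) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = ICO_HEADER.unpack_from(ico, 0)
    if reserved != 0 or img_type not in (1, 2):
        raise ValueError("not an ICO/CUR header")
    end = ICO_HEADER.size + ICO_ENTRY.size * count
    for i in range(count):
        entry = ICO_ENTRY.unpack_from(ico, ICO_HEADER.size + ICO_ENTRY.size * i)
        size, offset = entry[6], entry[7]
        end = max(end, offset + size)
    return end


def trailing_bytes(ico: bytes) -> bytes:
    """Bytes after the last referenced image; a well-formed icon has none."""
    return ico[ico_data_end(ico):]


def is_base64_blob(blob: bytes, min_len: int = 16) -> bool:
    """True if the blob is a non-trivial, strictly valid Base64 string."""
    blob = blob.strip()
    if len(blob) < min_len:
        return False
    try:
        base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def suspicious_icon(ico: bytes) -> bool:
    """Flag icons that carry Base64 text past the end of their image data."""
    return is_base64_blob(trailing_bytes(ico))


def build_sample_icon(extra: bytes = b"") -> bytes:
    """Constructed single-image icon; 'extra' is appended verbatim after the image data."""
    image = bytes(range(40))  # placeholder image bytes, not a real bitmap
    offset = ICO_HEADER.size + ICO_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_ENTRY.pack(16, 16, 0, 0, 1, 32, len(image), offset)
    return header + entry + image + extra


CLEAN_ICON = build_sample_icon()
# Constructed sample: a harmless string, Base64-encoded and appended after the image data.
TAMPERED_ICON = build_sample_icon(base64.b64encode(b"constructed example payload text"))

if __name__ == "__main__":
    for name, ico in (("clean", CLEAN_ICON), ("tampered", TAMPERED_ICON)):
        print(name, "trailing bytes:", len(trailing_bytes(ico)), "suspicious:", suspicious_icon(ico))
```

The check is format-aware rather than signature-based, so it also catches trailing data that is not Base64 (use `trailing_bytes` directly for that); it does not inspect the image payloads themselves, so a payload hidden inside a valid bitmap would need a different check.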

2. Stealthy DBatLoader spreading Remcos RAT and Formbook in Europe

A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed DBatLoader. DBatLoader hides its initial stage from detection engines using image steganography and multi-layer obfuscation techniques. It is spread through phishing campaigns that constantly adopt new distribution strategies. To evade detection, it delivers payloads using a variety of file types, including PDF, HTML, ZIP, and OneNote.

The malware drops a number of executable files, DLLs, and batch files to carry out its malicious actions. Phishing emails masquerade as payment invoices, quotations, updated order documents, sales orders, and other business documents to spread Remcos via DBatLoader. The emails carry a malicious PDF file, usually containing a malicious URL. Users must be vigilant about phishing attempts and avoid opening attachments from unknown sources to protect themselves from these attacks. Additionally, administrators should deploy security tools such as XDR to obtain thorough visibility across endpoints, cloud workloads, and network infrastructure.
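Because the lure is a PDF whose purpose is to carry a URL, a mail gateway or analyst can triage such attachments by pulling the link targets out of the PDF's `/URI` actions and by flagging the attachment types named above. The following is an added example written for this advisory, not a tool from the campaign's reporting; the PDF it scans is constructed inline and the domain in it is a placeholder under the reserved `.example` TLD.

```python
import re

# Attachment types the advisory reports this campaign using.
RISKY_EXTENSIONS = (".pdf", ".html", ".htm", ".zip", ".one")

# A PDF URI action stores its target as a literal string: /URI (....), with \( and \) escapes allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def extract_pdf_uris(pdf: bytes) -> list:
    """Return the targets of uncompressed /URI actions found by a raw scan of the file.

    Caveat: objects packed into compressed object streams are invisible to a raw
    scan, so an empty result does not prove the PDF has no links; use a full PDF
    parser for those.
    """
    uris = []
    for match in URI_RE.finditer(pdf):
        raw = match.group(1)
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def risky_attachment(filename: str) -> bool:
    """True if the filename uses one of the types this campaign delivers."""
    return filename.lower().endswith(RISKY_EXTENSIONS)


def triage_attachment(filename: str, content: bytes) -> dict:
    """Summarise one attachment: risky type and, for PDFs, any embedded link targets."""
    links = extract_pdf_uris(content) if filename.lower().endswith(".pdf") else []
    return {"filename": filename, "risky_type": risky_attachment(filename), "links": links}


# Constructed minimal PDF with one link annotation (not a sample from the campaign).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /Type /Action /S /URI /URI (http://invoice-update.example/view\\(1\\).zip) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_attachment("Payment_Invoice_4421.pdf", SAMPLE_PDF))
    print(triage_attachment("quotation.docx", b""))
```

The escaped parentheses in the sample are there deliberately: a naive regex that stops at the first `)` would truncate the link, which is exactly the kind of detail that makes a quick triage script disagree with what the PDF viewer actually opens.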

3. Millions of sites at risk as hackers exploit WordPress Elementor Pro vulnerability

A recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress is being actively exploited by unknown threat actors. The bug, described as a case of broken access control, affects versions 3.11.6 and earlier. Successful exploitation of the high-severity flaw allows an authenticated attacker to take complete control of a WordPress site that has WooCommerce enabled.

This makes it possible for a malicious user to turn on the registration page (if it is disabled) and set the default user role to administrator, so that they can create an account that immediately has administrator privileges. The flaw is currently being abused in the wild from several IP addresses that attempt to upload arbitrary PHP and ZIP archive files. Sites running the Elementor Pro plugin at any version lower than 3.11.7 should update as soon as possible.
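The two settings the attackers flip, open registration and an administrator default role, are ordinary WordPress options (`users_can_register` and `default_role`), so a site owner can audit for them alongside the plugin version. The script below is an added example for this advisory, not code from Elementor, WordPress, or the vulnerability write-up. It assumes the option values and plugin versions have already been collected (for instance with `wp option get` and `wp plugin list`); the site snapshots and user records it checks are constructed inline.

```python
PATCHED_ELEMENTOR_PRO = (3, 11, 7)  # first fixed release named in the advisory


def parse_version(version: str) -> tuple:
    """'3.11.6' -> (3, 11, 6). Non-numeric characters inside a component are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def elementor_pro_is_vulnerable(version: str) -> bool:
    """True for any Elementor Pro release below the first patched one."""
    return parse_version(version) < PATCHED_ELEMENTOR_PRO


def audit_site(options: dict, plugins: dict) -> list:
    """Return findings for a site, given its wp_options values and plugin slug -> version map."""
    findings = []
    version = plugins.get("elementor-pro")
    if version is not None and elementor_pro_is_vulnerable(version):
        fixed = ".".join(map(str, PATCHED_ELEMENTOR_PRO))
        findings.append(f"elementor-pro {version} is below {fixed}: update immediately")
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled: confirm this is intentional")
    if options.get("default_role") == "administrator":
        findings.append("default_role is administrator: every new signup becomes an admin")
    return findings


def recently_created_admins(users: list, since: str) -> list:
    """Logins of administrator accounts registered on or after `since` (ISO date string)."""
    return [u["login"] for u in users
            if "administrator" in u["roles"] and u["registered"] >= since]


# Constructed snapshots of two sites (not real data).
HARDENED_SITE = ({"users_can_register": "0", "default_role": "subscriber"},
                 {"elementor-pro": "3.11.7", "woocommerce": "7.5.1"})
EXPOSED_SITE = ({"users_can_register": "1", "default_role": "administrator"},
                {"elementor-pro": "3.11.6", "woocommerce": "7.5.1"})

# Constructed user list: one long-standing admin, one admin created after the settings changed.
SAMPLE_USERS = [
    {"login": "owner", "roles": ["administrator"], "registered": "2021-05-10"},
    {"login": "shopmgr", "roles": ["shop_manager"], "registered": "2022-11-02"},
    {"login": "zz_support", "roles": ["administrator"], "registered": "2023-04-02"},
]

if __name__ == "__main__":
    for name, site in (("hardened", HARDENED_SITE), ("exposed", EXPOSED_SITE)):
        print(name, audit_site(*site) or ["no findings"])
    print("admins created since 2023-03-28:", recently_created_admins(SAMPLE_USERS, "2023-03-28"))
```

A clean option audit is not a clean bill of health: an attacker who already created an administrator account can put the options back, which is why the script also lists administrators by registration date so that unexpected new accounts stand out.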

4. Microsoft fixes new Azure AD vulnerability impacting Bing Search and major apps

A misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several “high-impact” applications to unauthorized access has now been patched by Microsoft. The crux of the vulnerability lies in what’s called “Shared Responsibility confusion,” wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access.

Intriguingly, a number of Microsoft's own internal apps were found to exhibit this behavior, permitting external parties to obtain read and write access to the affected applications. These include the Bing Trivia app, which was exploited to alter search results in Bing and even manipulate content on the homepage as part of an attack chain dubbed BingBang. Worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack on Bing.com and extract a victim's Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. To secure multi-tenant applications, follow the guidelines published by Microsoft.
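The root cause described above is an application that accepts a token from any Azure AD tenant when it should only trust its own. The mitigation on the application side is to check the tenant claims on every token after the signature has been verified: the `tid` claim must be on an allowlist, and the `iss` claim must name that same tenant. The code below is an added example for this advisory, not Microsoft's guidance text or library code; the tenant id is a constructed placeholder, the demo tokens are unsigned with a placeholder signature segment, and the issuer formats are the documented v1.0 (`https://sts.windows.net/{tid}/`) and v2.0 (`https://login.microsoftonline.com/{tid}/v2.0`) patterns.

```python
import base64
import json

# Constructed placeholder; a real app lists the tenant ids it actually serves.
ALLOWED_TENANT_IDS = {"00000000-0000-0000-0000-00000000beef"}

# Issuer formats used by Azure AD v1.0 and v2.0 access tokens.
ISSUER_TEMPLATES = (
    "https://sts.windows.net/{tid}/",
    "https://login.microsoftonline.com/{tid}/v2.0",
)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT.

    This does NOT verify the signature. In a real service the signature is
    checked against the tenant's published signing keys first; these tenant
    checks run on the claims of an already-authenticated token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def tenant_is_allowed(claims: dict, allowed: set = ALLOWED_TENANT_IDS) -> bool:
    """Accept only tokens whose tenant is allowlisted and whose issuer names that tenant."""
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    if tid not in allowed:
        return False
    return iss in {template.format(tid=tid) for template in ISSUER_TEMPLATES}


def constructed_token(tid: str, version: int = 2, iss: str = None) -> str:
    """Build an UNSIGNED demo token; the third segment is a placeholder, not a signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    if iss is None:
        iss = ISSUER_TEMPLATES[0 if version == 1 else 1].format(tid=tid)
    payload = {"iss": iss, "tid": tid, "aud": "api://constructed-app", "sub": "user"}

    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


HOME_TENANT = "00000000-0000-0000-0000-00000000beef"
OTHER_TENANT = "11111111-1111-1111-1111-111111111111"

if __name__ == "__main__":
    for label, tok in (
        ("home tenant, v2 issuer", constructed_token(HOME_TENANT)),
        ("home tenant, v1 issuer", constructed_token(HOME_TENANT, version=1)),
        ("foreign tenant", constructed_token(OTHER_TENANT)),
    ):
        print(label, "->", "accepted" if tenant_is_allowed(jwt_claims(tok)) else "rejected")
```

Checking `tid` alone is not enough: the issuer must agree, because an app that validates the signature against the common (multi-tenant) key set will happily accept a foreign tenant's token whose issuer it never looked at. For a single-tenant app the simpler fix is to register it as single-tenant so the identity platform never issues such tokens in the first place.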

5. Winter Vivern APT targets European government entities with Zimbra vulnerability

A new wave of attacks on European governments has been attributed to a lesser-known Russian hacking group known as Winter Vivern. The Winter Vivern APT group (also tracked as TA473) is targeting webmail users of NATO-aligned governments in Europe by taking advantage of a cross-site scripting vulnerability (CVE-2022-27926) in Zimbra Collaboration Suite. The group scans for unpatched Zimbra-hosted webmail sites to locate targets using tools such as Acunetix.

The initial stage of the infection chain is carried out by phishing emails that masquerade as key government resources. The malicious JavaScript payloads are used to steal tokens, usernames, and passwords from cookies belonging to the compromised Zimbra endpoint. Winter Vivern carried out the attack using infected documents and scanning tools. It is strongly advised to patch any version of Zimbra Collaboration used in public-facing webmail portals, notably those operated by European government institutions.
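Two things in this chain leave traces in a webmail server's access log before any user is phished: the vulnerability scanning used to find targets, and the reflected-XSS probing that precedes a working payload. The script below is an added example for this advisory, not tooling from the Winter Vivern reporting or from Zimbra. It parses combined-format access log lines (constructed inline, with documentation-range IPs), URL-decodes the request target, and flags script-like markers in the query as well as a scanner user-agent; the `Acunetix` user-agent string and the `/mail/search` path are constructed for the sample, and real scanner user-agents vary.

```python
import re
from urllib.parse import unquote_plus

# Combined log format as written by nginx and Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Markers common to reflected-XSS probes; tuned for recall, so review hits by hand.
XSS_MARKERS = re.compile(r"<script|javascript:|onerror\s*=|onload\s*=|<svg|<img", re.I)
# Assumption: the scanner identifies itself in its User-Agent. Extend for your environment.
SCANNER_UA = re.compile(r"acunetix", re.I)


def triage_line(line: str):
    """Return (client ip, [reasons]) for a parsable line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Decode twice so that double-encoded probes (%253C -> %3C -> <) are seen too.
    decoded = unquote_plus(unquote_plus(m["target"]))
    reasons = []
    if XSS_MARKERS.search(decoded):
        reasons.append("script-like payload in request target")
    if SCANNER_UA.search(m["ua"]):
        reasons.append("web vulnerability scanner user-agent")
    return m["ip"], reasons


def triage(lines) -> list:
    """All (ip, reasons) pairs that have at least one reason, in log order."""
    hits = []
    for line in lines:
        parsed = triage_line(line)
        if parsed and parsed[1]:
            hits.append(parsed)
    return hits


def suspect_ips(lines) -> set:
    """Distinct client addresses worth blocking or investigating."""
    return {ip for ip, _ in triage(lines)}


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Apr/2023:10:15:01 +0000] "GET /mail/inbox HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Apr/2023:10:15:09 +0000] "GET /mail/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Apr/2023:10:15:12 +0000] "GET /mail/search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Apr/2023:10:20:44 +0000] "GET /mail/ HTTP/1.1" 200 100 "-" "Mozilla/5.0 (compatible; Acunetix)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
    print("suspect IPs:", sorted(suspect_ips(SAMPLE_LOG)))
```

Log review is a complement to patching, not a substitute: a reflected-XSS payload delivered through a phishing link is executed in the victim's browser, and the request that carries it can look like a single ordinary GET, so the patch is what removes the exposure.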

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
