WordPress plugin zero-day affects 200K sites

SISA Weekly Threat Watch 23 October, 2023

Over the past week, significant threats and security vulnerabilities have been observed in the cybersecurity landscape. These include a zero-day affecting a large number of sites, a phishing attack resulting in a data breach, government-backed actors exploiting a critical vulnerability, and a ransomware group introducing a new tool for advanced attacks. These incidents highlight the importance of proactive security measures and rapid responses to vulnerabilities and breaches.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. D-Link confirms data breach due to employee falling for phishing attack

D-Link has confirmed a data breach linked to information that was stolen from its network and made available for sale on BreachForums. The attacker claims to have taken the source code for D-Link’s D-View network management software and millions of records containing personal details of customers and employees. The data has been offered for sale on the hacking forum, with the attacker demanding $500 for the stolen customer information and the alleged D-View source code.

D-Link acknowledged that the breach resulted from an employee falling prey to a phishing attack, which gave the attacker access to the company’s network. The company clarified that the intruder accessed a product registration system in a “test lab environment” running an outdated D-View 6 system that reached end of life in 2015. It is recommended to implement strict access controls and permissions to ensure that only authorized personnel have access to sensitive data and systems. Additionally, employ firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to safeguard the network from unauthorized access and suspicious activity.

2. CVE-2023-5360: WordPress plugin zero-day affects 200K sites

The Wordfence Threat Intelligence team issued a warning about ongoing attacks on WordPress sites. These attacks exploit a vulnerability in the Royal Elementor Addons and Templates plugin. Because exploitation was observed before the vendor released a patch, the flaw was leveraged by attackers as a zero-day. The vulnerability allows unauthenticated attackers to perform arbitrary file uploads on vulnerable websites.

While the plugin has a feature for validating file extensions so that only specific, authorized file types are accepted, unauthenticated users can manipulate the ‘allowed list’ to evade the checks and sanitization. This opens the door to remote code execution, which could result in a full compromise of the website. All users of the add-on are advised to upgrade to the latest version as soon as possible.
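The flaw class described above, as an added illustration that is not the plugin’s own code: an upload check whose allowed-extension list is taken from the request (so an unauthenticated caller can extend it) beside a check that consults only a server-side policy. The request field name `allowed_types` and the sample file names are constructed for the example.

```python
"""Allow-list handling for a file-upload endpoint (illustrative, not the plugin's code)."""
from __future__ import annotations

import os

# Server-side policy: the only extensions this endpoint will ever accept.
SERVER_ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})


def vulnerable_is_allowed(filename: str, request: dict) -> bool:
    """Vulnerable pattern: the allowed list is read from the request itself
    ('allowed_types' is a hypothetical field name). A caller who adds 'php'
    to that field passes the check, so the check protects nothing."""
    allowed = request.get("allowed_types", "jpg,png").split(",")
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in {a.strip().lower() for a in allowed}


def hardened_is_allowed(filename: str, request: dict) -> bool:
    """Hardened pattern: client input never influences policy. The name is
    reduced to its basename, names without an extension (or dotfiles such
    as '.htaccess') are rejected, and every dotted segment after the first
    must be on the allow-list, so 'shell.php.jpg' is rejected too."""
    del request  # the client may say anything; policy lives server-side
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p in SERVER_ALLOWED_EXTENSIONS for p in parts[1:])


def demo() -> dict[str, tuple[bool, bool]]:
    """Run both checks over constructed uploads from a client that smuggles
    'php' into the allowed list; returns {filename: (vulnerable, hardened)}."""
    hostile_request = {"allowed_types": "jpg,png,php"}  # constructed input
    samples = ["photo.jpg", "shell.php", "shell.php.jpg", ".htaccess", "evil.phtml"]
    return {
        name: (vulnerable_is_allowed(name, hostile_request),
               hardened_is_allowed(name, hostile_request))
        for name in samples
    }


if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(f"{name:15} vulnerable={weak!s:5} hardened={strong}")
```

With a benign request the vulnerable check looks correct, which is why this pattern survives review; only the hostile request exposes it.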

3. Google TAG detects state-backed actors exploiting WinRAR vulnerability

In recent weeks, Google’s Threat Analysis Group (TAG) has detected multiple government-backed hacking groups exploiting a known vulnerability, CVE-2023-38831, in WinRAR, a popular Windows file archiver tool. Cybercrime groups began exploiting this vulnerability in early 2023, while it was still unknown to defenders. Though the patch was released in August, many users are still vulnerable. The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.

It enables threat actors to gain code execution by tricking users into opening maliciously crafted RAR and ZIP archives with decoy files. Google’s TAG identified these activities and attributed them to three distinct hacking groups – FROZENBARENTS (also known as Sandworm), FROZENLAKE (also known as APT28), and ISLANDDREAMS (also known as APT40). To stay protected, it is recommended to update WinRAR to the latest version, scan for and remove suspicious e-mail attachments, maintain situational awareness of the latest threats, and implement appropriate Access Control Lists (ACLs).

4. BlackCat ransomware releases new utility ‘Munchkin’

The BlackCat group has introduced a new tool called “Munchkin” that enables its operators to execute ransomware payloads on remote machines and encrypt remote Server Message Block (SMB) or Common Internet File System (CIFS) shares. Researchers found that the tool is a customized Alpine Linux distribution packaged as an ISO file. After gaining access to a target system, the attackers use Munchkin to create a virtual environment from which they extract passwords, move laterally through the network, and execute customized ransomware payloads.

The tool streamlines BlackCat ransomware operations: virtualization and automation help it evade security controls, while its modularity allows customization for specific targets or campaigns. The threat actors themselves stress that Munchkin must be removed after use to avoid exposing their access tokens and negotiation chats. Mitigating these risks requires a comprehensive approach that combines continuous awareness, robust access controls, proactive threat detection, and a well-prepared response to security incidents.

5. Cisco issues alert on zero-day vulnerability in IOS XE software

Cisco has warned administrators about a newly discovered maximum-severity zero-day vulnerability in its IOS XE Software. The flaw can grant malicious actors full administrative privileges, enabling them to take complete control of vulnerable routers. Cisco has rated the vulnerability as critical and identified it as CVE-2023-20198.

Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when it is exposed to the internet or to untrusted networks. The vulnerability allows a remote, unauthenticated attacker to create an account with privilege level 15 on an affected system and then use that account to take control of it. Cisco has recommended immediate actions to mitigate the risk, including disabling the HTTP Server feature, monitoring for unexpected user accounts, and following strong network security practices.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
