Jun 27 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that upsets cyber criminals like Georgia upset Portugal
Today's hottest cybersecurity news stories:
💳 Credit card skimmer, who's got the keys to my bimmer
Polyfill supply chain attack affects 100k websites wow 🕸️
🩹 Patch ASAP! MOVEit vulnerability is being exploited NOW ⏳
⚠️ Credit Card Data at Risk! 💳 A new credit card web skimmer, dubbed Caesar Cipher Skimmer, is targeting popular CMS platforms like WordPress, Magento, and OpenCart. This malware is injected into e-commerce sites to steal financial and payment information. 🚨
🕵️ How Caesar Cipher Skimmer Works
Sucuri's investigation reveals that the skimmer makes malicious changes to the checkout PHP file that WooCommerce uses on WordPress ("form-checkout.php"). The modified file steals credit card details during the checkout process. To avoid detection, the injected code is disguised as Google Analytics and Google Tag Manager. It uses a substitution mechanism similar to the Caesar cipher to encode the malicious code, so that it looks like a garbled string and conceals the external domain hosting the payload. 🕵️
The compromised websites likely had a PHP script named "style.css" or "css.php" staged to mimic an HTML style sheet and evade detection. These scripts load a further obfuscated JavaScript payload that opens a WebSocket to fetch the actual skimmer from another server. That script sends the URL of the current page, allowing the attackers to return customised responses for each infected site. Some versions of the second-layer script even check whether the page is being viewed by a logged-in WordPress user and alter the response accordingly.
The form-checkout.php file in WooCommerce is not the only deployment method. Attackers also misuse the legitimate WPCode plugin to inject the skimmer into the website database. On Magento sites, JavaScript injections are performed on database tables such as core_config_data. The method used on OpenCart sites remains unknown. 🛠️
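An added example (not Sucuri's code) of the defender-side check this technique invites: try every letter shift on the long string literals in a suspect file and flag any that decode to a WebSocket URL or checkout-related text. The sample snippet and its placeholder host are constructed for the demo.

```python
"""Detect Caesar-style letter-shift obfuscation in injected script source.
Added example for this newsletter item; it is not Sucuri's tooling. It assumes the
substitution shifts ASCII letters only and leaves digits and punctuation in place."""
import re
import string

# Substrings a de-obfuscated skimmer string would plausibly contain (defender-chosen).
INDICATORS = ("websocket", "wss://", "checkout", "form-checkout", "cvv", "card")

def shift_text(text: str, k: int) -> str:
    """Shift ASCII letters by k positions (case preserved); other characters unchanged."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def string_literals(source: str) -> list:
    """Extract the contents of single- or double-quoted literals from JS/PHP source."""
    return [m.group(2) for m in re.finditer(r"(['\"])(.*?)\1", source)]

def find_shifted_indicators(source: str, min_len: int = 12) -> list:
    """Try all 25 non-trivial shifts on each long literal; report the first shift
    that reveals an indicator. Returns dicts with literal, shift, decoded, hits."""
    findings = []
    for lit in string_literals(source):
        if len(lit) < min_len:
            continue
        for k in range(1, 26):
            decoded = shift_text(lit, k)
            hits = [i for i in INDICATORS if i in decoded.lower()]
            if hits:
                findings.append({"literal": lit, "shift": k, "decoded": decoded, "hits": hits})
                break
    return findings

# Constructed sample: a snippet posing as an analytics tag that carries one
# shifted literal pointing at a placeholder host (not a real domain).
HIDDEN = "wss://collector.example.invalid/checkout"
SAMPLE_JS = (
    "// Google Analytics\n"
    'var ga_id = "UA-000000-1";\n'
    'var _c = "' + shift_text(HIDDEN, -7) + '";\n'
)
```

Run `find_shifted_indicators` over the checkout PHP and any "style.css"/"css.php" scripts pulled from a suspect site; the short analytics ID literal is skipped, the shifted one is reported with the shift that decodes it.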
Widespread Threat
The prevalence of WordPress and its plugin ecosystem makes it a lucrative target for attackers, providing easy access to a vast attack surface. Comments in some script versions are in Russian, suggesting the threat actors behind this operation are Russian-speaking. 🕵️
🛡️ Stay Safe and Secure!
Site owners should keep their CMS software and plugins up to date, enforce strong password practices, and regularly audit their sites for suspicious administrator accounts. Keeping these best practices in mind can help protect your website from such sophisticated attacks.
E-commerce Sites at Risk! Google has blocked ads for e-commerce sites using the Polyfill.io service after a Chinese company acquired the domain and modified the "polyfill.js" JavaScript library to redirect users to malicious and scam sites. This supply chain attack impacts over 110,000 websites that embed the library, according to a report from Sansec.
⚠️ Compromised 🛠️
Polyfill is a popular library that adds support for modern web functions in browsers. Concerns arose in February when Funnull, a China-based CDN company, purchased the domain. The original creator, Andrew Betts, urged website owners to remove Polyfill immediately, stating that "no website today requires any of the polyfills in the polyfill[.]io library" and noting that most modern browser features can't be polyfilled.
Web infrastructure providers Cloudflare and Fastly have since offered alternative endpoints to help users move away from . Cloudflare researchers warned that any website embedding the original domain now relies on Funnull to maintain and secure the project, posing a significant supply chain risk. If compromised, all websites using the tool could be affected by malicious code.
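As an added example (not code from Sansec, Cloudflare or Fastly), a quick way to inventory which of your pages still pull from the old domain: parse the HTML and report every script, link or iframe whose host is polyfill.io or a subdomain of it. The sample page is constructed.

```python
"""Inventory check for pages that still load resources from polyfill.io.
Added example for this item (not Sansec's or Cloudflare's code). It parses HTML with
the standard library and reports every remote fetch whose host is polyfill.io or
one of its subdomains, such as cdn.polyfill.io, with the line it appears on."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains whose ownership changed; subdomains are matched as well.
WATCHED_HOSTS = ("polyfill.io",)
# Tag -> attribute that makes the browser fetch a remote resource.
FETCH_ATTRS = {"script": "src", "link": "href", "iframe": "src"}

def host_is_watched(url: str) -> bool:
    """True if the URL's host is a watched domain or a subdomain of one.
    Protocol-relative URLs (//cdn.polyfill.io/...) are normalised first."""
    if url.startswith("//"):
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)

class DependencyAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, line number)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url and host_is_watched(url):
            self.findings.append((tag, url, self.getpos()[0]))

def audit_html(html: str) -> list:
    """Return all watched-host references found in an HTML document."""
    auditor = DependencyAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: two polyfill.io references (one protocol-relative)
# and one unrelated script that must not be reported.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.js"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body><p>hello</p></body></html>"""
```

Feed `audit_html` the HTML of each page in your site crawl (or a template directory) to get the list of tags to remove or repoint.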
🛡️ Malware Injection Detected
The domain "cdn.polyfill[.]io" has been found injecting malware that redirects users to sports betting and pornographic sites. The malicious code activates only on specific mobile devices at certain times, does not trigger for admin users, and delays execution if a web analytics service is present, likely to evade detection.
San Francisco-based c/side reported that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024. This development underscores the ongoing threat to websites using the compromised library.
🚨 Critical Security Flaw in Adobe Commerce and Magento 🛡️
This incident follows another critical advisory about a security flaw affecting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8). The flaw allows attackers to read private files and, combined with the iconv bug in glibc on Linux (CVE-2024-2961), enables remote code execution. The issue, known as CosmicSting, remains largely unpatched despite fixes being available since June 11, 2024. Third parties can also gain API admin access without needing a Linux version vulnerable to the iconv issue, increasing the severity of the threat.
Action Required!
Website owners must update their CMS software and plugins, and remove any dependencies on the compromised library, to safeguard against these attacks. Maintaining robust security practices, such as enforcing strong passwords and regularly auditing for suspicious activity, is crucial to protect against such sophisticated threats.
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! 🤵 How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 👩‍💻
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples! 🦦
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters
A newly disclosed critical security flaw in Progress Software's MOVEit Transfer is already being exploited shortly after details of the bug were made public. The vulnerability, identified as CVE-2024-5806 (CVSS score: 9.1), is an authentication bypass impacting specific versions of the software:
From 2023.0.0 before 2023.0.11
From 2023.1.0 before 2023.1.6
From 2024.0.0 before 2024.0.2
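An added example (not Progress Software's tooling) of scripting the "am I affected" check against the three ranges above, plus the single MOVEit Gateway version the advisory names for CVE-2024-5805; version strings are assumed to be dotted numbers.

```python
"""Check MOVEit build numbers against the CVE-2024-5806 affected ranges quoted above
(added example, not Progress Software's tooling). Assumes dotted numeric version
strings such as "2023.1.5"; a missing third component is read as 0."""

# (first affected build, first fixed build): affected when lower <= version < upper.
TRANSFER_AFFECTED = (
    ("2023.0.0", "2023.0.11"),
    ("2023.1.0", "2023.1.6"),
    ("2024.0.0", "2024.0.2"),
)
# MOVEit Gateway: the advisory text names only 2024.0.0 for CVE-2024-5805.
GATEWAY_AFFECTED = ("2024.0.0",)

def parse_version(v: str) -> tuple:
    """'2023.0.11' -> (2023, 0, 11). Rejects anything that is not dotted digits."""
    parts = v.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))  # pad so "2023.1" compares as 2023.1.0
    return tuple(nums)

def transfer_fix_for(version: str):
    """Return the first fixed build if a MOVEit Transfer version is affected, else None."""
    v = parse_version(version)
    for lower, upper in TRANSFER_AFFECTED:
        if parse_version(lower) <= v < parse_version(upper):
            return upper
    return None

def gateway_is_affected(version: str) -> bool:
    """Exact-match check for MOVEit Gateway against CVE-2024-5805."""
    return parse_version(version) in {parse_version(g) for g in GATEWAY_AFFECTED}

def triage(product: str, version: str) -> str:
    """One-line verdict for an inventory report; product is "transfer" or "gateway"."""
    if product == "transfer":
        fix = transfer_fix_for(version)
        verdict = f"AFFECTED, update to {fix}" if fix else "not in an affected range"
        return f"MOVEit Transfer {version}: {verdict}"
    if product == "gateway":
        hit = gateway_is_affected(version)
        verdict = "AFFECTED (CVE-2024-5805)" if hit else "not listed as affected"
        return f"MOVEit Gateway {version}: {verdict}"
    raise ValueError(f"unknown product: {product!r}")
```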
🛡️ Vulnerability Details
Progress Software's advisory describes an improper authentication flaw in MOVEit Transfer's SFTP module, which can lead to an authentication bypass. Additionally, a similar critical vulnerability (CVE-2024-5805, CVSS score: 9.1) affects MOVEit Gateway version 2024.0.0. Successful exploitation of these vulnerabilities allows attackers to bypass SFTP authentication, gaining unauthorised access to MOVEit Transfer and Gateway systems.
Technical Insights
watchTowr Labs has provided detailed technical information about CVE-2024-5806. Security researchers Aliz Hammond and Sina Kheirkhah explained that the flaw can be used to impersonate any user on the server. The issue comprises two distinct vulnerabilities: one in Progress MOVEit and another in the IPWorks SSH library. While the ability to impersonate arbitrary users is unique to MOVEit, the forced authentication vulnerability in IPWorks SSH affects all applications using this library.
🛠️ Mitigation Measures
Progress Software has recommended the following steps to mitigate the risk:
Block public inbound RDP access to MOVEit Transfer server(s)
Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)
According to Rapid7, exploiting CVE-2024-5806 requires knowledge of an existing username, the ability to authenticate remotely, and the SFTP service being publicly accessible over the internet.
Impact and Response
As of June 25, Censys data indicates approximately 2,700 MOVEit Transfer instances online, primarily in the U.S., U.K., Germany, Netherlands, Canada, Switzerland, Australia, France, Ireland, and Denmark. Given the history of previous critical vulnerabilities in MOVEit Transfer, such as CVE-2023-34362 (CVSS score: 9.8) which was widely abused in Cl0p ransomware attacks last year, it's imperative for users to promptly update to the latest software versions.
Broader Security Concerns
This development coincides with a report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which disclosed that its Chemical Security Assessment Tool (CSAT) was targeted by an unknown threat actor in January. This attack exploited flaws in the Ivanti Connect Secure (ICS) appliance (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893), potentially compromising sensitive data such as Top-Screen surveys, Security Vulnerability Assessments, and Site Security Plans. CISA noted that no evidence of data exfiltration has been found.
Call to Action
To protect against these evolving threats, users of MOVEit Transfer must immediately update their software, enforce stringent security measures, and regularly audit their systems for vulnerabilities. Staying vigilant and applying the latest patches is crucial to safeguarding sensitive information and maintaining robust security postures.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!