
Vercara’s Open-Source Intelligence (OSINT) Report – March 8 – March 14, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.


Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware.

(TLP: CLEAR) This article highlights a security concern involving WordPress sites and the Popup Builder plugin. Hackers are exploiting a stored cross-site scripting (XSS) vulnerability, tracked as CVE-2023-6000, in outdated versions (4.2.3 and older) of the plugin. The attacks inject malicious code into the Custom JavaScript or Custom CSS sections of the plugin's admin interface; WordPress stores those settings in the 'wp_postmeta' database table. The injected code is registered as a handler for Popup Builder plugin events, so it runs whenever a popup fires and redirects visitors to malicious destinations such as phishing pages and malware sites. Sucuri reports a recent uptick in a campaign targeting this vulnerability, with 3,329 WordPress sites affected. The primary defensive recommendation is to block the domains "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com." Site administrators are urged to update to Popup Builder version 4.2.7, which addresses the mentioned vulnerability and other security issues. Given the substantial number of active sites still running older versions, the risk remains significant. If a site is already infected, cleanup involves deleting the malicious entries from the plugin's custom sections and scanning for hidden backdoors so the site is not simply reinfected.
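The cleanup step above starts with finding the injected entries. The following is an added example of that hunt, not code from the article, from Sucuri, or from the Popup Builder project: it builds a small in-memory SQLite table standing in for `wp_postmeta` (the rows are constructed), pre-filters rows in SQL for the two published indicator domains or plugin-looking meta keys, and then classifies each candidate with a regex for redirect and loader constructs. The `meta_key` patterns are an assumption, since the article does not name the keys Popup Builder uses; replace them with the keys seen in your own database, and run the same SELECT through `mysql` or `wp db query` against a live site.

```python
import re
import sqlite3

# Indicators of compromise named in the report, written with real dots so a
# LIKE match works (the report prints them defanged with "[.]").
IOC_DOMAINS = ("ttincoming.traveltraffic.cc", "host.cloudsonicwave.com")

# Constructs typical of injected redirect/loader code. A hit is a lead for
# manual review, not proof of compromise: legitimate custom JS can use them.
SUSPICIOUS_JS = re.compile(
    r"(location\.(?:href|replace)|window\.open\(|String\.fromCharCode|"
    r"atob\(|eval\(|unescape\(|document\.write\(|<script)",
    re.IGNORECASE,
)

# ASSUMPTION: the report does not give the meta_key values under which Popup
# Builder stores its Custom JS/CSS. These LIKE patterns only narrow the scan
# and should be replaced with the keys observed in your database.
CUSTOM_KEY_PATTERNS = ("%custom_js%", "%custom_css%", "%sgpb%")


def find_suspicious_postmeta(conn, prefix="wp_"):
    """Return (post_id, meta_key, reasons) for rows carrying an IoC domain or a
    script-like payload. Rows are pre-filtered in SQL so a large postmeta table
    is not pulled into memory; `prefix` is the WordPress table prefix."""
    clauses = ["meta_value LIKE ?"] * len(IOC_DOMAINS) + ["meta_key LIKE ?"] * len(CUSTOM_KEY_PATTERNS)
    params = [f"%{d}%" for d in IOC_DOMAINS] + list(CUSTOM_KEY_PATTERNS)
    sql = f"SELECT post_id, meta_key, meta_value FROM {prefix}postmeta WHERE " + " OR ".join(clauses)
    findings = []
    for post_id, meta_key, meta_value in conn.execute(sql, params):
        value = meta_value or ""
        reasons = [f"IoC domain {d}" for d in IOC_DOMAINS if d in value.lower()]
        match = SUSPICIOUS_JS.search(value)
        if match:
            reasons.append(f"script construct {match.group(1)}")
        if reasons:
            findings.append((post_id, meta_key, reasons))
    return findings


def build_sample_db():
    """Constructed wp_postmeta rows for offline testing; not data from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, post_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    rows = [
        # benign styling in the Custom CSS section
        (101, "sgpb_custom_css", ".sgpb-popup { border-radius: 6px; }"),
        # injected handler on a popup event redirecting to a published IoC domain
        (101, "sgpb_custom_js",
         "window.addEventListener('sgpbWillOpen',function(){"
         "location.href='https://ttincoming.traveltraffic.cc/?'+Math.random();});"),
        # legitimate custom JS that only logs a click
        (102, "sgpb_custom_js",
         "document.querySelector('.cta').addEventListener('click',function(){console.log('opened')});"),
        # unrelated core metadata
        (103, "_edit_lock", "1710000000:1"),
        # obfuscated loader with no known domain: caught by the construct regex only
        (104, "sgpb_custom_js", "eval(String.fromCharCode(118,97,114,32,97,61,49));"),
    ]
    conn.executemany("INSERT INTO wp_postmeta (post_id, meta_key, meta_value) VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for post_id, key, reasons in find_suspicious_postmeta(build_sample_db()):
        print(f"post {post_id} {key}: {', '.join(reasons)}")
```

Post 104 is the important case: it carries none of the published domains, so a domain-only block list or search misses it, which is why the scan also keys on script constructs. Every hit still needs a human look, and removing the entries is not the end of the job; the article's advice to scan for backdoors (rogue admin users, modified theme or plugin files, scheduled tasks) applies before the site is declared clean.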

(TLP: CLEAR) Comments: The Popup Builder plugin offers functionality such as creating various popup types (image, countdown, etc.), customizing their appearance, and setting the triggers that control when they appear. The injected code runs on the plugin's own popup events, so the visitor sees what looks like a legitimate popup on a trusted site and is then redirected to a malicious site that installs malware, steals credentials, or steals money.

(TLP: CLEAR) Recommended best practices/regulations: Open Worldwide Application Security Project (OWASP) Application Security Verification Standard 4.0.3: “Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-flaw-to-infect-3-300-sites-with-malware/

PetSmart warns of credential stuffing attacks trying to hack accounts.

(TLP: CLEAR) PetSmart, the largest pet retailer in the US, has issued warnings to certain customers about a credential stuffing attack aimed at breaching accounts. In email notifications, PetSmart informed customers that their passwords were reset as a precautionary measure during the ongoing attacks. The company emphasized that there is no evidence of a compromise of petsmart.com or its systems. The reset was initiated due to increased password guessing attacks, and while some of the logins may have used valid credentials, the company chose to inactivate those passwords to protect customers. Credential stuffing attacks use login credentials exposed in data breaches to gain unauthorized access to other accounts. PetSmart joins a list of companies, including PayPal, Spotify, Xfinity, Chick-fil-A, FanDuel, and DraftKings, that have faced similar attacks in the past. Notably, in May 2023, an 18-year-old was charged with hacking 60,000 DraftKings betting accounts and selling them on a stolen account marketplace. The initial reported loss was $300,000, but the Department of Justice later put the amount stolen from compromised accounts at $600,000.

(TLP: CLEAR) Comments: Credential stuffing is a type of cyber-attack that tries to gain unauthorized access to accounts by replaying username and password pairs taken from earlier breaches and sold or traded on the darknet. Individuals tend to use the same username and password, or a variation of them, for multiple sites and/or accounts, which enables malicious actors to try the stolen account information on multiple sites. Several readily available tools, such as Burp Suite Intruder, OpenBullet, STORM, and SNIPR, are easily installed and take little technical knowledge to run against a login endpoint with a list of leaked credentials.
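What the PetSmart notices describe from the defender's side, an increase in password guessing with a few valid logins mixed in, is visible in the login audit trail long before customers complain. The following is an added example of that detection logic, not code from PetSmart, BleepingComputer, or any product named on this page: it parses constructed login events (the format, the IP addresses and the user names are invented for the example) and flags any source that attempts many distinct accounts in a short window with a high failure ratio, returning the accounts that did succeed from that source, which are the passwords to reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (not real data). One source walks a list of
# accounts with one password each and gets into one of them; one customer
# mistypes their own password twice before succeeding.
SAMPLE_LOG = """\
2024-03-12T10:00:01 ip=203.0.113.7 user=alice result=fail ua="python-requests/2.31"
2024-03-12T10:00:02 ip=203.0.113.7 user=bob result=fail ua="python-requests/2.31"
2024-03-12T10:00:02 ip=198.51.100.4 user=carol result=fail ua="Mozilla/5.0"
2024-03-12T10:00:03 ip=203.0.113.7 user=carol result=fail ua="python-requests/2.31"
2024-03-12T10:00:04 ip=203.0.113.7 user=dana result=ok ua="python-requests/2.31"
2024-03-12T10:00:05 ip=203.0.113.7 user=erin result=fail ua="python-requests/2.31"
2024-03-12T10:00:06 ip=203.0.113.7 user=frank result=fail ua="python-requests/2.31"
2024-03-12T10:00:07 ip=203.0.113.7 user=grace result=fail ua="python-requests/2.31"
2024-03-12T10:00:08 ip=203.0.113.7 user=hank result=fail ua="python-requests/2.31"
2024-03-12T10:00:09 ip=198.51.100.4 user=carol result=fail ua="Mozilla/5.0"
2024-03-12T10:00:15 ip=198.51.100.4 user=carol result=ok ua="Mozilla/5.0"
"""

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=ok|fail ua="<agent>""
LINE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Turn audit lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any `window`, try at least `min_users` distinct
    accounts with a failure ratio of at least `min_fail_ratio`.

    A customer retrying their own password has one user and a low ratio once
    they get in; a stuffing run has many users and mostly failures. Returns
    {ip: stats}; stats["successes"] lists accounts that authenticated from the
    flagged source and therefore need a forced password reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window so evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "fail" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                stats = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    "successes": sorted({e["user"] for e in win if e["result"] == "ok"}),
                }
                # keep the widest view of the run seen so far for this source
                if ip not in alerts or stats["distinct_users"] > alerts[ip]["distinct_users"]:
                    alerts[ip] = stats
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Per-IP counting is the simplest signal and the first one a stuffing crew defeats by spreading attempts across a residential proxy pool, so in practice the same windowed check is also grouped by user agent, TLS fingerprint, or ASN, and complemented by a site-wide view: a jump in the number of distinct accounts seeing failures is hard to hide however the traffic is spread. Whatever the grouping, the `successes` list is the actionable output, which is exactly the reset PetSmart performed.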

(TLP: CLEAR) Recommended best practices/regulations: Organizations should align their password policy with the National Institute of Standards and Technology (NIST) Digital Identity Guidelines (SP 800-63B). For memorized secrets, SP 800-63B requires a minimum length of 8 characters (and permitting at least 64), screening every new password against a blocklist of known-compromised and commonly used values, and rate-limiting failed authentication attempts; it advises against composition rules and against forcing periodic password changes unless there is evidence of compromise, because both push users toward predictable variations of passwords that credential-stuffing lists already contain. Since stuffing succeeds only where a valid password has been reused, multi-factor authentication is the control that most directly blunts it. Organizations should also review all user accounts periodically and disable or delete accounts that are no longer needed (e.g., accounts of personnel who have left the organization).
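A verifier-side check that follows SP 800-63B's actual guidance for memorized secrets, as an added example rather than code from NIST or from any product on this page: it normalizes the candidate, enforces length bounds, screens against a breach corpus and against context-specific words such as the username or the service name, and rejects repeated or sequential runs, while deliberately imposing no composition rules and no expiry. The breach corpus here is a constructed five-entry stand-in kept as SHA-1 digests, so the comparison has the same shape as a Have I Been Pwned range lookup; a real deployment queries the full corpus.

```python
import hashlib
import unicodedata

MIN_LEN, MAX_LEN = 8, 64   # SP 800-63B: at least 8 characters; permit at least 64

# Constructed stand-in for a breached-password corpus (ASSUMPTION: a real
# verifier queries a full corpus such as HIBP, not this short set). SHA-1 is
# used only because that is how such corpora are published, not for storage.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "P@ssw0rd", "Welcome1!")
}


def _run_type(pw, n=4):
    """Report n identical characters in a row or a straight sequence (abcd, 4321)."""
    for i in range(len(pw) - n + 1):
        seg = pw[i:i + n]
        if len(set(seg)) == 1:
            return "repeated characters"
        steps = {ord(b) - ord(a) for a, b in zip(seg, seg[1:])}
        if steps == {1} or steps == {-1}:
            return "sequential characters"
    return None


def check_memorized_secret(candidate, username="", context_words=()):
    """Return the reasons to reject `candidate`; an empty list means accept.

    Deliberately absent: composition rules (upper/lower/digit/symbol) and any
    expiry, both of which SP 800-63B says verifiers SHOULD NOT impose. Spaces
    and Unicode are allowed so passphrases are not penalized."""
    pw = unicodedata.normalize("NFKC", candidate)  # 800-63B: normalize before comparing/hashing
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1:
        reasons.append("found in breach corpus")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for word in context_words:
        if word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    run = _run_type(pw)
    if run:
        reasons.append(run)
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple", "PetSmart2024", "aaaaaaaa"):
        verdict = check_memorized_secret(pw, username="dana", context_words=("petsmart",))
        print(f"{pw!r}: {'accept' if not verdict else ', '.join(verdict)}")
```

"P@ssw0rd" satisfies every classic complexity rule and still fails, because it is in every stuffing list; the long passphrase passes with no symbols at all. That contrast is the point of the blocklist approach: it rejects what attackers actually have rather than what a character-class rule imagines they have. The same standard's other requirement, throttling failed attempts per account, belongs in the login handler rather than here.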

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes many tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Source: https://www.bleepingcomputer.com/news/security/petsmart-warns-of-credential-stuffing-attacks-trying-to-hack-accounts/

Massive Cyberattacks hit French government agencies.

(TLP: CLEAR) Multiple French government agencies have faced “intense” cyberattacks since Sunday night, according to the Prime Minister’s office. While specific details about the attacks were not disclosed, experts suggest they might be distributed denial-of-service (DDoS) attacks. Despite their intensity, the attacks were not considered complex, utilizing familiar technical means. The Prime Minister’s office stated that several ministerial services were targeted, describing the attacks as of “unprecedented intensity.” While attributing the attacks to Russia was not confirmed by government experts, a crisis cell has been activated to implement countermeasures. The impact on most services has been reduced, and access to state websites has been restored. Although the French government has not directly linked the attacks to Russia, Pro-Russia hacking groups, including NoName, claimed successful attacks against French authorities, citing their opposition to France’s support for Ukraine.

(TLP: CLEAR) Comments: NoName (commonly tracked as NoName057(16)) first appeared in March 2022 and is assessed to be a pro-Russian DDoS group motivated by opposition to NATO and US support for Ukraine. NoName has been targeting several European countries over the last year; its campaigns normally last between 2 and 4 days and hit a range of sectors (government, transportation, finance, and military) during that time.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those located in NATO member and allied countries, should maintain constant vigilance and regularly test and enhance their defensive capabilities, specifically their DDoS mitigation strategy, architecture, monitoring, and procedures.

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://securityaffairs.com/160374/hacking/massive-cyberattacks-hit-french-government-agencies.html

Three-Quarters of cyber incident victims are small businesses.

(TLP: CLEAR) A Sophos report reveals that over 75% of cyber incidents in 2023 targeted small businesses, with ransomware being the most impactful. The LockBit group accounted for the highest number of ransomware incidents against small businesses, comprising 27.59%, surpassing other groups like Akira, BlackCat, and Play. The report notes evolving tactics, such as increased use of remote encryption and ransomware targeting macOS and Linux operating systems. Over 90% of cyberattacks reported by Sophos customers involved data or credential theft, with 43.26% of SMB malware focusing on data theft, including password stealers and spyware. Stolen credentials hold significant value for cybercriminals, leading to social engineering attacks, access to third-party services, internal resource exploitation, or sale on underground forums. The report also highlights the rise of malware-as-a-service operators using malicious web advertising and SEO poisoning, with business email compromise (BEC) attacks becoming more creative, often involving conversations before sending malicious links and attachments. Attackers are experimenting with methods to bypass email security tools, including using embedded images, QR codes, and PDF file attachments linked to malicious scripts or sites.

(TLP: CLEAR) Comments: Small businesses do not normally have the budget to implement a robust cyber security program which makes them more susceptible to being a victim of cyber-attacks. Because small businesses are not able to have robust security measures, it makes them a lucrative target that allows cyber-criminals to gain access to sensitive data with little investment on their part.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented.” By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes several tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Source: https://www.infosecurity-magazine.com/news/cyber-incident-victims-small/

Stanford: Data of 27,000 people stolen in September ransomware attack.

(TLP: CLEAR) Stanford University reveals that the personal information of 27,000 individuals was compromised in a ransomware attack on its Department of Public Safety (SUDPS) network. The university detected the attack on September 27, launching an investigation into the cybersecurity incident affecting SUDPS systems. The unauthorized access occurred between May 12, 2023, and September 27, 2023, exclusively within the Department of Public Safety’s network. Stolen data includes personally identifiable information (PII) like date of birth, Social Security number, government ID, passport number, driver’s license number, and more. Some individuals may also have had biometric data, health/medical information, email credentials, usernames, passwords, security questions, digital signatures, and credit card information exposed. While Stanford has not attributed the incident to a specific ransomware group, the Akira ransomware gang claimed responsibility in October and published the stolen data on their dark web leak site. Akira, active since March 2023, gained notoriety for targeting various industries, and negotiation chats indicate ransom demands ranging from $200,000 to millions, depending on the breached organization’s size. This incident follows a February 2023 data breach at Stanford and a 2021 incident involving the Clop ransomware leaking documents from the Stanford School of Medicine’s Accellion File Transfer Appliance platform.

(TLP: CLEAR) Comments: The Clop ransomware group is assessed to be a Russian group that first emerged in February 2019. This group uses several techniques to evade detection such as digitally signed malware and is also known to conduct double extortion on their victims where they threaten to release or sell stolen data if the ransom isn’t paid. The education industry has been a primary target for ransomware groups due to the amount of personally identifiable information (PII) that is usually kept on IT systems. There was about a 70% increase in cyber-attacks targeting the education industry in 2023 compared to the prior year.

(TLP: CLEAR) Recommended best practices/regulations: PCI DSS v4.0 Requirement 5.2.1: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that conclude the system components are not at risk from malware.” Combining agent-based detection with network-based detection, such as a Protective DNS solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and servers, and also covers non-standard assets such as IoT devices and appliances that cannot run anti-malware software.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.

Source: https://www.bleepingcomputer.com/news/security/stanford-data-of-27-000-people-stolen-in-september-ransomware-attack/

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.