Introduction
The diversification of this week's review is quite a lot, and I hope that you don't get overwhelmed in the process. However, if you've been following this series for a while, you'll be fine ๐.
Today, the articles that we'll review together are about the following:
- Internet of Things
- Vulnerabilities (No surprises here)
- A new phishing technique (Wait till you read it. It's crafty.
- A macOS malware ๐
- An Android malware that can steal payment card data
- Slack AI data exfiltration
Let's go!
Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover
Update! Update!! Update!! Well, that's if you have this plugin on your WordPress website. The short excerpt below briefly explains how the flaw works.
Tracked as CVE-2024-5932 (CVSS score of 10/10), the bug is described as a PHP object injection via the deserialization of untrusted input from the โgive_titleโ parameter.
Unauthenticated attackers, Defiant explains, could trigger the security defect to inject a PHP object and then exploit a POP (Property Oriented Programming) chain to execute arbitrary code remotely or delete arbitrary files.
Litespeed Cache bug exposes millions of WordPress sites to takeover attacks
If you have this plugin on your WordPress website and its version is less than or equal to 6.3.0.1, update immediately. Why? That's because you are running a vulnerable version that can allow the following on your WordPress website: The ability for unauthenticated visitors to gain administrator-level access to your website. Yes, you read that right.
There is no excerpt for this one. Go read the article.
New Phishing Technique Bypasses Security on iOS and Android to Steal Bank Credentials
A developer can spend months, if not years developing a secure system. The annoying part? Someone, somewhere across the globe can spend probably less than that cracking the system. This article is a classic example.
Here is what's going on:
The threat actors behind the phishing campaigns combined automated voice calls, social media malvertising, and SMS messages to distribute links to the third-party websites hosting the fraudulent applications.
Opening the phishing link to a page imitating the official Google Play/Apple Store page or the official website of the targeted banking application.
The user was then prompted to install a new version of the banking application, leading to the installation of the malicious program without any security warning being displayed on the device.
New macOS Malware "Cthulhu Stealer" Targets Apple Users' Data
Take this article as a notification that threat actors are increasingly targeting macOS. Furthermore, the threat actors behind "Cthulhu Stealer" appear to be financially motivated because this stealer can steal credentials and crypto wallets.
To be potentially safe from this malware, remember the following advice from the article:
While threats to macOS are much less prevalent than to Windows and Linux, users are advised to download software only from trusted sources, stay away from installing unverified apps, and keep their systems up-to-date with the latest security updates.
Android malware steals payment card data using previously unseen technique
I just wonder about the lengths that threat actors are willing to go to steal money. It's creative but not in a good way. In the embedded YouTube video below, the researcher details how the malware works. What's more, this is our "excerpt" for this article ๐
Slack AI data exfiltration from private channels via indirect prompt injection
I'll be honest with you: It's technical. However, here is the core of the attack: Attackers can steal anything from a private Slack channel using the LLM that's used to generate content.
From the article, here is a brief of what's going on:
The core of the issue from Slack AI stems from prompt injection, initially discovered by Jon Cefalu, and more specifically indirect prompt injection, initially coined by Kai Greshake
As such, if Slack AI ingests any instruction via a message, if that instruction is malicious, Slack AI has a high likelihood of following that instruction instead of, or in addition to, the user query.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.