It's been a while. What happened? Work, work, and work. I hope you are all doing good. Let's do some review!
Introduction
This week's review is all about vulnerabilities and attack methods that affect your privacy and security online.
Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability
WordPress is among the most used software in the world, and it is often subject to vulnerabilities and bugs that affect its user base. Usually, site owners are advised to upgrade to a new version when a bug appears in WordPress. On rare occasions, when the bug is critical, the minds behind WordPress perform a forced update.
This is one such occasion. The following is an excerpt from the article:
WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability. Successful exploitation of the flaw could allow an attacker to achieve remote code execution and completely take over a vulnerable WordPress site.
Google Chrome extensions can be fingerprinted to track you online
It's no news that trackers can track you online based on your device fingerprint. Now, a user called z0ccc has taken it up one level. z0ccc created a website that can check which extensions are installed in Google Chrome. Using this list of extensions, the site generates a hash that can be used to track your web browser.
The following is an excerpt from the article:
z0ccc created an Extension Fingerprints website that will check a visitor's browser for the existence of web-accessible resources in 1,170 popular extensions available on the Google Chrome Web Store. Based on the combination of installed extensions, the website will generate a tracking hash that can be used to track that particular browser.
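The probe described above only works because an extension declares resources that any web page may load at a fixed chrome-extension:// URL. As an added example (not code from the article, and not z0ccc's site), here is a small Node.js linter for an extension's manifest.json that reports which web-accessible resources an arbitrary page could test for, and a helper that applies the Manifest V3 mitigation (restricting the matches list, or setting use_dynamic_url so the resource lives under a per-session random ID). The isBroadMatch heuristic, the function names and the two sample manifests are constructed for this illustration.

```javascript
// Added example: lint a Chrome extension manifest for resources that any web
// page can probe, which is the signal extension fingerprinting relies on.

// Heuristic (an assumption for this example): treat <all_urls> and
// scheme-wildcard/host-wildcard patterns as "reachable from every site".
function isBroadMatch(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Return the list of resources a page on any origin could load by static URL.
function fingerprintableResources(manifest) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) return [];

  if (manifest.manifest_version === 2) {
    // MV2: a plain list of paths, exposed to every origin at a fixed URL.
    return war.map((path) => ({ path, reason: "MV2 resource, exposed to all sites" }));
  }

  const findings = [];
  for (const entry of war) {
    const matches = entry.matches || []; // entries with only extension_ids are not page-reachable
    if (!matches.some(isBroadMatch)) continue; // only the listed sites can load it
    if (entry.use_dynamic_url === true) continue; // per-session URL defeats a static probe
    for (const path of entry.resources || []) {
      findings.push({
        path,
        reason: `exposed via ${matches.join(", ")} without use_dynamic_url`,
      });
    }
  }
  return findings;
}

// MV3 mitigation: keep the broad match list but serve the resource under a
// dynamic, per-session extension ID. MV2 has no equivalent knob.
function hardenManifest(manifest) {
  if (manifest.manifest_version !== 3) return manifest;
  return {
    ...manifest,
    web_accessible_resources: manifest.web_accessible_resources.map((entry) =>
      (entry.matches || []).some(isBroadMatch) ? { ...entry, use_dynamic_url: true } : entry
    ),
  };
}

// Constructed sample manifests (not from any real extension).
const SAMPLE_MV3 = {
  manifest_version: 3,
  name: "constructed-example-mv3",
  web_accessible_resources: [
    { resources: ["icons/logo.png"], matches: ["<all_urls>"] },               // probe-able
    { resources: ["inject/widget.js"], matches: ["https://example.com/*"] },  // one site only
    { resources: ["css/theme.css"], matches: ["*://*/*"], use_dynamic_url: true }, // random ID
  ],
};
const SAMPLE_MV2 = {
  manifest_version: 2,
  name: "constructed-example-mv2",
  web_accessible_resources: ["img/a.png", "js/b.js"],
};

console.log("MV3 findings:", JSON.stringify(fingerprintableResources(SAMPLE_MV3)));
console.log("MV3 after hardening:", JSON.stringify(fingerprintableResources(hardenManifest(SAMPLE_MV3))));
console.log("MV2 findings:", JSON.stringify(fingerprintableResources(SAMPLE_MV2)));
```

Run it with `node lint-manifest.js`; on the MV3 sample only icons/logo.png is reported, and nothing is reported after hardenManifest sets use_dynamic_url on the broad entry. The MV2 sample shows why the technique works so well against older extensions: every listed path is reachable and there is no per-manifest switch to hide it.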
New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain
DFSCoerce is the name of the attack, and it allows an attacker to seize control of a domain. To complicate matters, there is a proof of concept (POC) on GitHub.
Here are some highlights from the article:
The discovery of DFSCoerce follows a similar method called PetitPotam that abuses Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC) to coerce Windows servers, including domain controllers, into authenticating with a relay under an attacker's control, letting threat actors potentially take over an entire domain.
Mega says it can’t decrypt your files. New POC exploit shows otherwise
A promise of "we can't decrypt your data" seems true until a group of researchers steps in to verify the claim. This is the case for Mega, a cloud storage provider that aims to provide end-to-end encryption (E2E). Researchers from the Applied Cryptography Group at ETH Zurich devised attack methods against Mega that can practically compromise the confidentiality of user files. You can read the research on Mega-awry.
Here are some key points from the article:
The authors say that the architecture Mega uses to encrypt files is riddled with fundamental cryptography flaws that make it trivial for anyone with control of the platform to perform a full key recovery attack on users once they have logged in a sufficient number of times.
With that, the malicious party can decipher stored files or even upload incriminating or otherwise malicious files to an account; these files look indistinguishable from genuinely uploaded data.
Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data
At the time of writing, it's over six months since the discovery and patching of the Log4Shell bug. However, threat actors are still attempting to exploit it. The linked article quotes CISA and CGCYBER:
As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command-and-control (C2).
Malicious Windows 'LNK' attacks made easy with new Quantum builder
Some attacks can be difficult to pull off until a tool arises that makes it all simple. Such is the case in this story, and I am not making this up. The following sums it up nicely (emphasis mine):
Researchers at Cyble have spotted a new tool for creating malicious LNKs called Quantum, which features a graphical interface and offers convenient file building through a rich set of options and parameters. The tool is rented for €189 per month, €335 for two months, €899 for six months, or a single payment of €1,500 for lifetime access.
Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys
Among the things that can betray application security is a third-party library. It gets worse if that library steals something from you, and it's complicated if you have many such libraries in your application. If you are a Python developer, do read the article.
Before that, the following should get you started:
The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, I'll see you next Friday.