1010.TEAM πŸ‡ΊπŸ‡¦

CYBERSECURITY / DEFENSE / INTELLIGENCE

  • The D Brief: US shifts airstrike HQ; Europe warns of Russian hackers; 30 injured in LCAC mishap; USAF adds EW squadron; And a bit more.

    Β·

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • Mal.Metrica Malware Hijacks 17,000+ WordPress Sites

    Β·

    Infected websites mimic legitimate human verification prompts (CAPTCHAs) to trick users, who often request seemingly innocuous clicks, resembling past CAPTCHA challenges.Β 

    Clicking initiates a malicious redirect, exposing users to scams or malware exploiting user familiarity with CAPTCHAs, bypassing suspicion, and increasing the click-through rate for fraudulent purposes.  

    Verifying Process
    Verifying Process

    Attackers are using a novel technique to redirect users to malicious domains, and instead of injecting malicious code directly into the website, they create an image overlay that appears as a verification prompt.Β 

    Document

    Integrate ANY.RUN in Your Company for Effective Malware Analysis

    Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

    • Real-time Detection
    • Interactive Malware Analysis
    • Easy to Learn by New Security Team members
    • Get detailed reports with maximum data
    • Set Up Virtual Machine in Linux & all Windows OS Versions
    • Interact with Malware Safely

    If you want to test all these features now with completely free access to the sandbox:

    The image contains a link to the attacker’s domain (rapid.tmediacontent.com).

    When a user clicks the image, they are redirected through a chain of redirects before ending up on the malicious website.

    This makes it difficult to detect the attack because the malicious code is not part of the original website’s code.Β 

    redirect chain in the browser developer tools
    redirect chain in the browser developer tools

    Mal.Metrica, a large malware campaign, injects malicious scripts into vulnerable WordPress plugins masquerading as legitimate CDN or web analytics services to avoid detection.Β 

    The malware leverages Yandex.Metrica to track the performance of these injections.

    Since 2023, Mal.Metrica has exploited vulnerabilities in tagDiv Composer, Popup Builder, WP Go Maps, and Beautiful Cookie Consent Banner, infecting over 17,449 websites in 2024 alone. 

    Researchers at Sucuri recently identified the threat actors behind Mal.Metrica, highlighting the connection between unpatched vulnerabilities and widespread malware infections.

    fake verification prompts
    fake verification prompts

    A high-severity vulnerability (CVSS 7.5) in the popular WordPress theme “Responsive” allowed attackers to inject malicious code into websites’ footer sections. The vulnerability was identified in March 2024 and has since been patched.Β 

    Attackers exploited the flaw by inserting unauthorized links into the footer copyright area, potentially for malicious purposes.

    On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

    The latest version of the theme addresses this issue, as documented in the changelog.txt file. 

    changelog.txt file
    changelog.txt file

    Clicking “Allow” on a fake CAPTCHA triggers a series of browser notification prompts disguised as legitimate security checks.

    These deceptive prompts act as a gateway, initiating a chain of redirects that ultimately land users on malicious websites. 

    Bogus Websites
    Bogus Websites

    The malicious websites employ various social engineering tactics to trick users into compromising their security and privacy.

    Some common scams include malware downloads disguised as essential software updates, phishing attempts that lure users into surrendering personal information, and fraudulent investment opportunities involving cryptocurrency.Β 

    Additionally, these scammy pop-ups can bombard users with further notifications, each notification functioning as a springboard to yet another bogus website designed to exploit unsuspecting victims.

    Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

    The post Mal.Metrica Malware Hijacks 17,000+ WordPress Sites appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    / / / /

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • Mal.Metrica Malware Hijacks 17,000+ WordPress Sites

    Β·

    Infected websites mimic legitimate human verification prompts (CAPTCHAs) to trick users, who often request seemingly innocuous clicks, resembling past CAPTCHA challenges.Β 

    Clicking initiates a malicious redirect, exposing users to scams or malware exploiting user familiarity with CAPTCHAs, bypassing suspicion, and increasing the click-through rate for fraudulent purposes.  

    Verifying Process
    Verifying Process

    Attackers are using a novel technique to redirect users to malicious domains, and instead of injecting malicious code directly into the website, they create an image overlay that appears as a verification prompt.Β 

    Document

    Integrate ANY.RUN in Your Company for Effective Malware Analysis

    Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

    • Real-time Detection
    • Interactive Malware Analysis
    • Easy to Learn by New Security Team members
    • Get detailed reports with maximum data
    • Set Up Virtual Machine in Linux & all Windows OS Versions
    • Interact with Malware Safely

    If you want to test all these features now with completely free access to the sandbox:

    The image contains a link to the attacker’s domain (rapid.tmediacontent.com).

    When a user clicks the image, they are redirected through a chain of redirects before ending up on the malicious website.

    This makes it difficult to detect the attack because the malicious code is not part of the original website’s code.Β 

    redirect chain in the browser developer tools
    redirect chain in the browser developer tools

    Mal.Metrica, a large malware campaign, injects malicious scripts into vulnerable WordPress plugins masquerading as legitimate CDN or web analytics services to avoid detection.Β 

    The malware leverages Yandex.Metrica to track the performance of these injections.

    Since 2023, Mal.Metrica has exploited vulnerabilities in tagDiv Composer, Popup Builder, WP Go Maps, and Beautiful Cookie Consent Banner, infecting over 17,449 websites in 2024 alone. 

    Researchers at Sucuri recently identified the threat actors behind Mal.Metrica, highlighting the connection between unpatched vulnerabilities and widespread malware infections.

    fake verification prompts
    fake verification prompts

    A high-severity vulnerability (CVSS 7.5) in the popular WordPress theme “Responsive” allowed attackers to inject malicious code into websites’ footer sections. The vulnerability was identified in March 2024 and has since been patched.Β 

    Attackers exploited the flaw by inserting unauthorized links into the footer copyright area, potentially for malicious purposes.

    On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

    The latest version of the theme addresses this issue, as documented in the changelog.txt file. 

    changelog.txt file
    changelog.txt file

    Clicking “Allow” on a fake CAPTCHA triggers a series of browser notification prompts disguised as legitimate security checks.

    These deceptive prompts act as a gateway, initiating a chain of redirects that ultimately land users on malicious websites. 

    Bogus Websites
    Bogus Websites

    The malicious websites employ various social engineering tactics to trick users into compromising their security and privacy.

    Some common scams include malware downloads disguised as essential software updates, phishing attempts that lure users into surrendering personal information, and fraudulent investment opportunities involving cryptocurrency.Β 

    Additionally, these scammy pop-ups can bombard users with further notifications, each notification functioning as a springboard to yet another bogus website designed to exploit unsuspecting victims.

    Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

    The post Mal.Metrica Malware Hijacks 17,000+ WordPress Sites appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    / / / /

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • Expert-Led Webinar – Uncovering Latest DDoS Tactics and Learn How to Fight Back

    Β·

    In today’s rapidly evolving digital landscape, the threat of Distributed Denial of Service (DDoS) attacks looms more significant than ever. As these cyber threats grow in sophistication, understanding and countering them becomes crucial for any business seeking to protect its online presence. To address this urgent need, we are thrilled to announce our upcoming webinar, “Uncovering Contemporary

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

    Β·

    Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to “facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • Hackers Exploit Microsoft Graph API For C&C Communications

    Β·

    An emerging threat leverages Microsoft’s Graph API to facilitate command-and-control (C&C) communications through Microsoft cloud services. 

    Recently, security analysts at Symantec discovered a previously undocumented malware called BirdyClient or OneDriveBirdyClient.

    This malware targeted an organization in Ukraine. It abused Microsoft OneDrive for C&C by connecting to the Graph API to upload and download files.Β 

    While masquerading as legitimate software, the malware’s core functionality reveals an evolving technique that leverages trusted cloud services for malicious purposes by threat actors of unknown motivation and attribution.

    Document

    Integrate ANY.RUN in Your Company for Effective Malware Analysis

    Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

    • Real-time Detection
    • Interactive Malware Analysis
    • Easy to Learn by New Security Team members
    • Get detailed reports with maximum data
    • Set Up Virtual Machine in Linux & all Windows OS Versions
    • Interact with Malware Safely

    If you want to test all these features now with completely free access to the sandbox:

    Technical Analysis

    Command-and-control (C&C) communications are becoming more and more common among attackers who take advantage of the Microsoft Graph API that was built for integrating Microsoft cloud services.

    Graph API access to services such as OneDrive is used by malware families like BirdyClient, Bluelight (Vedalia/APT37 group), Backdoor.Graphon (Harvester group), and Graphite (Swallowtail/APT28 group) for C&C purposes.Β 

    This new approach helps threat actors hide their malicious communications in legitimate cloud traffic, making detection difficult.

    Advanced persistent threats that abuse unknown C&C channels created by repurposing cloud integration capabilities raise concerns about the misuse of trusted services.

    Microsoft’s Graph API has become increasingly popular for command-and-control (C&C) abuse among various threat groups.

    OneDrive and Microsoft 365 Mail were used by SiestaGraph to target an ASEAN country. 

    Backdoor.Graphican, an evolved form of older malware, was utilized by the Flea (APT15) group in campaigns against foreign ministries where Graph API and OneDrive served as their C&C infrastructure components.Β 

    GraphStrike is a penetration testing toolkitβ€”one of many examples that illustrates how attackers are abusing legitimate cloud integration capabilities for malicious communication purposes, which helps them hide within trusted services.Β 

    However, as more knowledge about this technique spreads throughout other hacking communities, we should expect authenticated API access to be misused as never before, which will create new challenges for all.

    On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

    To avoid detection, threat actors have started to use Microsoft’s Graph API as a platform for their command-and-control servers. 

    This is done so that their malicious communications will seem like normal cloud activities, while at the same time providing them with free, safe hosting using ordinary cloud accounts.Β 

    Accordingly, given its increased adoption by various threat actors aimed at ensuring continuity of operations, misusing authorized API access channels for C2 presents a growing problem that requires more alertness and innovative protection mechanisms.

    IoCs

    • afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e – BirdyClient
    • 5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6 – Bluelight
    • 470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3 – Graphon
    • f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 – Graphite
    • 4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5 – Graphican 
    • a78cc475c1875186dcd1908b55c2eeaf1bcd59dedaff920f262f12a3a9e9bfa8 – Graphican
    • 02e8ea9a58c13f216bdae478f9f007e20b45217742d0fbe47f66173f1b195ef5  – Graphican
    • 1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf – SiestaGraph 
    • fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb – SiestaGraph
    • 7fc54a287c08cde70fe860f7c65ff71ade24dfeedafdfea62a8a6ee57cc91950 – SiestaGraph

    Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

    The post Hackers Exploit Microsoft Graph API For C&C Communications appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    / / / /

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • ApacheMQ Authentication Flaw Let Unauthorized Users Perform Multiple Actions

    Β·

    Apache ActiveMQ is a Java based communication management tool for communicating with multiple components in a server.

    It is an open-source widely used messaging service that can be used to send messages between two or more applications.

    However, Apache ActiveMQ has been discovered with a critical flaw in its authentication that could allow literally anyone to perform malicious actions on the vulnerable instance.

    This vulnerability has been assigned with CVE-2024-32114 and the severity has been given as 8.5 (High).

    Document

    Integrate ANY.RUN in Your Company for Effective Malware Analysis

    Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

    • Real-time Detection
    • Interactive Malware Analysis
    • Easy to Learn by New Security Team members
    • Get detailed reports with maximum data
    • Set Up Virtual Machine in Linux & all Windows OS Versions
    • Interact with Malware Safely

    If you want to test all these features now with completely free access to the sandbox:

    Technical Analysis – CVE-2024-32114

    According to the reports shared with Cyber Security News, this vulnerability exists due to the default configuration on Apache ActiveMQ which does not properly secure the API web context where the Jolokia JMX REST API and the Message REST API are located.Β 

    This arises specifically because the API web request does not require authentication, allowing access to anyone.

    Moreover, this could allow a threat actor to interact with the Jolokia JMX REST API and perform actions like producing a message, consuming a message, or purging or deleting destinations using the Message REST API.Β 

    On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

    To prevent this vulnerability, users of Apache ActiveMQ are recommended to update the default conf/jetty.xml configuration file with the below code for adding authentication requirements.

    As an alternative, users can upgrade their Apache ActiveMQ to version 6.1.2, which has an updated default configuration with authentication.

    Apache has also released a security advisory for addressing this vulnerability.

    Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

    The post ApacheMQ Authentication Flaw Let Unauthorized Users Perform Multiple Actions appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    / / /

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • 68% of Data Breach Occurs Due to Social Engineering Attacks

    Β·

    In the latest edition of Verizon’s Data Breach Investigations Report (DBIR) for 2024, a concerning trend has been highlighted, a significant 68% of data breaches are now occurring due to social engineering attacks.

    This revelation underscores the increasing sophistication and prevalence of these tactics in the cyber threat landscape.

    Social engineering exploits the human factor, manipulating individuals into breaking normal security procedures.

    The DBIR’s findings suggest that despite advancements in technology, human vulnerabilities remain a critical weak point.

    Document

    Integrate ANY.RUN in Your Company for Effective Malware Analysis

    Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

    • Real-time Detection
    • Interactive Malware Analysis
    • Easy to Learn by New Security Team members
    • Get detailed reports with maximum data
    • Set Up Virtual Machine in Linux & all Windows OS Versions
    • Interact with Malware Safely

    If you want to test all these features now with completely free access to the sandbox:

    The report indicates that phishing, pretexting, and other forms of social engineering are not only prevalent but are also becoming more sophisticated.

    Breakdown of breaches by attack type
    Breakdown of breaches by attack type

    Verizon’s 2024Β DBIR has revised its methodology to provide clearer insights into breaches involving the human element.

    It excludes cases of malicious privilege misuse to focus on incidents that could potentially be mitigated through improved security awareness and training.

    The Role of Ransomware and Extortion

    The report also sheds light on the role of ransomware and extortion in the cybersecurity threat landscape.

    Approximately one-third of all breaches involved these tactics, with pure extortion attacks marking a significant rise over the past year.

    On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

    This shift indicates a strategic evolution among cybercriminals, who are increasingly leveraging ransomware and extortion to capitalize on their attacks.

    Breakdown of breaches by attack type.
    Breakdown of breaches by attack type.

    The combination of ransomware and other forms of extortion has been particularly impactful, affecting 32% of breaches and being a top threat across 92% of industries surveyed.

    This highlights the critical need for organizations to enhance their defensive strategies against these forms of cyberattacks.

    Third-Party Vulnerabilities and Preventive Measures

    An expanded concept of breaches involving third-party entities was introduced in this year’s report.

    This includes incidents where partner infrastructure is compromised or where indirect software supply chain issues occur.

    The report notes a 68% increase in such breaches, primarily fueled by zero-day exploits used in ransomware and extortion attacks.

    Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β  68% increase in such breaches
                                                68% increase in such breaches

    This finding emphasizes the importance of diligent vendor selection and the need for organizations to prioritize security in their supply chains.

    By choosing partners with robust security measures, companies can significantly mitigate the risk of being compromised through third-party vulnerabilities.

    Verizon’s 2024 DBIR provides a stark reminder of the persistent and evolving threats in the digital world.

    With a significant portion of breaches attributable to social engineering, the human element continues to be a critical battleground in cybersecurity.

    Organizations must prioritize comprehensive security training and robust protocols to safeguard against these insidious attacks.

    Meanwhile, the rise of ransomware and extortion, along with the vulnerabilities in third-party partnerships, calls for an urgent reassessment of current security strategies and vendor management practices.

    Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

    The post 68% of Data Breach Occurs Due to Social Engineering Attacks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    / /

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • New Guide Explains How to Eliminate the Risk of Shadow SaaS and Protect Corporate Data

    Β·

    SaaS applications are dominating the corporate landscape. Their increased use enables organizations to push the boundaries of technology and business. At the same time, these applications also pose a new security risk that security leaders need to address, since the existing security stack does not enable complete control or comprehensive monitoring of their usage.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources

    Β·

    The U.S. government on Thursday published a new cybersecurity advisory warning of North Korean threat actors’ attempts to send emails in a manner that makes them appear like they are from legitimate and trusted parties. The joint bulletin was published by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State. “The

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ